<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Ludovic+Petit</id>
		<title>OWASP - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Ludovic+Petit"/>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php/Special:Contributions/Ludovic_Petit"/>
		<updated>2026-05-16T09:13:01Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.27.2</generator>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=2013_Board_Elections&amp;diff=158148</id>
		<title>2013 Board Elections</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=2013_Board_Elections&amp;diff=158148"/>
				<updated>2013-09-10T10:01:10Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:2013 Board ELECTION-BANNER2.jpg]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= 2013 OWASP International Board of Directors Election =&lt;br /&gt;
&lt;br /&gt;
The OWASP Foundation was established in 2001 as an open community and software security resource. Since then, OWASP has grown to be globally recognized as a credible source for application security standards (see industry citations). Individuals typically find OWASP when searching the internet for information about software security - and they are happy to find a reliable source of knowledge built by an extremely open and passionate community. OWASP is open to anyone. Anyone can attend OWASP's vendor agnostic local chapter meetings, participate in regional and global conferences, and contribute to the many OWASP projects. And anyone can start a new project, form a new chapter, or lend their expertise to help an OWASP Global Committee.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The OWASP Foundation Board of Directors currently consists of six elected volunteers (seven starting in 2014). These unpaid volunteers dedicate themselves to the organizational mission and play a pivotal role in the software security community. OWASP conducts democratic elections of its Board Members to enable bottom-up advancement of its mission.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Learn about OWASP  ===&lt;br /&gt;
&lt;br /&gt;
* Read the OWASP Foundation bylaws - [https://www.owasp.org/images/0/05/OWASP_Foundation_ByLaws.pdf Click Here]&lt;br /&gt;
* Review the Monthly Board meetings, voting history and topics - [https://www.owasp.org/index.php/OWASP_Board_Meetings Click Here]&lt;br /&gt;
&lt;br /&gt;
Watch a current video about OWASP:&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
*[http://www.vimeo.com/23889097 Click here] to watch an interview with Tom Brennan, OWASP Board Member 2007-Current&lt;br /&gt;
&lt;br /&gt;
*[http://www.vimeo.com/25335824 Click here] to watch an interview with Jeff Williams, OWASP Board Member 2004-2011&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Or to see OWASP from the beginning, visit [http://waybackmachine.org/jsp/Interstitial.jsp?seconds=5&amp;amp;date=1009278073000&amp;amp;url=http%3A%2F%2Fwww.owasp.org%2Fabout_owasp%2Forgchart.shtml&amp;amp;target=http%3A%2F%2Freplay.waybackmachine.org%2F20011225110113%2Fhttp%3A%2F%2Fwww.owasp.org%2Fabout_owasp%2Forgchart.shtml the WayBack Machine.]&lt;br /&gt;
&lt;br /&gt;
===Election Timeline===&lt;br /&gt;
# '''May 7 - Call for Candidates [http://www.tfaforms.com/284825 Candidate Submission Form]'''&amp;lt;br&amp;gt; &lt;br /&gt;
#* [http://lists.owasp.org/pipermail/owasp-leaders/2013-May/009311.html Leaders List Announcement], [http://owasp.blogspot.com/2013/05/2013-board-election-call-for-candidates.html Blog Post Announcement], [https://twitter.com/owasp/status/334836154195128320 Twitter Announcement]&lt;br /&gt;
# August 11 - Call for Candidates Reminder&amp;lt;br&amp;gt;&lt;br /&gt;
#*[http://lists.owasp.org/pipermail/owasp-leaders/2013-August/009938.html Leaders List Reminder], [http://owasp.blogspot.com/2013/08/last-call-for-2013-election-board-of.html Blog Post Reminder], [https://twitter.com/owasp/statuses/366630187854598144 Twitter Announcement], [http://www.linkedin.com/groups/Last-Call-2013-Election-Board-36874.S.264990813?qid=7110e493-81e4-4a3d-86b5-a956c43ee5bb&amp;amp;goback=%2Enpv_101664190_*1_*1_name_6z5f_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_NUS_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_NUS*5memb*4pic+_*1%2Egmp_36874 LinkedIn Reminder]&lt;br /&gt;
# August 16 - Deadline for Call for Candidates&amp;lt;br&amp;gt;&lt;br /&gt;
# August 22 - Candidates announced LIVE at AppSecEU 2013 as well as on all social media, in the connector and email to leaders list.&lt;br /&gt;
# August 25 - Deadline for questions to be submitted for use during interviews. [https://www.google.com/moderator/#16/e=20f717 2013 Election Questions]&lt;br /&gt;
# September 6 - Deadline for interview recordings to be completed&amp;lt;br&amp;gt;&lt;br /&gt;
# September 30 - Paid &amp;amp; Honorary membership application deadline [http://www.tfaforms.com/284826 Honorary Membership Self Nomination Form]&amp;lt;br&amp;gt;&lt;br /&gt;
# October 9 - Q&amp;amp;A Webinar&amp;lt;br&amp;gt;&lt;br /&gt;
# October 14 - Voting process begins&amp;lt;br&amp;gt;&lt;br /&gt;
# October 25 - Voting process ends&amp;lt;br&amp;gt;&lt;br /&gt;
# October 29 - Election result announcement&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== International Board of Directors Primary Responsibilities  ===&lt;br /&gt;
&lt;br /&gt;
Seated members of the Board of Directors attend and contribute to monthly meetings. [https://www.owasp.org/index.php/OWASP_Board_Meetings See Archive]. Additionally, they:&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
#Create and review a statement of mission and purpose that articulates the organization's goals, means, and primary constituents served globally. They then support that mission and purpose. &lt;br /&gt;
#Support all employees. The Board should ensure that the employees have the moral and professional support needed to further the goals of the organization.&amp;lt;br&amp;gt; &lt;br /&gt;
#Ensure effective planning. The Board must actively participate in the overall planning process for the organization and assist in implementing and monitoring the organization's goals. &lt;br /&gt;
#Monitor and strengthen programs and services. The Board's responsibility is to determine which programs are consistent with the organization's mission and monitor their effectiveness. &lt;br /&gt;
#Ensure adequate financial resources. One of the Board's foremost responsibilities is to secure adequate resources for the organization to fulfill its mission. &lt;br /&gt;
#Protect assets and provide proper financial oversight. The Board must assist in developing the annual budget and ensuring that proper financial controls are in place. &lt;br /&gt;
#Build a competent Board. The Board has a responsibility to articulate prerequisites for candidates, orient new members, and periodically and comprehensively evaluate their own performance. &lt;br /&gt;
#Ensure legal and ethical integrity. The Board is ultimately responsible for adherence to legal standards and ethical norms.&amp;lt;br&amp;gt; &lt;br /&gt;
#Enhance the organization's public standing. The Board should clearly articulate the organization's mission, accomplishments, and goals to the public and garner support from the community.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Additional Responsibilities that the International Board of Directors must adhere to can be found here [https://docs.google.com/a/owasp.org/document/d/sP5OOETtzriv6bC6L6zzr6g/headless/print#heading=h.hgfxswibcczn Board of Directors]&lt;br /&gt;
&lt;br /&gt;
=== OWASP Foundation Board of Directors Updates ===&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:red&amp;quot;&amp;gt;Note: Changes were decided and voted on at the August 19, 2013 Board Meeting&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*'''Board Orientation Documents''' - An official board orientation set of documents will be created that includes a stated conflict of interest policy (in addition to what we have in the bylaws), 2 required reading short books on non-profit foundations, requirement to read previous financial reports and 990, and links to our to-be created governance page. All board members will sign and acknowledge completion of the orientation by Jan 1, 2014. &lt;br /&gt;
&lt;br /&gt;
*'''Conflict of interest policies''' will also be extended to all employees and those in decision making roles for global conferences. We see this as a natural step to mature OWASP and better align with non-profit requirements. This is not in response to any concerns.&lt;br /&gt;
&lt;br /&gt;
*'''Board Size''' - OWASP bylaws specify the board must be between 5 and 7 members. Currently the OWASP board is 6 members. We voted to extend to 7 members. The 2013 election will now seat 4 spots instead of 3. The newly elected board members will begin their terms Jan 1, 2014. At this time we'll see the board officially expand to 7 members.&lt;br /&gt;
&lt;br /&gt;
*'''Quarterly Board Meetings''' - The board voted to move board meetings from the current schedule of monthly 1 hour meetings to quarterly 4-6 hour meetings. The schedule of meetings will be set by the board in December before the year. It is likely that the board meetings will take place on Saturdays or on a dedicated day before a large OWASP conference. This change is a result of the success of the longer format board meeting and also a result of the Executive Director role that has enabled full time involvement and focus on OWASP operations. This will take effect in January, 2014.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Eligibility Requirements for Board Candidates ===&lt;br /&gt;
&lt;br /&gt;
You need to be an OWASP member. '''NOT''' just paid members, but active project and chapter contributors are eligible. All candidates must be in good standing for a twelve (12) month period of time prior to '''30-September 2013'''. Candidates are required to submit a bio, current membership number and note if you are a paid or honorary member. You will be contacted shortly after your response for an audio interview/podcast.&lt;br /&gt;
If you are interested in running for the board then please submit your intention along with the requirements listed above to: [http://www.tfaforms.com/284825 Call for Candidates]&lt;br /&gt;
 &lt;br /&gt;
&lt;br /&gt;
===2013 Board Candidates===&lt;br /&gt;
{|class=&amp;quot;wikitable&amp;quot; {{table border=1}}&lt;br /&gt;
| [[#Abbas_Naderi_Afooshteh | Abbas Naderi Afooshteh]]|| [[#Fabio_Cerullo | Fabio Cerullo]]||&amp;lt;span style=&amp;quot;color:red&amp;quot;&amp;gt;Tahir Khan - Withdrawn&amp;lt;/span&amp;gt;||[[#Jason_Li | Jason Li]]&lt;br /&gt;
|-&lt;br /&gt;
| [[#Kelvin_Arcelay | Kelvin Arcelay]]||[[#Michael_Coates | Michael Coates]]||[[#Timur_kHrotko | Timur kHrotko]]||[[#Yiannis_Pavlosoglou | Yiannis Pavlosoglou]]&lt;br /&gt;
|-&lt;br /&gt;
| [[#Ezendu_Ariwa | Ezendu Ariwa]]||[[#Bil_Corry | Bil Corry]]||[[#Martin_Knobloch | Martin Knobloch]]||[[#Ludovic_Petit | Ludovic Petit]]&lt;br /&gt;
|-&lt;br /&gt;
| [[#Sergei_Belokamen | Sergei Belokamen]]||[[#Tobias_Gondrom | Tobias Gondrom]]||[[#Gregory_Disney-Leugers | Gregory Disney-Leugers]] ||[[#Josh_Sokol |Josh Sokol]]&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== Abbas Naderi Afooshteh ====&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Candidate !! Abbas Naderi Afooshteh &lt;br /&gt;
|-&lt;br /&gt;
| Country Of Residence || USA &lt;br /&gt;
|-&lt;br /&gt;
| Membership Status || Honorary Member &lt;br /&gt;
|-&lt;br /&gt;
| Bio || Abbas Naderi Afooshteh is a renowned security expert in the Middle East, he has ranked first in many national and global CTFs and has been in the field for more than 8 years. He is the current Iran Chapter Leader at OWASP, and has 5 years of activity in OWASP resulting in many projects such as OWASP RBAC Project, OWASP PHP Security Project, OWASP WebGoatPHP Project and etc. He has participated in many other projects such as Cheat Sheets and ESAPI. Abbas has studied software engineering and information technology in his BS and MS and is now going to CMU to study Information Security for MS+PhD. He spends many hours daily leading OWASP projects and mentoring new enthusiasts that join projects, as well as shaping bright ideas into OWASP projects. More can be found at https://abiusx.com/cv &lt;br /&gt;
|-&lt;br /&gt;
| Why Me? || I have watched OWASP evolve in many years, and inspected how greatly it has impacted the world of web security. Security has grown rapidly these years, and people look up to OWASP to feed them what they need. On top of that, OWASP has been my open source haven. The way it operates, people contributing without wanting back, everyone sharing and decisions made in public; I have never seen a community more selfless and more productive in any of the open source communities I've worked in. Unfortunately in recent years (especially last year), this trend was changed somehow. Many decisions were made at the board level, that leaders and active members greatly dislike. Many things were done that were not transparent at all. This trend has unmotivated a great many of OWASP participants, and I hate to see that happen any further. The board is there to take the load on OWASP, not to take the spirit away. It is solely there to make decisions when everybody else is busy doing actual worthy stuff, so I strongly believe that when the board works on a decision that will impact everybody in the community, and is not sure that (almost) everybody will like it, it has an obligation to ask and make sure before making that decision. I'm also strongly against the board members empowering their respective chapters, and leaving others behind. The rapid growth of OWASP is bound to introduction of new chapters, and supporting them. I see a lot of chapters with a handful of enthusiasts and they just need a kick-start to add a hundred new active members to our community, yet small influential chapters are taking all the credit and juice to them. 
The board are the elective body of the community, not their chapters. So on top of making the board activities much more transparent, and supportive of other chapters, I plan to involve other influential bodies in the infosec world (namely companies and universities) and get them to financially and academically support new and bright OWASP projects so that they can prosper more rapidly. If we're going to stick to what we had 5 years ago as our projects, people will turn away in time. We have a lot of potential and we ought to make it happen. &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== Kelvin Arcelay ====&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Candidate !! Kelvin Arcelay &lt;br /&gt;
|-&lt;br /&gt;
| Country Of Residence || USA &lt;br /&gt;
|-&lt;br /&gt;
| Membership Status || Current Paid Member &lt;br /&gt;
|-&lt;br /&gt;
| Bio || Transformational Information Technology and IT Risk Management executive with extensive expertise in the payments processing and manufacturing industries including operating regulations, supply chain and vertical integration management, discrete and process manufacturing, payment processing platforms and, domestic and international deployments. Core competencies include: Strategy; Implementation Scope and Plan; Project Management; Capacity Planning; Security and Risk Management; Internal Controls; M&amp;amp;A Due Diligence; Multi-Nationals; Business Continuity Planning; Disaster Recovery &lt;br /&gt;
|-&lt;br /&gt;
| Why Me? || Performance-focused executive with more than 25 years of successes managing reliable and secure IT operations. Offers Fortune 100 experience, consistent record of realizing multimillion-dollar cost savings, proven blend of business and technical expertise. Hands-on approach to leadership and change management including ensuring compliance, maintaining quality assurance, optimizing processes, and driving strategic alignment. Experienced in advisory services for clients with international and domestic operations, collaboration efforts with external auditors, optimization of governance processes and delivering significant optimization programs capable of netting his clients several million dollars in cost savings. Highly analytic, adaptable style of decision-making and problem solving management style proven in the corporate realm, delivering IT services management in global enterprises, M&amp;amp;A portfolio integration management, consolidation of business operations and services, turning around “runaway” ERP initiatives, and, establishing industry standards capable of achieving highly integrated management processes and financial data accuracy. &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
==== Ezendu Ariwa ====&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Candidate !! Ezendu Ariwa &lt;br /&gt;
|-&lt;br /&gt;
| Country Of Residence || Nigeria &lt;br /&gt;
|-&lt;br /&gt;
| Membership Status || Current Paid Member &lt;br /&gt;
|-&lt;br /&gt;
| Bio || Professor Ezendu Ariwa, FBCS, CITP, SMIEEE, FHEA; Chair, IEEE Consumer Electronics &amp;amp; Broadcast Technology Chapter, UKRI; Visiting Professor, Gulf University, Bahrain; Visiting Professor, University of Lagos, Nigeria; Professor of Business Enterprise Consultancy/Non-Executive Director, ELITSER IT SOLUTIONS INDIA PVT LTD; Research Professor for Enterprise Projects/Director - Technical, Sun Bio IT Solutions Pvt. Ltd, India; London Metropolitan University, UK. Ezendu holds the position of Visiting Professor, Gulf University, Bahrain, Visiting Professor, University of Lagos, Nigeria and Visiting Professor, Kano State Polytechnics, Nigeria as well as Visiting Affiliate of the Green IT Observatory, RIMT University, Australia and Visiting Affiliate of ICT University, USA. He also holds the position of Director - Technical and Non-Executive Director and Research Professor for Enterprise Projects at Sun Bio IT Solutions Pvt. Ltd, India; and Non-Executive Director and Professor of Business Enterprise Consultancy of ELITSER IT SOLUTIONS INDIA PVT LTD, Hyderabad – 500 038 Andhra Pradesh INDIA. He is also the Chair for the IEEE Consumer Electronics Chapter, United Kingdom &amp;amp; Republic of Ireland (UKRI) and Chair for the IEEE Broadcast Technology Chapter, UKRI. He is a Senior Member of Institute of Electrical &amp;amp; Electronic Engineers (SMIEE); Chartered FELLOW of the British Computer Society (CITP, FBCS), Fellow of the Institute of Information Technology Training (FIITT) and Fellow of the Higher Education Academy (FHEA). He is also a Fellow of the Higher Education Academy of United Kingdom (FHEA), member of the Elite Group of The British Computer Society (BCS), member of British Institute of Facilities Management and Fellow of Global Strategic Management, Inc., Michigan, USA and Member of the UK Council for Health Informatics Professions and Fellow of the Higher Education Academy. 
He is also the Co-ordinator of the Digital Enterprise Research Group (DERG), African Research in Business Group (ARBG) and working with the team to achieve African Business and Enterprise Research Observatory (ABERO) at the London Metropolitan Business School. The ABERO achieved good collaboration with multicultural SMEs in the United Kingdom, with respect to mentoring and working on joint professional development enterprise programmes. He has experience of doctoral research supervision as well as doctoral external examiner for various Universities both in the UK and internationally. He has a good research profile and the Founding Editor-in-Chief of the International Journal of Green Computing (IJGC), Editor-in-Chief of the International Journal of Computing and Digital Systems (IJCDS), Journal of E-Technology, and the Associate Editor of the International Journal of E-Politics and the Associate Editor of International Journal of Distributed Systems and Technologies (IJDST). He is a member of Policy Co-ordination Committee of the International Research Foundation for Development (A Corporation of NGO in special Consultative status with the Economic and Social Council of the United Nations). His research interest includes: Green Technology and Corporate Sustainability, Strategic Information Systems, E-Learning and Knowledge Management, Consumer Electronics and Broadcast Technology, ICT for Development and Facilities Management, Knowledge Transfer in Developing Economy, Open Learning and Social Enterprise, Green Communications and Corporate Social Responsibility, Renewable Energy and Climate Change, Social Media and Energy Management Systems. &lt;br /&gt;
|-&lt;br /&gt;
| Why Me? || If elected to the Global OWASP Foundation Board of Directors, I will use various international networks including Universities, Colleges, Institutions of Higher Education, Industrial Sectors, Business Sectors, Governmental and Non-governmental outlets to promote and engage with the good work. I will work with the board of Directors and members closely through regular communication to generate new ideas and collaborations for the positive work of the Global OWASP objectives and mission. In addition, the Global OWASP will be promoted through various conferences, Symposium and web-based publications of events and possible special issues with Guest Editors as part of promoting the Global OWASP and collaborative research projects and workshops With my experience in working with various executive board. editorial board, this will complement forum for promoting the Global OWASP internationally and putting it on the apex of professional organisation for excellence. I have the expertise and experience from University teaching, research and enterprise partnerships in the field of Strategic Information Systems and Knowledge Management; and other Enterprise Systems to working with Business and industrial sectors as well as community groups, on collaborative projects and widening Participation as well as Business Enterprise partnerships using Information and Community Technology (ICT). I am one of the Co-Founders, and Co-ordinator of various positive initiatives such as LMBS African Research in Business Group (ARBG) and the Digital Enterprise Research Group (DERG) which received support from the IEEE URI – Consumer Electronics Chapter for events organised. 
I also served in voluntary capacity as Council Member of the UK Council of Healthcare Informatics Professionals, Chair for the IEEE UKRI Consumer Electronics Chapter, Chair for the IEEE UKRI Broadcast Technology Chapter, Chair of the Society of Digital Information &amp;amp; Wireless Communications (SDIWC), President/Chair of the Nigerian ICT Professionals in the UK, Former Member of Haringey Council Inspection and Registration Advisory Committee, Former member of the Board of Governor of Homerton University Teaching Hospital, London; Former member of the Board of Governor of Royal National College of the Blind, Hereford. My work experience and involvement ranged from University, Business Sectors, local authority, community groups partnerships within Further Education (FE) and Higher Education (HE); Business and Enterprise Sectors and Industries as well as United Nations Representative on behalf of the International Research Foundation Development (IRFD). At the National and International levels, I have active interest in partnerships and collaborative research with the businesses, industries and Universities. I have organised and chaired various international, national and regional conferences, symposium, forum and focus groups, and sharing information, knowledge and communication framework tailored towards digital enterprise and widening participation agenda. This model was geared towards knowledge dissemination through publications, improving performance and ensuring that service levels are improved using cost effective and benefit models in order to achieve best practice. I have developed both national and international network through publications and contributions through meetings where briefing and positive agenda were discussed. I am an efficient and effective person in terms of completing customer satisfaction reports, feedback and time management at cost savings facet within the faculty and the university levels. 
These factors were used to address gaps in service delivery and provisions with reference to my Green Computing and Energy Savings research in 2008 which focused on the Tower Building (Technology Tower) with positive results in terms of energy savings of £18,000 per year using the Carbon Trust indicators. I have positive drive and competence that I am always sharing with team members for the advancement of work and developmental target. I am a good listener and active member of a team, and value contribution from reflective team members. I have very good communication skills, both written and oral. I have experience in presentation, reports, and representation using various interface mechanisms. I am skilful in dealing with impartiality, integrity and objectivity, as I am focused on developing positive business enterprise, collaborative research, KTP agenda, and Income Generation. I respect equal opportunity, and wider participation in business and work. In the nutshell, I have in-depth knowledge in the business applications and hope to provide a balance to competitive benchmarking and quality assurance. I have good record of Consultancy and practical achievement at professional, business, industrial and institutional levels. 
I successfully completed the following consultancy programmes: Design and Development (KTP) with Hug Engineering UK and Austria; Working on the GreenTrac – Energy Savings proposals (with UK Company); The British Council Knowledge Management projects for Developing Economies on the following: Record Management Systems for Nigerian Universities and Polytechnics; E-Learning Programmes for USA University (Collaborative work); Business Process RE-Engineering &amp;amp; Management for University in Bangladesh; ICT Archiving Systems for Iraqi Parliament (In discussion) with the ICT Minister. In summary, my experience from University collaborative partnership, community involvement, widening participation and network development programmes; and University research potentials using information systems and financial services expertise will complement my practical orientation and act as valuable asset towards effective Leadership service delivery and customer relationship management. I serve in academic, business and community forum groups for University Diversity Directorate; and I hold the following Visiting Professorship and Editorial positions: Visiting Professor University of Lagos, Nigeria; Visiting Professor Gulf University, Bahrain; Visiting Professor [European School of Economics, London Campus], Editorial Advisory Board Member and Executive Peer Reviewer for Educational Technology &amp;amp; Society responsible for the review of Journal of International Forum of Educational Technology &amp;amp; Society and IEEE Learning Technology Task Force, Reviewer of Computing Reviews/ACM Journals and Assistant Editor of The International Journal of Applied Human Resource Management. I am currently a member of Policy Co-ordination Committee of the International Research Foundation for Development (A Corporation of NGO in SPECIAL Consultative status with the Economic and Social Council of the United Nations). 
I was member of Homerton University Hospital NHS Trust Board, UK and currently member of the UK Council for Healthcare Informatics Professionals (UKCHIP) and Committee member of the British Computer Society (BCS) – Information Security Specialist Group (ISSG). These skills will bring valuable experience and expertise dissemination in the position of member of the Global OWASP Foundation Board of Directors &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== Sergei Belokamen ====&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Candidate !! Sergei Belokamen &lt;br /&gt;
|-&lt;br /&gt;
| Country Of Residence || Australia &lt;br /&gt;
|-&lt;br /&gt;
| Membership Status || Honorary Member, Melbourne Chapter Leader &lt;br /&gt;
|-&lt;br /&gt;
| Bio || Sergei has over 10 years of experience in providing Application Security, Information Security and IT services to high profile and prominent companies in Australia and internationally. He's recognised within the industry as someone with impeccable reputation, who has helped his clients establish leading strategies around Information Security. In his current role, Sergei is a CTO and a founder of Bugcrowd - Crowdsourced Security Testing. Bugcrowd runs managed bug bounty programs. Some of my past achievements include: - Current chapter lead for OWASP Melbourne, Australia. - OWASP PHP Project lead. Though the project is now defunct. - Working on large scale secure software development lifecycle methodology and processes; development and deployment. - Developing Information Security strategy, controls and low level APIs for online user behaviour monitoring, malicious activity monitoring and ecommerce fraud minimisation. - Bugcrowd being accepted into 2013 intake of the Startmate Tech Accelerator program. Sergei has also worked on a number of short, medium and long term security consulting engagements, providing application security, ethical hacking, application security architecture, source code security review for a wide range of clients across most industries; contributed and been recognised within Google's security bounty programme; and long standing involvement with OWASP. &lt;br /&gt;
|-&lt;br /&gt;
| Why Me? || I have been involved with OWASP for the last eight years. From attending chapter meetings and events to leading a project and chapter lead for the Melbourne OWASP chapter. The friends I made through OWASP have helped me grow both personally and professionally and have ultimately influenced and assisted my career transition to focus exclusively on application security. I feel that OWASP has a lot of potential and I would like to play a role in influencing making OWASP a single, most recognised, global resource for application security. I would like to leverage my experience and network to improve the visibility of application security and contribute to its evolution. Some of the areas I would like to influence are: - Improving the quality and adoption of OWASP standards through tighter integration with standards bodies such as ISO, NIST and PCI. - Improving the project management office within OWASP to boost the quality of materials, response times and streamlining the overall process. - Establish 'OWASP reputation' for high quality and high volume contributors, where individuals can apply for funding to move along research or development. - Establish a funding mechanism that allows OWASP to pay key contributors like Linux Foundation. - Establishing a review project for all materials on the OWASP website. - Work on making OWASP a more inclusive 'application security' resource with less focus on 'web application' security exclusively to mirror the evolution of the industry and ensure that OWASP remains the preeminent and relevant body for application security. For example mobile application, APIs, etc. &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== Fabio Cerullo ====&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Candidate !! Fabio Cerullo &lt;br /&gt;
|-&lt;br /&gt;
| Country Of Residence || Ireland &lt;br /&gt;
|-&lt;br /&gt;
| Membership Status || Current Paid Member, Ireland-Dublin Chapter Leader &lt;br /&gt;
|-&lt;br /&gt;
| Bio || Fabio has over 12 years of experience in the information security field gained across a diverse range of industries. As CEO &amp;amp; Founder of Cycubix, he helps customers around the globe by assessing the security of applications developed in-house or by third parties, defining policies and standards, implementing risk management initiatives, as well as providing training on the subject to developers, auditors, executives and security professionals. As a member of the OWASP Foundation, Fabio is usually involved in raising application security awareness among businesses, governments and educational institutions. He organised the OWASP AppSec Europe 2011 conference in Dublin, the OWASP Latam &amp;amp; European Tours, and is part of the OWASP Ireland Chapter Board since early 2010. He also represents OWASP in the Google Summer of Code since 2012 making sure students and mentors alike could collaborate and work together in OWASP projects. He holds a Msc in Computer Engineering from UCA and has been granted the CISSP &amp;amp; CSSLP certificates by (ISC)2. &lt;br /&gt;
&lt;br /&gt;
Please feel free to reach me with your questions/comments through [http://www.linkedin.com/in/fcerullo/ LinkedIn] / [http://twitter.com/fcerullo Twitter] / [mailto:fcerullo@owasp.org Email]&lt;br /&gt;
&lt;br /&gt;
|-&lt;br /&gt;
| Why Me? || My main motivations to join the Global OWASP Foundation Board of Directors could be summarised as follows:&lt;br /&gt;
* '''Increase OWASP presence in emerging regions.'''&lt;br /&gt;
* '''Promote development of new/existing OWASP projects.'''&lt;br /&gt;
* '''Build relationships with industry, government, and educational institutions.'''&lt;br /&gt;
* '''Support the overall OWASP community and its various activities.'''&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
==== Michael Coates ====&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Candidate !! [https://www.owasp.org/index.php/User:MichaelCoates Michael Coates ]&lt;br /&gt;
|-&lt;br /&gt;
| Country Of Residence || USA &lt;br /&gt;
|-&lt;br /&gt;
| Membership Status || Honorary Member &lt;br /&gt;
|-&lt;br /&gt;
| Bio || &lt;br /&gt;
* Director of Security Assurance at Mozilla&lt;br /&gt;
* Current Chairperson of the OWASP Global Board&lt;br /&gt;
* Founder of OWASP AppSensor Project&lt;br /&gt;
&lt;br /&gt;
Michael Coates is the Director of Security Assurance at Mozilla. In this role, Michael sets the strategy for security across Mozilla and leads security operational initiatives. Michael leads a team of talented security experts from around the world that focus on securing Mozilla's technologies including: Firefox, Firefox OS, Web applications, services and the infrastructure and systems that power Mozilla. Michael was recently featured as one of [http://www.scmagazine.com/community-advocate-for-secure-software/article/269005/ SC Magazine's 2012 Influential IT security minds] and often [http://michael-coates.blogspot.com/p/speaking-events.html speaks] on Web security at open source conferences and security events throughout the world. &lt;br /&gt;
&lt;br /&gt;
Michael holds a M.S. in Computer, Information and Network Security from DePaul University and a B.S. in Computer Science from the University of Illinois. From 2011-2013 Michael was elected to the OWASP global board and served as the chair of the board. &lt;br /&gt;
&lt;br /&gt;
Michael is also the founder of the [https://www.owasp.org/index.php/OWASP_AppSensor_Project OWASP AppSensor] project which is now featured by the Department of Homeland Security as a core approach to building [https://buildsecurityin.us-cert.gov/swa/topics/resilient-software/ resilient software] and was the subject of an article within the Department of Defense Cross Talk magazine. &lt;br /&gt;
&lt;br /&gt;
More about me: [http://www.linkedin.com/in/mcoates/ linkedin] | [http://michael-coates.blogspot.com blog] | [http://twitter.com/_mwc twitter] | [https://www.owasp.org/index.php/Special:Contributions/MichaelCoates OWASP Wiki Edits]&lt;br /&gt;
|-&lt;br /&gt;
| Why Me? || Over the first term on the global board I worked to bring maturity and structure to our growing organization. We established OWASP as a platform for security experimentation and growth. This included experimenting with new outreach channels such as the Security 101 mailing list and the 2012 monthly security blitz. In addition, I helped advance the OWASP foundation with a strong focus on budget planning and fiscal responsibility. We formalized board meetings with clear agendas and recorded archives and also created an Executive Director full time position to adapt to the growing size and needs of OWASP. Throughout these two years I was also a public advocate for OWASP which included OWASP specific talks at RSA 2012, the Department of Defense and at Oracle. I also conducted interviews for CNN and SCMagazine related to OWASP topics and security. Throughout my tenure I've always tried to bring a positive and community oriented spirit to OWASP discussions.&lt;br /&gt;
&lt;br /&gt;
If the OWASP community would like to see me continue on the OWASP board (which I would love to do) I will focus on the following items in 2013-2015:&lt;br /&gt;
* '''Expansion of OWASP to Technology Startups''' - Numerous technology startups are looking for guidance on how to build the framework and foundation of the security programs. Through my consultation with them I wish to work with the OWASP community to build an OWASP program focused on their needs. This will bring new organizations to OWASP and spread our mission to new technologies at the birth of their design.&lt;br /&gt;
* '''Growth of OWASP within Government''' - Now more than ever the issue of security is in the spotlight of legislation. OWASP can provide independent guidance and resources to help educate key policy makers and tools and projects that can be used by implementors. &lt;br /&gt;
* '''OWASP Community Platform''': I've been working with our operations team to introduce recognition programs to our community. This would be in the form of digital badges, promotion of key activities by OWASP volunteers, creation of a central OWASP directory software to promote and build the OWASP community and more.&lt;br /&gt;
&lt;br /&gt;
I believe the OWASP community is the true power of OWASP. I'm committed to continuing to build a structure at OWASP that empowers individuals to take risks, experiment and learn. OWASP is a platform for security research and an independent voice of reason in the growingly complex field of security. &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
==== Bil Corry ====&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Candidate !! Bil Corry &lt;br /&gt;
|-&lt;br /&gt;
| Country Of Residence || Luxembourg &lt;br /&gt;
|-&lt;br /&gt;
| Membership Status || Current Paid Member &lt;br /&gt;
|-&lt;br /&gt;
| Bio ||  ||  &lt;br /&gt;
|-&lt;br /&gt;
| Why Me? || OWASP has grown and will continue to grow; ad-hoc processes do not scale well. I plan to focus on maturing the organization - clarifying the bylaws, documenting ad-hoc processes, creating guidelines in various areas of contention, improving the general web experience, and other much needed refining. &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== Tobias Gondrom ====&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Candidate !! Tobias Gondrom &lt;br /&gt;
|-&lt;br /&gt;
| Country Of Residence || Hong Kong &lt;br /&gt;
|-&lt;br /&gt;
| Membership Status || Current Paid Member, London Chapter Board Member &lt;br /&gt;
|-&lt;br /&gt;
| Bio || Running Thames Stanley, a boutique Global CISO and Information Security &amp;amp; Risk Management Advisory based in Hong Kong, United Kingdom and Germany. About 15 yrs of experience in software development, application security, cryptography, electronic signatures and global standardization organizations working for independent software vendors and large global corporations in the financial, technology and government sector. My background is in the industry and corporate side of web application security. Over the years, have run a corporate info sec team and trained and advised dozens of CISOs and senior information security leaders around the globe. And in addition to my technical background, also have a management degree from London Business School, which helps with the governance and financial bits and pieces. And over the years gained some governance experience in a few global organisations and boards.&lt;br /&gt;
&lt;br /&gt;
OWASP related: Have volunteered for a few projects and chapter leadership roles since 2007.&lt;br /&gt;
* Currently, as a member of the OWASP London chapter board and visiting a number of OWASP chapters in Asia as a guest speaker.&lt;br /&gt;
* project lead for the OWASP CISO Report and Survey project and contributor to some other bits and pieces.&lt;br /&gt;
* and given some CISO training days at our AppSec conferences.&lt;br /&gt;
&lt;br /&gt;
Previously:&lt;br /&gt;
* chapter lead OWASP Germany for a couple of months (until I moved to London).&lt;br /&gt;
* volunteered for the Global Industry Committee.&lt;br /&gt;
&lt;br /&gt;
Beyond OWASP:&lt;br /&gt;
* Since 2003, the chair of working groups of the IETF (www.ietf.org), a member of the IETF security directorate, and since 2010 chair of the web security WG at the IETF.&lt;br /&gt;
* written some security RFCs and co-authored books on „Secure Electronic Archiving“ and a frequent presenter at conferences and publication of articles (e.g. AppSec, IETF, ISSE, ...).&lt;br /&gt;
* Board member of the CSA Hong Kong and Macau chapter.&lt;br /&gt;
* ISC2 CSSLP and CISSP Instructor. &lt;br /&gt;
|-&lt;br /&gt;
| Why Me? || I feel very passionate about our mission and our goals for an open community to advance web and application security globally. In the past that has inspired me to help with some ground work here and there, but not so much seeking a board election. However, in the last year, there were a few board decisions and activities, where I felt they were executed not in the best way for our community. And as a consequence, I gave myself the challenge to either shut up and accept things as they are or spend the time and effort and try to do it better. So am now trying the latter and volunteering for the board. ;-) There are a few things that I would like to look at on the board:&lt;br /&gt;
1. Increase reach out to developers and industry: I like to extend our OWASP reach much more towards industry and developers. (so to speak &amp;quot;where the rubber meets the road&amp;quot;) We have so much expertise and knowledge in our community with all our great security experts and projects, but we need to get it out there and bring this more into the developer community and industry who actually build the applications in the first place, to increase our impact and help reduce the most common vulnerabilities. E.g. I find it is a shame that we are still looking at so many (too many) basic vulnerabilities, like e.g. SQL injection vulns, which could with some basic developer training be avoided.&lt;br /&gt;
2. Membership: I also like to extend corporate memberships towards industry and &amp;quot;consuming&amp;quot; companies as well. Today most of our corporate members are consulting and pen testing companies, I would like to also work to gain more industry corporate members.&lt;br /&gt;
3. Governance: advance the maturity of OWASP as an open community organisation. E.g. review some of the oversight and governance questions: I think we can be more transparent and open in how we do things, and even if it's just to be open and document processes how we make decisions.&lt;br /&gt;
4. Revisit the transition away from the global committees. I fear that a few things fell in the cracks when we shut down the committees and were not picked up yet. &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== Timur kHrotko ====&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Candidate !! Timur kHrotko &lt;br /&gt;
|-&lt;br /&gt;
| Country Of Residence || Hungary &lt;br /&gt;
|-&lt;br /&gt;
| Membership Status || Not a Member, Hungary Chapter Leader &lt;br /&gt;
|-&lt;br /&gt;
| Bio || I am a 43 yrs old Russian born in Budapest, Hungary. I am resident in Hungary, but I try to short visit Russia 4x a year. My English is quite fluent. It is 10 years now that my professional activity focuses on information security. First years me and my company we developed our own innovative enterprise IAM solutions. The key of innovation was to look at security not as a technical but business/organizational matter. While being quite a tech-savvy in security (from hardening a bsd server to teaching about password internals, advising financial institutions on secure architecture and being regular listener of pauldotcom) I still am a person who looks at problems in organizational perspective (management is my academic topic). I understand well the legal language having my 20 years practice in negotiations and contracting. I understand the managerial decision making not only as software vendor and consultant but as a researcher in organizational studies. All this is important, since I believe we must provide a whole vertical solution in application security: from secure coding guidelines up to corporate appsec policy and down the contractual templates. And we, OWASP have to cover these non-technological areas as good as we did with the development field. 
Some years backwards and achievement highlights:&lt;br /&gt;
* 2013 Hungary chapter leader&lt;br /&gt;
* 2012 Hungary chapter founder (one of the founders)&lt;br /&gt;
* 2011 cloudbreaker.co AppSec/EH company started, partner/business relations&lt;br /&gt;
* 2010 Defended PhD at Corvinus University of Budapest (more publications still needed to have the title)&lt;br /&gt;
* 2010 My PhD dissertation is published in English as a book&lt;br /&gt;
* 2008 ITEuropa IT Excellence Award to our innovative Identity Management solution (AZD idED)&lt;br /&gt;
* 2007 Hungarian (IT business) innovation award to our Identity Management solution&lt;br /&gt;
* 2006 GE Money Hungary deploys the Identity Management solution (idED) made on mainly my concept&lt;br /&gt;
* 2003 GE Money Hungary deploys an Access Management solution made with my business-process centric concept&lt;br /&gt;
* 2000 MSc, Finance, Budapest University of Economic Sciences (BKÁE, BUES)&lt;br /&gt;
* 1993 MSc, Business IT Management, Budapest University of Economic Sciences (BKE, BUES)&lt;br /&gt;
|-&lt;br /&gt;
| Why Me? || We have extraordinary security expertise, projects and tools, but a lot of security aware effort brakes on managerial/business and contractual negligence regarding application security. In order to be more successful in our efforts we must package the security aware approach into practices more easily adoptable by profit-oriented business organizations and bureaucratic institutions, practices more accessible for managerial decision making, and requirements controllable by legal instruments. As a Board member I would like to take care of non technological (non development/code/tool related) but rather business management related projects, best practices and vision of application security. For example application security must be blessed on corporate governance level, implemented on the level of procurement and contracting, and application security must be an aspect in vendor management. As OWASP we already have an authority of the global best practice provider, so using our existing patterns of projects we can provide the solutions for obstacles faced by our mainstream efforts. And there are already existing projects in OWASP regarding the aspect I advocate, so we can move forward fast. Being resident in Eastern Europe and being in my major part Russian I would like to extend the global spirit of the organization, and I would try to make the OWASP &amp;quot;device&amp;quot; more accessible in Russia next year. &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== Martin Knobloch ====&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Candidate !! Martin Knobloch &lt;br /&gt;
|-&lt;br /&gt;
| Country Of Residence || Netherlands&lt;br /&gt;
|-&lt;br /&gt;
| Membership Status || Current Paid Member, Netherlands Chapter Leader&lt;br /&gt;
|-&lt;br /&gt;
| Bio || Martin has been a Java Developer and Software Architect, until he focused on Software security in 2005. In that year, he set-up a security task force at his former employer and after attending the 2nd OWASP AppSec-Eu conference in 2006, Martin got hooked by OWASP. Since 2007 Martin has been an active board member in the Netherlands Chapter. He has been involved in several projects and volunteers at AppSec-conferences. Further, he has been an active participator at the OWASP summits in 2008 and 2011 as well as chair of the OWASP Education Committee. Martin has represented OWASP and been a speaker at several OWASP, Developer, Testing and Hacker events in the Netherlands and International. Since February 2011, Martin is a self-employed security consultant and trainer. &lt;br /&gt;
|-&lt;br /&gt;
| Why Me? || With my experience of the OWASP organization, I will help the foundation to continue to grow the organization size and relevance to the wider community whilst maintaining independence and increasing openness towards the community. Next to that, I will focus on the following:&lt;br /&gt;
* Increasing the awareness of OWASP outside the security community&lt;br /&gt;
* Fostering the growing African community&lt;br /&gt;
* Cultivate the initiatives of OWASP at educational institution as Universities &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
==== Gregory Disney-Leugers ====&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Candidate !! Gregory Disney-Leugers &lt;br /&gt;
|-&lt;br /&gt;
| Country Of Residence || USA &lt;br /&gt;
|-&lt;br /&gt;
| Membership Status || Honorary Member &lt;br /&gt;
|-&lt;br /&gt;
| Bio || Gregory is the project leader of OWASP Mantra-OS, and the Owner of Seccomp. &lt;br /&gt;
|-&lt;br /&gt;
| Why Me? || I believe OWASP is the web standard of web security and has some of the best and the brightest volunteers, of any Open source project. With the constant growth of technology, OWASP needs to grow with these changes and be current with security threats. If I was to be elected I would bring my passion and dedication to OWASP, and do everything in my power to help grow OWASP with the ever constant changes. &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== Jason Li ====&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Candidate !! Jason Li &lt;br /&gt;
|-&lt;br /&gt;
| Country Of Residence || USA &lt;br /&gt;
|-&lt;br /&gt;
| Membership Status || Current Paid Member &lt;br /&gt;
|-&lt;br /&gt;
| Bio || I am a long time OWASP contributor having served actively on the OWASP Global Projects Committee from the birth of the global committees through their disbanding. I am one of the original co-authors of the AntiSamy Java project and the Code of Conduct for Certifying Bodies (the &amp;quot;Red&amp;quot; book). I was part of the core planning committee for the 2011 OWASP Summit along with Lorna Alamri and Sarah Baso. I've also worked behind the scenes supporting OWASP staff by creating the expense reimbursement workflow and new project forms that are still in use. I'm one of the resident OWASP wiki ninjas having created/pioneered many of the wiki templates used in OWASP projects and ultimately copied in other aspects of the wiki. During the day, I work as a Managing Consultant for Aspect Security performing a variety of application security consulting services. In my spare time, I am a social ballroom dancer, indoor rock climber, amateur trapeze artist, Star Trek fan, world traveler, and general adventurer. &lt;br /&gt;
|-&lt;br /&gt;
| Why Me? || I believe I will bring a sense of balance and vision to the Board. Having been involved in the organization for many years, I'm keenly aware of our history and of initiatives that have been successful and those that have failed. I would like those experiences and lessons learned to have a voice on the Board. I also believe in taking pragmatic action as opposed to pontificating about ideals. I have a history of taking thoughtful action on behalf of OWASP - sometimes I've succeeded, sometimes I've failed - but I believe at some point the endless debate must end and something must simply be done with the best of intentions. &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== Yiannis Pavlosoglou ====&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Candidate !! Yiannis Pavlosoglou &lt;br /&gt;
|-&lt;br /&gt;
| Country Of Residence || United Kingdom &lt;br /&gt;
|-&lt;br /&gt;
| Membership Status || Current Paid Member &lt;br /&gt;
|-&lt;br /&gt;
| Bio || There is a world of numbers, hiding behind letters, inside computers that stimulates the brain of Yiannis. Currently, he is spending a lot of time in the area of IT risk management and risk control within the finance industry. Starting from the world of professional penetration testing, Yiannis did focus his career evolution on assisting teams write secure code and implementing an SDLC for large scale projects. For OWASP, Yiannis was the project leader for JBroFuzz and used to chair the Global Industry Committee, having contributed to a number of projects and initiatives listed here: https://www.owasp.org/index.php/User:Yiannis He is on the Application Security Advisory Board of (ISC)2, holds a PhD in information security, is a certified Scrum Master and is also CISSP certified.&lt;br /&gt;
|-&lt;br /&gt;
| Why Me? || &amp;quot;It's not what OWASP can do for you, but it's what you can do being a WASP!&amp;quot; Despite the above starting as a joke post BlackHat on the leaders mailing list, I think we as an organisation have a small reversal of roles when it comes to the way we treat OWASP. I see a lot of people angry on the leaders mailing list, why is that? Do we need to perhaps clear to define the governance on this and other lists? For starters, I haven't been a project or chapter leader for a number of years, yet I am still on it. If I was elected on the board, I would continue building on the foundations of a good governance we have had from previous board members, with the intention of adding more structure to the organisation. Let's be clear this would not be an attempt to challenge the &amp;quot;O&amp;quot; in OWASP, instead provide the right forum for the right level of communication to take place. Experience in other organisations has shown me that you achieve a lot more that way.&lt;br /&gt;
&lt;br /&gt;
Vendors, logos, images, agendas, what is going on there? Definitely some work would need to take place to re-affirm the necessary neutrality that OWASP should have when it comes to such matters. An iterative process of re-affirming the level of neutrality required would be a proposal I would put forward for wider adoption. Having been a project leader, I recall the motivation of being granted money to write code, it was so exciting! We need more of that, but in the form of stakeholder management: Let's not kid ourselves there are well known ways to write good software and this industry has but a few good examples of that. Requirements, testing, stakeholder decisions on roadmaps would be on the table to manage and help fund projects. This would also help warrant maturity levels on projects and well, address the motivation behind the sad fact that everybody wants to be a project leader, without always carrying the responsibility.&lt;br /&gt;
&lt;br /&gt;
With the work that has been happening on the OWASP main site, I think it's time we started looking at how to clean up the content that is out there. Again, this is not necessarily in the form of archiving, but instead in the form of attempting to make the site simple to navigate. Everything from input validation filters for Java to people's itinerary information is on there. I mean, come on! I would tie this work into the governance piece stated above.&lt;br /&gt;
&lt;br /&gt;
Finally, I would invest a lot of time in terms of making sure that our permanent members of staff have a healthy environment of work to operate in. How? By means of establishing run-books, escalation paths and targeting the relevant communication to the right people. This after all would show how healthy we are in terms of processes and structure as an organisation. But before any of this, I would actually sit and listen, collecting feedback from the community on how they see we should change and how we should achieve getting there. &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== Ludovic Petit ====&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Candidate !! Ludovic Petit &lt;br /&gt;
|-&lt;br /&gt;
| Country Of Residence || France &lt;br /&gt;
|-&lt;br /&gt;
| Membership Status || Honorary Member, France Chapter Leader &lt;br /&gt;
|-&lt;br /&gt;
| Bio || Just a guy passionate about Web application Security ... and good sense! I am a modest Security Evangelist for roughly 20 years, OWASP DNA'ed. In short/clear, I'm working at the 8th OSI Layer: on the Human Capital.&lt;br /&gt;
&lt;br /&gt;
I am Chapter Leader and Founding Member OWASP France (2004), and Global Connections Committee Member. A couple of contributions to OWASP Projects over time: OWASP 2013 Strategic Goals (with Samantha Groves &amp;amp; Sarah Baso, for the Board), 2013 Marketing Initiative (with Samantha Groves &amp;amp; Sarah Baso), Translator of the OWASP Top Ten in French (All versions. Project Lead), Application Security Guide For CISOs (with Marco Morana), OWASP Mobile Security Project (with Jack Mannino), OWASP Cloud Top10 Project (with Vinay Bensal), OWASP Secure Coding Practices - Quick Reference Guide (with Keith Turpin). I help also on request Chapters Leads around the world needing to have inputs about how to deal with the foundation and their respective ecosystem as well.&lt;br /&gt;
&lt;br /&gt;
Apart from this, I am Chief Security Officer for a big firm, with 20 years international experience of Security management within the Telecommunications industry, following 10 years in Information Technology, with a strong balance of business acumen and technical skills gained from working in global and multicultural professional environments. I am a Certified Information Systems Security Professional (CISSP) and Certified Telecommunications Fraud Specialist (CTFS) serving as a trusted leader at board-level. I am working at Group level with a proven ability of managing global projects and cross-functional teams, and successfully achieving strategic level objectives. I am a relationship builder who enjoys working with others, with the ability to adapt to rapidly changing environments and different cultures. I have both a Technical and a Law Enforcement background (Legal &amp;amp; Regulation). Public LinkedIn profile: linkedin.com/in/lpetit/&lt;br /&gt;
|-&lt;br /&gt;
| Why Me? || Because! ;-) More seriously, I'm member of the OWASP since 2004, and I'm actively contributing to the OWASP Top Ten Project as French translator since the first version of 2004, as well as other stuff mentioned above. As Chapter Leader OWASP France and Global Connections Committee Member, I'd like to propose my background to continue helping the Foundation spread the Voice of OWASP. I'm convinced the mix of profiles &amp;amp; backgrounds from Board Members could enrich and enhance the way in which things could be done for the Community. My modest wish is trying to bring the great value-added of the knowledge from the Board to local Chapters ecosystems, AND vice-versa! to streamline knowledge, processes and awareness as much as I could. I have no other wish but to serve the Community. Well, that being said, if you wish a refreshing wind between the neurons, don't hesitate to vote for me guys! I say what I do and I do what I say. I am transparent... and French ;-) &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== Josh Sokol ====&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Candidate !! Josh Sokol &lt;br /&gt;
|-&lt;br /&gt;
| Country Of Residence || USA &lt;br /&gt;
|-&lt;br /&gt;
| Membership Status || Current Paid Member, Austin Chapter Leader &lt;br /&gt;
|-&lt;br /&gt;
| Bio || Josh Sokol began his involvement with the OWASP Foundation over six and a half years ago. At the time, he was a newly hired Web Systems Engineer, working at National Instruments, and one of his teammates encouraged him to attend an OWASP meeting due to his active interests around Information Security. After just a single meeting, Josh was hooked. Soon, thereafter, Josh began helping the OWASP Austin Chapter Leader with scheduling and facilitating the meetings at National Instruments. His friend ended up taking over as President of the chapter and Josh became his VP. Several years later his friend was looking for someone to take over as President of the chapter and Josh was the natural choice. After fulfilling his obligations as Treasurer of the Capital of Texas ISSA Chapter, Josh took on the role of President of OWASP Austin. Josh installed a strong leadership team around him and worked with them to grow the chapter from a meeting average of 10-15 people to a consistent 40+, created monthly sponsored happy hours to help the community network, began weekly study groups to aid members in learning different topics, and co-founded the Lonestar Application Security Conference (LASCON) in order to make the OWASP Austin Chapter entirely self-sustaining as well as one of the largest financial contributors to the OWASP Foundation. After two years of serving as the OWASP Austin President, Josh handed the reins over to another member of his leadership team and joined the OWASP Global Chapter Committee. Within two months of joining, the committee appointed Josh as the Chair. While serving on this committee, Josh fought for the rights of the Chapters. He helped to re-write the Chapter Handbook and created several new initiatives with the goal of helping maximize the potential of all OWASP chapters. Josh served as the Chair of the Global Chapter Committee until the committee structure was eliminated by the OWASP Board in late 2012. Josh continues to be an active member of the OWASP Austin leadership team.&lt;br /&gt;
&lt;br /&gt;
In his professional life, Josh has spent the past three and a half years employed as the Information Security Program Owner at National Instruments where he handles all vulnerability management, risk management, security architecture, security training, and security policies (among many other things) for the company. He has presented on security topics at BlackHat, OWASP AppSec USA, BSides Las Vegas, MISTI InfoSecWorld, and many more and is currently developing a free and open source risk management tool. Josh lives in Austin, TX with his wife and four daughters.&lt;br /&gt;
|-&lt;br /&gt;
| Why Me? || With two exceptions, the current OWASP Board of Directors consists of people who sell security products and services as their day job. But with one of the OWASP Core Values being &amp;quot;vendor neutrality&amp;quot;, this presents a very significant conflict of interest. One which I, personally, have witnessed issues with and raised my concerns to the current Board. While I am most definitely a security professional by trade, my company does not currently make any products or sell any services in the security space. I am truly a security practitioner and have no hidden agendas or biases. Also, with few exceptions, many of the current Board members have no idea what it takes to run a successful OWASP chapter. Recently, they held a vote to remove the 60/40 membership fee split in order to correct a perceived issue with what they refer to as &amp;quot;rich chapters&amp;quot;. The problem being, this proposal would have had little effect on those chapters and would effectively wipe out the ability for many of our smaller chapters to make money. Formerly, we had the Chapters Committee to stand up for the rights of our chapters and its leaders, but with the elimination of that committee structure, we have nothing. I frequently monitor the Board list as well as the Governance list and have, on several occasions, engaged the Board on issues that I felt warranted some &amp;quot;chapter leader&amp;quot; intervention, but officially I have no vote in these matters. Since the majority of our members are affiliated with a chapter, I am hoping that you will support me in being your voice. I love OWASP and have been passionate about it from the beginning. I am unbiased in my opinions and unafraid to stand up for what I believe is right. I would sincerely appreciate your vote to put me on the OWASP Board of Directors. &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Honorary Membership ===&lt;br /&gt;
&lt;br /&gt;
Honorary Membership will be granted to the following for the 2013 election:&lt;br /&gt;
*Chapter Leaders &lt;br /&gt;
*Project Leaders&lt;br /&gt;
&lt;br /&gt;
'''**NOTE**''' Chapters and Projects must be active. Your leadership position must be on file prior to 30-September 2013 in order to be eligible for 2013 honorary membership.   '''ALL''' qualified individuals '''MUST''' apply for Honorary Membership in order to vote by completing the [http://www.tfaforms.com/284826 Honorary Membership Self Nomination Form]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Who Can Vote?  ===&lt;br /&gt;
&lt;br /&gt;
OWASP Paid Individual Members, Paid Corporate Members and Honorary Members registered as of 30-September 2013 have one (1) vote per seat (there are 3 seats up for election).&lt;br /&gt;
&lt;br /&gt;
*Note - this will include all chapter leaders and project leaders on file effective 30-September 2013; you can check the current [https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0Ag5ZloRZ0SmjdElHZnp5VnozSXFfR0c3UkF1WHh5dVE&amp;amp;hl=en#gid=0 Member Look Up]. If you are not a member yet, you are encouraged to become one.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;center&amp;gt;'''[[Image:Join_Now_BlueIcon.JPG|100px|link=https://www.owasp.org/index.php/Membership_Map]]'''&amp;lt;/center&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Have additional questions about OWASP Membership? === &lt;br /&gt;
Read the Membership FAQ [https://www.owasp.org/index.php/Membership#OWASP_Membership_Frequently_Asked_Questions_.28FAQ.29 CLICK HERE]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Election Frequently Asked Questions ===&lt;br /&gt;
If you have a question about the current election please [http://owasp4.owasp.org/contactus.html click here].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
====Where can I find communication to the OWASP Community about the upcoming election?====&lt;br /&gt;
Answer:&lt;br /&gt;
We will try to publish announcements and key milestone reminders to as many communication channels as possible, including the OWASP Blog, OWASP Connector, OWASP Leader's List and this Wiki Page. Please feel free to help us communicate the message, by re-posting, re-tweeting, or sharing with the OWASP Chapter, Project, or Initiatives you may be involved with.&lt;br /&gt;
*[http://owasp.blogspot.com/2013/05/owasp-connector-may-7-2013.html May 7 OWASP Connector Announcement]&lt;br /&gt;
*[https://docs.google.com/file/d/0B5Z9zE0hx0LNUkxnVUMwc215UnM/edit?usp=sharing May 9 Webinar Slides]&lt;br /&gt;
*[http://owasp.blogspot.com/2013/05/2013-board-election-call-for-candidates.html May 15 Blog Post]&lt;br /&gt;
*[http://lists.owasp.org/pipermail/owasp-leaders/2013-May/009311.html May 15 Email to OWASP Leaders List]&lt;br /&gt;
* June 20 OWASP Connector [http://owasp.blogspot.com/2013/06/owasp-connector-june-20-2013.html  posted to Blog] and [http://lists.owasp.org/pipermail/owasp-all/2013-June/000178.html Email to OWASP-all]&lt;br /&gt;
* July 4 OWASP Connector [http://owasp.blogspot.com/2013/07/owasp-connector-july-4-2013.html posted to Blog] and [http://lists.owasp.org/pipermail/owasp-all/2013-July/000179.html Email to OWASP-all]&lt;br /&gt;
*[https://twitter.com/appsecusa/statuses/35492802439269580 July 10 Tweet] &lt;br /&gt;
* July 16 OWASP Connector [http://owasp.blogspot.com/2013/07/owasp-connector-july-16-2013.html posted to Blog] and [http://lists.owasp.org/pipermail/owasp-all/2013-July/000180.html Email to OWASP-all]&lt;br /&gt;
*[https://twitter.com/owasp/statuses/358693550680064000 July 20 Twitter Reminder]&lt;br /&gt;
* August 1 OWASP Connector [http://owasp.blogspot.com/2013/08/owasp-global-connector-august-1-2013.html posted to Blog] and [http://lists.owasp.org/pipermail/owasp-all/2013-August/000181.html Email to OWASP-all]&lt;br /&gt;
*[http://lists.owasp.org/pipermail/owasp-leaders/2013-August/009938.html August 11 Leaders List Reminder]&lt;br /&gt;
*[http://owasp.blogspot.com/2013/08/last-call-for-2013-election-board-of.html August 11 Blog Post Reminder]&lt;br /&gt;
*[https://twitter.com/owasp/statuses/366630187854598144 August 11 Twitter Announcement]&lt;br /&gt;
*[http://www.linkedin.com/groups/Last-Call-2013-Election-Board-36874.S.264990813?qid=7110e493-81e4-4a3d-86b5-a956c43ee5bb&amp;amp;goback=%2Enpv_101664190_*1_*1_name_6z5f_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_NUS_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_NUS*5memb*4pic+_*1%2Egmp_36874 August 11 LinkedIn Post to Global OWASP Foundation Group]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[Category:Board Elections]]&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=User:Ludovic_Petit&amp;diff=157634</id>
		<title>User:Ludovic Petit</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=User:Ludovic_Petit&amp;diff=157634"/>
				<updated>2013-09-01T09:10:45Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I have been a member of OWASP since 2004. I have been actively contributing to the OWASP Top Ten Project as French translator since the first version of 2004, as well as other stuff described below. &lt;br /&gt;
&lt;br /&gt;
'''Chapter Leader [https://www.owasp.org/index.php/France OWASP France]''' and '''[https://www.owasp.org/index.php/OWASP_Connections_Committee OWASP Global Connections Committee]''' '''Member'''.&lt;br /&gt;
&lt;br /&gt;
I started working with the OWASP Foundation end of 2003 and initiated the first translation of the OWASP Top Ten in another language, in French. Then, I also translated the Top Ten 2007 in French, as well as the Top Ten 2010, and guess what... the Top Ten 2013 as Project Leader.&lt;br /&gt;
&lt;br /&gt;
I created the OWASP France Chapter at the beginning of 2004 and grew it from 2 peers to over 300 members rapidly. I also created a group for the French Chapter on LinkedIn in Jan 2009.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Then in May 2008, I decided to register The OWASP France Chapter as a not-for-profit organization called “Association Loi 1901 reconnue d’utilité publique” in France with Sebastien Gioria, this to prevent the OWASP brand/name from business misuses in France. &lt;br /&gt;
&lt;br /&gt;
The French Chapter fully complies with the OWASP Foundation’s bylaws and our activities are directly in line with the OWASP core mission of spreading awareness.&lt;br /&gt;
&lt;br /&gt;
I am currently working as Chief Security Officer at Huawei France.&lt;br /&gt;
Take a look at my '''LinkedIn profile''' [http://www.linkedin.com/in/lpetit '''here'''] for more information about me.&lt;br /&gt;
      &lt;br /&gt;
Don't hesitate to drop me an email if you would like to get in touch, I'd be glad to (modestly) help if needed '''ludovic.petit@owasp.org'''.&lt;br /&gt;
&lt;br /&gt;
'''A few contributions to OWASP Projects:'''&lt;br /&gt;
&lt;br /&gt;
* OWASP 2013 Strategic Goals (with Samantha Groves &amp;amp; Sarah Baso, for the Board)&lt;br /&gt;
* OWASP 2013 Marketing Initiative (with Samantha Groves &amp;amp; Sarah Baso)&lt;br /&gt;
* Translator of the OWASP Top Ten in French (All versions)&lt;br /&gt;
* Application Security Guide For CISOs (with Marco Morana)&lt;br /&gt;
* OWASP Mobile Security Project (with Jack Mannino)&lt;br /&gt;
* OWASP Cloud Top10 Project (with Vinay Bensal)&lt;br /&gt;
* OWASP Secure Coding Practices - Quick Reference Guide (with Keith Turpin)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
I also run the [http://www.linkedin.com/e/gis/1638517 OWASP French Chapter on LinkedIn]. Join us, you're welcome, it only takes a minute!&amp;lt;br&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=User:Ludovic_Petit&amp;diff=157273</id>
		<title>User:Ludovic Petit</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=User:Ludovic_Petit&amp;diff=157273"/>
				<updated>2013-08-23T16:09:40Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I have been a member of OWASP since 2004. I have been actively contributing to the OWASP Top Ten Project as French translator since the first version of 2004, as well as other stuff described below. &lt;br /&gt;
&lt;br /&gt;
'''Chapter Leader [https://www.owasp.org/index.php/France OWASP France]''' and '''[https://www.owasp.org/index.php/OWASP_Connections_Committee OWASP Global Connections Committee]''' '''Member'''.&lt;br /&gt;
&lt;br /&gt;
I started working with the OWASP Foundation end of 2003 and initiated the first translation of the OWASP Top Ten in another language, in French. Then, I also translated the Top Ten 2007 in French, as well as the Top Ten 2010, and guess what... as well as the Top Ten 2013 as Project Leader.&lt;br /&gt;
&lt;br /&gt;
I created the OWASP France Chapter at the beginning of 2004 and grew it from 2 peers to over 300 members rapidly. I also created a group for the French Chapter on LinkedIn in Jan 2009.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Then in May 2008, I decided to register The OWASP France Chapter as a not-for-profit organization called “Association Loi 1901 reconnue d’utilité publique” in France with Sebastien Gioria, this to prevent the OWASP brand/name from business misuses in France. &lt;br /&gt;
&lt;br /&gt;
The French Chapter fully complies with the OWASP Foundation’s bylaws and our activities are directly in line with the OWASP core mission of spreading awareness.&lt;br /&gt;
&lt;br /&gt;
Take a look at my '''LinkedIn profile''' [http://www.linkedin.com/in/lpetit '''here'''] for more information about me.&lt;br /&gt;
      &lt;br /&gt;
Don't hesitate to drop me an email if you would like to get in touch, I'd be glad to (modestly) help if needed '''ludovic.petit@owasp.org'''.&lt;br /&gt;
&lt;br /&gt;
'''A few contributions to OWASP Projects:'''&lt;br /&gt;
&lt;br /&gt;
* OWASP 2013 Strategic Goals (with Samantha Groves &amp;amp; Sarah Baso, for the Board)&lt;br /&gt;
* OWASP 2013 Marketing Initiative (with Samantha Groves &amp;amp; Sarah Baso)&lt;br /&gt;
* Translator of the OWASP Top Ten in French (All versions)&lt;br /&gt;
* Application Security Guide For CISOs (with Marco Morana)&lt;br /&gt;
* OWASP Mobile Security Project (with Jack Mannino)&lt;br /&gt;
* OWASP Cloud Top10 Project (with Vinay Bensal)&lt;br /&gt;
* OWASP Secure Coding Practices - Quick Reference Guide (with Keith Turpin)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
I also run the [http://www.linkedin.com/e/gis/1638517 OWASP French Chapter on LinkedIn]. Join us, you're welcome, it only takes a minute!&amp;lt;br&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=France&amp;diff=155174</id>
		<title>France</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=France&amp;diff=155174"/>
				<updated>2013-07-05T09:49:52Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=France|extra=The '''Chapter Leaders''' are [mailto:ludovic.petit@owasp.org Ludovic Petit] and [mailto:sebastien.gioria@owasp.org Sebastien Gioria]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-france|emailarchives=http://lists.owasp.org/pipermail/owasp-france}}'''&lt;br /&gt;
&amp;lt;paypal&amp;gt;France Chapter&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''The French Chapter is also available on LinkedIn''': [http://www.linkedin.com/groupInvitation?gid=1638517  '''Join us''', it only takes a minute!]&lt;br /&gt;
&lt;br /&gt;
== Contacts, Presentations, Contributions &amp;amp; Partnerships ==&lt;br /&gt;
&lt;br /&gt;
*[mailto:sebastien.gioria@owasp.org Sebastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit] are available if you would like information or wish to discuss the added value offered by the OWASP Foundation, as well as Web Application Security.&lt;br /&gt;
&lt;br /&gt;
Companies, individuals, academia, sponsors, supporters: everyone is welcome at OWASP! Access to our Chapter meetings is free and open to all.&lt;br /&gt;
&lt;br /&gt;
For companies wishing to join OWASP, the basic annual membership fee is $5000 US (40% of which goes to the Project or Chapter of your choice), 100% deductible in the USA and 60% deductible in France &lt;br /&gt;
&lt;br /&gt;
The funds collected are used to organize the Chapter meetings, but also and above all to build and organize with you a specific collegial approach that meets your wishes (awareness sessions, internal meetings, speaker engagements, etc.). All of this can be discussed with the French Chapter and agreed jointly with you if you wish to join OWASP. &lt;br /&gt;
&lt;br /&gt;
Do not hesitate to contact us if you would like to discuss a particular topic, or if you would like to give a presentation at a France Chapter meeting.&lt;br /&gt;
&lt;br /&gt;
Friends from the print press and multimedia, do not hesitate to call on us if you would like our help with your articles and reports; you are welcome and we would be honored. Use our know-how in a win-win perspective!&lt;br /&gt;
&lt;br /&gt;
We remain modest in our approach; we would like the OWASP France Chapter to become one of your reference contacts. '''Together, each one does more'''!&lt;br /&gt;
&lt;br /&gt;
                                      '''TEAM stands for... Together Each Achieves More!'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==OWASP European Chapter Tour 2013, Sophia-Antipolis, France, 24 June 2013==&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/1/10/Synth%C3%A8se.ppt Summary]&amp;quot;&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/9/96/EuTour_-_Owasp_Eurecom.pdf Introduction]&amp;quot;&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/5/50/EuTour-providers.pdf The Role of Web Hosting Providers in Detecting Compromised Websites]&amp;quot;&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/f/fc/EuTour-webhoneypots.pdf Behind the Scenes of Web Attacks]&amp;quot;&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/8/8d/Pellegrino-OWASP_EUTour2013.pdf Logic Vulnerabilities in eCommerce Web Applications]&amp;quot;&lt;br /&gt;
&lt;br /&gt;
 '''Summary''' :  &lt;br /&gt;
A high-quality meeting with very interesting presentations.&lt;br /&gt;
We thank EURECOM for kindly hosting the meeting, as well as the speakers for their much-appreciated contributions!&lt;br /&gt;
&lt;br /&gt;
 '''Speaker''' : Aurélien Francillon: Associate Professor, &amp;quot;Networking and Security&amp;quot; Department, EURECOM&lt;br /&gt;
 '''Speaker''' : Davide Balzarotti: Associate Professor, &amp;quot;Networking and Security&amp;quot; Department, EURECOM&lt;br /&gt;
 '''Speaker''' : Giancarlo Pellegrino: PhD student, &amp;quot;Networking and Security&amp;quot; Department, EURECOM and researcher, SAP AG EURECOM&lt;br /&gt;
 '''Speaker''' : Ely de Travieso: Owasp France, Director, Phonesec&lt;br /&gt;
 '''Speaker''' : Maurizio Abbà: Master's student, EURECOM&lt;br /&gt;
 '''Speaker''' : Davide Canali: PhD student, &amp;quot;Networking and Security&amp;quot; Department, EURECOM&lt;br /&gt;
&lt;br /&gt;
==Looking Forward… and Beyond, Distinctiveness Through Security Excellence==&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/5/50/Looking_Forward%E2%80%A6_and_Beyond.pptx Looking Forward… and Beyond]&amp;quot;&lt;br /&gt;
 '''Summary''' :  &lt;br /&gt;
Here is a presentation I gave in Sept for a big Software maker in an internal meeting. This presentation aims to be re-used at your convenience depending the needs / your context. Designed into 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes, or people and firms interested about OWASP and willing to join the Foundation as Member. The first 2 parts are more an update for those who are not yet familiar with OWASP, the 3rd part being more specific because about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway. Enjoy and feel free to email me, all comments welcome!&lt;br /&gt;
&lt;br /&gt;
 '''Speaker''' : Ludovic Petit &lt;br /&gt;
&lt;br /&gt;
==28 March 2012 First-Quarter Meeting==&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/6/6d/Developer_Top_Ten_Core_Controls_v4.1.pptx Top Ten Web Defenses]&amp;quot;&lt;br /&gt;
 '''Summary''' :  &lt;br /&gt;
Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. &lt;br /&gt;
This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. &lt;br /&gt;
Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
This talk will also detail several of the key access control anti-patterns commonly found during website security audits. &lt;br /&gt;
These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. &lt;br /&gt;
In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico &lt;br /&gt;
Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. &lt;br /&gt;
He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.&lt;br /&gt;
 '''Online registration at''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== 7 and 8 February 2012 - [http://www.microsoft.com/france/mstechdays/ Techdays Microsoft 2012] ==&lt;br /&gt;
&lt;br /&gt;
Sébastien will present a talk on [http://www.microsoft.com/france/mstechdays/programmes/parcours.aspx?SessionID=62e02774-6045-4be8-80ff-8332a793ad4f HTML5 and Security] on 7 February 2012 at 17h30. &lt;br /&gt;
More information is on the page dedicated to the Microsoft TechDays 2012.&lt;br /&gt;
&lt;br /&gt;
== 6 January 2012 - New Working Group on Web Services Security at [http://www.clusif.fr CLUSIF]  ==&lt;br /&gt;
&lt;br /&gt;
Following on from the Working Group on Web Application Security originally created in 2009, CLUSIF has launched a new working group on the security of Web Services. Feel free to take part if you are interested. CLUSIF is looking for users for this working group, and for people working in Microsoft environments, in order to have the broadest possible panel for this document.&lt;br /&gt;
&lt;br /&gt;
Contact : [mailto:sebastien.gioria@owasp.org Sébastien Gioria]&lt;br /&gt;
&lt;br /&gt;
== 19 December 2011 - Publication of the second [http://www.clusif.fr CLUSIF] document on Web Application Security ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF has published its second document, on [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Defense-en-profondeur-des-applications-Web.pdf defense in depth for Web applications]. This document follows the [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf first document published in 2009] &lt;br /&gt;
&lt;br /&gt;
== 15 December 2011 [http://www.clusif.fr CLUSIF] Conference on [http://www.clusif.fr/fr/infos/event/#conf111215  Web application security] ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF held its Web Application Security conference on Thursday 15 December 2011 at the Cercle National des Armées.&lt;br /&gt;
The program was: &lt;br /&gt;
&lt;br /&gt;
* Implementing an application security policy: lessons learned from a CISO, by Philippe LARUE - Security Manager - [http://www.cbp-prevoyance.com/ CBP]&lt;br /&gt;
* Source code review or application security testing: which is the most efficient way to assess an application's security level? by Sébastien GIORIA - Senior Consultant [http://www.groupey.fr Groupe Y] and leader of the French chapter of [https://www.owasp.org OWASP] - OWASP France&lt;br /&gt;
*  The regulatory challenges of protecting online information, by Garance MATHIAS - Attorney - Law Firm&lt;br /&gt;
&lt;br /&gt;
The presentations are available on the [http://www.clusif.fr CLUSIF] website; videos of the talks will also be available.&lt;br /&gt;
&lt;br /&gt;
== 2 Décembre 2011 - [[OWASP BeNeLux 2011 Conference - University of Luxembourg]] ==&lt;br /&gt;
&lt;br /&gt;
Ludovic gave a talk about &amp;quot;[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd WebApp Security and Legal aspects]&amp;quot;  on Dec 2.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**This presentation aims to be used by anybody willing to spread the voice of OWASP. See this as an Awareness session.&lt;br /&gt;
**Use it and use it again. &lt;br /&gt;
**Try to open your mind, just let me know if I can help. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/5/55/Do_you..._Legal_-_OWASP_BeNeLux_Day_-_2_Dec_2011.pptx Do you... Legal?]&amp;quot;'''&lt;br /&gt;
**The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsibility, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is especially true for Web Application Security, much sensitive information having to be handled through these web interfaces. As such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [[EUROPE - ENISA’s Who-is-Who Directory on Network and Information Security]] ===&lt;br /&gt;
&lt;br /&gt;
We are pleased to announce that OWASP France is part of the [http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011 ENISA’s Who-is-Who Directory].&lt;br /&gt;
&lt;br /&gt;
The ENISA is the European Network and Information Security Agency.&lt;br /&gt;
[http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011/at_download/fullReport The ENISA Who-is-Who Directory on Network and Information Security 2011] contains information on NIS stakeholders, such as national and European authorities and NIS organisations, contact details, websites, and areas of responsibilities or activities. &lt;br /&gt;
This Directory serves as the &amp;quot;yellow pages&amp;quot; of Network and Information Security (NIS) in Europe. As such, it is a useful tool for those working closely with NIS issues in Europe.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Chapter Meetings 2013 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2013 ==&lt;br /&gt;
 '''Date''' : 7 February 2013&lt;br /&gt;
 '''Venue''' : Gemalto - Plazza Room, 6 rue de la Verrerie, 92197 Meudon-sur-Seine &lt;br /&gt;
 '''Time''' : 18h30 to 21h&lt;br /&gt;
 '''Presentation''' : Update on the '''OWASP Projects''', Ludovic&lt;br /&gt;
 '''Presentation''' : '''Evolution of the Legal Framework - Developers, Software makers held liable for code?'''[[https://www.owasp.org/images/2/2a/Chapter_Meeting_OWASP_France_-_7_Feb_2013.pdf]] Ludovic&lt;br /&gt;
 '''Presentation''' : '''Personal data: the new draft European regulation'''[http://www.donneespersonnelles.fr/donnees-personnelles-le-nouveau-projet-de-reglement-europeen], Thiébaut Devergranne&lt;br /&gt;
 '''Breaking News''' : Presentation of the '''OWASP France Day''' that we would like to organize in March, Ludovic &amp;amp; Sébastien&lt;br /&gt;
 '''Call for contributions''' : '''OWASP Top Ten 2013 Translation''', Ludovic &amp;amp; Sébastien&lt;br /&gt;
 '''Update''' : '''Partner Relations''' &amp;amp; '''Memberships''', Ely de Travieso&lt;br /&gt;
&lt;br /&gt;
Joining us for this meeting is Thiébaut Devergranne, doctor of law and consultant. Thiébaut has worked in new-technology law for more than 10 years, including 6 spent within the services of the Prime Minister.&lt;br /&gt;
&lt;br /&gt;
 '''Speakers''' : Ludovic Petit, Sébastien Gioria, Ely de Travieso, Thiébaut Devergranne&lt;br /&gt;
 '''Online registration here''' : https://www.eventbrite.com/event/4615236296&lt;br /&gt;
&lt;br /&gt;
 '''Date''' : 12 March 2013&lt;br /&gt;
 '''Venue''' : Solucom, Tour Franklin, 100-101 Terrasse Boieldieu, 92042 Paris La Défense &lt;br /&gt;
 '''Time''' : 09h00 to 12h30&lt;br /&gt;
 '''Presentation''' : Secure Coding (in English), Jim Manico&lt;br /&gt;
 '''Presentation''' : Application Security: Organization, the Key to Success!, Gérôme Billois&lt;br /&gt;
 '''Presentation''' : OWASP News &amp;amp; Update, Ludovic Petit &amp;amp; Sébastien Gioria&lt;br /&gt;
 '''Call for contributions''' : '''OWASP Top Ten 2013 Translation''', Ludovic &amp;amp; Sébastien&lt;br /&gt;
&lt;br /&gt;
 '''Overall presentation''' : '''Chapter Meeting OWASP France 12 March'''[[https://www.owasp.org/images/2/2d/Chapter_Meeting_OWASP_France_12_Mars.pdf]]&lt;br /&gt;
&lt;br /&gt;
Topics covered by Jim Manico:  &lt;br /&gt;
'''Authentication Best Practices for Developers:''' This module will discuss the security mechanisms found within an authentication (AuthN) layer of a web application.  We will review a series of historical authentication threats. We will also discuss a variety of authentication design patterns necessary to build a low-risk high-security web application. Session management threats and best practices will also be covered. This module will include several technical demonstrations and code review labs. &lt;br /&gt;
&lt;br /&gt;
'''Access Control Design Best Practices:''' Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
&lt;br /&gt;
 '''Speakers''' : Jim Manico, Gérôme Billois, Ludovic Petit, Sébastien Gioria&lt;br /&gt;
 '''Online registration required''' : http://owaspfrance12mars2013.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OWASP France Call for Contributions =&lt;br /&gt;
&lt;br /&gt;
The Chapter's various calls for contributions (sponsors, talks, etc.) will be relayed here.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Call for External Contributions =&lt;br /&gt;
&lt;br /&gt;
Calls for contributions that we consider of interest to the Chapter will be relayed here. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Meetings 2012 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2012 ==&lt;br /&gt;
 '''Date''' : 28 March 2012&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : Web Application Access Control Design Excellence&lt;br /&gt;
 '''Summary''' : Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
                    This talk will discuss several of the key access control anti-patterns commonly found during &lt;br /&gt;
                     website security audits. These access control anti-patterns include hard-coded security policies, &lt;br /&gt;
                     lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these&lt;br /&gt;
                     and other access control problems, we will discuss and design a positive access control mechanism &lt;br /&gt;
                     that is data contextual, activity based, configurable, flexible, and deny-by-default - among other&lt;br /&gt;
                     positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico&lt;br /&gt;
 '''Online registration here''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== Q2 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q3 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q4 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= 2011 Meetings =&lt;br /&gt;
&lt;br /&gt;
=== [[May 2011 - Paris Meeting]] ===&lt;br /&gt;
&lt;br /&gt;
[Logo to be placed here]&lt;br /&gt;
&lt;br /&gt;
We are honored to welcome '''Jim Manico''' during his European Tour in the Netherlands, Belgium and France.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document &amp;amp; Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle. &lt;br /&gt;
**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. &lt;br /&gt;
**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered. &lt;br /&gt;
**If you are interested in participating in the hands on portion of the course, please bring a laptop. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/f/f4/Future_of_XSS_v4.pptx The Ghost of XSS Past, Present and Future. A Defensive Tale]&amp;quot;'''&lt;br /&gt;
**This talk will discuss the past methods used for XSS defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and Javascript sandboxes such as the Google CAJA project and JSReg. &lt;br /&gt;
&lt;br /&gt;
*'''Speaker'''&lt;br /&gt;
**'''Jim Manico''' is a managing partner of Infrared Security with over 15 years of professional web development experience. Jim is also the Chair of the OWASP Connections Committee, one of the Project Managers of the OWASP ESAPI Project, a participant and manager of the OWASP Cheatsheet series, the Producer and host of the OWASP Podcast Series, the Manager of the OWASP Java HTML Sanitizer project and the manager of the OWASP Java Encoder project. When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.&lt;br /&gt;
&lt;br /&gt;
*'''Date'''&lt;br /&gt;
**May 24, 2011 &lt;br /&gt;
&lt;br /&gt;
*'''Venue'''&lt;br /&gt;
**Paris&lt;br /&gt;
&lt;br /&gt;
*'''Registration'''&lt;br /&gt;
**[http://www.regonline.com/Register/Checkin.aspx?EventID=971375 Click here]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== April 26, 2011 ==&lt;br /&gt;
&lt;br /&gt;
'''April 26, 2011 at the offices of [http://www.groupey.fr/nos-cabinets-paris.html GROUPE Y]:'''&lt;br /&gt;
&lt;br /&gt;
* 9:00: [https://www.owasp.org/images/2/2f/Agenda_26th_April_2011.pptx Introduction] - '''Ludovic Petit''' &amp;amp; '''Sébastien Gioria'''&lt;br /&gt;
* 9:30: [https://www.owasp.org/images/3/36/OPENSAMM2.pptx OpenSAMM] - '''Antonio Fontes''' (Chapter Leader OWASP Geneva) &lt;br /&gt;
* 11:00: [https://www.owasp.org/images/c/cf/OWASP_Cloud_Top_10.pptx OWASP Cloud Top 10 Project] - '''Ludovic Petit''' (Chapter Leader OWASP France &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 11:45: [https://www.owasp.org/images/5/5c/ESAPI_Swingset_talk_at_Paris.ppt OWASP ESAPI] - '''Fabio Cerullo''' (Chapter Leader OWASP Ireland &amp;amp; Global Education Committee)&lt;br /&gt;
* 14:15: [https://www.owasp.org/images/3/38/OWASP_Testing_Guide.pptx OWASP Testing Guide]  - '''Sébastien Gioria''' (French Chapter Leader &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 15:15: [http://o2platform.com OWASP O2 Platform - Live Session] - '''Dinis Cruz''' (OWASP O2 Project Leader)&lt;br /&gt;
* 16:30: [https://www.owasp.org/images/9/96/OWASP-Paris2011-VV-CodeReview.pdf OWASP Code Review] - '''Victor Vuillard'''&lt;br /&gt;
&lt;br /&gt;
= 2009 Meetings =&lt;br /&gt;
&lt;br /&gt;
'''May 6, 2009 at 17:30 at [http://www.epitech.eu EPITECH]:'''&lt;br /&gt;
&lt;br /&gt;
* 17:30: Welcome of participants&lt;br /&gt;
* 18:00 - 18:15: [http://www.owasp.org/images/d/dc/OWASP_Paris_Meeting_-_May_2009.pdf Welcome and overview of agenda] '''(Board OWASP France)'''&lt;br /&gt;
* 18:30 - 19:00: [http://www.owasp.org/images/6/6b/2009-05-06-OWASPFR-WebServices.pdf Attacks on Web Services] - '''Renaud Bidou'''&lt;br /&gt;
* 19:15 - 19:45: [http://www.owasp.org/images/8/82/2009-05-06-OWASPFR-OpenSAM.pdf Software Security Initiatives in the Real World] - '''Claudio Merloni'''&lt;br /&gt;
* 20:00: Close &lt;br /&gt;
&lt;br /&gt;
About the speakers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Renaud Bidou: '''''Chief Technical Officer of DenyAll. He has worked in security for more than 10 years and has published numerous articles and white papers on topics as varied as denial of service, port knockers, botnets, setting up a SOC, graphical analysis of attacks, and evasion techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Claudio Merloni: '''''Claudio Merloni is a Software Security Consultant at Fortify Software. His experience in the security field covers application security, code review, secure architectures, risk analysis, compliance, security testing at the network, system and application levels, monitoring, and access control. He has taken part in several conferences, including BlackHat and CONFidence.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Venue: EPITECH'''&lt;br /&gt;
&lt;br /&gt;
Amphitheatre 2&lt;br /&gt;
&lt;br /&gt;
14-16 rue Voltaire&lt;br /&gt;
&lt;br /&gt;
94276 Kremlin Bicêtre Cedex &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''Getting there: Metro''&lt;br /&gt;
* line 7: Porte d'Italie&lt;br /&gt;
&lt;br /&gt;
''Bus''&lt;br /&gt;
* lines 47, 125, 131, 185: Roger Salengro&lt;br /&gt;
* line 186: Pierre Brossolette &amp;lt;br/&amp;gt; &lt;br /&gt;
&lt;br /&gt;
''Car''&lt;br /&gt;
* ring road (périphérique): Porte d'Italie exit &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Translation effort =&lt;br /&gt;
&lt;br /&gt;
* The '''OWASP TOP Ten 2010 in French''' is [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf available]&lt;br /&gt;
* 2010-08-30: The French version of the Top 10 2010 is available [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] &lt;br /&gt;
* 2008-02-15: The Top 10 2007 is available in French [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.pdf PDF format], [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.doc Word format]&lt;br /&gt;
* 2007-11-16: [https://www.owasp.org/images/5/52/Owasp_tryptique.pdf Two-page double-sided leaflet] presenting OWASP for Infosecurity.&lt;br /&gt;
* 2007-02-27 : [[Newsletter_francaise_num%C3%A9ro_1]]&lt;br /&gt;
* 2007-06-20: OWASP presentation given in NY in June 2007 [https://www.owasp.org/images/7/71/20070620-FR-OWASP_NY_Keynote.ppt]&lt;br /&gt;
[[Category:Europe]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Old News = &lt;br /&gt;
&lt;br /&gt;
* 2009-06-09: [http://www.owasp.org/images/d/d2/20090609-CERT-IST-WAF-v0.1.pdf Talk on WAFs] at the [http://www.cert-ist.com CERT-IST] Forum &lt;br /&gt;
* 2009-02-03: OWASP France will be present at [http://www.pci-portal.com/events/event-info/paris PCI Paris]. The presentation is: [https://www.owasp.org/images/f/fb/20090203-OWASP_PCI-Global_2009_Paris_-_v03.ppt OWASP and PCI-DSS requirement 6.5]&lt;br /&gt;
* 2008-11-19: OWASP France will be present at [http://www.infosecurity.com.fr/FR/badge?ref=OWAW Infosecurity France] in Paris:&lt;br /&gt;
[http://www.infosecurity.com.fr/index.php?argRedirect=FR|badge&amp;amp;Lang=FR&amp;amp;ref=OWAW https://www.owasp.org/images/8/88/Infosecurity.gif]&lt;br /&gt;
&lt;br /&gt;
* 2008-07-08: OWASP France presented the OWASP project to [http://www.ossir.org OSSIR]. The presentation is available on the [https://www.owasp.org/images/9/94/20080708-OWASP_OSSIR.ppt OWASP] website&lt;br /&gt;
* 2008-02-15: The Top 10 2007 is available in French&lt;br /&gt;
* 2008-02-11: Presentation at [http://www.owasp.org/images/0/09/20080129-OWASP_TechDays_France_.ppt  Microsoft TechDays 2008]&lt;br /&gt;
* 2007-11-22: Presentation at Infosecurity France [http://www.owasp.org/images/8/85/20071122-OWASP_Infosecurity_France.ppt of OWASP]&lt;br /&gt;
* 2007-11-07: Interview in the [http://www.journaldunet.com/developpeur/itws/071106-securite-applicative-owasp.shtml Journal du Net]&lt;br /&gt;
* 2007-10-05: OWASP France will present the security challenges of [http://www.infosecurity.com.fr/?Jpto=116&amp;amp;KM_Session=f345bb91df954e6cbc0148328f109e94&amp;amp;CurrentNode=518&amp;amp;Lang=FR&amp;amp;IdNode=708 Web Services at Infosecurity France on 22/11/2007]&lt;br /&gt;
* 2006-12-18: Creation of the association to support the OWASP group&lt;br /&gt;
* 2006-12-14: The OWASP Viaduc Hub has been launched http://www.viadeo.com/hub/affichehub/?hubId=002fj37grgb7o7n&lt;br /&gt;
* 2006-12-13: Birth of the French chapter of OWASP. A mailing list is available. [http://lists.owasp.org/mailman/listinfo/owasp-france Subscribe]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Pellegrino-OWASP_EUTour2013.pdf&amp;diff=155173</id>
		<title>File:Pellegrino-OWASP EUTour2013.pdf</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Pellegrino-OWASP_EUTour2013.pdf&amp;diff=155173"/>
				<updated>2013-07-05T09:47:36Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:EuTour-webhoneypots.pdf&amp;diff=155172</id>
		<title>File:EuTour-webhoneypots.pdf</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:EuTour-webhoneypots.pdf&amp;diff=155172"/>
				<updated>2013-07-05T09:46:12Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:EuTour-providers.pdf&amp;diff=155171</id>
		<title>File:EuTour-providers.pdf</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:EuTour-providers.pdf&amp;diff=155171"/>
				<updated>2013-07-05T09:44:21Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:EuTour_-_Owasp_Eurecom.pdf&amp;diff=155170</id>
		<title>File:EuTour - Owasp Eurecom.pdf</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:EuTour_-_Owasp_Eurecom.pdf&amp;diff=155170"/>
				<updated>2013-07-05T09:42:30Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Synth%C3%A8se.ppt&amp;diff=155169</id>
		<title>File:Synthèse.ppt</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Synth%C3%A8se.ppt&amp;diff=155169"/>
				<updated>2013-07-05T09:36:56Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=User:Ludovic_Petit&amp;diff=154839</id>
		<title>User:Ludovic Petit</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=User:Ludovic_Petit&amp;diff=154839"/>
				<updated>2013-07-02T08:08:46Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I'm Group Fraud &amp;amp; Security Advisor at SFR, 2nd largest French Telecom Operator and International Group with subsidiaries in Morocco and Brazil.&lt;br /&gt;
&lt;br /&gt;
I've been a member of OWASP since 2004. I've been actively contributing to the OWASP Top Ten Project as French translator since the first version of 2004, as well as other stuff described below. &lt;br /&gt;
&lt;br /&gt;
'''Chapter Leader [https://www.owasp.org/index.php/France OWASP France]''' and '''[https://www.owasp.org/index.php/OWASP_Connections_Committee OWASP Global Connections Committee]''' '''Member'''.&lt;br /&gt;
&lt;br /&gt;
I started working with the OWASP Foundation end of 2003 and initiated the first translation of the OWASP Top Ten in another language, in French. Then, I also translated the Top Ten 2007 in French, as well as the Top Ten 2010, and guess what... also the Top Ten 2013 as Project Leader.&lt;br /&gt;
&lt;br /&gt;
I created the OWASP France Chapter at the beginning of 2004 and rapidly grew it from 2 peers to over 300 members. I also created a group for the French Chapter on LinkedIn in Jan 2009.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Then in May 2008, I decided to register the OWASP France Chapter as a not-for-profit organization called “Association Loi 1901 reconnue d’utilité publique” in France with Sebastien Gioria, to prevent business misuse of the OWASP brand/name in France. &lt;br /&gt;
&lt;br /&gt;
The French Chapter fully complies with the OWASP Foundation’s bylaws, and our activities are directly in line with the OWASP core mission of spreading awareness.&lt;br /&gt;
&lt;br /&gt;
Take a look at my '''LinkedIn profile''' [http://www.linkedin.com/in/lpetit '''here'''] for more information about me.&lt;br /&gt;
      &lt;br /&gt;
Don't hesitate to drop me an email if you would like to get in touch, I'd be glad to (modestly) help if needed '''ludovic.petit@owasp.org'''.&lt;br /&gt;
&lt;br /&gt;
'''A few contributions to OWASP Projects:'''&lt;br /&gt;
&lt;br /&gt;
* OWASP 2013 Strategic Goals (with Samantha Groves &amp;amp; Sarah Baso, for the Board)&lt;br /&gt;
* OWASP 2013 Marketing Initiative (with Samantha Groves &amp;amp; Sarah Baso)&lt;br /&gt;
* Translator of the OWASP Top Ten in French (All versions)&lt;br /&gt;
* Application Security Guide For CISOs (with Marco Morana)&lt;br /&gt;
* OWASP Mobile Security Project (with Jack Mannino)&lt;br /&gt;
* OWASP Cloud Top10 Project (with Vinay Bensal)&lt;br /&gt;
* OWASP Secure Coding Practices - Quick Reference Guide (with Keith Turpin)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
I also run the [http://www.linkedin.com/e/gis/1638517 OWASP French Chapter on LinkedIn]. Join us!&amp;lt;br&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=User:Ludovic_Petit&amp;diff=154838</id>
		<title>User:Ludovic Petit</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=User:Ludovic_Petit&amp;diff=154838"/>
				<updated>2013-07-02T08:08:16Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I'm Group Fraud &amp;amp; Security Advisor at SFR, 2nd largest French Telecom Operator and International Group with subsidiaries in Morocco and Brazil.&lt;br /&gt;
&lt;br /&gt;
I've been a member of OWASP since 2004. I've been actively contributing to the OWASP Top Ten Project as French translator since the first version of 2004, as well as other stuff described below. &lt;br /&gt;
&lt;br /&gt;
'''Chapter Leader [https://www.owasp.org/index.php/France OWASP France]''' and '''[https://www.owasp.org/index.php/OWASP_Connections_Committee OWASP Global Connections Committee]''' '''Member'''.&lt;br /&gt;
&lt;br /&gt;
I started working with the OWASP Foundation end of 2003 and initiated the first translation of the OWASP Top Ten in another language, in French. Then, I also translated the Top Ten 2007 in French, as well as the Top Ten 2010, and guess what... also the Top Ten 2013 as Project Leader.&lt;br /&gt;
&lt;br /&gt;
I created the OWASP France Chapter at the beginning of 2004 and rapidly grew it from 2 peers to over 300 members. I also created a group for the French Chapter on LinkedIn in Jan 2009.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Then in May 2008, I decided to register the OWASP France Chapter as a not-for-profit organization called “Association Loi 1901 reconnue d’utilité publique” in France with Sebastien Gioria, to prevent business misuse of the OWASP brand/name in France. &lt;br /&gt;
&lt;br /&gt;
The French Chapter fully complies with the OWASP Foundation’s bylaws, and our activities are directly in line with the OWASP core mission of spreading awareness.&lt;br /&gt;
&lt;br /&gt;
Take a look at my '''LinkedIn profile''' [http://www.linkedin.com/in/lpetit '''here'''] for more information about me.&lt;br /&gt;
      &lt;br /&gt;
Don't hesitate to drop me an email if you would like to get in touch, I'd be glad to (modestly) help  '''ludovic.petit@owasp.org'''&lt;br /&gt;
&lt;br /&gt;
'''A few contributions to OWASP Projects:'''&lt;br /&gt;
&lt;br /&gt;
* OWASP 2013 Strategic Goals (with Samantha Groves &amp;amp; Sarah Baso, for the Board)&lt;br /&gt;
* OWASP 2013 Marketing Initiative (with Samantha Groves &amp;amp; Sarah Baso)&lt;br /&gt;
* Translator of the OWASP Top Ten in French (All versions)&lt;br /&gt;
* Application Security Guide For CISOs (with Marco Morana)&lt;br /&gt;
* OWASP Mobile Security Project (with Jack Mannino)&lt;br /&gt;
* OWASP Cloud Top10 Project (with Vinay Bensal)&lt;br /&gt;
* OWASP Secure Coding Practices - Quick Reference Guide (with Keith Turpin)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
I also run the [http://www.linkedin.com/e/gis/1638517 OWASP French Chapter on LinkedIn]. Join us!&amp;lt;br&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=User:Ludovic_Petit&amp;diff=154837</id>
		<title>User:Ludovic Petit</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=User:Ludovic_Petit&amp;diff=154837"/>
				<updated>2013-07-02T08:07:13Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I'm Group Fraud &amp;amp; Security Advisor at SFR, 2nd largest French Telecom Operator and International Group with subsidiaries in Morocco and Brazil.&lt;br /&gt;
&lt;br /&gt;
I've been a member of OWASP since 2004. I've been actively contributing to the OWASP Top Ten Project as French translator since the first version of 2004, as well as other stuff described below. &lt;br /&gt;
&lt;br /&gt;
'''Chapter Leader [https://www.owasp.org/index.php/France OWASP France]''' and '''[https://www.owasp.org/index.php/OWASP_Connections_Committee OWASP Global Connections Committee]''' '''Member'''.&lt;br /&gt;
&lt;br /&gt;
I started working with the OWASP Foundation end of 2003 and initiated the first translation of the OWASP Top Ten in another language, in French. Then, I also translated the Top Ten 2007 in French, as well as the Top Ten 2010, and guess what... also the Top Ten 2013 as Project Leader.&lt;br /&gt;
&lt;br /&gt;
I created the OWASP France Chapter at the beginning of 2004 and rapidly grew it from 2 peers to over 300 members. I also created a group for the French Chapter on LinkedIn in Jan 2009.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Then in May 2008, I decided to register the OWASP France Chapter as a not-for-profit organization called “Association Loi 1901 reconnue d’utilité publique” in France with Sebastien Gioria, to prevent business misuse of the OWASP brand/name in France. &lt;br /&gt;
&lt;br /&gt;
The French Chapter fully complies with the OWASP Foundation’s bylaws, and our activities are directly in line with the OWASP core mission of spreading awareness.&lt;br /&gt;
&lt;br /&gt;
Take a look at my '''LinkedIn profile''' [http://www.linkedin.com/in/lpetit '''here'''] for more information about me.&lt;br /&gt;
      &lt;br /&gt;
Don't hesitate to drop me an email if you would like to get in touch. '''ludovic.petit@owasp.org'''&lt;br /&gt;
&lt;br /&gt;
'''A few contributions to OWASP Projects:'''&lt;br /&gt;
&lt;br /&gt;
* OWASP 2013 Strategic Goals (with Samantha Groves &amp;amp; Sarah Baso, for the Board)&lt;br /&gt;
* OWASP 2013 Marketing Initiative (with Samantha Groves &amp;amp; Sarah Baso)&lt;br /&gt;
* Translator of the OWASP Top Ten in French (All versions)&lt;br /&gt;
* Application Security Guide For CISOs (with Marco Morana)&lt;br /&gt;
* OWASP Mobile Security Project (with Jack Mannino)&lt;br /&gt;
* OWASP Cloud Top10 Project (with Vinay Bensal)&lt;br /&gt;
* OWASP Secure Coding Practices - Quick Reference Guide (with Keith Turpin)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
I also run the [http://www.linkedin.com/e/gis/1638517 OWASP French Chapter on LinkedIn]. Join us!&amp;lt;br&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=User:Ludovic_Petit&amp;diff=154836</id>
		<title>User:Ludovic Petit</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=User:Ludovic_Petit&amp;diff=154836"/>
				<updated>2013-07-02T08:04:06Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I'm Group Fraud &amp;amp; Security Advisor at SFR, 2nd largest French Telecom Operator and International Group with subsidiaries in Morocco and Brazil.&lt;br /&gt;
&lt;br /&gt;
I've been a member of OWASP since 2004. I've been actively contributing to the OWASP Top Ten Project as French translator since the first version of 2004, as well as other stuff described below. &lt;br /&gt;
&lt;br /&gt;
'''Chapter Leader [https://www.owasp.org/index.php/France OWASP France]''' and '''[https://www.owasp.org/index.php/OWASP_Connections_Committee OWASP Global Connections Committee]''' '''Member'''.&lt;br /&gt;
&lt;br /&gt;
I started working with the OWASP Foundation end of 2003 and initiated the first translation of the OWASP Top Ten in another language, in French. Then, I also carried out the French translation of the Top Ten 2007, as well as the Top Ten 2010 translation. I'm currently translating the Top Ten 2013 in French as Project Lead with a team of Benedictins.&lt;br /&gt;
&lt;br /&gt;
I created the OWASP France Chapter at the beginning of 2004 and rapidly grew it from 2 peers to over 300 members. I also created a group for the French Chapter on LinkedIn in Jan 2009.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Then in May 2008, I decided to register the OWASP France Chapter as a not-for-profit organization called “Association Loi 1901 reconnue d’utilité publique” in France with Sebastien Gioria, to prevent business misuse of the OWASP brand/name in France. &lt;br /&gt;
&lt;br /&gt;
The French Chapter fully complies with the OWASP Foundation’s bylaws, and our activities are directly in line with the OWASP core mission of spreading awareness.&lt;br /&gt;
&lt;br /&gt;
Take a look at my '''LinkedIn profile''' [http://www.linkedin.com/in/lpetit '''here'''] for more information about me.&lt;br /&gt;
      &lt;br /&gt;
Don't hesitate to drop me an email if you would like to get in touch. '''ludovic.petit@owasp.org'''&lt;br /&gt;
&lt;br /&gt;
'''A few contributions to OWASP Projects:'''&lt;br /&gt;
&lt;br /&gt;
* OWASP 2013 Strategic Goals (with Samantha Groves &amp;amp; Sarah Baso, for the Board)&lt;br /&gt;
* OWASP 2013 Marketing Initiative (with Samantha Groves &amp;amp; Sarah Baso)&lt;br /&gt;
* Translator of the OWASP Top Ten in French (All versions)&lt;br /&gt;
* Application Security Guide For CISOs (with Marco Morana)&lt;br /&gt;
* OWASP Mobile Security Project (with Jack Mannino)&lt;br /&gt;
* OWASP Cloud Top10 Project (with Vinay Bensal)&lt;br /&gt;
* OWASP Secure Coding Practices - Quick Reference Guide (with Keith Turpin)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
I also run the [http://www.linkedin.com/e/gis/1638517 OWASP French Chapter on LinkedIn]. Join us!&amp;lt;br&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=User:Ludovic_Petit&amp;diff=154835</id>
		<title>User:Ludovic Petit</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=User:Ludovic_Petit&amp;diff=154835"/>
				<updated>2013-07-02T08:02:52Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I'm Group Fraud &amp;amp; Security Advisor at SFR, 2nd largest French Telecom Operator and International Group with subsidiaries in Morocco and Brazil.&lt;br /&gt;
&lt;br /&gt;
I've been a member of OWASP since 2004. I've been actively contributing to the OWASP Top Ten Project as French translator since the first version of 2004, as well as other stuff described below. &lt;br /&gt;
&lt;br /&gt;
'''Chapter Leader [https://www.owasp.org/index.php/France OWASP France]''' and '''[https://www.owasp.org/index.php/OWASP_Connections_Committee OWASP Global Connections Committee]''' '''Member'''.&lt;br /&gt;
&lt;br /&gt;
I started working with the OWASP Foundation end of 2003 and initiated the first translation of the OWASP Top Ten in another language, in French. Then, I also carried out the French translation of the Top Ten 2007, as well as the Top Ten 2010 translation. I'm currently translating the Top Ten 2013 in French as Project Lead with a team of Benedictins.&lt;br /&gt;
&lt;br /&gt;
I created the OWASP France Chapter at the beginning of 2004 and rapidly grew it from 2 peers to over 300 members. I also created a group for the French Chapter on LinkedIn in Jan 2009.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Then in May 2008, I decided to register the OWASP France Chapter as a not-for-profit organization called “Association Loi 1901 reconnue d’utilité publique” in France with Sebastien Gioria, to prevent business misuse of the OWASP brand/name in France. &lt;br /&gt;
&lt;br /&gt;
The French Chapter fully complies with the OWASP Foundation’s bylaws, and our activities are directly in line with the OWASP core mission of spreading awareness.&lt;br /&gt;
&lt;br /&gt;
Take a look at my '''LinkedIn profile''' [http://www.linkedin.com/in/lpetit '''here'''] for more information about me.&lt;br /&gt;
      &lt;br /&gt;
Don't hesitate to drop me an email if you would like to get in touch. '''ludovic.petit@owasp.org'''&lt;br /&gt;
&lt;br /&gt;
'''Some contributions to OWASP Projects:'''&lt;br /&gt;
&lt;br /&gt;
* OWASP 2013 Strategic Goals (with Samantha Groves &amp;amp; Sarah Baso, for the Board)&lt;br /&gt;
* OWASP 2013 Marketing Initiative (with Samantha Groves &amp;amp; Sarah Baso)&lt;br /&gt;
* Translator of the OWASP Top Ten in French (All versions)&lt;br /&gt;
* Application Security Guide For CISOs (with Marco Morana)&lt;br /&gt;
* OWASP Mobile Security Project (with Jack Mannino)&lt;br /&gt;
* OWASP Cloud Top10 Project (with Vinay Bensal)&lt;br /&gt;
* OWASP Secure Coding Practices - Quick Reference Guide (with Keith Turpin)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
I also run the [http://www.linkedin.com/e/gis/1638517 OWASP French Chapter on LinkedIn]. Join us!&amp;lt;br&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=User:Ludovic_Petit&amp;diff=154834</id>
		<title>User:Ludovic Petit</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=User:Ludovic_Petit&amp;diff=154834"/>
				<updated>2013-07-02T08:01:54Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I'm Group Fraud &amp;amp; Security Advisor at SFR, 2nd largest French Telecom Operator and International Group with subsidiaries in Morocco and Brazil.&lt;br /&gt;
&lt;br /&gt;
I've been a member of OWASP since 2004. I've been actively contributing to the OWASP Top Ten Project as French translator since the first version of 2004, as well as other stuff described below. &lt;br /&gt;
&lt;br /&gt;
'''Chapter Leader [https://www.owasp.org/index.php/France OWASP France]''' and '''[https://www.owasp.org/index.php/OWASP_Connections_Committee OWASP Global Connections Committee]''' '''Member'''.&lt;br /&gt;
&lt;br /&gt;
I started working with the OWASP Foundation end of 2003 and initiated the first translation of the OWASP Top Ten in another language, in French. Then, I also carried out the French translation of the Top Ten 2007, as well as the Top Ten 2010 translation. I'm currently translating the Top Ten 2013 in French as Project Lead with a team of Benedictins.&lt;br /&gt;
&lt;br /&gt;
I created the OWASP France Chapter at the beginning of 2004 and rapidly grew it from 2 peers to over 300 members. I also created a group for the French Chapter on LinkedIn in Jan 2009.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Then in May 2008, I decided to register the OWASP France Chapter as a not-for-profit organization called “Association Loi 1901 reconnue d’utilité publique” in France with Sebastien Gioria, to prevent business misuse of the OWASP brand/name in France. &lt;br /&gt;
&lt;br /&gt;
The French Chapter fully complies with the OWASP Foundation’s bylaws, and our activities are directly in line with the OWASP core mission of spreading awareness.&lt;br /&gt;
&lt;br /&gt;
Take a look at my '''LinkedIn profile''' [http://www.linkedin.com/in/lpetit '''here'''] for more information about me.&lt;br /&gt;
      &lt;br /&gt;
Don't hesitate to drop me an email if you would like to get in touch. '''ludovic.petit@owasp.org'''&lt;br /&gt;
&lt;br /&gt;
'''Some contributions to OWASP Projects:'''&lt;br /&gt;
&lt;br /&gt;
* OWASP 2013 Strategic Goals&lt;br /&gt;
* OWASP 2013 Marketing Initiative&lt;br /&gt;
* Translator of the OWASP Top Ten in French (All versions)&lt;br /&gt;
* Application Security Guide For CISOs (with Marco Morana)&lt;br /&gt;
* OWASP Mobile Security Project (with Jack Mannino)&lt;br /&gt;
* OWASP Cloud Top10 Project (with Vinay Bensal)&lt;br /&gt;
* OWASP Secure Coding Practices - Quick Reference Guide (with Keith Turpin)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
I also run the [http://www.linkedin.com/e/gis/1638517 OWASP French Chapter on LinkedIn]. Join us!&amp;lt;br&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Top_Ten_Project&amp;diff=154833</id>
		<title>Category:OWASP Top Ten Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Top_Ten_Project&amp;diff=154833"/>
				<updated>2013-07-02T07:54:56Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{OWASP Book|1400974}} &lt;br /&gt;
&lt;br /&gt;
{{Social Media Links}}&lt;br /&gt;
&lt;br /&gt;
= OWASP Top 10 for 2013 =&lt;br /&gt;
&lt;br /&gt;
'''Welcome to the OWASP Top Ten Project'''   - if you're looking for the OWASP Top 10 Mobile [[OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks | Click Here]]&lt;br /&gt;
&lt;br /&gt;
On June 12, 2013 the OWASP Top 10 for 2013 was officially released. This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.&lt;br /&gt;
&lt;br /&gt;
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 document (PDF)].&lt;br /&gt;
* [[Top_10_2013 | OWASP Top 10 2013 - Wiki.]]&lt;br /&gt;
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 - 2013 is as follows:&lt;br /&gt;
&lt;br /&gt;
* A1 Injection&lt;br /&gt;
* A2 Broken Authentication and Session Management&lt;br /&gt;
* A3 Cross-Site Scripting (XSS)&lt;br /&gt;
* A4 Insecure Direct Object References&lt;br /&gt;
* A5 Security Misconfiguration&lt;br /&gt;
* A6 Sensitive Data Exposure&lt;br /&gt;
* A7 Missing Function Level Access Control&lt;br /&gt;
* A8 Cross-Site Request Forgery (CSRF)&lt;br /&gt;
* A9 Using Components with Known Vulnerabilities&lt;br /&gt;
* A10 Unvalidated Redirects and Forwards&lt;br /&gt;
&lt;br /&gt;
If you are interested, the methodology for how the Top 10 is produced is now documented here: [[Top_10_2013/ProjectMethodology | OWASP Top 10 Development Methodology]]&lt;br /&gt;
&lt;br /&gt;
Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!! &lt;br /&gt;
&lt;br /&gt;
As you help us spread the word, please emphasize: &lt;br /&gt;
&lt;br /&gt;
*OWASP is reaching out to developers, not just the application security community &lt;br /&gt;
*The Top 10 is about managing risk, not just avoiding vulnerabilities &lt;br /&gt;
*To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation&lt;br /&gt;
&lt;br /&gt;
We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.&lt;br /&gt;
&lt;br /&gt;
== Introduction ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. The 2007 and 2010 versions were translated into English, French, Spanish, Japanese, Korean, Turkish and other languages. Translation efforts for the 2013 version are underway, and translations will be posted as they become available. &lt;br /&gt;
&lt;br /&gt;
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.&lt;br /&gt;
&lt;br /&gt;
== Changes between 2010 and 2013 Editions ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:&lt;br /&gt;
&lt;br /&gt;
* A1 Injection&lt;br /&gt;
* A2 Broken Authentication and Session Management (was formerly 2010-A3)&lt;br /&gt;
* A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)&lt;br /&gt;
* A4 Insecure Direct Object References&lt;br /&gt;
* A5 Security Misconfiguration (was formerly 2010-A6)&lt;br /&gt;
* A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)&lt;br /&gt;
* A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)&lt;br /&gt;
* A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)&lt;br /&gt;
* A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)&lt;br /&gt;
* A10 Unvalidated Redirects and Forwards&lt;br /&gt;
&lt;br /&gt;
== 2013 Versions ==&lt;br /&gt;
&lt;br /&gt;
2013 Edition: &lt;br /&gt;
&lt;br /&gt;
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 - PDF] &lt;br /&gt;
*[[Top_10_2013 | OWASP Top 10 2013 - wiki]]&lt;br /&gt;
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].&lt;br /&gt;
&lt;br /&gt;
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf OWASP Top 10 - 2013 - Release Candidate]&lt;br /&gt;
&lt;br /&gt;
== Feedback ==&lt;br /&gt;
&lt;br /&gt;
Please let us know how your organization is using the Top Ten. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP! &lt;br /&gt;
&lt;br /&gt;
We hope you find the information in the OWASP Top Ten useful. Please contribute back to the project by sending your comments, questions, and suggestions to topten@lists.owasp.org Thanks! &lt;br /&gt;
&lt;br /&gt;
To join the OWASP Top Ten mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-topten subscription page.] &lt;br /&gt;
&lt;br /&gt;
== Project Sponsors ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top Ten project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- ==== Project Identification ====&lt;br /&gt;
{{Template:OWASP OWASP_Top10 Project}} --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OWASP Top 10 for 2010 =&lt;br /&gt;
&lt;br /&gt;
On April 19, 2010 the final version of the OWASP Top 10 for 2010 was released, and here is the associated [[OWASPTop10-2010-PressRelease|press release]]. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009. &lt;br /&gt;
&lt;br /&gt;
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 - 2010 Document] &lt;br /&gt;
*[[Top 10 2010|OWASP Top 10 - 2010 - wiki]] &lt;br /&gt;
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx OWASP Top 10 - 2010 Presentation]&lt;br /&gt;
*[http://blip.tv/owasp-appsec-conference-in-europe/day2_track1_1430-1505-3936900 OWASP Top 10 Video of the Presentation above - this focused a lot on the Top 10 for 2010 approach, rather than the details. (From OWASP AppSec EU 2010)]&lt;br /&gt;
*[http://www.vimeo.com/9006276 OWASP Top 10 Video of this Presentation when the Top 10 for 2010 was 1st released for comment - this goes through each item in the Top 10. (From OWASP AppSec DC 2009)]&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 Web Application Security Risks for 2010 are: &lt;br /&gt;
&lt;br /&gt;
*[[Top_10_2010-A1|A1: Injection]]&lt;br /&gt;
*[[Top_10_2010-A2|A2: Cross-Site Scripting (XSS)]]&lt;br /&gt;
*[[Top_10_2010-A3|A3: Broken Authentication and Session Management]]&lt;br /&gt;
*[[Top_10_2010-A4|A4: Insecure Direct Object References]]&lt;br /&gt;
*[[Top_10_2010-A5|A5: Cross-Site Request Forgery (CSRF)]]&lt;br /&gt;
*[[Top_10_2010-A6|A6: Security Misconfiguration]]&lt;br /&gt;
*[[Top_10_2010-A7|A7: Insecure Cryptographic Storage]]&lt;br /&gt;
*[[Top_10_2010-A8|A8: Failure to Restrict URL Access]]&lt;br /&gt;
*[[Top_10_2010-A9|A9: Insufficient Transport Layer Protection]]&lt;br /&gt;
*[[Top_10_2010-A10|A10: Unvalidated Redirects and Forwards]]&lt;br /&gt;
&lt;br /&gt;
== Introduction ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. The 2007 version was translated into English, French, Spanish, Japanese, Korean, Turkish and other languages, and the 2010 version was translated into even more languages. See below for all the translated versions.&lt;br /&gt;
&lt;br /&gt;
== 2010 Versions ==&lt;br /&gt;
&lt;br /&gt;
2010 Edition: &lt;br /&gt;
&lt;br /&gt;
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 2010 - PDF] &lt;br /&gt;
*[[Top 10 2010|OWASP Top 10 2010 - wiki]]&lt;br /&gt;
&lt;br /&gt;
2010 Translations: &lt;br /&gt;
&lt;br /&gt;
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] &lt;br /&gt;
*[https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 2010 - German PDF]&lt;br /&gt;
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF]&lt;br /&gt;
*[http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF]&lt;br /&gt;
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF]&lt;br /&gt;
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF]&lt;br /&gt;
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF]&lt;br /&gt;
*[http://www.owasp.org/images/8/86/OWASP_Top_10_-_2010_FINAL_%28spanish%29.pptx OWASP Top 10 2010 - Spanish PPT]&lt;br /&gt;
*[http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF / 这里下载PDF格式文档]&lt;br /&gt;
*[http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF]&lt;br /&gt;
*[https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]&lt;br /&gt;
&lt;br /&gt;
2010 Release Candidate: &lt;br /&gt;
&lt;br /&gt;
*[http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf OWASP Top 10 2010 Release Candidate] &lt;br /&gt;
*[http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 2010 Release Candidate Comments], except for one set of scanned comments [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf which are here].&lt;br /&gt;
&lt;br /&gt;
Previous versions: &lt;br /&gt;
&lt;br /&gt;
*[http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf OWASP Top 10 2007 - PDF] &lt;br /&gt;
*[[Top 10 2007|OWASP Top 10 2007 - wiki]] &lt;br /&gt;
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Project_Details OWASP Top 10 2007 - PDF Translations are here] &lt;br /&gt;
*[[Top 10 2004|OWASP Top 10 2004 - wiki]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Translation Efforts =&lt;br /&gt;
&lt;br /&gt;
Efforts are underway in numerous languages to translate the OWASP Top 10 for 2013. If you are interested in helping, please contact the other members of the team for the language you are interested in contributing to, or if you don't see your language listed, please let me know you want to help and we'll form a volunteer group for your language too!!&lt;br /&gt;
&lt;br /&gt;
Here is the original source document for the [https://www.owasp.org/images/4/4d/OWASP_Top_10_-_2013_Final_-_English.pptx OWASP Top 10 - 2013 which is in PowerPoint]. Please use this document as the basis for your translation efforts.&lt;br /&gt;
&lt;br /&gt;
Completed Translations:&lt;br /&gt;
&lt;br /&gt;
*French 2013: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French PDF] Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall: g4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert: jocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy: aline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory Blanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras: Etienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes: antonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire: nicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau: antoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain: gilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr, Michel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin: aymeric.tabourin@orange.com&lt;br /&gt;
*French 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] ludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org, benoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com, Guillaume.Huysmans@gemalto.com &lt;br /&gt;
*German: [https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 - German PDF] top10@owasp.de which is Frank Dölitzscher, Tobias Glemser, Dr. Ingo Hanke, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer&lt;br /&gt;
*Indonesian: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF] Tedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad&lt;br /&gt;
*Italian: [http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF] Simone Onofri, Paolo Perego, Massimo Biagiotti, Edoardo Viscosi, Salvatore Fiorillo, Roberto Battistoni, Loredana Mancini, Michele Nesta, Paco Schiaffella, Lucilla Mancini, Gerardo Di Giacomo, Valentino Squilloni&lt;br /&gt;
*Japanese: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF] cecil.su@owasp.org, Dr. Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin Umemoto, Takashi Arima&lt;br /&gt;
*Korean: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF] Hyungkeun Park, (mirrk1@gmail.com)&lt;br /&gt;
*Spanish: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF] *Daniel Cabezas Molina , Edgar Sanchez, Juan Carlos Calderon, Jose Antonio Guasch, Paulo Coronado, Rodrigo Marcos, Vicente Aguilera&lt;br /&gt;
*Chinese: [http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF] 感谢以下为中文版本做出贡献的翻译人员和审核人员: Rip Torn, 钟卫林, 高雯, 王颉, 于振东&lt;br /&gt;
*Vietnamese: [http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF] (NEW) Translation led by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung, Luong Dieu Phuong, Huynh Thien Tam&lt;br /&gt;
*Hebrew (New): [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]. Led by Or Katz, see translation page for list of contributors.&lt;br /&gt;
&lt;br /&gt;
Volunteer Translation Efforts Underway: &lt;br /&gt;
&lt;br /&gt;
*Portuguese: carlos.j.serrao@gmail.com; taquiles@gmail.com; wagner.elias@owasp.org; victoreufrasio@gmail.com; leo.cavallari@owasp.org; victoreufrasio@gmail.com; &lt;br /&gt;
*Greek: Konstantinos Papapanagiotou (conpap@di.uoa.gr) &lt;br /&gt;
*Turkish: bora@abi.com.tr &lt;br /&gt;
*Malay: cecil.su@owasp.org &lt;br /&gt;
*Czech: petr.zavodsky@owasp-czech-republic.cz&lt;br /&gt;
*Dutch: marinus@kuivenhoven.com&lt;br /&gt;
&lt;br /&gt;
= Project Details =&lt;br /&gt;
&lt;br /&gt;
{{:GPC_Project_Details/OWASP_Top10 | OWASP Project Identification Tab}}&lt;br /&gt;
&lt;br /&gt;
= How Are Companies-Projects-Vendors Using the OWASP Top 10 =&lt;br /&gt;
&lt;br /&gt;
Click the links for more details on each use! &lt;br /&gt;
&lt;br /&gt;
'''Warning''': these articles have not been rated for accuracy by OWASP. Product companies should be extremely careful about claiming to &amp;quot;cover&amp;quot; or &amp;quot;ensure compliance&amp;quot; with the OWASP Top 10. The current state of the art for automated detection (scanners and static analysis) and prevention (WAF) is nowhere near sufficient to claim adequate coverage of the issues in the Top 10. Nevertheless, using the Top 10 as a simple way to communicate security to end users is effective. &lt;br /&gt;
&lt;br /&gt;
;[http://blogs.msdn.com/b/sdl/archive/2008/05/01/sdl-and-the-owasp-top-ten.aspx Microsoft] &lt;br /&gt;
:as a way to measure the coverage of their SDL and improve security&lt;br /&gt;
&lt;br /&gt;
;[http://www.nsa.gov/applications/search/index.cfm?q=owasp NSA] &lt;br /&gt;
:in their developer guidance on web application security&lt;br /&gt;
&lt;br /&gt;
;[https://www.pcisecuritystandards.org/index.shtml PCI Council] &lt;br /&gt;
:as part of the Payment Card Industry Data Security Standard (PCI DSS)&lt;br /&gt;
&lt;br /&gt;
;[http://community.citrix.com/display/ocb/2010/06/02/NetScaler+Application+Firewall+and+the+OWASP+Top+10+2010 Citrix] &lt;br /&gt;
:in a guide showing how to configure their NetScaler product&lt;br /&gt;
&lt;br /&gt;
;[http://msdn.microsoft.com/en-us/library/dd129898.aspx Microsoft] &lt;br /&gt;
:to show how &amp;quot;T10 threats are handled by the security design and test procedures of Microsoft&amp;quot;&lt;br /&gt;
&lt;br /&gt;
;[http://www.web2py.com/examples/default/security web2py] &lt;br /&gt;
:to demonstrate the security of this Python web framework&lt;br /&gt;
&lt;br /&gt;
;[http://www.owasp.org/index.php/Commentary_OWASP_Top_Ten_2004_Project Oracle] &lt;br /&gt;
:for developer awareness&lt;br /&gt;
&lt;br /&gt;
;[http://www.theatremanagerhelp.com/book/export/html/1640 TheatreManager] &lt;br /&gt;
:to show how their product is secure for web use&lt;br /&gt;
&lt;br /&gt;
;[http://knol.google.com/k/automated-vulnerabilty-scanners-and-the-owasp-top-10# WhiteHat] &lt;br /&gt;
:as a way to explain the coverage of their service&lt;br /&gt;
&lt;br /&gt;
;[http://www.imperva.com/docs/TB_SecureSphere_OWASP_2010-Top-Ten.pdf Imperva] &lt;br /&gt;
:to show the coverage of the SecureSphere tool&lt;br /&gt;
&lt;br /&gt;
;[http://blog.cenzic.com/public/item/254309 Cenzic] &lt;br /&gt;
:to enable &amp;quot;focused scans for compliance testing with the updated PCI standard&amp;quot;&lt;br /&gt;
&lt;br /&gt;
== Users and Adopters ==&lt;br /&gt;
&lt;br /&gt;
The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency (DISA) has listed the OWASP Top Ten as key best practices that should be used as part of the DoD Information Assurance Certification and Accreditation Process ([http://iase.disa.mil/diacap/ DIACAP]). &lt;br /&gt;
&lt;br /&gt;
In the commercial market, the [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf Payment Card Industry (PCI) standard] has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. In addition, a broad range of companies and agencies around the globe are also using the OWASP Top Ten, including: &lt;br /&gt;
&lt;br /&gt;
*A.G. Edwards &lt;br /&gt;
*Bank of Newport &lt;br /&gt;
*Best Software &lt;br /&gt;
*British Telecom &lt;br /&gt;
*Bureau of Alcohol, Tobacco, and Firearms (ATF) &lt;br /&gt;
*Citibank &lt;br /&gt;
*Cboss Internet &lt;br /&gt;
*Cognizant &lt;br /&gt;
*Contra Costa County, CA &lt;br /&gt;
*Corillian Corporation &lt;br /&gt;
*Digital Payment Technologies &lt;br /&gt;
*Foundstone Strategic Security &lt;br /&gt;
*HP &lt;br /&gt;
*IBM Global Services &lt;br /&gt;
*MorphoTrust USA&lt;br /&gt;
*National Australia Bank &lt;br /&gt;
*Norfolk Southern &lt;br /&gt;
*OneSAS.com &lt;br /&gt;
*Online Business Systems &lt;br /&gt;
*Predictive Systems &lt;br /&gt;
*Price Waterhouse Coopers &lt;br /&gt;
*Recreational Equipment, Inc. (REI) &lt;br /&gt;
*SSP Solutions &lt;br /&gt;
*Samsung SDS (Korea) &lt;br /&gt;
*Sempra Energy &lt;br /&gt;
*Sprint &lt;br /&gt;
*Sun Microsystems &lt;br /&gt;
*Swiss Federal Institute of Technology &lt;br /&gt;
*Symantec &lt;br /&gt;
*Texas Dept of Human Services &lt;br /&gt;
*The Hartford &lt;br /&gt;
*Zapatec &lt;br /&gt;
*ZipForm &lt;br /&gt;
*...and many others&lt;br /&gt;
&lt;br /&gt;
Several schools have also adopted the OWASP Top Ten as a part of their curriculum, including Michigan State University (MSU), and the University of California at San Diego (UCSD). &lt;br /&gt;
&lt;br /&gt;
Several open source projects have adopted the OWASP Top Ten as part of their security audits, including: &lt;br /&gt;
&lt;br /&gt;
*[http://plone.org Plone open source CMS project] (managed by the Plone Foundation)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Other uses and resources =&lt;br /&gt;
&lt;br /&gt;
* [[OWASP_Top_10/Mapping_to_WHID | OWASP Top 10 Mapped to the Web Hacking Incident Database]]&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=149246</id>
		<title>Category:OWASP Speakers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=149246"/>
				<updated>2013-04-05T13:14:07Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This program, led by [[:user:Knoblochmartin|Martin Knobloch]], helps local chapters and application security conferences find OWASP-related speakers so that they can have OWASP presenters on site.&lt;br /&gt;
&lt;br /&gt;
This program allows two parties to find each other:&lt;br /&gt;
&lt;br /&gt;
* Local chapters or application security events that want to attract an OWASP speaker&lt;br /&gt;
* OWASP speakers who want to give OWASP presentations and see the world&lt;br /&gt;
&lt;br /&gt;
For sponsorship, see the [[:Category:OWASP_on_the_Move_Project|OWASP on the Move Project]] page&lt;br /&gt;
&lt;br /&gt;
== available presentations ==&lt;br /&gt;
&lt;br /&gt;
== available speakers  ==&lt;br /&gt;
&lt;br /&gt;
If you want to (re)do an OWASP related presentation, propose them here with your availability boundaries (timing/geographical) &lt;br /&gt;
&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;prettytable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Name &lt;br /&gt;
! Introduction &lt;br /&gt;
! Available Area &lt;br /&gt;
! Bios&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Robert(at)ZakonGroup.com Robert H'obbes' Zakon] &lt;br /&gt;
| Presenter on Web Application Security, OWASP Top 10, PHP Security, and assorted other topics.  Training sessions taught at events such as [http://www.zakongroup.com/technology/services-training.shtml OWASP, ACSAC, and CCS].  Based in New Hampshire, and available for travel worldwide.  Fluent in English, and able to converse in Portuguese.  A developer and consultant for the past decade, formerly a Principal Engineer with MITRE's InfoSec Group. &lt;br /&gt;
| Global (USA/NH-based) &lt;br /&gt;
| [http://www.zakon.org/robert/vitae.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:jmcgovern@virtusa.com James McGovern] &lt;br /&gt;
| Presenter on Enterprise Architecture and Web Application Security, SOA Web Services Security and Federated Identity.   &lt;br /&gt;
| Global (USA/CT-based) &lt;br /&gt;
| [http://www.linkedin.com/in/jamesmcgovern BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:chuck(at)McCulloughAssociates.com Chuck McCullough] &lt;br /&gt;
| Chuck provides training sessions to developers on the Top 10. Chuck welcomes speaking opportunities to any group. Chuck is available in the Texas area and at various other locations in the USA. &lt;br /&gt;
| USA/Texas &lt;br /&gt;
| [http://www.linkedin.com/in/chuckmccullough BIO]&lt;br /&gt;
|-&lt;br /&gt;
| Marc Curphey &lt;br /&gt;
| Marc will happily speak about the WebAppSec industry, SDLC etc. around Europe. You can see him in action at [http://video.hitb.org/2006.html HITB with John Viega] (big download) &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/curphey BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tomb(at)owasp.org Tom Brennan] &lt;br /&gt;
| Based in NYC Metro, Tom is a long-time volunteer and OWASP contributor and [http://www.owasp.org/index.php/About_OWASP International Board Member].  He is available for global speaking venues to educate audiences about the OWASP Foundation core mission, how it works and various projects. In addition, he also provides regular talks on honeypot research and case studies about tactical experiences when conducting [http://en.wikipedia.org/wiki/Red_Team Red Team]/Tiger Team assessments involving the application, network, wireless and physical security - [https://www.owasp.org/index.php/User:Brennan BIO]&lt;br /&gt;
| Global &lt;br /&gt;
| [http://www.linkedin.com/in/tombrennan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:thesp0nge@owasp.org Paolo Perego] &lt;br /&gt;
| Paolo is available to talk about [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Orizon project], safe coding and code review issues around Europe in the near October-December. &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/thesp0nge BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:marc.m.morana@gmail.org Marco Morana] &lt;br /&gt;
| Marco is available to talk about [http://iac.dtic.mil/iatac/download/security.pdf Software Security Frameworks] and Secure Code Reviews [https://www.cmpevents.com/CSI33/a.asp?option=G&amp;amp;V=3&amp;amp;id=443342 see 07 CSI conference as reference] in USA around November-December and in Europe around January-February &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/pub/2/a7a/59b BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:sebastien.gioria@owasp.fr Sébastien Gioria] &lt;br /&gt;
| Sebastien is available to talk about WebAppSec, educational purpose on AppSec in French or at least in English around France/Europe/Canada from middle of March 08. You can find some talks on the [http://www.owasp.fr OWASP France Chapter] &lt;br /&gt;
| France/Europe/Canada &lt;br /&gt;
| [http://www.linkedin.com/in/gioria BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:mkraushar@gmail.com Mordecai Kraushar] &lt;br /&gt;
| Mordecai is available to talk about different topics within the Web application security space. One discussion involves the OWASP project [http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project Vicnum], a flexible vulnerable web application that can be used in 'capture the flag' exercises. &lt;br /&gt;
| Northeastern United States &lt;br /&gt;
| [http://www.linkedin.com/in/mkraushar BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:michael.coates@owasp.org Michael Coates] &lt;br /&gt;
| Michael is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Michael has spoken at multiple OWASP conferences and University security courses on topics such as Introduction to Application Security, Automated Defense Systems in Applications, Real Time Detection and Prevention of Application Worms, and security risks in SSL/TLS.  &lt;br /&gt;
| USA/San Francisco &amp;amp; Virtual Presentations&lt;br /&gt;
| [http://www.linkedin.com/in/mcoates BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tobias.gondrom@owasp.org Tobias Gondrom] &lt;br /&gt;
| Tobias is on the London chapter board (and previously Germany chapter lead) and currently member of the OWASP Global Industry committee. He is available to talk on a variety of web application and information security and risk management topics. He gives two different types of presentations - preferred in Asia or Europe: &amp;lt;br&amp;gt;- CISO level: information security, risk management from Secure SDLCs, maturity models, standards and security strategy, to change management and managing application security in large organisations and the OWASP CISO Guide. &amp;lt;br&amp;gt;- Deep technical talks: new security standards and research, involving his work in web security research and as the chair of the web security working group at the IETF. Tobias has spoken at multiple OWASP AppSec and other security conferences, given university guest lectures and full training days on topics like CISO training, browser security, web security, new technologies for channel protection with SSL/TLS, electronic signatures, ...&lt;br /&gt;
| Asia and Europe  &amp;lt;br&amp;gt;(dual based in both regions)&lt;br /&gt;
| [http://uk.linkedin.com/in/gondrom BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:dan.cornell@owasp.org Dan Cornell] &lt;br /&gt;
| Dan Cornell has over twelve years of experience architecting, developing and securing web-based software systems. He speaks on a variety of software development and software security topics such as Vulnerability Management, Software Security Remediation, and Code Review/Static Analysis. Dan is based in San Antonio, TX and available to fly/drive as needed to the site. &lt;br /&gt;
| USA/San Antonio &lt;br /&gt;
| [http://www.denimgroup.com/about_team_dan.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:John.Steven@owasp.org John Steven] &lt;br /&gt;
| John speaks on a variety of topics including &amp;quot;How to build your own application security group&amp;quot;, &amp;quot;Threat Modeling&amp;quot;, &amp;quot;Code Review and Static analysis&amp;quot;, as well as other topics. John has spoken at and given tutorials for multiple OWASP conferences. John frequents New York, Boston, Washington DC, and Charlotte, but is available for travel elsewhere. &lt;br /&gt;
| Washington, DC/USA &lt;br /&gt;
| [http://www.cigital.com/about/team/management.php#jsteven BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:blake@owasp.org Blake Cornell] &lt;br /&gt;
| Blake is available to speak regarding topics including Security v. HIPAA, Penetration Testing Methodologies, Fuzzing and Blended Threats such as attacking VoIP with the OWASP Top 10. Blake lives in the NY Metro area and is available for speaking at regional, national and worldwide events. &lt;br /&gt;
| New York, NY/USA &lt;br /&gt;
| [http://www.linkedin.com/in/blakecornell BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Nick.Coblentz@gmail.com Nick Coblentz] &lt;br /&gt;
| Nick regularly performs research related to secure software development. He is available to present on topics such as the [http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (SAMM)], the [http://nickcoblentz.blogspot.com/2009/06/samm-inteview-template-version-10.html SAMM Interview Template], [http://nickcoblentz.blogspot.com/2009/05/issa-journal-web-application-security.html Building Web Application Security Portfolios], and [http://nickcoblentz.blogspot.com/2009/11/owasp-presentation-on-dec-10-microsoft.html The Microsoft SDL for Agile Development]. Please email Nick if you see articles on his [http://nickcoblentz.blogspot.com/ blog] that you would like him to present. &lt;br /&gt;
| USA/Kansas, Oklahoma, Missouri &lt;br /&gt;
| [http://www.linkedin.com/in/ncoblentz BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:johnccr@yahoo.com Juan Carlos Calderon] &lt;br /&gt;
| Juan has been part of the Application Security industry for 9 years and currently performs research in the application and information security arena. He is available to present &amp;quot;Preparing an strategy for application vulnerability detection&amp;quot;, &amp;quot;Owasp Spanish and Internationalization&amp;quot; and &amp;quot;Análisis y efectos del cibercrimen en Mexico&amp;quot; (Analysis and effects of cybercrime in México). He is also open to talk about other topics related to OWASP materials and tools; send him a note to verify the coverage. &lt;br /&gt;
| Aguascalientes/México &lt;br /&gt;
| [http://www.linkedin.com/in/juancarloscalderon BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:edward@owasp.org Edward Bonver] &lt;br /&gt;
| Edward has over a decade of experience in the software security field. He currently works for Symantec's Product Security Team, where he brings all aspects of secure software development to product teams across the company. He is a frequent speaker at various industry conferences and OWASP events; topics of interest include Threat Modeling and Security Testing.&lt;br /&gt;
| Global(USA/Los Angeles-based)&lt;br /&gt;
| [http://www.linkedin.com/in/bonver BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:ludovic.petit@owasp.org Ludovic Petit] &lt;br /&gt;
| Chapter Leader OWASP France and OWASP Global Connections Committee Member,  [https://www.owasp.org/index.php/User:Ludovic_Petit '''Ludovic'''] is living in Paris and is willing to talk about Web Application Security topics with a Corporate dimension, including about Legal and Law Enforcement, the OWASP Foundation approach, and explain why WebApp Security is also linked to Legal and Regulatory aspects, so Corporate responsibility, to protect your business.&lt;br /&gt;
| France, Europe and elsewhere, according to my availabilities and if you pay yourself the travel and accommodation expenses.&lt;br /&gt;
| [http://www.linkedin.com/in/lpetit BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:magno.logan@owasp.org Magno Logan] &lt;br /&gt;
| OWASP Paraiba Chapter Leader and OWASP Portuguese Language Project Member. Magno (Logan) Rodrigues has an MBA in Information Security and studied Computer Forensics for one year in New York. He has given many talks about OWASP and its main projects at national and international events such as [http://www.ensol.org.br/ ENSOL], [http://gts.nic.br/ GTS] and [https://www.owasp.org/index.php/AppSecLatam2011 App Sec Latam 2011]. Topics of interest include: OWASP Top 10, WebGoat, Java Security, E-commerce Security and Computer Forensics.&lt;br /&gt;
&lt;br /&gt;
| Latin America&lt;br /&gt;
| [https://www.owasp.org/index.php/User:Magno_Logan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:wagner.elias@owasp.org Wagner Elias] &lt;br /&gt;
| Wagner founded the Brazil chapter, is currently the Curitiba-Brazil Chapter Leader, and is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Wagner has spoken at various conferences in Brazil.&lt;br /&gt;
&lt;br /&gt;
Topics of interest: Mobile Security; SDL Process and Implementation; Code Review and Application Test&lt;br /&gt;
&lt;br /&gt;
| Brazil&lt;br /&gt;
| [https://www.owasp.org/index.php/User:wagner.elias BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:ramiro.pulgar@owasp.org Ramiro Pulgar] &lt;br /&gt;
| Chapter Leader OWASP Ecuador. [https://www.owasp.org/index.php/User:Ramiro_Pulgar '''milovisho'''] OWASP Ecuador Chapter Leader  &lt;br /&gt;
| Ecuador, Latin America, Global&lt;br /&gt;
| [http://ec.linkedin.com/in/ramiropulgar BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:john.vargas@owasp.org John Vargas] &lt;br /&gt;
| Chapter Leader OWASP Perú. [https://www.owasp.org/index.php/User:Jvargas '''John Vargas'''] OWASP Perú Chapter Leader  &lt;br /&gt;
| Perú, Latin America, Global&lt;br /&gt;
| [http://pe.linkedin.com/in/jvargasp BIO]&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=149245</id>
		<title>Category:OWASP Speakers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=149245"/>
				<updated>2013-04-05T13:13:28Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This program, led by [[:user:Knoblochmartin|Martin Knobloch]], helps local chapters or application security conferences find OWASP-related speakers to have OWASP presenters on site.&lt;br /&gt;
&lt;br /&gt;
This program allows two parties to find each other:&lt;br /&gt;
&lt;br /&gt;
* Local chapters or application security events that want to attract an OWASP speaker&lt;br /&gt;
* OWASP speakers who want to give OWASP presentations and see the world&lt;br /&gt;
&lt;br /&gt;
For sponsorship, see the [[:Category:OWASP_on_the_Move_Project|OWASP on the Move Project]] page&lt;br /&gt;
&lt;br /&gt;
== available presentations ==&lt;br /&gt;
&lt;br /&gt;
== available speakers  ==&lt;br /&gt;
&lt;br /&gt;
If you want to (re)do an OWASP related presentation, propose them here with your availability boundaries (timing/geographical) &lt;br /&gt;
&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;prettytable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Name &lt;br /&gt;
! Introduction &lt;br /&gt;
! Available Area &lt;br /&gt;
! Bios&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Robert(at)ZakonGroup.com Robert H'obbes' Zakon] &lt;br /&gt;
| Presenter on Web Application Security, OWASP Top 10, PHP Security, and assorted other topics.  Training sessions taught at events such as [http://www.zakongroup.com/technology/services-training.shtml OWASP, ACSAC, and CCS].  Based in New Hampshire, and available for travel worldwide.  Fluent in English, and able to converse in Portuguese.  A developer and consultant for the past decade, formerly a Principal Engineer with MITRE's InfoSec Group. &lt;br /&gt;
| Global (USA/NH-based) &lt;br /&gt;
| [http://www.zakon.org/robert/vitae.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:jmcgovern@virtusa.com James McGovern] &lt;br /&gt;
| Presenter on Enterprise Architecture and Web Application Security, SOA Web Services Security and Federated Identity.   &lt;br /&gt;
| Global (USA/CT-based) &lt;br /&gt;
| [http://www.linkedin.com/in/jamesmcgovern BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:chuck(at)McCulloughAssociates.com Chuck McCullough] &lt;br /&gt;
| Chuck provides training sessions to developers on the Top 10. Chuck welcomes speaking opportunities to any group. Chuck is available in the Texas area and at various other locations in the USA. &lt;br /&gt;
| USA/Texas &lt;br /&gt;
| [http://www.linkedin.com/in/chuckmccullough BIO]&lt;br /&gt;
|-&lt;br /&gt;
| Marc Curphey &lt;br /&gt;
| Marc will happily speak about the WebAppSec industry, SDLC etc. around Europe. You can see him in action at [http://video.hitb.org/2006.html HITB with John Viega] (big download) &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/curphey BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tomb(at)owasp.org Tom Brennan] &lt;br /&gt;
| Based in NYC Metro, Tom is a long-time volunteer and OWASP contributor and [http://www.owasp.org/index.php/About_OWASP International Board Member].  He is available for global speaking venues to educate audiences about the OWASP Foundation core mission, how it works and various projects. In addition he also provides regular talks on honeypot research and case-studies about tactical experiences when conducting [http://en.wikipedia.org/wiki/Red_Team Red Team]/Tiger Team assessments involving the application, network, wireless and physical security - [https://www.owasp.org/index.php/User:Brennan BIO]&lt;br /&gt;
| Global &lt;br /&gt;
| [http://www.linkedin.com/in/tombrennan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:thesp0nge@owasp.org Paolo Perego] &lt;br /&gt;
| Paolo is available to talk about [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Orizon project], safe coding and code review issues around Europe in the near October-December. &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/thesp0nge BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:marc.m.morana@gmail.org Marco Morana] &lt;br /&gt;
| Marco is available to talk about [http://iac.dtic.mil/iatac/download/security.pdf Software Security Frameworks] and Secure Code Reviews [https://www.cmpevents.com/CSI33/a.asp?option=G&amp;amp;V=3&amp;amp;id=443342 see 07 CSI conference as reference] in USA around November-December and in Europe around January-February &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/pub/2/a7a/59b BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:sebastien.gioria@owasp.fr Sébastien Gioria] &lt;br /&gt;
| Sebastien is available to talk about WebAppSec, educational purpose on AppSec in French or at least in English around France/Europe/Canada from middle of March 08. You can find some talks on the [http://www.owasp.fr Owasp France Chapter] &lt;br /&gt;
| France/Europe/Canada &lt;br /&gt;
| [http://www.linkedin.com/in/gioria BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:mkraushar@gmail.com Mordecai Kraushar] &lt;br /&gt;
| Mordecai is available to talk about different topics within the Web application security space. One discussion involves the OWASP project [http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project Vicnum], a flexible vulnerable web application that can be used in 'capture the flag' exercises. &lt;br /&gt;
| Northeastern United States &lt;br /&gt;
| [http://www.linkedin.com/in/mkraushar BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:michael.coates@owasp.org Michael Coates] &lt;br /&gt;
| Michael is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Michael has spoken at multiple OWASP conferences and University security courses on topics such as Introduction to Application Security, Automated Defense Systems in Applications, Real Time Detection and Prevention of Application Worms, and security risks in SSL/TLS.  &lt;br /&gt;
| USA/San Francisco &amp;amp; Virtual Presentations&lt;br /&gt;
| [http://www.linkedin.com/in/mcoates BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tobias.gondrom@owasp.org Tobias Gondrom] &lt;br /&gt;
| Tobias is on the London chapter board (and previously Germany chapter lead) and currently member of the OWASP Global Industry committee. He is available to talk on a variety of web application and information security and risk management topics. He gives two different types of presentations - preferred in Asia or Europe: &amp;lt;br&amp;gt;- CISO level: information security, risk management from Secure SDLCs, maturity models, standards and security strategy, to change management and managing application security in large organisations and the OWASP CISO Guide. &amp;lt;br&amp;gt;- Deep technical talks: new security standards and research, involving his work in web security research and as the chair of the web security working group at the IETF. Tobias has spoken at multiple OWASP AppSec and other security conferences, given university guest lectures and full training days on topics like CISO training, browser security, web security, new technologies for channel protection with SSL/TLS, electronic signatures, ...&lt;br /&gt;
| Asia and Europe  &amp;lt;br&amp;gt;(dual based in both regions)&lt;br /&gt;
| [http://uk.linkedin.com/in/gondrom BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:dan.cornell@owasp.org Dan Cornell] &lt;br /&gt;
| Dan Cornell has over twelve years of experience architecting, developing and securing web-based software systems. He speaks on a variety of software development and software security topics such as Vulnerability Management, Software Security Remediation, and Code Review/Static Analysis. Dan is based in San Antonio, TX and available to fly/drive as needed to the site. &lt;br /&gt;
| USA/San Antonio &lt;br /&gt;
| [http://www.denimgroup.com/about_team_dan.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:John.Steven@owasp.org John Steven] &lt;br /&gt;
| John speaks on a variety of topics including &amp;quot;How to build your own application security group&amp;quot;, &amp;quot;Threat Modeling&amp;quot;, &amp;quot;Code Review and Static analysis&amp;quot;, as well as other topics. John has spoken at and given tutorials for multiple OWASP conferences. John frequents New York, Boston, Washington DC, and Charlotte, but is available for travel elsewhere. &lt;br /&gt;
| Washington, DC/USA &lt;br /&gt;
| [http://www.cigital.com/about/team/management.php#jsteven BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:blake@owasp.org Blake Cornell] &lt;br /&gt;
| Blake is available to speak regarding topics including Security v. HIPAA, Penetration Testing Methodologies, Fuzzing and Blended Threats such as attacking VoIP with the OWASP Top 10. Blake lives in the NY Metro area and is available for speaking at regional, national and worldwide events. &lt;br /&gt;
| New York, NY/USA &lt;br /&gt;
| [http://www.linkedin.com/in/blakecornell BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Nick.Coblentz@gmail.com Nick Coblentz] &lt;br /&gt;
| Nick regularly performs research related to secure software development. He is available to present on topics such as the [http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (SAMM)], the [http://nickcoblentz.blogspot.com/2009/06/samm-inteview-template-version-10.html SAMM Interview Template], [http://nickcoblentz.blogspot.com/2009/05/issa-journal-web-application-security.html Building Web Application Security Portfolios], and [http://nickcoblentz.blogspot.com/2009/11/owasp-presentation-on-dec-10-microsoft.html The Microsoft SDL for Agile Development]. Please email Nick if you see articles on his [http://nickcoblentz.blogspot.com/ blog] that you would like him to present. &lt;br /&gt;
| USA/Kansas, Oklahoma, Missouri &lt;br /&gt;
| [http://www.linkedin.com/in/ncoblentz BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:johnccr@yahoo.com Juan Carlos Calderon] &lt;br /&gt;
| Juan has been part of the Application Security industry for 9 years and currently performs research in the application and information security arena. He is available to present &amp;quot;Preparing an strategy for application vulnerability detection&amp;quot;, &amp;quot;Owasp Spanish and Internationalization&amp;quot; and &amp;quot;Análisis y efectos del cibercrimen en Mexico&amp;quot; (Analysis and effects of cybercrime in México). He is also open to talk about other topics related to OWASP materials and tools; send him a note to verify the coverage. &lt;br /&gt;
| Aguascalientes/México &lt;br /&gt;
| [http://www.linkedin.com/in/juancarloscalderon BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:edward@owasp.org Edward Bonver] &lt;br /&gt;
| Edward has over a decade of experience in the software security field. He currently works for Symantec's Product Security Team, where he brings all aspects of secure software development to product teams across the company. He is a frequent speaker at various industry conferences and OWASP events; topics of interest include Threat Modeling and Security Testing.&lt;br /&gt;
| Global(USA/Los Angeles-based)&lt;br /&gt;
| [http://www.linkedin.com/in/bonver BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:ludovic.petit@owasp.org Ludovic Petit] &lt;br /&gt;
| Chapter Leader OWASP France and OWASP Global Connections Committee Member,  [https://www.owasp.org/index.php/User:Ludovic_Petit '''Ludovic'''] is living in Paris and is willing to talk about Web Application Security topics with a Corporate dimension, including about Legal and Law Enforcement, the OWASP Foundation approach, and explain why WebApp Security is also linked to Legal and Regulatory aspects, so Corporate responsibility, to protect your business.&lt;br /&gt;
| According to my availabilities, France, Europe and elsewhere, if you pay yourself the travel and accommodation expenses.&lt;br /&gt;
| [http://www.linkedin.com/in/lpetit BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:magno.logan@owasp.org Magno Logan] &lt;br /&gt;
| OWASP Paraiba Chapter Leader and OWASP Portuguese Language Project Member. Magno (Logan) Rodrigues has an MBA in Information Security and studied Computer Forensics for one year in New York. He has given many talks about OWASP and its main projects at national and international events such as [http://www.ensol.org.br/ ENSOL], [http://gts.nic.br/ GTS] and [https://www.owasp.org/index.php/AppSecLatam2011 App Sec Latam 2011]. Topics of interest include: OWASP Top 10, WebGoat, Java Security, E-commerce Security and Computer Forensics.&lt;br /&gt;
&lt;br /&gt;
| Latin America&lt;br /&gt;
| [https://www.owasp.org/index.php/User:Magno_Logan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:wagner.elias@owasp.org Wagner Elias] &lt;br /&gt;
| Wagner founded the Brazil chapter, is currently the Curitiba-Brazil Chapter Leader, and is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Wagner has spoken at various conferences in Brazil.&lt;br /&gt;
&lt;br /&gt;
Topics of interest: Mobile Security; SDL Process and Implementation; Code Review and Application Test&lt;br /&gt;
&lt;br /&gt;
| Brazil&lt;br /&gt;
| [https://www.owasp.org/index.php/User:wagner.elias BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:ramiro.pulgar@owasp.org Ramiro Pulgar] &lt;br /&gt;
| Chapter Leader OWASP Ecuador. [https://www.owasp.org/index.php/User:Ramiro_Pulgar '''milovisho'''] OWASP Ecuador Chapter Leader  &lt;br /&gt;
| Ecuador, Latin America, Global&lt;br /&gt;
| [http://ec.linkedin.com/in/ramiropulgar BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:john.vargas@owasp.org John Vargas] &lt;br /&gt;
| Chapter Leader OWASP Perú. [https://www.owasp.org/index.php/User:Jvargas '''John Vargas'''] OWASP Perú Chapter Leader  &lt;br /&gt;
| Perú, Latin America, Global&lt;br /&gt;
| [http://pe.linkedin.com/in/jvargasp BIO]&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=149244</id>
		<title>Category:OWASP Speakers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=149244"/>
				<updated>2013-04-05T13:11:06Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This program, led by [[:user:Knoblochmartin|Martin Knobloch]], helps local chapters or application security conferences find OWASP-related speakers to have OWASP presenters on site.&lt;br /&gt;
&lt;br /&gt;
This program allows two parties to find each other:&lt;br /&gt;
&lt;br /&gt;
* Local chapters or application security events that want to attract an OWASP speaker&lt;br /&gt;
* OWASP speakers who want to give OWASP presentations and see the world&lt;br /&gt;
&lt;br /&gt;
For sponsorship, see the [[:Category:OWASP_on_the_Move_Project|OWASP on the Move Project]] page&lt;br /&gt;
&lt;br /&gt;
== available presentations ==&lt;br /&gt;
&lt;br /&gt;
== available speakers  ==&lt;br /&gt;
&lt;br /&gt;
If you want to (re)do an OWASP related presentation, propose them here with your availability boundaries (timing/geographical) &lt;br /&gt;
&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;prettytable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Name &lt;br /&gt;
! Introduction &lt;br /&gt;
! Available Area &lt;br /&gt;
! Bios&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Robert(at)ZakonGroup.com Robert H'obbes' Zakon] &lt;br /&gt;
| Presenter on Web Application Security, OWASP Top 10, PHP Security, and assorted other topics.  Training sessions taught at events such as [http://www.zakongroup.com/technology/services-training.shtml OWASP, ACSAC, and CCS].  Based in New Hampshire, and available for travel worldwide.  Fluent in English, and able to converse in Portuguese.  A developer and consultant for the past decade, formerly a Principal Engineer with MITRE's InfoSec Group. &lt;br /&gt;
| Global (USA/NH-based) &lt;br /&gt;
| [http://www.zakon.org/robert/vitae.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:jmcgovern@virtusa.com James McGovern] &lt;br /&gt;
| Presenter on Enterprise Architecture and Web Application Security, SOA Web Services Security and Federated Identity.   &lt;br /&gt;
| Global (USA/CT-based) &lt;br /&gt;
| [http://www.linkedin.com/in/jamesmcgovern BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:chuck(at)McCulloughAssociates.com Chuck McCullough] &lt;br /&gt;
| Chuck provides training sessions to developers on the Top 10. Chuck welcomes speaking opportunities to any group. Chuck is available in the Texas area and at various other locations in the USA. &lt;br /&gt;
| USA/Texas &lt;br /&gt;
| [http://www.linkedin.com/in/chuckmccullough BIO]&lt;br /&gt;
|-&lt;br /&gt;
| Marc Curphey &lt;br /&gt;
| Marc will happily speak about the WebAppSec industry, SDLC etc. around Europe. You can see him in action at [http://video.hitb.org/2006.html HITB with John Viega] (big download) &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/curphey BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tomb(at)owasp.org Tom Brennan] &lt;br /&gt;
| Based in NYC Metro, Tom is a long-time volunteer and OWASP contributor and [http://www.owasp.org/index.php/About_OWASP International Board Member].  He is available for global speaking venues to educate audiences about the OWASP Foundation core mission, how it works and various projects. In addition he also provides regular talks on honeypot research and case-studies about tactical experiences when conducting [http://en.wikipedia.org/wiki/Red_Team Red Team]/Tiger Team assessments involving the application, network, wireless and physical security - [https://www.owasp.org/index.php/User:Brennan BIO]&lt;br /&gt;
| Global &lt;br /&gt;
| [http://www.linkedin.com/in/tombrennan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:thesp0nge@owasp.org Paolo Perego] &lt;br /&gt;
| Paolo is available to talk about [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Orizon project], safe coding and code review issues around Europe in the near October-December. &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/thesp0nge BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:marc.m.morana@gmail.org Marco Morana] &lt;br /&gt;
| Marco is available to talk about [http://iac.dtic.mil/iatac/download/security.pdf Software Security Frameworks] and Secure Code Reviews [https://www.cmpevents.com/CSI33/a.asp?option=G&amp;amp;V=3&amp;amp;id=443342 see 07 CSI conference as reference] in USA around November-December and in Europe around January-February &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/pub/2/a7a/59b BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:sebastien.gioria@owasp.fr Sébastien Gioria] &lt;br /&gt;
| Sebastien is available to talk about WebAppSec, educational purpose on AppSec in French or at least in English around France/Europe/Canada from middle of March 08. You can find some talks on the [http://www.owasp.fr Owasp France Chapter] &lt;br /&gt;
| France/Europe/Canada &lt;br /&gt;
| [http://www.linkedin.com/in/gioria BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:mkraushar@gmail.com Mordecai Kraushar] &lt;br /&gt;
| Mordecai is available to talk about different topics within the Web application security space. One discussion involves the OWASP project [http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project Vicnum], a flexible vulnerable web application that can be used in 'capture the flag' exercises. &lt;br /&gt;
| Northeastern United States &lt;br /&gt;
| [http://www.linkedin.com/in/mkraushar BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:michael.coates@owasp.org Michael Coates] &lt;br /&gt;
| Michael is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Michael has spoken at multiple OWASP conferences and University security courses on topics such as Introduction to Application Security, Automated Defense Systems in Applications, Real Time Detection and Prevention of Application Worms, and security risks in SSL/TLS.  &lt;br /&gt;
| USA/San Francisco &amp;amp; Virtual Presentations&lt;br /&gt;
| [http://www.linkedin.com/in/mcoates BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tobias.gondrom@owasp.org Tobias Gondrom] &lt;br /&gt;
| Tobias is on the London chapter board (and previously Germany chapter lead) and currently member of the OWASP Global Industry committee. He is available to talk on a variety of web application and information security and risk management topics. He gives two different types of presentations - preferred in Asia or Europe: &amp;lt;br&amp;gt;- CISO level: information security, risk management from Secure SDLCs, maturity models, standards and security strategy, to change management and managing application security in large organisations and the OWASP CISO Guide. &amp;lt;br&amp;gt;- Deep technical talks: new security standards and research, involving his work in web security research and as the chair of the web security working group at the IETF. Tobias has spoken at multiple OWASP AppSec and other security conferences, given university guest lectures and full training days on topics like CISO training, browser security, web security, new technologies for channel protection with SSL/TLS, electronic signatures, ...&lt;br /&gt;
| Asia and Europe  &amp;lt;br&amp;gt;(dual based in both regions)&lt;br /&gt;
| [http://uk.linkedin.com/in/gondrom BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:dan.cornell@owasp.org Dan Cornell] &lt;br /&gt;
| Dan Cornell has over twelve years of experience architecting, developing and securing web-based software systems. He speaks on a variety of software development and software security topics such as Vulnerability Management, Software Security Remediation, and Code Review/Static Analysis. Dan is based in San Antonio, TX and available to fly/drive as needed to the site. &lt;br /&gt;
| USA/San Antonio &lt;br /&gt;
| [http://www.denimgroup.com/about_team_dan.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:John.Steven@owasp.org John Steven] &lt;br /&gt;
| John speaks on a variety of topics including &amp;quot;How to build your own application security group&amp;quot;, &amp;quot;Threat Modeling&amp;quot;, &amp;quot;Code Review and Static analysis&amp;quot;, as well as other topics. John has spoken at and given tutorials for multiple OWASP conferences. John frequents New York, Boston, Washington DC, and Charlotte, but is available for travel elsewhere. &lt;br /&gt;
| Washington, DC/USA &lt;br /&gt;
| [http://www.cigital.com/about/team/management.php#jsteven BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:blake@owasp.org Blake Cornell] &lt;br /&gt;
| Blake is available to speak regarding topics including Security v. HIPAA, Penetration Testing Methodologies, Fuzzing and Blended Threats such as attacking VoIP with the OWASP Top 10. Blake lives in the NY Metro area and is available for speaking at regional, national and worldwide events. &lt;br /&gt;
| New York, NY/USA &lt;br /&gt;
| [http://www.linkedin.com/in/blakecornell BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Nick.Coblentz@gmail.com Nick Coblentz] &lt;br /&gt;
| Nick regularly performs research related to secure software development. He is available to present on topics such as the [http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (SAMM)], the [http://nickcoblentz.blogspot.com/2009/06/samm-inteview-template-version-10.html SAMM Interview Template], [http://nickcoblentz.blogspot.com/2009/05/issa-journal-web-application-security.html Building Web Application Security Portfolios], and [http://nickcoblentz.blogspot.com/2009/11/owasp-presentation-on-dec-10-microsoft.html The Microsoft SDL for Agile Development]. Please email Nick if you see articles on his [http://nickcoblentz.blogspot.com/ blog] that you would like him to present. &lt;br /&gt;
| USA/Kansas, Oklahoma, Missouri &lt;br /&gt;
| [http://www.linkedin.com/in/ncoblentz BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:johnccr@yahoo.com Juan Carlos Calderon] &lt;br /&gt;
| Juan has been part of the Application Security industry for 9 years and currently performs research in the application and information security arena. He is available to present &amp;quot;Preparing an strategy for application vulnerability detection&amp;quot;, &amp;quot;Owasp Spanish and Internationalization&amp;quot; and &amp;quot;Análisis y efectos del cibercrimen en Mexico&amp;quot; (Analysis and effects of cybercrime in México). He is also open to talk about other topics related to OWASP materials and tools; send him a note to verify the coverage. &lt;br /&gt;
| Aguascalientes/México &lt;br /&gt;
| [http://www.linkedin.com/in/juancarloscalderon BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:edward@owasp.org Edward Bonver] &lt;br /&gt;
| Edward has over a decade of experience in the software security field. He currently works for Symantec's Product Security Team, where he brings all aspects of secure software development to product teams across the company. He is a frequent speaker at various industry conferences and OWASP events; topics of interest include Threat Modeling and Security Testing.&lt;br /&gt;
| Global(USA/Los Angeles-based)&lt;br /&gt;
| [http://www.linkedin.com/in/bonver BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:ludovic.petit@owasp.org Ludovic Petit] &lt;br /&gt;
| Chapter Leader OWASP France and OWASP Global Connections Committee Member,  [https://www.owasp.org/index.php/User:Ludovic_Petit '''Ludovic'''] is living in Paris and is willing to talk about Web Application Security topics with a Corporate dimension, including about Legal and Law Enforcement, the OWASP Foundation approach, and explain why WebApp Security is also linked to Legal and Regulatory aspects, so Corporate responsibility, to protect your business.&lt;br /&gt;
| France, Europe and elsewhere, if you pay yourself the travel and accommodation expenses.&lt;br /&gt;
| [http://www.linkedin.com/in/lpetit BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:magno.logan@owasp.org Magno Logan] &lt;br /&gt;
| OWASP Paraiba Chapter Leader and OWASP Portuguese Language Project Member. Magno (Logan) Rodrigues has an MBA in Information Security and studied Computer Forensics for one year in New York. He has given many talks about OWASP and its main projects at national and international events such as [http://www.ensol.org.br/ ENSOL], [http://gts.nic.br/ GTS] and [https://www.owasp.org/index.php/AppSecLatam2011 App Sec Latam 2011]. Topics of interest include: OWASP Top 10, WebGoat, Java Security, E-commerce Security and Computer Forensics.&lt;br /&gt;
&lt;br /&gt;
| Latin America&lt;br /&gt;
| [https://www.owasp.org/index.php/User:Magno_Logan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:wagner.elias@owasp.org Wagner Elias] &lt;br /&gt;
| Wagner founded the Brazil chapter, is currently the Curitiba-Brazil Chapter Leader, and is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Wagner has spoken at various conferences in Brazil.&lt;br /&gt;
&lt;br /&gt;
Topics of interest: Mobile Security; SDL Process and Implementation; Code Review and Application Test&lt;br /&gt;
&lt;br /&gt;
| Brazil&lt;br /&gt;
| [https://www.owasp.org/index.php/User:wagner.elias BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:ramiro.pulgar@owasp.org Ramiro Pulgar] &lt;br /&gt;
| Chapter Leader OWASP Ecuador. [https://www.owasp.org/index.php/User:Ramiro_Pulgar '''milovisho'''] OWASP Ecuador Chapter Leader  &lt;br /&gt;
| Ecuador, Latin America, Global&lt;br /&gt;
| [http://ec.linkedin.com/in/ramiropulgar BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:john.vargas@owasp.org John Vargas] &lt;br /&gt;
| Chapter Leader OWASP Perú. [https://www.owasp.org/index.php/User:Jvargas '''John Vargas'''] OWASP Perú Chapter Leader  &lt;br /&gt;
| Perú, Latin America, Global&lt;br /&gt;
| [http://pe.linkedin.com/in/jvargasp BIO]&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=149243</id>
		<title>Category:OWASP Speakers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=149243"/>
				<updated>2013-04-05T13:09:17Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This program, led by [[:user:Knoblochmartin|Martin Knobloch]], helps local chapters or application security conferences find OWASP-related speakers to have OWASP presenters on site.&lt;br /&gt;
&lt;br /&gt;
This program allows two parties to find each other:&lt;br /&gt;
&lt;br /&gt;
* Local chapters or application security events that want to attract an OWASP speaker&lt;br /&gt;
* OWASP speakers who want to give OWASP presentations and see the world&lt;br /&gt;
&lt;br /&gt;
For sponsorship, see the [[:Category:OWASP_on_the_Move_Project|OWASP on the Move Project]] page&lt;br /&gt;
&lt;br /&gt;
== available presentations ==&lt;br /&gt;
&lt;br /&gt;
== available speakers  ==&lt;br /&gt;
&lt;br /&gt;
If you want to (re)do an OWASP-related presentation, propose it here with your availability boundaries (timing/geographical) &lt;br /&gt;
&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;prettytable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Name &lt;br /&gt;
! Introduction &lt;br /&gt;
! Available Area &lt;br /&gt;
! Bios&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Robert(at)ZakonGroup.com Robert H'obbes' Zakon] &lt;br /&gt;
| Presenter on Web Application Security, OWASP Top 10, PHP Security, and assorted other topics.  Training sessions taught at events such as [http://www.zakongroup.com/technology/services-training.shtml OWASP, ACSAC, and CCS].  Based in New Hampshire, and available for travel worldwide.  Fluent in English, and able to converse in Portuguese.  A developer and consultant for the past decade, formerly a Principal Engineer with MITRE's InfoSec Group. &lt;br /&gt;
| Global (USA/NH-based) &lt;br /&gt;
| [http://www.zakon.org/robert/vitae.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:jmcgovern@virtusa.com James McGovern] &lt;br /&gt;
| Presenter on Enterprise Architecture and Web Application Security, SOA Web Services Security and Federated Identity.   &lt;br /&gt;
| Global (USA/CT-based) &lt;br /&gt;
| [http://www.linkedin.com/in/jamesmcgovern BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:chuck(at)McCulloughAssociates.com Chuck McCullough] &lt;br /&gt;
| Chuck provides training sessions to developers on the Top 10. Chuck welcomes speaking opportunities to any group. Chuck is available in the Texas area and at various other locations in the USA. &lt;br /&gt;
| USA/Texas &lt;br /&gt;
| [http://www.linkedin.com/in/chuckmccullough BIO]&lt;br /&gt;
|-&lt;br /&gt;
| Marc Curphey &lt;br /&gt;
| Marc will happily speak about the WebAppSec industry, SDLC etc. around Europe. You can see him in action at [http://video.hitb.org/2006.html HITB with John Viega] (big download) &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/curphey BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tomb(at)owasp.org Tom Brennan] &lt;br /&gt;
| Based in NYC Metro, Tom is a long-time volunteer and OWASP contributor and [http://www.owasp.org/index.php/About_OWASP International Board Member].  He is available for global speaking venues to educate audiences about the OWASP Foundation core mission, how it works and various projects. In addition he also provides regular talks on honeypot research and case-studies about tactical experiences when conducting [http://en.wikipedia.org/wiki/Red_Team Red Team]/Tiger Team assessments involving the application, network, wireless and physical security - [https://www.owasp.org/index.php/User:Brennan BIO]&lt;br /&gt;
| Global &lt;br /&gt;
| [http://www.linkedin.com/in/tombrennan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:thesp0nge@owasp.org Paolo Perego] &lt;br /&gt;
| Paolo is available to talk about [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Orizon project], safe coding and code review issues around Europe in the near October-December. &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/thesp0nge BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:marc.m.morana@gmail.org Marco Morana] &lt;br /&gt;
| Marco is available to talk about [http://iac.dtic.mil/iatac/download/security.pdf Software Security Frameworks] and Secure Code Reviews [https://www.cmpevents.com/CSI33/a.asp?option=G&amp;amp;V=3&amp;amp;id=443342 see 07 CSI conference as reference] in USA around November-December and in Europe around January-February &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/pub/2/a7a/59b BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:sebastien.gioria@owasp.fr Sébastien Gioria] &lt;br /&gt;
| Sebastien is available to talk about WebAppSec, for educational purposes on AppSec, in French or at least in English, around France/Europe/Canada from the middle of March 08. You can find some talks on the [http://www.owasp.fr Owasp France Chapter] &lt;br /&gt;
| France/Europe/Canada &lt;br /&gt;
| [http://www.linkedin.com/in/gioria BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:mkraushar@gmail.com Mordecai Kraushar] &lt;br /&gt;
| Mordecai is available to talk about different topics within the Web application security space. One discussion involves the OWASP project [http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project Vicnum], a flexible vulnerable web application that can be used in 'capture the flag' exercises. &lt;br /&gt;
| Northeastern United States &lt;br /&gt;
| [http://www.linkedin.com/in/mkraushar BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:michael.coates@owasp.org Michael Coates] &lt;br /&gt;
| Michael is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Michael has spoken at multiple OWASP conferences and University security courses on topics such as Introduction to Application Security, Automated Defense Systems in Applications, Real Time Detection and Prevention of Application Worms, and security risks in SSL/TLS.  &lt;br /&gt;
| USA/San Francisco &amp;amp; Virtual Presentations&lt;br /&gt;
| [http://www.linkedin.com/in/mcoates BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tobias.gondrom@owasp.org Tobias Gondrom] &lt;br /&gt;
| Tobias is on the London chapter board (and previously Germany chapter lead) and currently member of the OWASP Global Industry committee. He is available to talk on a variety of web application and information security and risk management topics. He gives two different types of presentations - preferred in Asia or Europe: &amp;lt;br&amp;gt;- CISO level: information security, risk management from Secure SDLCs, maturity models, standards and security strategy, to change management and managing application security in large organisations and the OWASP CISO Guide. &amp;lt;br&amp;gt;- Deep technical talks: new security standards and research, involving his work in web security research and as the chair of the web security working group at the IETF. Tobias has spoken at multiple OWASP AppSec and other security conferences, given university guest lectures and full training days on topics like CISO training, browser security, web security, new technologies for channel protection with SSL/TLS, electronic signatures, ...&lt;br /&gt;
| Asia and Europe  &amp;lt;br&amp;gt;(dual based in both regions)&lt;br /&gt;
| [http://uk.linkedin.com/in/gondrom BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:dan.cornell@owasp.org Dan Cornell] &lt;br /&gt;
| Dan Cornell has over twelve years of experience architecting, developing and securing web-based software systems. He speaks on a variety of software development and software security topics such as Vulnerability Management, Software Security Remediation, and Code Review/Static Analysis. Dan is based in San Antonio, TX and available to fly/drive as needed to the site. &lt;br /&gt;
| USA/San Antonio &lt;br /&gt;
| [http://www.denimgroup.com/about_team_dan.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:John.Steven@owasp.org John Steven] &lt;br /&gt;
| John speaks on a variety of topics including &amp;quot;How to build your own application security group&amp;quot;, &amp;quot;Threat Modeling&amp;quot;, &amp;quot;Code Review and Static analysis&amp;quot;, as well as other topics. John has spoken at and given tutorials for multiple OWASP conferences. John frequents New York, Boston, Washington DC, and Charlotte, but is available for travel elsewhere. &lt;br /&gt;
| Washington, DC/USA &lt;br /&gt;
| [http://www.cigital.com/about/team/management.php#jsteven BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:blake@owasp.org Blake Cornell] &lt;br /&gt;
| Blake is available to speak regarding topics including Security v. HIPAA, Penetration Testing Methodologies, Fuzzing and Blended Threats such as attacking VoIP with the OWASP Top 10. Blake lives in the NY Metro area and is available for speaking at regional, national and worldwide events. &lt;br /&gt;
| New York, NY/USA &lt;br /&gt;
| [http://www.linkedin.com/in/blakecornell BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Nick.Coblentz@gmail.com Nick Coblentz] &lt;br /&gt;
| Nick regularly performs research related to secure software development. He is available to present on topics such as the [http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (SAMM)], the [http://nickcoblentz.blogspot.com/2009/06/samm-inteview-template-version-10.html SAMM Interview Template], [http://nickcoblentz.blogspot.com/2009/05/issa-journal-web-application-security.html Building Web Application Security Portfolios], and [http://nickcoblentz.blogspot.com/2009/11/owasp-presentation-on-dec-10-microsoft.html The Microsoft SDL for Agile Development]. Please email Nick if you see articles on his [http://nickcoblentz.blogspot.com/ blog] that you would like him to present. &lt;br /&gt;
| USA/Kansas, Oklahoma, Missouri &lt;br /&gt;
| [http://www.linkedin.com/in/ncoblentz BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:johnccr@yahoo.com Juan Carlos Calderon] &lt;br /&gt;
| Juan has been part of the Application Security industry for 9 years and currently performs research in the application and information security arena. He is available to present &amp;quot;Preparing an strategy for application vulnerability detection&amp;quot;, &amp;quot;Owasp Spanish and Internationalization&amp;quot; and &amp;quot;Análisis y efectos del cibercrimen en Mexico&amp;quot; (Analysis and effects of cybercrime in México). He is also open to talk about other topics related to OWASP materials and tools; send him a note to verify the coverage. &lt;br /&gt;
| Aguascalientes/México &lt;br /&gt;
| [http://www.linkedin.com/in/juancarloscalderon BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:edward@owasp.org Edward Bonver] &lt;br /&gt;
| Edward has over a decade of experience in the software security field. He currently works for Symantec's Product Security Team, where he brings all aspects of secure software development to product teams across the company. He is a frequent speaker at various industry conferences and OWASP events; topics of interest include Threat Modeling and Security Testing.&lt;br /&gt;
| Global(USA/Los Angeles-based)&lt;br /&gt;
| [http://www.linkedin.com/in/bonver BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:ludovic.petit@owasp.org Ludovic Petit] &lt;br /&gt;
| Chapter Leader OWASP France and OWASP Global Connections Committee Member,  [https://www.owasp.org/index.php/User:Ludovic_Petit '''Ludovic'''] is living in Paris and is willing to talk about Web Application Security topics with a Corporate dimension, including about Legal and Law Enforcement, the OWASP Foundation approach, and explain why WebApp Security is also linked to Legal and Regulatory aspects, so Corporate responsibility, to protect your business.&lt;br /&gt;
| France, Europe and elsewhere, if you pay the travel expenses yourself.&lt;br /&gt;
| [http://www.linkedin.com/in/lpetit BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:magno.logan@owasp.org Magno Logan] &lt;br /&gt;
| OWASP Paraiba Chapter Leader and OWASP Portuguese Language Project Member. Magno (Logan) Rodrigues has an MBA in Information Security and studied Computer Forensics for one year in New York. He has given many talks about OWASP and its main projects at national and international events such as [http://www.ensol.org.br/ ENSOL], [http://gts.nic.br/ GTS] and [https://www.owasp.org/index.php/AppSecLatam2011 App Sec Latam 2011]. Topics of interest include: OWASP Top 10, WebGoat, Java Security, E-commerce Security and Computer Forensics.&lt;br /&gt;
&lt;br /&gt;
| Latin America&lt;br /&gt;
| [https://www.owasp.org/index.php/User:Magno_Logan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:wagner.elias@owasp.org Wagner Elias] &lt;br /&gt;
| Wagner founded the Brazil chapter, is currently Curitiba-Brazil Chapter Leader and is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Wagner has spoken at various conferences in Brazil.&lt;br /&gt;
&lt;br /&gt;
Topics of interest: Mobile Security; SDL Process and Implementation; Code Review and Application Test&lt;br /&gt;
&lt;br /&gt;
| Brazil&lt;br /&gt;
| [https://www.owasp.org/index.php/User:wagner.elias BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:ramiro.pulgar@owasp.org Ramiro Pulgar] &lt;br /&gt;
| Chapter Leader OWASP Ecuador. [https://www.owasp.org/index.php/User:Ramiro_Pulgar '''milovisho'''] OWASP Ecuador Chapter Leader  &lt;br /&gt;
| Ecuador, Latin America, Global&lt;br /&gt;
| [http://ec.linkedin.com/in/ramiropulgar BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:john.vargas@owasp.org John Vargas] &lt;br /&gt;
| Chapter Leader OWASP Perú. [https://www.owasp.org/index.php/User:Jvargas '''John Vargas'''] OWASP Perú Chapter Leader  &lt;br /&gt;
| Perú, Latin America, Global&lt;br /&gt;
| [http://pe.linkedin.com/in/jvargasp BIO]&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=149242</id>
		<title>Category:OWASP Speakers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=149242"/>
				<updated>2013-04-05T13:05:49Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This program, led by [[:user:Knoblochmartin|Martin Knobloch]], helps local chapters or application security conferences find OWASP-related speakers to have OWASP presenters on site.&lt;br /&gt;
&lt;br /&gt;
This program allows two parties to find each other:&lt;br /&gt;
&lt;br /&gt;
* Local chapters or application security events that want to attract an OWASP speaker&lt;br /&gt;
* OWASP speakers who want to give OWASP presentations and see the world&lt;br /&gt;
&lt;br /&gt;
For sponsorship, see the [[:Category:OWASP_on_the_Move_Project|OWASP on the Move Project]] page&lt;br /&gt;
&lt;br /&gt;
== available presentations ==&lt;br /&gt;
&lt;br /&gt;
== available speakers  ==&lt;br /&gt;
&lt;br /&gt;
If you want to (re)do an OWASP-related presentation, propose it here with your availability boundaries (timing/geographical) &lt;br /&gt;
&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;prettytable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Name &lt;br /&gt;
! Introduction &lt;br /&gt;
! Available Area &lt;br /&gt;
! Bios&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Robert(at)ZakonGroup.com Robert H'obbes' Zakon] &lt;br /&gt;
| Presenter on Web Application Security, OWASP Top 10, PHP Security, and assorted other topics.  Training sessions taught at events such as [http://www.zakongroup.com/technology/services-training.shtml OWASP, ACSAC, and CCS].  Based in New Hampshire, and available for travel worldwide.  Fluent in English, and able to converse in Portuguese.  A developer and consultant for the past decade, formerly a Principal Engineer with MITRE's InfoSec Group. &lt;br /&gt;
| Global (USA/NH-based) &lt;br /&gt;
| [http://www.zakon.org/robert/vitae.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:jmcgovern@virtusa.com James McGovern] &lt;br /&gt;
| Presenter on Enterprise Architecture and Web Application Security, SOA Web Services Security and Federated Identity.   &lt;br /&gt;
| Global (USA/CT-based) &lt;br /&gt;
| [http://www.linkedin.com/in/jamesmcgovern BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:chuck(at)McCulloughAssociates.com Chuck McCullough] &lt;br /&gt;
| Chuck provides training sessions to developers on the Top 10. Chuck welcomes speaking opportunities to any group. Chuck is available in the Texas area and at various other locations in the USA. &lt;br /&gt;
| USA/Texas &lt;br /&gt;
| [http://www.linkedin.com/in/chuckmccullough BIO]&lt;br /&gt;
|-&lt;br /&gt;
| Marc Curphey &lt;br /&gt;
| Marc will happily speak about the WebAppSec industry, SDLC etc. around Europe. You can see him in action at [http://video.hitb.org/2006.html HITB with John Viega] (big download) &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/curphey BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tomb(at)owasp.org Tom Brennan] &lt;br /&gt;
| Based in NYC Metro, Tom is a long-time volunteer and OWASP contributor and [http://www.owasp.org/index.php/About_OWASP International Board Member].  He is available for global speaking venues to educate audiences about the OWASP Foundation core mission, how it works and various projects. In addition he also provides regular talks on honeypot research and case-studies about tactical experiences when conducting [http://en.wikipedia.org/wiki/Red_Team Red Team]/Tiger Team assessments involving the application, network, wireless and physical security - [https://www.owasp.org/index.php/User:Brennan BIO]&lt;br /&gt;
| Global &lt;br /&gt;
| [http://www.linkedin.com/in/tombrennan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:thesp0nge@owasp.org Paolo Perego] &lt;br /&gt;
| Paolo is available to talk about [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Orizon project], safe coding and code review issues around Europe in the near October-December. &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/thesp0nge BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:marc.m.morana@gmail.org Marco Morana] &lt;br /&gt;
| Marco is available to talk about [http://iac.dtic.mil/iatac/download/security.pdf Software Security Frameworks] and Secure Code Reviews [https://www.cmpevents.com/CSI33/a.asp?option=G&amp;amp;V=3&amp;amp;id=443342 see 07 CSI conference as reference] in USA around November-December and in Europe around January-February &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/pub/2/a7a/59b BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:sebastien.gioria@owasp.fr Sébastien Gioria] &lt;br /&gt;
| Sebastien is available to talk about WebAppSec, for educational purposes on AppSec, in French or at least in English, around France/Europe/Canada from the middle of March 08. You can find some talks on the [http://www.owasp.fr Owasp France Chapter] &lt;br /&gt;
| France/Europe/Canada &lt;br /&gt;
| [http://www.linkedin.com/in/gioria BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:mkraushar@gmail.com Mordecai Kraushar] &lt;br /&gt;
| Mordecai is available to talk about different topics within the Web application security space. One discussion involves the OWASP project [http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project Vicnum], a flexible vulnerable web application that can be used in 'capture the flag' exercises. &lt;br /&gt;
| Northeastern United States &lt;br /&gt;
| [http://www.linkedin.com/in/mkraushar BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:michael.coates@owasp.org Michael Coates] &lt;br /&gt;
| Michael is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Michael has spoken at multiple OWASP conferences and University security courses on topics such as Introduction to Application Security, Automated Defense Systems in Applications, Real Time Detection and Prevention of Application Worms, and security risks in SSL/TLS.  &lt;br /&gt;
| USA/San Francisco &amp;amp; Virtual Presentations&lt;br /&gt;
| [http://www.linkedin.com/in/mcoates BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tobias.gondrom@owasp.org Tobias Gondrom] &lt;br /&gt;
| Tobias is on the London chapter board (and previously Germany chapter lead) and currently member of the OWASP Global Industry committee. He is available to talk on a variety of web application and information security and risk management topics. He gives two different types of presentations - preferred in Asia or Europe: &amp;lt;br&amp;gt;- CISO level: information security, risk management from Secure SDLCs, maturity models, standards and security strategy, to change management and managing application security in large organisations and the OWASP CISO Guide. &amp;lt;br&amp;gt;- Deep technical talks: new security standards and research, involving his work in web security research and as the chair of the web security working group at the IETF. Tobias has spoken at multiple OWASP AppSec and other security conferences, given university guest lectures and full training days on topics like CISO training, browser security, web security, new technologies for channel protection with SSL/TLS, electronic signatures, ...&lt;br /&gt;
| Asia and Europe  &amp;lt;br&amp;gt;(dual based in both regions)&lt;br /&gt;
| [http://uk.linkedin.com/in/gondrom BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:dan.cornell@owasp.org Dan Cornell] &lt;br /&gt;
| Dan Cornell has over twelve years of experience architecting, developing and securing web-based software systems. He speaks on a variety of software development and software security topics such as Vulnerability Management, Software Security Remediation, and Code Review/Static Analysis. Dan is based in San Antonio, TX and available to fly/drive as needed to the site. &lt;br /&gt;
| USA/San Antonio &lt;br /&gt;
| [http://www.denimgroup.com/about_team_dan.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:John.Steven@owasp.org John Steven] &lt;br /&gt;
| John speaks on a variety of topics including &amp;quot;How to build your own application security group&amp;quot;, &amp;quot;Threat Modeling&amp;quot;, &amp;quot;Code Review and Static analysis&amp;quot;, as well as other topics. John has spoken at and given tutorials for multiple OWASP conferences. John frequents New York, Boston, Washington DC, and Charlotte, but is available for travel elsewhere. &lt;br /&gt;
| Washington, DC/USA &lt;br /&gt;
| [http://www.cigital.com/about/team/management.php#jsteven BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:blake@owasp.org Blake Cornell] &lt;br /&gt;
| Blake is available to speak regarding topics including Security v. HIPAA, Penetration Testing Methodologies, Fuzzing and Blended Threats such as attacking VoIP with the OWASP Top 10. Blake lives in the NY Metro area and is available for speaking at regional, national and worldwide events. &lt;br /&gt;
| New York, NY/USA &lt;br /&gt;
| [http://www.linkedin.com/in/blakecornell BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Nick.Coblentz@gmail.com Nick Coblentz] &lt;br /&gt;
| Nick regularly performs research related to secure software development. He is available to present on topics such as the [http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (SAMM)], the [http://nickcoblentz.blogspot.com/2009/06/samm-inteview-template-version-10.html SAMM Interview Template], [http://nickcoblentz.blogspot.com/2009/05/issa-journal-web-application-security.html Building Web Application Security Portfolios], and [http://nickcoblentz.blogspot.com/2009/11/owasp-presentation-on-dec-10-microsoft.html The Microsoft SDL for Agile Development]. Please email Nick if you see articles on his [http://nickcoblentz.blogspot.com/ blog] that you would like him to present. &lt;br /&gt;
| USA/Kansas, Oklahoma, Missouri &lt;br /&gt;
| [http://www.linkedin.com/in/ncoblentz BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:johnccr@yahoo.com Juan Carlos Calderon] &lt;br /&gt;
| Juan has been part of the Application Security industry for 9 years and currently performs research in the application and information security arena. He is available to present &amp;quot;Preparing an strategy for application vulnerability detection&amp;quot;, &amp;quot;Owasp Spanish and Internationalization&amp;quot; and &amp;quot;Análisis y efectos del cibercrimen en Mexico&amp;quot; (Analysis and effects of cybercrime in México). He is also open to talk about other topics related to OWASP materials and tools; send him a note to verify the coverage. &lt;br /&gt;
| Aguascalientes/México &lt;br /&gt;
| [http://www.linkedin.com/in/juancarloscalderon BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:edward@owasp.org Edward Bonver] &lt;br /&gt;
| Edward has over a decade of experience in the software security field. He currently works for Symantec's Product Security Team, where he brings all aspects of secure software development to product teams across the company. He is a frequent speaker at various industry conferences and OWASP events; topics of interest include Threat Modeling and Security Testing.&lt;br /&gt;
| Global(USA/Los Angeles-based)&lt;br /&gt;
| [http://www.linkedin.com/in/bonver BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:ludovic.petit@owasp.org Ludovic Petit] &lt;br /&gt;
| Chapter Leader OWASP France and OWASP Global Connections Committee Member. [https://www.owasp.org/index.php/User:Ludovic_Petit '''Ludovic'''] is living in Paris and is available for speaking on a variety of Web Application Security topics with a Corporate dimension, including about Legal and Law Enforcement. Ludovic is willing to talk about the OWASP Foundation approach, and explain why WebApp Security is also linked to Legal and Regulatory aspects, so Corporate responsibility. &lt;br /&gt;
| France, Europe and elsewhere, if you pay the travel expenses yourself.&lt;br /&gt;
| [http://www.linkedin.com/in/lpetit BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:magno.logan@owasp.org Magno Logan] &lt;br /&gt;
| OWASP Paraiba Chapter Leader and OWASP Portuguese Language Project Member. Magno (Logan) Rodrigues has an MBA in Information Security and studied Computer Forensics for one year in New York. He has given many talks about OWASP and its main projects at national and international events such as [http://www.ensol.org.br/ ENSOL], [http://gts.nic.br/ GTS] and [https://www.owasp.org/index.php/AppSecLatam2011 App Sec Latam 2011]. Topics of interest include: OWASP Top 10, WebGoat, Java Security, E-commerce Security and Computer Forensics.&lt;br /&gt;
&lt;br /&gt;
| Latin America&lt;br /&gt;
| [https://www.owasp.org/index.php/User:Magno_Logan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:wagner.elias@owasp.org Wagner Elias] &lt;br /&gt;
| Wagner founded the Brazil chapter, is currently Curitiba-Brazil Chapter Leader and is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Wagner has spoken at various conferences in Brazil.&lt;br /&gt;
&lt;br /&gt;
Topics of interest: Mobile Security; SDL Process and Implementation; Code Review and Application Test&lt;br /&gt;
&lt;br /&gt;
| Brazil&lt;br /&gt;
| [https://www.owasp.org/index.php/User:wagner.elias BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:ramiro.pulgar@owasp.org Ramiro Pulgar] &lt;br /&gt;
| Chapter Leader OWASP Ecuador. [https://www.owasp.org/index.php/User:Ramiro_Pulgar '''milovisho'''] OWASP Ecuador Chapter Leader  &lt;br /&gt;
| Ecuador, Latin America, Global&lt;br /&gt;
| [http://ec.linkedin.com/in/ramiropulgar BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:john.vargas@owasp.org John Vargas] &lt;br /&gt;
| Chapter Leader OWASP Perú. [https://www.owasp.org/index.php/User:Jvargas '''John Vargas'''] OWASP Perú Chapter Leader  &lt;br /&gt;
| Perú, Latin America, Global&lt;br /&gt;
| [http://pe.linkedin.com/in/jvargasp BIO]&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=149240</id>
		<title>Category:OWASP Speakers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=149240"/>
				<updated>2013-04-05T13:04:39Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This program, led by [[:user:Knoblochmartin|Martin Knobloch]], helps local chapters or application security conferences find OWASP-related speakers to have OWASP presenters on site.&lt;br /&gt;
&lt;br /&gt;
This program allows two parties to find each other:&lt;br /&gt;
&lt;br /&gt;
* Local chapters or application security events that want to attract an OWASP speaker&lt;br /&gt;
* OWASP speakers who want to give OWASP presentations and see the world&lt;br /&gt;
&lt;br /&gt;
For sponsorship, see the [[:Category:OWASP_on_the_Move_Project|OWASP on the Move Project]] page&lt;br /&gt;
&lt;br /&gt;
== available presentations ==&lt;br /&gt;
&lt;br /&gt;
== available speakers  ==&lt;br /&gt;
&lt;br /&gt;
If you want to (re)do an OWASP-related presentation, propose it here with your availability boundaries (timing/geographical) &lt;br /&gt;
&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;prettytable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Name &lt;br /&gt;
! Introduction &lt;br /&gt;
! Available Area &lt;br /&gt;
! Bios&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Robert(at)ZakonGroup.com Robert H'obbes' Zakon] &lt;br /&gt;
| Presenter on Web Application Security, OWASP Top 10, PHP Security, and assorted other topics.  Training sessions taught at events such as [http://www.zakongroup.com/technology/services-training.shtml OWASP, ACSAC, and CCS].  Based in New Hampshire, and available for travel worldwide.  Fluent in English, and able to converse in Portuguese.  A developer and consultant for the past decade, formerly a Principal Engineer with MITRE's InfoSec Group. &lt;br /&gt;
| Global (USA/NH-based) &lt;br /&gt;
| [http://www.zakon.org/robert/vitae.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:jmcgovern@virtusa.com James McGovern] &lt;br /&gt;
| Presenter on Enterprise Architecture and Web Application Security, SOA Web Services Security and Federated Identity.   &lt;br /&gt;
| Global (USA/CT-based) &lt;br /&gt;
| [http://www.linkedin.com/in/jamesmcgovern BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:chuck(at)McCulloughAssociates.com Chuck McCullough] &lt;br /&gt;
| Chuck provides training sessions to developers on the Top 10. Chuck welcomes speaking opportunities to any group. Chuck is available in the Texas area and at various other locations in the USA. &lt;br /&gt;
| USA/Texas &lt;br /&gt;
| [http://www.linkedin.com/in/chuckmccullough BIO]&lt;br /&gt;
|-&lt;br /&gt;
| Marc Curphey &lt;br /&gt;
| Marc will happily speak about the WebAppSec industry, SDLC etc. around Europe. You can see him in action at [http://video.hitb.org/2006.html HITB with John Viega] (big download) &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/curphey BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tomb(at)owasp.org Tom Brennan] &lt;br /&gt;
| Based in the NYC Metro area, Tom is a long-time volunteer and OWASP contributor and [http://www.owasp.org/index.php/About_OWASP International Board Member].  He is available for global speaking venues to educate audiences about the OWASP Foundation core mission, how it works and various projects. In addition, he also provides regular talks on honeypot research and case studies about tactical experiences when conducting [http://en.wikipedia.org/wiki/Red_Team Red Team]/Tiger Team assessments involving application, network, wireless and physical security - [https://www.owasp.org/index.php/User:Brennan BIO]&lt;br /&gt;
| Global &lt;br /&gt;
| [http://www.linkedin.com/in/tombrennan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:thesp0nge@owasp.org Paolo Perego] &lt;br /&gt;
| Paolo is available to talk about the [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Orizon project], safe coding and code review issues around Europe in the coming October-December. &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/thesp0nge BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:marc.m.morana@gmail.org Marco Morana] &lt;br /&gt;
| Marco is available to talk about [http://iac.dtic.mil/iatac/download/security.pdf Software Security Frameworks] and Secure Code Reviews [https://www.cmpevents.com/CSI33/a.asp?option=G&amp;amp;V=3&amp;amp;id=443342 see 07 CSI conference as reference] in USA around November-December and in Europe around January-February &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/pub/2/a7a/59b BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:sebastien.gioria@owasp.fr Sébastien Gioria] &lt;br /&gt;
| Sebastien is available to talk about WebAppSec and AppSec education, in French or at least in English, around France/Europe/Canada from the middle of March 08. You can find some talks on the [http://www.owasp.fr OWASP France Chapter] &lt;br /&gt;
| France/Europe/Canada &lt;br /&gt;
| [http://www.linkedin.com/in/gioria BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:mkraushar@gmail.com Mordecai Kraushar] &lt;br /&gt;
| Mordecai is available to talk about different topics within the Web application security space. One discussion involves the OWASP project [http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project Vicnum], a flexible vulnerable web application that can be used in 'capture the flag' exercises. &lt;br /&gt;
| Northeastern United States &lt;br /&gt;
| [http://www.linkedin.com/in/mkraushar BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:michael.coates@owasp.org Michael Coates] &lt;br /&gt;
| Michael is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Michael has spoken at multiple OWASP conferences and University security courses on topics such as Introduction to Application Security, Automated Defense Systems in Applications, Real Time Detection and Prevention of Application Worms, and security risks in SSL/TLS.  &lt;br /&gt;
| USA/San Francisco &amp;amp; Virtual Presentations&lt;br /&gt;
| [http://www.linkedin.com/in/mcoates BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tobias.gondrom@owasp.org Tobias Gondrom] &lt;br /&gt;
| Tobias is on the London chapter board (and previously Germany chapter lead) and currently member of the OWASP Global Industry committee. He is available to talk on a variety of web application and information security and risk management topics. He gives two different types of presentations - preferred in Asia or Europe: &amp;lt;br&amp;gt;- CISO level: information security, risk management from Secure SDLCs, maturity models, standards and security strategy, to change management and managing application security in large organisations and the OWASP CISO Guide. &amp;lt;br&amp;gt;- Deep technical talks: new security standards and research, involving his work in web security research and as the chair of the web security working group at the IETF. Tobias has spoken at multiple OWASP AppSec and other security conferences, given university guest lectures and full training days on topics like CISO training, browser security, web security, new technologies for channel protection with SSL/TLS, electronic signatures, ...&lt;br /&gt;
| Asia and Europe  &amp;lt;br&amp;gt;(dual based in both regions)&lt;br /&gt;
| [http://uk.linkedin.com/in/gondrom BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:dan.cornell@owasp.org Dan Cornell] &lt;br /&gt;
| Dan Cornell has over twelve years of experience architecting, developing and securing web-based software systems. He speaks on a variety of software development and software security topics such as Vulnerability Management, Software Security Remediation, and Code Review/Static Analysis. Dan is based in San Antonio, TX and available to fly/drive as needed to the site. &lt;br /&gt;
| USA/San Antonio &lt;br /&gt;
| [http://www.denimgroup.com/about_team_dan.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:John.Steven@owasp.org John Steven] &lt;br /&gt;
| John speaks on a variety of topics including &amp;quot;How to build your own application security group&amp;quot;, &amp;quot;Threat Modeling&amp;quot;, &amp;quot;Code Review and Static analysis&amp;quot;, as well as other topics. John has spoken at and given tutorials for multiple OWASP conferences. John frequents New York, Boston, Washington DC, and Charlotte, but is available for travel elsewhere. &lt;br /&gt;
| Washington, DC/USA &lt;br /&gt;
| [http://www.cigital.com/about/team/management.php#jsteven BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:blake@owasp.org Blake Cornell] &lt;br /&gt;
| Blake is available to speak regarding topics including Security v. HIPAA, Penetration Testing Methodologies, Fuzzing and Blended Threats such as attacking VoIP with the OWASP Top 10. Blake lives in the NY Metro area and is available for speaking at regional, national and worldwide events. &lt;br /&gt;
| New York, NY/USA &lt;br /&gt;
| [http://www.linkedin.com/in/blakecornell BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Nick.Coblentz@gmail.com Nick Coblentz] &lt;br /&gt;
| Nick regularly performs research related to secure software development. He is available to present on topics such as the [http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (SAMM)], the [http://nickcoblentz.blogspot.com/2009/06/samm-inteview-template-version-10.html SAMM Interview Template], [http://nickcoblentz.blogspot.com/2009/05/issa-journal-web-application-security.html Building Web Application Security Portfolios], and [http://nickcoblentz.blogspot.com/2009/11/owasp-presentation-on-dec-10-microsoft.html The Microsoft SDL for Agile Development]. Please email Nick if you see articles on his [http://nickcoblentz.blogspot.com/ blog] that you would like him to present. &lt;br /&gt;
| USA/Kansas, Oklahoma, Missouri &lt;br /&gt;
| [http://www.linkedin.com/in/ncoblentz BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:johnccr@yahoo.com Juan Carlos Calderon] &lt;br /&gt;
| Juan has been part of the Application Security industry for 9 years and currently performs research in the application and information security arena. He is available to present &amp;quot;Preparing an strategy for application vulnerability detection&amp;quot;, &amp;quot;Owasp Spanish and Internationalization&amp;quot; and &amp;quot;Análisis y efectos del cibercrimen en Mexico&amp;quot; (Analysis and effects of cybercrime in México). He is also open to talk about other topics related to OWASP materials and tools; send him a note to verify the coverage. &lt;br /&gt;
| Aguascalientes/México &lt;br /&gt;
| [http://www.linkedin.com/in/juancarloscalderon BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:edward@owasp.org Edward Bonver] &lt;br /&gt;
| Edward has over a decade of experience in the software security field. He currently works for Symantec's Product Security Team, where he brings all aspects of secure software development to product teams across the company. He is a frequent speaker at various industry conferences and OWASP events; topics of interest include Threat Modeling and Security Testing.&lt;br /&gt;
| Global(USA/Los Angeles-based)&lt;br /&gt;
| [http://www.linkedin.com/in/bonver BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:ludovic.petit@owasp.org Ludovic Petit] &lt;br /&gt;
| Chapter Leader OWASP France and OWASP Global Connections Committee Member. [https://www.owasp.org/index.php/User:Ludovic_Petit '''Ludovic'''] is living in Paris and is available for speaking on a variety of Web Application Security topics with a Corporate dimension, including about Legal and Law Enforcement. Ludovic is willing to educate about the OWASP Foundation core mission, and explain why WebApp Security is also linked to Legal and Regulatory aspects, so Corporate responsibility. &lt;br /&gt;
| France, Europe and elsewhere, if you pay the travel expenses yourself.&lt;br /&gt;
| [http://www.linkedin.com/in/lpetit BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:magno.logan@owasp.org Magno Logan] &lt;br /&gt;
| OWASP Paraiba Chapter Leader and OWASP Portuguese Language Project Member. Magno (Logan) Rodrigues has an MBA in Information Security and studied Computer Forensics for one year in New York. He has given many talks about OWASP and its main projects at national and international events such as [http://www.ensol.org.br/ ENSOL], [http://gts.nic.br/ GTS] and [https://www.owasp.org/index.php/AppSecLatam2011 App Sec Latam 2011]. Topics of interest include: OWASP Top 10, WebGoat, Java Security, E-commerce Security and Computer Forensics.&lt;br /&gt;
&lt;br /&gt;
| Latin America&lt;br /&gt;
| [https://www.owasp.org/index.php/User:Magno_Logan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:wagner.elias@owasp.org Wagner Elias] &lt;br /&gt;
| Wagner founded the Brazil chapter, is currently the Curitiba-Brazil Chapter Leader, and is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Wagner has spoken at various conferences in Brazil.&lt;br /&gt;
&lt;br /&gt;
Topics of interest: Mobile Security; SDL Process and Implementation; Code Review and Application Test&lt;br /&gt;
&lt;br /&gt;
| Brazil&lt;br /&gt;
| [https://www.owasp.org/index.php/User:wagner.elias BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:ramiro.pulgar@owasp.org Ramiro Pulgar] &lt;br /&gt;
| Chapter Leader OWASP Ecuador. [https://www.owasp.org/index.php/User:Ramiro_Pulgar '''milovisho'''] OWASP Ecuador Chapter Leader  &lt;br /&gt;
| Ecuador, Latin America, Global&lt;br /&gt;
| [http://ec.linkedin.com/in/ramiropulgar BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:john.vargas@owasp.org John Vargas] &lt;br /&gt;
| Chapter Leader OWASP Perú. [https://www.owasp.org/index.php/User:Jvargas '''John Vargas'''] OWASP Perú Chapter Leader  &lt;br /&gt;
| Perú, Latin America, Global&lt;br /&gt;
| [http://pe.linkedin.com/in/jvargasp BIO]&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=France&amp;diff=147675</id>
		<title>France</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=France&amp;diff=147675"/>
				<updated>2013-03-12T15:39:13Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=France|extra=The '''Chapter Leaders''' are [mailto:ludovic.petit@owasp.org Ludovic Petit] and [mailto:sebastien.gioria@owasp.org Sebastien Gioria]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-france|emailarchives=http://lists.owasp.org/pipermail/owasp-france}}'''&lt;br /&gt;
&amp;lt;paypal&amp;gt;France Chapter&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''The French Chapter is also available on LinkedIn''': [http://www.linkedin.com/groupInvitation?gid=1638517  '''Join us''', it only takes a minute!]&lt;br /&gt;
&lt;br /&gt;
== Contacts, Presentations, Contributions &amp; Partnerships ==&lt;br /&gt;
&lt;br /&gt;
*[mailto:sebastien.gioria@owasp.org Sebastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit] are available if you would like information or want to discuss the added value offered by the OWASP Foundation, as well as Web Application Security.&lt;br /&gt;
&lt;br /&gt;
Companies, individuals, academia, sponsors, supporters: everyone is welcome at OWASP! Access to our Chapter meetings is free and open to all.&lt;br /&gt;
&lt;br /&gt;
For companies wishing to join OWASP, the basic annual membership fee is $5000 US (40% of which goes to the Project or Chapter of your choice), 100% deductible in the USA and 60% deductible in France &lt;br /&gt;
&lt;br /&gt;
The funds collected are used to organize the Chapter meetings, but also, and above all, to build and organize with you a specific collegial approach that meets your wishes (awareness sessions, internal meetings, Speaker appearances, etc.). All of this can be discussed with the French Chapter and agreed jointly with you if you wish to join OWASP. &lt;br /&gt;
&lt;br /&gt;
Do not hesitate to contact us if you would like to discuss a particular topic, or if you would like to give a presentation at a France Chapter meeting.&lt;br /&gt;
&lt;br /&gt;
Friends from the print press and multimedia, do not hesitate to call on us if you would like our help with your articles and reports; you are welcome and we would be honored. Use our know-how in a win-win perspective!&lt;br /&gt;
&lt;br /&gt;
We remain modest in our approach; we would like the OWASP France Chapter to become one of your reference contacts. '''Together, each achieves more'''!&lt;br /&gt;
&lt;br /&gt;
                                      '''TEAM stands for... Together Each Achieves More!'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
==Looking Forward… and Beyond, Distinctiveness Through Security Excellence==&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/5/50/Looking_Forward%E2%80%A6_and_Beyond.pptx Looking Forward… and Beyond]&amp;quot;&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Here is a presentation I gave in Sept for a big Software maker in an internal meeting. This presentation aims to be re-used at your convenience depending on the needs / your context. Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes, or people and firms interested in OWASP and willing to join the Foundation as Members. The first 2 parts are more of an update for those who are not yet familiar with OWASP, the 3rd part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway. Enjoy and feel free to email me, all comments welcome!&lt;br /&gt;
&lt;br /&gt;
 '''Speaker''' : Ludovic Petit &lt;br /&gt;
&lt;br /&gt;
==28 March 2012 First-Quarter Meeting==&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Metro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/6/6d/Developer_Top_Ten_Core_Controls_v4.1.pptx Top Ten Web Defenses]&amp;quot;&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. &lt;br /&gt;
This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. &lt;br /&gt;
Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
This talk will also detail several of the key access control anti-patterns commonly found during website security audits. &lt;br /&gt;
These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. &lt;br /&gt;
In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico &lt;br /&gt;
Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. &lt;br /&gt;
He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.&lt;br /&gt;
 '''Online registration at''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== 7 and 8 February 2012 - [http://www.microsoft.com/france/mstechdays/ Techdays Microsoft 2012] ==&lt;br /&gt;
&lt;br /&gt;
Sébastien will give a talk on [http://www.microsoft.com/france/mstechdays/programmes/parcours.aspx?SessionID=62e02774-6045-4be8-80ff-8332a793ad4f HTML5 and Security] on 7 February 2012 at 17h30. &lt;br /&gt;
More information is available on the page dedicated to Microsoft TechDays 2012.&lt;br /&gt;
&lt;br /&gt;
== 6 January 2012 - New Working Group on Web Services Security at [http://www.clusif.fr CLUSIF]  ==&lt;br /&gt;
&lt;br /&gt;
Following on from the Working Group on Web Application Security originally created in 2009, CLUSIF has launched a new working group on Web Services security. Do not hesitate to take part if you are interested. CLUSIF is looking for users for this working group, and for people working in Microsoft environments, in order to have the widest possible panel for this document&lt;br /&gt;
&lt;br /&gt;
Contact : [mailto:sebastien.gioria@owasp.org Sébastien Gioria]&lt;br /&gt;
&lt;br /&gt;
== 19 December 2011 - Publication of the second [http://www.clusif.fr CLUSIF] document on Web Application Security ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF has published its second document, on [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Defense-en-profondeur-des-applications-Web.pdf defense in depth for Web applications]. This document follows the [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf first document published in 2009] &lt;br /&gt;
&lt;br /&gt;
== 15 December 2011 [http://www.clusif.fr CLUSIF] Conference on [http://www.clusif.fr/fr/infos/event/#conf111215  Web application security] ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF presented the Web Application Security conference on Thursday 15 December 2011 at the Cercle National des Armées.&lt;br /&gt;
The program was: &lt;br /&gt;
&lt;br /&gt;
* Implementing an application security policy: feedback from a CISO, by Philippe LARUE - Security Manager - [http://www.cbp-prevoyance.com/ CBP]&lt;br /&gt;
* Source code review or application security testing: which is more efficient for assessing an application's security level? by Sébastien GIORIA - Senior Consultant, [http://www.groupey.fr Groupe Y], and leader of the French chapter of [https://www.owasp.org OWASP] - OWASP France&lt;br /&gt;
* The regulatory stakes of protecting online information, by Garance MATHIAS - Lawyer - Law firm&lt;br /&gt;
&lt;br /&gt;
The presentations are available on the [http://www.clusif.fr CLUSIF] website; videos of the talks will also be available.&lt;br /&gt;
&lt;br /&gt;
== 2 December 2011 - [[OWASP BeNeLux 2011 Conference - University of Luxembourg]] ==&lt;br /&gt;
&lt;br /&gt;
Ludovic gave a talk about &amp;quot;[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd WebApp Security and Legal aspects]&amp;quot;  on Dec 2.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**This presentation aims to be used by anybody willing to spread the voice of OWASP. See this as an Awareness session.&lt;br /&gt;
**Use it and use it again. &lt;br /&gt;
**Try to open your mind, just let me know if I can help. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/5/55/Do_you..._Legal_-_OWASP_BeNeLux_Day_-_2_Dec_2011.pptx Do you... Legal?]&amp;quot;'''&lt;br /&gt;
**The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsibility, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is especially true for Web Application Security, much sensitive information having to be handled through these web interfaces. As such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting, isn't it? Let's have a talk about this. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [[EUROPE - ENISA’s Who-is-Who Directory on Network and Information Security]] ===&lt;br /&gt;
&lt;br /&gt;
We are pleased to announce that OWASP France is part of the [http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011 ENISA’s Who-is-Who Directory].&lt;br /&gt;
&lt;br /&gt;
The ENISA is the European Network and Information Security Agency.&lt;br /&gt;
[http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011/at_download/fullReport The ENISA Who-is-Who Directory on Network and Information Security 2011] contains information on NIS stakeholders, such as national and European authorities and NIS organisations, contact details, websites, and areas of responsibilities or activities. &lt;br /&gt;
This Directory serves as the &amp;quot;yellow pages&amp;quot; of Network and Information Security (NIS) in Europe. As such, it is a useful tool for those working closely with NIS issues in Europe.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Chapter Meetings 2013 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2013 ==&lt;br /&gt;
 '''Date''' : 7 February 2013&lt;br /&gt;
 '''Venue''' : Gemalto - Plazza Room, 6 rue de la Verrerie, 92197 Meudon-sur-Seine &lt;br /&gt;
 '''Time''' : 18h30 to 21h&lt;br /&gt;
 '''Presentation''' : Update on '''OWASP Projects''', Ludovic&lt;br /&gt;
 '''Presentation''' : '''Evolution of the Legal Framework - Developers, Software makers held liable for code?'''[[https://www.owasp.org/images/2/2a/Chapter_Meeting_OWASP_France_-_7_Feb_2013.pdf]] Ludovic&lt;br /&gt;
 '''Presentation''' : '''Personal data: the new draft European regulation'''[http://www.donneespersonnelles.fr/donnees-personnelles-le-nouveau-projet-de-reglement-europeen], Thiébaut Devergranne&lt;br /&gt;
 '''Breaking News''' : Presentation of the '''OWASP France Day''' that we would like to organize in March, Ludovic &amp; Sébastien&lt;br /&gt;
 '''Call for contributions''' : '''OWASP Top Ten 2013 translation''', Ludovic &amp; Sébastien&lt;br /&gt;
 '''Update''' : '''Partner Relations''' &amp; '''Memberships''', Ely de Travieso&lt;br /&gt;
&lt;br /&gt;
Joining us for this meeting is Thiébaut Devergranne, doctor of law and consultant. Thiébaut has worked in new-technology law for more than 10 years, 6 of them within the Prime Minister's services.&lt;br /&gt;
&lt;br /&gt;
 '''Speakers''' : Ludovic Petit, Sébastien Gioria, Ely de Travieso, Thiébaut Devergranne&lt;br /&gt;
 '''Online registration here''' : https://www.eventbrite.com/event/4615236296&lt;br /&gt;
&lt;br /&gt;
 '''Date''' : 12 March 2013&lt;br /&gt;
 '''Venue''' : Solucom, Tour Franklin, 100-101 Terrasse Boieldieu, 92042 Paris La Défense &lt;br /&gt;
 '''Time''' : 09h00 to 12h30&lt;br /&gt;
 '''Presentation''' : Secure Coding (in English), Jim Manico&lt;br /&gt;
 '''Presentation''' : Application Security: Organization, the key to success!, Gérôme Billois&lt;br /&gt;
 '''Presentation''' : OWASP News &amp; Update, Ludovic Petit &amp; Sébastien Gioria&lt;br /&gt;
 '''Call for contributions''' : '''OWASP Top Ten 2013 translation''', Ludovic &amp; Sébastien&lt;br /&gt;
&lt;br /&gt;
 '''Overall presentation''' : '''Chapter Meeting OWASP France 12 Mars'''[[https://www.owasp.org/images/2/2d/Chapter_Meeting_OWASP_France_12_Mars.pdf]]&lt;br /&gt;
&lt;br /&gt;
Topics covered by Jim Manico:  &lt;br /&gt;
'''Authentication Best Practices for Developers:''' This module will discuss the security mechanisms found within an authentication (AuthN) layer of a web application.  We will review a series of historical authentication threats. We will also discuss a variety of authentication design patterns necessary to build a low-risk high-security web application. Session management threats and best practices will also be covered. This module will include several technical demonstrations and code review labs. &lt;br /&gt;
&lt;br /&gt;
'''Access Control Design Best Practices:''' Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
&lt;br /&gt;
 '''Speakers''' : Jim Manico, Gérôme Billois, Ludovic Petit, Sébastien Gioria&lt;br /&gt;
 '''Online registration required''' : http://owaspfrance12mars2013.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OWASP France Call for Contributions =&lt;br /&gt;
&lt;br /&gt;
The Chapter's various calls for contributions (sponsors, talks, etc.) will be relayed here.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= External Calls for Contributions =&lt;br /&gt;
&lt;br /&gt;
Calls for contributions that we consider of interest to the Chapter will be relayed here. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Meetings 2012 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2012 ==&lt;br /&gt;
 '''Date''' : 28 March 2012&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Metro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : Web Application Access Control Design Excellence&lt;br /&gt;
 '''Abstract''' : Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
                    This talk will discuss several of the key access control anti-patterns commonly found during &lt;br /&gt;
                     website security audits. These access control anti-patterns include hard-coded security policies, &lt;br /&gt;
                     lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these&lt;br /&gt;
                     and other access control problems, we will discuss and design a positive access control mechanism &lt;br /&gt;
                     that is data contextual, activity based, configurable, flexible, and deny-by-default - among other&lt;br /&gt;
                     positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico&lt;br /&gt;
 '''Online registration here''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== Q2 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q3 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q4 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= 2011 Meetings =&lt;br /&gt;
&lt;br /&gt;
=== [[May 2011 - Paris Meeting]] ===&lt;br /&gt;
&lt;br /&gt;
[Logo to be placed here]&lt;br /&gt;
&lt;br /&gt;
We are honored to welcome '''Jim Manico''' during his European Tour in the Netherlands, Belgium and France.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document &amp;amp; Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle. &lt;br /&gt;
**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. &lt;br /&gt;
**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered. &lt;br /&gt;
**If you are interested in participating in the hands on portion of the course, please bring a laptop. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/f/f4/Future_of_XSS_v4.pptx The Ghost of XSS Past, Present and Future. A Defensive Tale]&amp;quot;'''&lt;br /&gt;
**This talk will discuss the past methods used for XSS defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and Javascript sandboxes such as the Google CAJA project and JSReg. &lt;br /&gt;
&lt;br /&gt;
*'''Speaker'''&lt;br /&gt;
**'''Jim Manico''' is a managing partner of Infrared Security with over 15 years of professional web development experience. Jim is also the Chair of the OWASP Connections Committee, one of the Project Managers of the OWASP ESAPI Project, a participant and manager of the OWASP Cheatsheet series, the Producer and host of the OWASP Podcast Series, the Manager of the OWASP Java HTML Sanitizer project and the manager of the OWASP Java Encoder project. When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.&lt;br /&gt;
&lt;br /&gt;
*'''Date'''&lt;br /&gt;
**May 24, 2011 &lt;br /&gt;
&lt;br /&gt;
*'''Venue'''&lt;br /&gt;
**Paris&lt;br /&gt;
&lt;br /&gt;
*'''Registration'''&lt;br /&gt;
**[http://www.regonline.com/Register/Checkin.aspx?EventID=971375 Click here]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 26 April 2011 ==&lt;br /&gt;
&lt;br /&gt;
'''26 April 2011 at the offices of [http://www.groupey.fr/nos-cabinets-paris.html GROUPE Y]:'''&lt;br /&gt;
&lt;br /&gt;
* 9:00: [https://www.owasp.org/images/2/2f/Agenda_26th_April_2011.pptx Introduction] - '''Ludovic Petit''' &amp;amp; '''Sébastien Gioria'''&lt;br /&gt;
* 9:30: [https://www.owasp.org/images/3/36/OPENSAMM2.pptx OpenSAMM] - '''Antonio Fontes''' (Chapter Leader OWASP Geneva) &lt;br /&gt;
* 11:00: [https://www.owasp.org/images/c/cf/OWASP_Cloud_Top_10.pptx OWASP Cloud Top 10 Project] - '''Ludovic Petit''' (Chapter Leader OWASP France &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 11:45: [https://www.owasp.org/images/5/5c/ESAPI_Swingset_talk_at_Paris.ppt OWASP ESAPI] - '''Fabio Cerullo''' (Chapter Leader OWASP Ireland &amp;amp; Global Education Committee)&lt;br /&gt;
* 14:15: [https://www.owasp.org/images/3/38/OWASP_Testing_Guide.pptx OWASP Testing Guide]  - '''Sébastien Gioria''' (French Chapter Leader &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 15:15: [http://o2platform.com OWASP O2 Platform - Live Session] - '''Dinis Cruz''' (OWASP O2 Project Leader)&lt;br /&gt;
* 16:30: [https://www.owasp.org/images/9/96/OWASP-Paris2011-VV-CodeReview.pdf OWASP Code Review] - '''Victor Vuillard'''&lt;br /&gt;
&lt;br /&gt;
= 2009 Meetings =&lt;br /&gt;
&lt;br /&gt;
'''6 May 2009 at 17h30 at [http://www.epitech.eu EPITECH]:'''&lt;br /&gt;
&lt;br /&gt;
* 17h30 : Welcoming of participants&lt;br /&gt;
* 18h - 18h 15 : [http://www.owasp.org/images/d/dc/OWASP_Paris_Meeting_-_May_2009.pdf Welcome and overview of agenda] '''(OWASP France Board)'''&lt;br /&gt;
* 18h30 - 19h : [http://www.owasp.org/images/6/6b/2009-05-06-OWASPFR-WebServices.pdf Attacks on Web Services] - '''Renaud Bidou'''&lt;br /&gt;
* 19h15 - 19h45 : [http://www.owasp.org/images/8/82/2009-05-06-OWASPFR-OpenSAM.pdf Software Security Initiatives in the Real World] - '''Claudio Merloni'''&lt;br /&gt;
* 20h : Close &lt;br /&gt;
&lt;br /&gt;
About the speakers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Renaud Bidou:''' ''Technical Director of DenyAll. He has worked in security for more than 10 years and has published numerous articles and white papers on subjects as varied as denial of service, portknockers, botnets, setting up a SOC, graphical attack analysis and evasion techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Claudio Merloni: '''''Claudio Merloni is a Software Security Consultant at Fortify Software. His security experience spans application security, code review, secure architectures, risk analysis, compliance, security testing at the network, system and application levels, monitoring and access control. He has taken part in several conferences, including BlackHat and CONFidence.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Venue: EPITECH'''&lt;br /&gt;
&lt;br /&gt;
Amphi 2&lt;br /&gt;
&lt;br /&gt;
14-16 rue Voltaire&lt;br /&gt;
&lt;br /&gt;
94276 Kremlin Bicêtre Cedex &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''Getting there: Metro''&lt;br /&gt;
* line 7: Porte d'Italie&lt;br /&gt;
&lt;br /&gt;
''Bus''&lt;br /&gt;
* lines 47, 125, 131, 185: Roger Salengro&lt;br /&gt;
* line 186: Pierre Brossolette&lt;br /&gt;
&lt;br /&gt;
''Car''&lt;br /&gt;
* ring road (périphérique): Porte d'Italie exit&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Translation effort =&lt;br /&gt;
&lt;br /&gt;
* The '''OWASP TOP Ten 2010 in French''' is [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf available]&lt;br /&gt;
* 2010-08-30 : The French version of the Top 10 2010 is available [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] &lt;br /&gt;
* 2008-02-15 : The Top10 2007 is available in French: [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.pdf PDF format], [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.doc Word format]&lt;br /&gt;
* 2007-11-16 : [https://www.owasp.org/images/5/52/Owasp_tryptique.pdf Two-page double-sided leaflet] presenting OWASP for Infosecurity.&lt;br /&gt;
* 2007-02-27 : [[Newsletter_francaise_num%C3%A9ro_1]]&lt;br /&gt;
* 2007-06-20 : OWASP presentation given in NY in June 2007 [https://www.owasp.org/images/7/71/20070620-FR-OWASP_NY_Keynote.ppt]&lt;br /&gt;
[[Category:Europe]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Old News = &lt;br /&gt;
&lt;br /&gt;
* 2009-06-09 : [http://www.owasp.org/images/d/d2/20090609-CERT-IST-WAF-v0.1.pdf Talk on WAFs] at the [http://www.cert-ist.com CERT-IST] Forum &lt;br /&gt;
* 2009-02-03 : OWASP France will be present at [http://www.pci-portal.com/events/event-info/paris PCI Paris]. The presentation is: [https://www.owasp.org/images/f/fb/20090203-OWASP_PCI-Global_2009_Paris_-_v03.ppt OWASP and requirement 6.5 of PCI-DSS]&lt;br /&gt;
* 2008-11-19 : OWASP France will be present at [http://www.infosecurity.com.fr/FR/badge?ref=OWAW Infosecurity France] in Paris:&lt;br /&gt;
[http://www.infosecurity.com.fr/index.php?argRedirect=FR|badge&amp;amp;Lang=FR&amp;amp;ref=OWAW https://www.owasp.org/images/8/88/Infosecurity.gif]&lt;br /&gt;
&lt;br /&gt;
* 2008-07-08 : OWASP France presented the OWASP project at the [http://www.ossir.org OSSIR]. The presentation is available on the [https://www.owasp.org/images/9/94/20080708-OWASP_OSSIR.ppt OWASP] website&lt;br /&gt;
* 2008-02-15 : The Top10 2007 is available in French&lt;br /&gt;
* 2008-02-11 : Presentation at [http://www.owasp.org/images/0/09/20080129-OWASP_TechDays_France_.ppt  TechDays 2008 Microsoft ]&lt;br /&gt;
* 2007-11-22 : [http://www.owasp.org/images/8/85/20071122-OWASP_Infosecurity_France.ppt OWASP presentation] at Infosecurity France&lt;br /&gt;
* 2007-11-07 : Interview in the [http://www.journaldunet.com/developpeur/itws/071106-securite-applicative-owasp.shtml Journal du Net]&lt;br /&gt;
* 2007-10-05 : OWASP France will present the security challenges of [http://www.infosecurity.com.fr/?Jpto=116&amp;amp;KM_Session=f345bb91df954e6cbc0148328f109e94&amp;amp;CurrentNode=518&amp;amp;Lang=FR&amp;amp;IdNode=708 Web Services at Infosecurity France on 22/11/2007]&lt;br /&gt;
* 2006-12-18 : Creation of the association to support the OWASP group&lt;br /&gt;
* 2006-12-14 : The OWASP Viaduc Hub has been created http://www.viadeo.com/hub/affichehub/?hubId=002fj37grgb7o7n&lt;br /&gt;
* 2006-12-13 : Birth of the French chapter of OWASP. A mailing list is available. [http://lists.owasp.org/mailman/listinfo/owasp-france Subscribe]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Chapter_Meeting_OWASP_France_12_Mars.pdf&amp;diff=147674</id>
		<title>File:Chapter Meeting OWASP France 12 Mars.pdf</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Chapter_Meeting_OWASP_France_12_Mars.pdf&amp;diff=147674"/>
				<updated>2013-03-12T15:34:18Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=User:Ludovic_Petit&amp;diff=147673</id>
		<title>User:Ludovic Petit</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=User:Ludovic_Petit&amp;diff=147673"/>
				<updated>2013-03-12T15:31:29Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I'm Group Fraud &amp;amp; Security Officer at SFR, 2nd largest French Telecom Operator and International Group with subsidiaries in Morocco and Brazil.&lt;br /&gt;
&lt;br /&gt;
I've been a member of OWASP since 2004. I've been actively contributing to the OWASP Top Ten Project as French translator since the first version of 2004, as well as other stuff described below. &lt;br /&gt;
&lt;br /&gt;
'''Chapter Leader [https://www.owasp.org/index.php/France OWASP France]''' and '''[https://www.owasp.org/index.php/OWASP_Connections_Committee OWASP Global Connections Committee]''' '''Member'''.&lt;br /&gt;
&lt;br /&gt;
I started working with the OWASP Foundation at the end of 2003 and initiated the first translation of the OWASP Top Ten into another language, French. Then, I also carried out the French translation of the Top Ten 2007, as well as the Top Ten 2010 translation. I'm currently translating the Top Ten 2013 into French as Project Lead with a team of Benedictines.&lt;br /&gt;
&lt;br /&gt;
I created the OWASP France Chapter at the beginning of 2004 and grew it from 2 peers to over 300 members rapidly. I also created a group for the French Chapter on LinkedIn in Jan 2009.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Then in May 2008, I decided to register the OWASP France Chapter as a not-for-profit organization called “Association Loi 1901 reconnue d’utilité publique” in France with Sebastien Gioria, in order to protect the OWASP brand/name from business misuse in France. &lt;br /&gt;
&lt;br /&gt;
The French Chapter fully complies with the OWASP Foundation’s bylaws, and our activities are directly in line with the OWASP core mission of spreading awareness.&lt;br /&gt;
&lt;br /&gt;
Take a look at my '''LinkedIn profile''' [http://www.linkedin.com/in/lpetit '''here'''] for more information about me.&lt;br /&gt;
      &lt;br /&gt;
Don't hesitate to drop me an email if you would like to get in touch. '''ludovic.petit@owasp.org'''&lt;br /&gt;
&lt;br /&gt;
'''Some contributions to OWASP Projects:'''&lt;br /&gt;
&lt;br /&gt;
* Translator of the OWASP Top Ten in French (All versions)&lt;br /&gt;
* Application Security Guide For CISOs (with Marco Morana)&lt;br /&gt;
* OWASP Mobile Security Project (with Jack Mannino)&lt;br /&gt;
* OWASP Cloud Top10 Project (with Vinay Bensal)&lt;br /&gt;
* OWASP Secure Coding Practices - Quick Reference Guide (with Keith Turpin)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
I also run the [http://www.linkedin.com/e/gis/1638517 OWASP French Chapter on LinkedIn]. Join us!&amp;lt;br&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=France&amp;diff=145378</id>
		<title>France</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=France&amp;diff=145378"/>
				<updated>2013-02-21T16:06:19Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=France|extra=The '''Chapter Leaders''' are [mailto:ludovic.petit@owasp.org Ludovic Petit] and [mailto:sebastien.gioria@owasp.org Sebastien Gioria]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-france|emailarchives=http://lists.owasp.org/pipermail/owasp-france}}'''&lt;br /&gt;
&amp;lt;paypal&amp;gt;France Chapter&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''The French Chapter is also available on LinkedIn''': [http://www.linkedin.com/groupInvitation?gid=1638517  '''Join us''', it only takes a minute!]&lt;br /&gt;
&lt;br /&gt;
== Contacts, Presentations, Contributions &amp;amp; Partnerships ==&lt;br /&gt;
&lt;br /&gt;
*[mailto:sebastien.gioria@owasp.org Sebastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit] are available if you would like information or wish to discuss the added value offered by the OWASP Foundation, as well as Web Application Security.&lt;br /&gt;
&lt;br /&gt;
Companies, individuals, academia, sponsors, supporters: everyone is welcome at OWASP! Access to our Chapter meetings is free and open to all.&lt;br /&gt;
&lt;br /&gt;
For companies wishing to join OWASP, the basic annual membership fee is $5000 US (40% of which is passed on to the Project or Chapter of your choice), 100% deductible in the USA and 60% deductible in France &lt;br /&gt;
&lt;br /&gt;
The funds collected are used to organize the Chapter's meetings, but also and above all to build and organize with you a specific collegial approach that meets your wishes (awareness sessions, internal meetings, speaker engagements, etc.). All of this can be discussed with the French Chapter and agreed jointly with you if you wish to join OWASP. &lt;br /&gt;
&lt;br /&gt;
Do not hesitate to contact us if you would like to discuss a particular topic, or if you would like to give a presentation at a France Chapter meeting.&lt;br /&gt;
&lt;br /&gt;
Friends of the print press and multimedia, do not hesitate to call on us if you would like our help with your articles and reports; you are welcome and we would be honored. Make use of our know-how in a win-win perspective!&lt;br /&gt;
&lt;br /&gt;
We remain modest in our approach; we would like the OWASP France Chapter to become one of your reference contacts. '''Together, each achieves more'''!&lt;br /&gt;
&lt;br /&gt;
                                      '''TEAM stands for... Together Each Achieves More!'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
==Looking Forward… and Beyond, Distinctiveness Through Security Excellence==&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/5/50/Looking_Forward%E2%80%A6_and_Beyond.pptx Looking Forward… and Beyond]&amp;quot;&lt;br /&gt;
 '''Summary''' :  &lt;br /&gt;
Here is a presentation I gave in Sept for a big Software maker in an internal meeting. This presentation is meant to be re-used at your convenience, depending on your needs / your context. Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes, or people and firms interested in OWASP and willing to join the Foundation as Members. The first 2 parts are more of an update for those who are not yet familiar with OWASP, the 3rd part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway. Enjoy and feel free to email me, all comments welcome!&lt;br /&gt;
&lt;br /&gt;
 '''Speaker''' : Ludovic Petit &lt;br /&gt;
&lt;br /&gt;
==28 March 2012 First-quarter meeting==&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/6/6d/Developer_Top_Ten_Core_Controls_v4.1.pptx Top Ten Web Defenses]&amp;quot;&lt;br /&gt;
 '''Summary''' :  &lt;br /&gt;
Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. &lt;br /&gt;
This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. &lt;br /&gt;
Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
This talk will also detail several of the key access control anti-patterns commonly found during website security audits. &lt;br /&gt;
These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. &lt;br /&gt;
In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico &lt;br /&gt;
Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. &lt;br /&gt;
He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.&lt;br /&gt;
 '''Online registration at''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== 7 and 8 February 2012 - [http://www.microsoft.com/france/mstechdays/ Techdays Microsoft 2012] ==&lt;br /&gt;
&lt;br /&gt;
Sébastien will present a talk on [http://www.microsoft.com/france/mstechdays/programmes/parcours.aspx?SessionID=62e02774-6045-4be8-80ff-8332a793ad4f HTML5 and Security] on 7 February 2012 at 17h30. &lt;br /&gt;
More information on the page dedicated to TechDays Microsoft 2012.&lt;br /&gt;
&lt;br /&gt;
== 6 January 2012 - New Working Group on Web Services Security at [http://www.clusif.fr CLUSIF]  ==&lt;br /&gt;
&lt;br /&gt;
Following on from the Working Group on Web Application Security initially created in 2009, CLUSIF has launched a new working group on WebServices security. Feel free to take part if you are interested. CLUSIF is looking for users for this working group and for people working in Microsoft environments, in order to have the widest possible panel for this document&lt;br /&gt;
&lt;br /&gt;
Contact : [mailto:sebastien.gioria@owasp.org Sébastien Gioria]&lt;br /&gt;
&lt;br /&gt;
== 19 December 2011 - Publication of the second [http://www.clusif.fr CLUSIF] document on Web Application Security ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF has published its second document, on [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Defense-en-profondeur-des-applications-Web.pdf Defense in depth of Web applications]. This document follows the [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf first document published in 2009] &lt;br /&gt;
&lt;br /&gt;
== 15 December 2011 [http://www.clusif.fr CLUSIF] conference on [http://www.clusif.fr/fr/infos/event/#conf111215  Web application security] ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF presented the Web Application Security conference on Thursday 15 December 2011 at the Cercle National des Armées.&lt;br /&gt;
The program was: &lt;br /&gt;
&lt;br /&gt;
* Implementing an application security policy: a CISO's experience report, by Philippe LARUE - Security Manager - [http://www.cbp-prevoyance.com/ CBP]&lt;br /&gt;
* Source code review or application security testing: which is the most efficient way to assess an application's security level? by Sébastien GIORIA - Senior Consultant at [http://www.groupey.fr Groupe Y] and leader of the French chapter of [https://www.owasp.org OWASP] - OWASP France&lt;br /&gt;
* The regulatory challenges of protecting online information, by Garance MATHIAS - Lawyer - Law firm&lt;br /&gt;
&lt;br /&gt;
The presentations are available on the [http://www.clusif.fr CLUSIF] website; videos of the talks will also be available.&lt;br /&gt;
&lt;br /&gt;
== 2 December 2011 - [[OWASP BeNeLux 2011 Conference - University of Luxembourg]] ==&lt;br /&gt;
&lt;br /&gt;
Ludovic gave a talk about &amp;quot;[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd WebApp Security and Legal aspects]&amp;quot;  on Dec 2.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**This presentation aims to be used by anybody willing to spread the voice of OWASP. See this as an Awareness session.&lt;br /&gt;
**Use it and use it again. &lt;br /&gt;
**Try to open your mind, just let me know if I can help. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/5/55/Do_you..._Legal_-_OWASP_BeNeLux_Day_-_2_Dec_2011.pptx Do you... Legal?]&amp;quot;'''&lt;br /&gt;
**The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsibility, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is especially true for Web Application Security, since much sensitive information has to be handled through these web interfaces. As such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [[EUROPE - ENISA’s Who-is-Who Directory on Network and Information Security]] ===&lt;br /&gt;
&lt;br /&gt;
We are pleased to announce that OWASP France is part of the [http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011 ENISA’s Who-is-Who Directory].&lt;br /&gt;
&lt;br /&gt;
The ENISA is the European Network and Information Security Agency.&lt;br /&gt;
[http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011/at_download/fullReport The ENISA Who-is-Who Directory on Network and Information Security 2011] contains information on NIS stakeholders, such as national and European authorities and NIS organisations, contact details, websites, and areas of responsibilities or activities. &lt;br /&gt;
This Directory serves as the &amp;quot;yellow pages&amp;quot; of Network and Information Security (NIS) in Europe. As such, it is a useful tool for those working closely with NIS issues in Europe.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Chapter Meetings 2013 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2013 ==&lt;br /&gt;
 '''Date''' : 7 February 2013&lt;br /&gt;
 '''Venue''' : Gemalto - Salle Plazza, 6 rue de la Verrerie, 92197 Meudon-sur-Seine &lt;br /&gt;
 '''Time''' : 18h30 to 21h&lt;br /&gt;
 '''Presentation''' : Update on '''OWASP Projects''', Ludovic&lt;br /&gt;
 '''Presentation''' : '''Evolution of the Legal Framework - Developers, Software makers held liable for code?'''[[https://www.owasp.org/images/2/2a/Chapter_Meeting_OWASP_France_-_7_Feb_2013.pdf]] Ludovic&lt;br /&gt;
 '''Presentation''' : '''Personal data: the new draft European regulation'''[http://www.donneespersonnelles.fr/donnees-personnelles-le-nouveau-projet-de-reglement-europeen], Thiébaut Devergranne&lt;br /&gt;
 '''Breaking News''' : Presentation of the '''OWASP France Day''' that we would like to organize in March, Ludovic &amp;amp; Sébastien&lt;br /&gt;
 '''Call for contributions''' : '''OWASP Top Ten 2013 translation''', Ludovic &amp;amp; Sébastien&lt;br /&gt;
 '''Update''' : '''Partner Relations''' &amp;amp; '''Memberships''', Ely de Travieso&lt;br /&gt;
&lt;br /&gt;
Joining us for this meeting is Thiébaut Devergranne, doctor of law and consultant. Thiébaut has worked in new-technology law for more than 10 years, 6 of them within the Prime Minister's services.&lt;br /&gt;
&lt;br /&gt;
 '''Speakers''' : Ludovic Petit, Sébastien Gioria, Ely de Travieso, Thiébaut Devergranne&lt;br /&gt;
 '''Online registration here''' : https://www.eventbrite.com/event/4615236296&lt;br /&gt;
&lt;br /&gt;
 '''Date''' : 12 March 2013&lt;br /&gt;
 '''Venue''' : Solucom, Tour Franklin, 100-101 Terrasse Boieldieu, 92042 Paris La Défense &lt;br /&gt;
 '''Time''' : 09h00 to 12h30&lt;br /&gt;
 '''Presentation''' : Secure Coding (in English), Jim Manico&lt;br /&gt;
 '''Presentation''' : Application Security: Organization, the key to success!, Gérôme Billois&lt;br /&gt;
 '''Presentation''' : OWASP News &amp;amp; Update, Ludovic Petit &amp;amp; Sébastien Gioria&lt;br /&gt;
 '''Presentation''' : Memberships and Partnerships, Ely de Travieso&lt;br /&gt;
 '''Call for contributions''' : '''OWASP Top Ten 2013 translation''', Ludovic &amp;amp; Sébastien&lt;br /&gt;
&lt;br /&gt;
The following topics will be covered by Jim Manico:  &lt;br /&gt;
'''Authentication Best Practices for Developers:''' This module will discuss the security mechanisms found within an authentication (AuthN) layer of a web application.  We will review a series of historical authentication threats. We will also discuss a variety of authentication design patterns necessary to build a low-risk high-security web application. Session management threats and best practices will also be covered. This module will include several technical demonstrations and code review labs. &lt;br /&gt;
&lt;br /&gt;
'''Access Control Design Best Practices:''' Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
&lt;br /&gt;
 '''Speakers''' : Jim Manico, Gérôme Billois, Ludovic Petit, Sébastien Gioria, Ely de Travieso&lt;br /&gt;
 '''Online registration required''' : http://owaspfrance12mars2013.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OWASP France call for contributions =&lt;br /&gt;
&lt;br /&gt;
The Chapter's various calls for contributions (sponsors, talks, etc.) will be relayed here.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= External calls for contributions =&lt;br /&gt;
&lt;br /&gt;
Calls for contributions that we consider of interest to the Chapter will be relayed here. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Meetings 2012 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2012 ==&lt;br /&gt;
 '''Date''' : 28 March 2012&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : Web Application Access Control Design Excellence&lt;br /&gt;
 '''Summary''' : Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
                    This talk will discuss several of the key access control anti-patterns commonly found during &lt;br /&gt;
                     website security audits. These access control anti-patterns include hard-coded security policies, &lt;br /&gt;
                     lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these&lt;br /&gt;
                     and other access control problems, we will discuss and design a positive access control mechanism &lt;br /&gt;
                     that is data contextual, activity based, configurable, flexible, and deny-by-default - among other&lt;br /&gt;
                     positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico&lt;br /&gt;
 '''Online registration here''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== Q2 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q3 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q4 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= 2011 Meetings =&lt;br /&gt;
&lt;br /&gt;
=== [[May 2011 - Paris Meeting]] ===&lt;br /&gt;
&lt;br /&gt;
[Logo to be placed here]&lt;br /&gt;
&lt;br /&gt;
We are honored to welcome '''Jim Manico''' during his European Tour in the Netherlands, Belgium and France.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document &amp;amp; Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle. &lt;br /&gt;
**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. &lt;br /&gt;
**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered. &lt;br /&gt;
**If you are interested in participating in the hands on portion of the course, please bring a laptop. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/f/f4/Future_of_XSS_v4.pptx The Ghost of XSS Past, Present and Future. A Defensive Tale]&amp;quot;'''&lt;br /&gt;
**This talk will discuss the past methods used for XSS defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google CAJA project and JSReg. &lt;br /&gt;
&lt;br /&gt;
*'''Speaker'''&lt;br /&gt;
**'''Jim Manico''' is a managing partner of Infrared Security with over 15 years of professional web development experience. Jim is also the Chair of the OWASP Connections Committee, one of the Project Managers of the OWASP ESAPI Project, a participant and manager of the OWASP Cheatsheet series, the Producer and host of the OWASP Podcast Series, the Manager of the OWASP Java HTML Sanitizer project and the manager of the OWASP Java Encoder project. When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.&lt;br /&gt;
&lt;br /&gt;
*'''Date'''&lt;br /&gt;
**May 24, 2011 &lt;br /&gt;
&lt;br /&gt;
*'''Venue'''&lt;br /&gt;
**Paris&lt;br /&gt;
&lt;br /&gt;
*'''Registration'''&lt;br /&gt;
**[http://www.regonline.com/Register/Checkin.aspx?EventID=971375 Click here]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 26 April 2011 ==&lt;br /&gt;
&lt;br /&gt;
'''26 April 2011 at the offices of [http://www.groupey.fr/nos-cabinets-paris.html GROUPE Y]:'''&lt;br /&gt;
&lt;br /&gt;
* 9:00: [https://www.owasp.org/images/2/2f/Agenda_26th_April_2011.pptx Introduction] - '''Ludovic Petit''' &amp;amp; '''Sébastien Gioria'''&lt;br /&gt;
* 9:30: [https://www.owasp.org/images/3/36/OPENSAMM2.pptx OpenSAMM] - '''Antonio Fontes''' (Chapter Leader OWASP Geneva) &lt;br /&gt;
* 11:00: [https://www.owasp.org/images/c/cf/OWASP_Cloud_Top_10.pptx OWASP Cloud Top 10 Project] - '''Ludovic Petit''' (Chapter Leader OWASP France &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 11:45: [https://www.owasp.org/images/5/5c/ESAPI_Swingset_talk_at_Paris.ppt OWASP ESAPI] - '''Fabio Cerullo''' (Chapter Leader OWASP Ireland &amp;amp; Global Education Committee)&lt;br /&gt;
* 14:15: [https://www.owasp.org/images/3/38/OWASP_Testing_Guide.pptx OWASP Testing Guide]  - '''Sébastien Gioria''' (French Chapter Leader &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 15:15: [http://o2platform.com OWASP O2 Platform - Live Session] - '''Dinis Cruz''' (OWASP O2 Project Leader)&lt;br /&gt;
* 16:30: [https://www.owasp.org/images/9/96/OWASP-Paris2011-VV-CodeReview.pdf OWASP Code Review] - '''Victor Vuillard'''&lt;br /&gt;
&lt;br /&gt;
= 2009 Meetings =&lt;br /&gt;
&lt;br /&gt;
'''6 May 2009 at 17h30 at [http://www.epitech.eu EPITECH]:'''&lt;br /&gt;
&lt;br /&gt;
* 17h30 : Welcome of participants&lt;br /&gt;
* 18h - 18h 15 : [http://www.owasp.org/images/d/dc/OWASP_Paris_Meeting_-_May_2009.pdf Welcome and overview of agenda] '''(Board OWASP France)'''&lt;br /&gt;
* 18h30 - 19h : [http://www.owasp.org/images/6/6b/2009-05-06-OWASPFR-WebServices.pdf Attacks on Web Services] - '''Renaud Bidou'''&lt;br /&gt;
* 19h15 - 19h45 : [http://www.owasp.org/images/8/82/2009-05-06-OWASPFR-OpenSAM.pdf Software Security Initiatives in the Real World] - '''Claudio Merloni'''&lt;br /&gt;
* 20h : Close &lt;br /&gt;
&lt;br /&gt;
About the speakers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Renaud Bidou:''' ''Technical Director of DenyAll. He has worked in security for more than 10 years and has published numerous articles and white papers on subjects as varied as denial of service, port knockers, botnets, setting up a SOC, graphical analysis of attacks, and evasion techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Claudio Merloni: '''''Claudio Merloni is a Software Security Consultant at Fortify Software. His experience in the security field covers application security, code review, secure architectures, risk analysis, compliance, security testing at the network, system and application levels, monitoring, and access control. He has taken part in several conferences, including BlackHat and CONFidence.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Venue: EPITECH'''&lt;br /&gt;
&lt;br /&gt;
Amphi 2&lt;br /&gt;
&lt;br /&gt;
14-16 rue Voltaire&lt;br /&gt;
&lt;br /&gt;
94276 Kremlin Bicêtre Cedex &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''Getting there: Metro''&lt;br /&gt;
* line 7: Porte d'Italie&lt;br /&gt;
&lt;br /&gt;
''Bus''&lt;br /&gt;
* lines 47, 125, 131, 185: Roger Salengro&lt;br /&gt;
* line 186: Pierre Brossolette &amp;lt;br/&amp;gt; &lt;br /&gt;
&lt;br /&gt;
''Car''&lt;br /&gt;
* ring road (périphérique): Porte d'Italie exit &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Translation effort =&lt;br /&gt;
&lt;br /&gt;
* The '''OWASP TOP Ten 2010 in French''' is [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf available]&lt;br /&gt;
* 2010-08-30 : The French version of the Top 10 2010 is available [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] &lt;br /&gt;
* 2008-02-15 : The Top 10 2007 is available in French: [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.pdf PDF format], [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.doc Word format]&lt;br /&gt;
* 2007-11-16 : [https://www.owasp.org/images/5/52/Owasp_tryptique.pdf Two-page double-sided leaflet] presenting OWASP for Infosecurity.&lt;br /&gt;
* 2007-02-27 : [[Newsletter_francaise_num%C3%A9ro_1]]&lt;br /&gt;
* 2007-06-20 : OWASP presentation given in NY in June 2007 [https://www.owasp.org/images/7/71/20070620-FR-OWASP_NY_Keynote.ppt]&lt;br /&gt;
[[Category:Europe]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Old News = &lt;br /&gt;
&lt;br /&gt;
* 2009-06-09 : [http://www.owasp.org/images/d/d2/20090609-CERT-IST-WAF-v0.1.pdf Talk on WAFs] at the [http://www.cert-ist.com CERT-IST] Forum &lt;br /&gt;
* 2009-02-03 : OWASP France will be present at [http://www.pci-portal.com/events/event-info/paris PCI Paris]. The presentation is: [https://www.owasp.org/images/f/fb/20090203-OWASP_PCI-Global_2009_Paris_-_v03.ppt OWASP and PCI-DSS requirement 6.5]&lt;br /&gt;
* 2008-11-19 : OWASP France will be present at  [http://www.infosecurity.com.fr/FR/badge?ref=OWAW Infosecurity France] in Paris:&lt;br /&gt;
[http://www.infosecurity.com.fr/index.php?argRedirect=FR|badge&amp;amp;Lang=FR&amp;amp;ref=OWAW https://www.owasp.org/images/8/88/Infosecurity.gif]&lt;br /&gt;
&lt;br /&gt;
* 2008-07-08 : OWASP France presented the OWASP project to [http://www.ossir.org OSSIR]. The presentation is available on the [https://www.owasp.org/images/9/94/20080708-OWASP_OSSIR.ppt OWASP] site&lt;br /&gt;
* 2008-02-15 : The Top 10 2007 is available in French&lt;br /&gt;
* 2008-02-11 : Presentation at [http://www.owasp.org/images/0/09/20080129-OWASP_TechDays_France_.ppt  TechDays 2008 Microsoft ]&lt;br /&gt;
* 2007-11-22 : Presentation [http://www.owasp.org/images/8/85/20071122-OWASP_Infosecurity_France.ppt of OWASP] at Infosecurity France&lt;br /&gt;
* 2007-11-07 : Interview in the  [http://www.journaldunet.com/developpeur/itws/071106-securite-applicative-owasp.shtml Journal du Net]&lt;br /&gt;
* 2007-10-05 : OWASP France will present the security challenges of [http://www.infosecurity.com.fr/?Jpto=116&amp;amp;KM_Session=f345bb91df954e6cbc0148328f109e94&amp;amp;CurrentNode=518&amp;amp;Lang=FR&amp;amp;IdNode=708 Web Services at Infosecurity France on 22/11/2007]&lt;br /&gt;
* 2006-12-18 : Creation of the association to support the OWASP group&lt;br /&gt;
* 2006-12-14 : The OWASP Viaduc Hub was launched http://www.viadeo.com/hub/affichehub/?hubId=002fj37grgb7o7n&lt;br /&gt;
* 2006-12-13 : Birth of the French chapter of OWASP. A mailing list is available. [http://lists.owasp.org/mailman/listinfo/owasp-france Subscribe]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=France&amp;diff=143782</id>
		<title>France</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=France&amp;diff=143782"/>
				<updated>2013-02-08T13:38:34Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=France|extra=The '''Chapter Leaders''' are [mailto:ludovic.petit@owasp.org Ludovic Petit] and [mailto:sebastien.gioria@owasp.org Sebastien Gioria]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-france|emailarchives=http://lists.owasp.org/pipermail/owasp-france}}'''&lt;br /&gt;
&amp;lt;paypal&amp;gt;France Chapter&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''The French Chapter is also available on LinkedIn''': [http://www.linkedin.com/groupInvitation?gid=1638517  '''Join us''', it only takes a minute!]&lt;br /&gt;
&lt;br /&gt;
== Contacts, Presentations, Contributions &amp;amp; Partnerships ==&lt;br /&gt;
&lt;br /&gt;
*[mailto:sebastien.gioria@owasp.org Sebastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit] are available if you would like information or wish to discuss the added value offered by the OWASP Foundation, as well as Web Application Security.&lt;br /&gt;
&lt;br /&gt;
Companies, individuals, academia, sponsors, supporters: everyone is welcome at OWASP! Access to our Chapter meetings is free and open to all.&lt;br /&gt;
&lt;br /&gt;
For companies wishing to join OWASP, the basic annual membership fee is $5000 US (of which 40% goes to the Project or Chapter of your choice), 100% deductible in the USA and 60% deductible in France &lt;br /&gt;
&lt;br /&gt;
The funds collected are used to organize the Chapter meetings, but also and above all to build and organize with you a specific collegial approach that meets your wishes (awareness sessions, internal meetings, speaker engagements, etc.). All of this can be discussed with the French Chapter and agreed jointly with you if you wish to join OWASP. &lt;br /&gt;
&lt;br /&gt;
Do not hesitate to contact us if you would like to discuss a particular topic, or if you would like to give a presentation at a France Chapter meeting.&lt;br /&gt;
&lt;br /&gt;
Friends in the print press and multimedia, do not hesitate to call on us if you would like our help with your articles and reports; you are welcome and we would be honored. Use our know-how in a win-win perspective!&lt;br /&gt;
&lt;br /&gt;
We remain modest in our approach; we hope the OWASP France Chapter will become one of your reference contacts. '''Together, each achieves more'''!&lt;br /&gt;
&lt;br /&gt;
                                      '''TEAM stands for... Together Each Achieves More!'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
==Looking Forward… and Beyond, Distinctiveness Through Security Excellence==&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/5/50/Looking_Forward%E2%80%A6_and_Beyond.pptx Looking Forward… and Beyond]&amp;quot;'''&lt;br /&gt;
 '''Summary''' :  &lt;br /&gt;
Here is a presentation I gave in Sept for a big Software maker in an internal meeting. This presentation aims to be re-used at your convenience depending on the needs / your context. Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes, or people and firms interested in OWASP and willing to join the Foundation as Member. The first 2 parts are more an update for those who are not yet familiar with OWASP, the 3rd part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway. Enjoy and feel free to email me, all comments welcome!&lt;br /&gt;
&lt;br /&gt;
 '''Speaker''' : Ludovic Petit &lt;br /&gt;
&lt;br /&gt;
==28 March 2012 First-quarter meeting==&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/6/6d/Developer_Top_Ten_Core_Controls_v4.1.pptx Top Ten Web Defenses]&amp;quot;'''&lt;br /&gt;
 '''Summary''' :  &lt;br /&gt;
Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. &lt;br /&gt;
This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. &lt;br /&gt;
Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
This talk will also detail several of the key access control anti-patterns commonly found during website security audits. &lt;br /&gt;
These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. &lt;br /&gt;
In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico &lt;br /&gt;
Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. &lt;br /&gt;
He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.&lt;br /&gt;
 '''Online registration at''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== 7 and 8 February 2012 - [http://www.microsoft.com/france/mstechdays/ Techdays Microsoft 2012] ==&lt;br /&gt;
&lt;br /&gt;
Sébastien will give a talk on [http://www.microsoft.com/france/mstechdays/programmes/parcours.aspx?SessionID=62e02774-6045-4be8-80ff-8332a793ad4f HTML5 and Security]  on 7 February 2012 at 17h30. &lt;br /&gt;
More information on the page dedicated to TechDays Microsoft 2012.&lt;br /&gt;
&lt;br /&gt;
== 6 January 2012 - New Working Group on Web Services Security at [http://www.clusif.fr CLUSIF]  ==&lt;br /&gt;
&lt;br /&gt;
Continuing from the Web Application Security Working Group originally created in 2009, CLUSIF has launched a new working group on Web Services security. Feel free to take part if you are interested. CLUSIF is looking for users for this working group, and for people working in Microsoft environments, in order to have the widest possible panel for this document&lt;br /&gt;
&lt;br /&gt;
Contact : [mailto:sebastien.gioria@owasp.org Sébastien Gioria]&lt;br /&gt;
&lt;br /&gt;
== 19 December 2011 - Publication of the second [http://www.clusif.fr CLUSIF] document on Web Application Security ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF has published its second document, on [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Defense-en-profondeur-des-applications-Web.pdf defense in depth for web applications]. This document follows the [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf first document published in 2009] &lt;br /&gt;
&lt;br /&gt;
== 15 December 2011 [http://www.clusif.fr CLUSIF] conference on [http://www.clusif.fr/fr/infos/event/#conf111215  web application security] ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF presented the Web Application Security conference on Thursday 15 December 2011 at the Cercle National des Armées.&lt;br /&gt;
The program was: &lt;br /&gt;
&lt;br /&gt;
* Setting up an application security policy: a CISO's experience report, by Philippe LARUE - Security Manager - [http://www.cbp-prevoyance.com/ CBP]&lt;br /&gt;
* Source code review or application security testing: which is more efficient for assessing an application's security level? by Sébastien GIORIA - Senior Consultant [http://www.groupey.fr Groupe Y] and leader of the French chapter of [https://www.owasp.org OWASP] - OWASP France&lt;br /&gt;
*  The regulatory issues of protecting information online, by Garance MATHIAS - Lawyer - Law firm&lt;br /&gt;
&lt;br /&gt;
The presentations are available on the [http://www.clusif.fr CLUSIF] site; videos of the talks will also be available.&lt;br /&gt;
&lt;br /&gt;
== 2 December 2011 - [[OWASP BeNeLux 2011 Conference - University of Luxembourg]] ==&lt;br /&gt;
&lt;br /&gt;
Ludovic gave a talk on &amp;quot;[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd WebApp Security and Legal aspects]&amp;quot;  on Dec 2.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**This presentation aims to be used by anybody willing to spread the voice of OWASP. See this as an Awareness session.&lt;br /&gt;
**Use it and use it again. &lt;br /&gt;
**Try to open your mind, just let me know if I can help. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/5/55/Do_you..._Legal_-_OWASP_BeNeLux_Day_-_2_Dec_2011.pptx Do you... Legal?]&amp;quot;'''&lt;br /&gt;
**The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsibility, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is especially true for Web Application Security, much sensitive information having to be handled through these web interfaces. As such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [[EUROPE - ENISA’s Who-is-Who Directory on Network and Information Security]] ===&lt;br /&gt;
&lt;br /&gt;
We are pleased to announce that OWASP France is part of the [http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011 ENISA’s Who-is-Who Directory].&lt;br /&gt;
&lt;br /&gt;
The ENISA is the European Network and Information Security Agency.&lt;br /&gt;
[http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011/at_download/fullReport The ENISA Who-is-Who Directory on Network and Information Security 2011] contains information on NIS stakeholders, such as national and European authorities and NIS organisations, contact details, websites, and areas of responsibilities or activities. &lt;br /&gt;
This Directory serves as the &amp;quot;yellow pages&amp;quot; of Network and Information Security (NIS) in Europe. As such, it is a useful tool for those working closely with NIS issues in Europe.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Chapter Meetings 2013 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2013 ==&lt;br /&gt;
 '''Date''' : 7 February 2013&lt;br /&gt;
 '''Venue''' : Gemalto - Salle Plazza, 6 rue de la Verrerie, 92197 Meudon-sur-Seine &lt;br /&gt;
 '''Time''' : 18h30 to 21h&lt;br /&gt;
 '''Presentation''' : Update on '''OWASP Projects''', Ludovic&lt;br /&gt;
 '''Presentation''' : '''Evolution of the Legal Framework - Developers, Software makers held liable for code?'''[[https://www.owasp.org/images/2/2a/Chapter_Meeting_OWASP_France_-_7_Feb_2013.pdf]] Ludovic&lt;br /&gt;
 '''Presentation''' : '''Personal data: the new draft European regulation'''[http://www.donneespersonnelles.fr/donnees-personnelles-le-nouveau-projet-de-reglement-europeen], Thiébaut Devergranne&lt;br /&gt;
 '''Breaking News''' : Presentation of the '''OWASP France Day''' that we would like to organize in March, Ludovic &amp;amp; Sébastien&lt;br /&gt;
 '''Call for contributions''' : '''OWASP Top Ten 2013 translation''', Ludovic &amp;amp; Sébastien&lt;br /&gt;
 '''Update''' : '''Partner Relations''' &amp;amp; '''Memberships''', Ely de Travieso&lt;br /&gt;
&lt;br /&gt;
Joining us for this meeting is Thiébaut Devergranne, doctor of law and consultant. Thiébaut has worked in new-technology law for more than 10 years, 6 of them within the Prime Minister's services.&lt;br /&gt;
&lt;br /&gt;
 '''Speakers''' : Ludovic Petit, Sébastien Gioria, Ely de Travieso, Thiébaut Devergranne&lt;br /&gt;
 '''Online registration here''' : https://www.eventbrite.com/event/4615236296&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Call for contributions OWASP France =&lt;br /&gt;
&lt;br /&gt;
The Chapter's various calls for contributions (sponsors, talks, etc.) will be relayed here.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= External calls for contributions =&lt;br /&gt;
&lt;br /&gt;
Calls for contributions that we consider of interest to the Chapter will be relayed here. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Meetings 2012 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2012 ==&lt;br /&gt;
 '''Date''' : 28 March 2012&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : Web Application Access Control Design Excellence&lt;br /&gt;
 '''Summary''' : Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
                    This talk will discuss several of the key access control anti-patterns commonly found during &lt;br /&gt;
                     website security audits. These access control anti-patterns include hard-coded security policies, &lt;br /&gt;
                     lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these&lt;br /&gt;
                     and other access control problems, we will discuss and design a positive access control mechanism &lt;br /&gt;
                     that is data contextual, activity based, configurable, flexible, and deny-by-default - among other&lt;br /&gt;
                     positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico&lt;br /&gt;
 '''Online registration here''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== Q2 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q3 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q4 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= 2011 Meetings =&lt;br /&gt;
&lt;br /&gt;
=== [[May 2011 - Paris Meeting]] ===&lt;br /&gt;
&lt;br /&gt;
[Logo to be placed here]&lt;br /&gt;
&lt;br /&gt;
We are honored to welcome '''Jim Manico''' during his European Tour in the Netherlands, Belgium and France.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document &amp;amp; Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle. &lt;br /&gt;
**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. &lt;br /&gt;
**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered. &lt;br /&gt;
**If you are interested in participating in the hands on portion of the course, please bring a laptop. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/f/f4/Future_of_XSS_v4.pptx The Ghost of XSS Past, Present and Future. A Defensive Tale]&amp;quot;'''&lt;br /&gt;
**This talk will discuss the past methods used for XSS defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google CAJA project and JSReg. &lt;br /&gt;
&lt;br /&gt;
*'''Speaker'''&lt;br /&gt;
**'''Jim Manico''' is a managing partner of Infrared Security with over 15 years of professional web development experience. Jim is also the Chair of the OWASP Connections Committee, one of the Project Managers of the OWASP ESAPI Project, a participant and manager of the OWASP Cheatsheet series, the Producer and host of the OWASP Podcast Series, the Manager of the OWASP Java HTML Sanitizer project and the manager of the OWASP Java Encoder project. When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.&lt;br /&gt;
&lt;br /&gt;
*'''Date'''&lt;br /&gt;
**May 24, 2011 &lt;br /&gt;
&lt;br /&gt;
*'''Venue'''&lt;br /&gt;
**Paris&lt;br /&gt;
&lt;br /&gt;
*'''Registration'''&lt;br /&gt;
**[http://www.regonline.com/Register/Checkin.aspx?EventID=971375 Click here]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 26 April 2011 ==&lt;br /&gt;
&lt;br /&gt;
'''26 April 2011 at the offices of [http://www.groupey.fr/nos-cabinets-paris.html GROUPE Y]:'''&lt;br /&gt;
&lt;br /&gt;
* 9:00: [https://www.owasp.org/images/2/2f/Agenda_26th_April_2011.pptx Introduction] - '''Ludovic Petit''' &amp;amp; '''Sébastien Gioria'''&lt;br /&gt;
* 9:30: [https://www.owasp.org/images/3/36/OPENSAMM2.pptx OpenSAMM] - '''Antonio Fontes''' (Chapter Leader OWASP Geneva) &lt;br /&gt;
* 11:00: [https://www.owasp.org/images/c/cf/OWASP_Cloud_Top_10.pptx OWASP Cloud Top 10 Project] - '''Ludovic Petit''' (Chapter Leader OWASP France &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 11:45: [https://www.owasp.org/images/5/5c/ESAPI_Swingset_talk_at_Paris.ppt OWASP ESAPI] - '''Fabio Cerullo''' (Chapter Leader OWASP Ireland &amp;amp; Global Education Committee)&lt;br /&gt;
* 14:15: [https://www.owasp.org/images/3/38/OWASP_Testing_Guide.pptx OWASP Testing Guide]  - '''Sébastien Gioria''' (French Chapter Leader &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 15:15: [http://o2platform.com OWASP O2 Platform - Live Session] - '''Dinis Cruz''' (OWASP O2 Project Leader)&lt;br /&gt;
* 16:30: [https://www.owasp.org/images/9/96/OWASP-Paris2011-VV-CodeReview.pdf OWASP Code Review] - '''Victor Vuillard'''&lt;br /&gt;
&lt;br /&gt;
= 2009 Meetings =&lt;br /&gt;
&lt;br /&gt;
'''6 May 2009 at 17h30 at [http://www.epitech.eu EPITECH]:'''&lt;br /&gt;
&lt;br /&gt;
* 17h30 : Welcome of participants&lt;br /&gt;
* 18h - 18h 15 : [http://www.owasp.org/images/d/dc/OWASP_Paris_Meeting_-_May_2009.pdf Welcome and overview of agenda] '''(Board OWASP France)'''&lt;br /&gt;
* 18h30 - 19h : [http://www.owasp.org/images/6/6b/2009-05-06-OWASPFR-WebServices.pdf Attacks on Web Services] - '''Renaud Bidou'''&lt;br /&gt;
* 19h15 - 19h45 : [http://www.owasp.org/images/8/82/2009-05-06-OWASPFR-OpenSAM.pdf Software Security Initiatives in the Real World] - '''Claudio Merloni'''&lt;br /&gt;
* 20h : Close &lt;br /&gt;
&lt;br /&gt;
About the speakers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Renaud Bidou:''' ''Technical Director of DenyAll. He has worked in security for more than 10 years and has published numerous articles and white papers on subjects as varied as denial of service, port knockers, botnets, setting up a SOC, graphical analysis of attacks, and evasion techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Claudio Merloni: '''''Claudio Merloni is a Software Security Consultant at Fortify Software. His experience in the security field covers application security, code review, secure architectures, risk analysis, compliance, security testing at the network, system and application levels, monitoring, and access control. He has taken part in several conferences, including BlackHat and CONFidence.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Venue: EPITECH'''&lt;br /&gt;
&lt;br /&gt;
Amphi 2&lt;br /&gt;
&lt;br /&gt;
14-16 rue Voltaire&lt;br /&gt;
&lt;br /&gt;
94276 Kremlin Bicêtre Cedex &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''Getting there: Metro''&lt;br /&gt;
* line 7: Porte d'Italie&lt;br /&gt;
&lt;br /&gt;
''Bus''&lt;br /&gt;
* lines 47, 125, 131, 185: Roger Salengro&lt;br /&gt;
* line 186: Pierre Brossolette &amp;lt;br/&amp;gt; &lt;br /&gt;
&lt;br /&gt;
''Car''&lt;br /&gt;
* ring road (périphérique): Porte d'Italie exit &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Translation effort =&lt;br /&gt;
&lt;br /&gt;
* The '''OWASP TOP Ten 2010 in French''' is [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf available]&lt;br /&gt;
* 2010-08-30 : The French version of the Top 10 2010 is available [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] &lt;br /&gt;
* 2008-02-15 : The Top 10 2007 is available in French: [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.pdf PDF format], [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.doc Word format]&lt;br /&gt;
* 2007-11-16 : [https://www.owasp.org/images/5/52/Owasp_tryptique.pdf Two-page double-sided leaflet] presenting OWASP for Infosecurity.&lt;br /&gt;
* 2007-02-27 : [[Newsletter_francaise_num%C3%A9ro_1]]&lt;br /&gt;
* 2007-06-20 : OWASP presentation given in NY in June 2007 [https://www.owasp.org/images/7/71/20070620-FR-OWASP_NY_Keynote.ppt]&lt;br /&gt;
[[Category:Europe]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Old News = &lt;br /&gt;
&lt;br /&gt;
* 2009-06-09 : [http://www.owasp.org/images/d/d2/20090609-CERT-IST-WAF-v0.1.pdf Talk on WAFs] at the [http://www.cert-ist.com CERT-IST] Forum &lt;br /&gt;
* 2009-02-03 : OWASP France will be present at [http://www.pci-portal.com/events/event-info/paris PCI Paris]. The presentation is: [https://www.owasp.org/images/f/fb/20090203-OWASP_PCI-Global_2009_Paris_-_v03.ppt OWASP and PCI-DSS requirement 6.5]&lt;br /&gt;
* 2008-11-19 : OWASP France will be present at  [http://www.infosecurity.com.fr/FR/badge?ref=OWAW Infosecurity France] in Paris:&lt;br /&gt;
[http://www.infosecurity.com.fr/index.php?argRedirect=FR|badge&amp;amp;Lang=FR&amp;amp;ref=OWAW https://www.owasp.org/images/8/88/Infosecurity.gif]&lt;br /&gt;
&lt;br /&gt;
* 2008-07-08 : OWASP France presented the OWASP project to [http://www.ossir.org OSSIR]. The presentation is available on the [https://www.owasp.org/images/9/94/20080708-OWASP_OSSIR.ppt OWASP] site&lt;br /&gt;
* 2008-02-15 : The Top 10 2007 is available in French&lt;br /&gt;
* 2008-02-11 : Presentation at [http://www.owasp.org/images/0/09/20080129-OWASP_TechDays_France_.ppt  TechDays 2008 Microsoft ]&lt;br /&gt;
* 2007-11-22 : Presentation [http://www.owasp.org/images/8/85/20071122-OWASP_Infosecurity_France.ppt of OWASP] at Infosecurity France&lt;br /&gt;
* 2007-11-07 : Interview in the  [http://www.journaldunet.com/developpeur/itws/071106-securite-applicative-owasp.shtml Journal du Net]&lt;br /&gt;
* 2007-10-05 : OWASP France will present the security challenges of [http://www.infosecurity.com.fr/?Jpto=116&amp;amp;KM_Session=f345bb91df954e6cbc0148328f109e94&amp;amp;CurrentNode=518&amp;amp;Lang=FR&amp;amp;IdNode=708 Web Services at Infosecurity France on 22/11/2007]&lt;br /&gt;
* 2006-12-18 : Creation of the association to support the OWASP group&lt;br /&gt;
* 2006-12-14 : The OWASP Viaduc Hub was launched http://www.viadeo.com/hub/affichehub/?hubId=002fj37grgb7o7n&lt;br /&gt;
* 2006-12-13 : Birth of the French chapter of OWASP. A mailing list is available. [http://lists.owasp.org/mailman/listinfo/owasp-france Subscribe]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=France&amp;diff=143781</id>
		<title>France</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=France&amp;diff=143781"/>
				<updated>2013-02-08T13:37:29Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=France|extra=The '''Chapter Leaders''' are [mailto:ludovic.petit@owasp.org Ludovic Petit] and [mailto:sebastien.gioria@owasp.org Sebastien Gioria]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-france|emailarchives=http://lists.owasp.org/pipermail/owasp-france}}'''&lt;br /&gt;
&amp;lt;paypal&amp;gt;France Chapter&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''The French Chapter is also available on LinkedIn''': [http://www.linkedin.com/groupInvitation?gid=1638517  '''Join us''', it only takes a minute!]&lt;br /&gt;
&lt;br /&gt;
== Contacts, Presentations, Contributions &amp;amp; Partnerships ==&lt;br /&gt;
&lt;br /&gt;
*[mailto:sebastien.gioria@owasp.org Sebastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit] are at your disposal if you would like information or wish to discuss the added value offered by the OWASP Foundation, as well as Web Application Security.&lt;br /&gt;
&lt;br /&gt;
Companies, individuals, academia, sponsors, supporters: everyone is welcome at OWASP! Access to our Chapter meetings is free and open to all.&lt;br /&gt;
&lt;br /&gt;
For companies wishing to join OWASP, the basic annual membership fee is US $5000 (of which 40% goes to the Project or Chapter of your choice), 100% deductible in the USA and 60% deductible in France. &lt;br /&gt;
&lt;br /&gt;
The funds collected are used to organise the Chapter's meetings and, above all, to build and organise with you a specific collegial approach that meets your wishes (awareness sessions, internal meetings, talks by speakers, etc.). All of this can be discussed with the French Chapter and agreed jointly with you if you wish to join OWASP. &lt;br /&gt;
&lt;br /&gt;
Feel free to contact us if you would like to discuss a particular topic, or if you would like to give a presentation at a France Chapter meeting.&lt;br /&gt;
&lt;br /&gt;
Friends from the print press and multimedia, feel free to call on us if you would like our help with your articles and reports; you are welcome and we would be honoured. Make use of our know-how in a win-win spirit!&lt;br /&gt;
&lt;br /&gt;
We remain modest in our approach; we would like the OWASP France Chapter to become one of your reference contacts. '''Together, each achieves more'''!&lt;br /&gt;
&lt;br /&gt;
                                      '''TEAM stands for... Together Each Achieves More!'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
==Looking Forward… and Beyond, Distinctiveness Through Security Excellence==&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/5/50/Looking_Forward%E2%80%A6_and_Beyond.pptx Looking Forward… and Beyond]&amp;quot;&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Here is a presentation I gave in Sept for a big Software maker in an internal meeting. This presentation aims to be re-used at your convenience depending on the needs / your context. Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes, or people and firms interested in OWASP and willing to join the Foundation as a Member. The first 2 parts are more an update for those who are not yet familiar with OWASP, the 3rd part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway. Enjoy and feel free to email me, all comments welcome!&lt;br /&gt;
&lt;br /&gt;
 '''Speaker''' : Ludovic Petit &lt;br /&gt;
&lt;br /&gt;
==28 March 2012 First-Quarter Meeting==&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/6/6d/Developer_Top_Ten_Core_Controls_v4.1.pptx Top Ten Web Defenses]&amp;quot;&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. &lt;br /&gt;
This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. &lt;br /&gt;
Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
This talk will also detail several of the key access control anti-patterns commonly found during website security audits. &lt;br /&gt;
These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. &lt;br /&gt;
In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico &lt;br /&gt;
Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. &lt;br /&gt;
He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.&lt;br /&gt;
 '''Online registration at''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== 7 and 8 February 2012 - [http://www.microsoft.com/france/mstechdays/ Techdays Microsoft 2012] ==&lt;br /&gt;
&lt;br /&gt;
Sébastien will give a talk on [http://www.microsoft.com/france/mstechdays/programmes/parcours.aspx?SessionID=62e02774-6045-4be8-80ff-8332a793ad4f HTML5 and Security]  on 7 February 2012 at 17h30. &lt;br /&gt;
More information on the dedicated TechDays Microsoft 2012 page.&lt;br /&gt;
&lt;br /&gt;
== 6 January 2012 - New Working Group on Web Services Security at [http://www.clusif.fr CLUSIF]  ==&lt;br /&gt;
&lt;br /&gt;
Following on from the Working Group on Web Application Security originally created in 2009, CLUSIF has launched a new working group on Web Services security. Feel free to take part if you are interested. CLUSIF is looking for users for this working group, and for people working in Microsoft environments, so as to have the broadest possible panel for this document.&lt;br /&gt;
&lt;br /&gt;
Contact : [mailto:sebastien.gioria@owasp.org Sébastien Gioria]&lt;br /&gt;
&lt;br /&gt;
== 19 December 2011 - Publication of the second [http://www.clusif.fr CLUSIF] document on Web Application Security ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF has published its second document, on [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Defense-en-profondeur-des-applications-Web.pdf Defence in depth for Web applications]. This document follows the [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf first document published in 2009] &lt;br /&gt;
&lt;br /&gt;
== 15 December 2011 [http://www.clusif.fr CLUSIF] conference on [http://www.clusif.fr/fr/infos/event/#conf111215  Web application security] ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF held the Web Application Security conference on Thursday 15 December 2011 at the Cercle National des Armées.&lt;br /&gt;
The programme was: &lt;br /&gt;
&lt;br /&gt;
* Implementing an application security policy: lessons learned from a CISO, by Philippe LARUE - Security Manager - [http://www.cbp-prevoyance.com/ CBP]&lt;br /&gt;
* Source code review or application security testing: which is more efficient for assessing an application's security level? by Sébastien GIORIA - Senior Consultant, [http://www.groupey.fr Groupe Y], and leader of the French chapter of [https://www.owasp.org OWASP] - OWASP France&lt;br /&gt;
*  The regulatory stakes of protecting information online, by Garance MATHIAS - Lawyer - Law firm&lt;br /&gt;
&lt;br /&gt;
The presentations are available on the [http://www.clusif.fr CLUSIF] website; videos of the talks will also be made available.&lt;br /&gt;
&lt;br /&gt;
== 2 December 2011 - [[OWASP BeNeLux 2011 Conference - University of Luxembourg]] ==&lt;br /&gt;
&lt;br /&gt;
Ludovic gave a talk on &amp;quot;[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd WebApp Security and Legal aspects]&amp;quot;  on Dec 2.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**This presentation aims to be used by anybody willing to spread the voice of OWASP. See this as an Awareness session.&lt;br /&gt;
**Use it and use it again. &lt;br /&gt;
**Try to open your mind, just let me know if I can help. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/5/55/Do_you..._Legal_-_OWASP_BeNeLux_Day_-_2_Dec_2011.pptx Do you... Legal?]&amp;quot;'''&lt;br /&gt;
**The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsibility, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is especially true for Web Application Security, much sensitive information having to be handled through these web interfaces. As such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [[EUROPE - ENISA’s Who-is-Who Directory on Network and Information Security]] ===&lt;br /&gt;
&lt;br /&gt;
We are pleased to announce that OWASP France is part of the [http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011 ENISA’s Who-is-Who Directory].&lt;br /&gt;
&lt;br /&gt;
The ENISA is the European Network and Information Security Agency.&lt;br /&gt;
[http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011/at_download/fullReport The ENISA Who-is-Who Directory on Network and Information Security 2011] contains information on NIS stakeholders, such as national and European authorities and NIS organisations, contact details, websites, and areas of responsibilities or activities. &lt;br /&gt;
This Directory serves as the &amp;quot;yellow pages&amp;quot; of Network and Information Security (NIS) in Europe. As such, it is a useful tool for those working closely with NIS issues in Europe.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Chapter Meetings 2013 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2013 ==&lt;br /&gt;
 '''Date''' : 7 February 2013&lt;br /&gt;
 '''Venue''' : Gemalto - Salle Plazza, 6 rue de la Verrerie, 92197 Meudon-sur-Seine &lt;br /&gt;
 '''Time''' : 18h30 to 21h&lt;br /&gt;
 '''Presentation''' : Update on '''OWASP Projects''', Ludovic&lt;br /&gt;
 '''Presentation''' : '''Evolution of the Legal Framework - Developers, Software makers held liable for code?'''[[https://www.owasp.org/images/2/2a/Chapter_Meeting_OWASP_France_-_7_Feb_2013.pdf]] Ludovic&lt;br /&gt;
 '''Presentation''' : '''Personal data: the new draft European regulation'''[http://www.donneespersonnelles.fr/donnees-personnelles-le-nouveau-projet-de-reglement-europeen], Thiébaut Devergranne&lt;br /&gt;
 '''Breaking News''' : Presentation of the '''OWASP France Day''' that we would like to organise in March, Ludovic &amp;amp; Sébastien&lt;br /&gt;
 '''Call for contributions''' : '''OWASP Top Ten 2013 translation''', Ludovic &amp;amp; Sébastien&lt;br /&gt;
 '''Update''' : '''Partner Relations''' &amp;amp; '''Memberships''', Ely de Travieso&lt;br /&gt;
&lt;br /&gt;
Joining us for this meeting is Thiébaut Devergranne, doctor of law and consultant. Thiébaut has worked in new-technology law for more than 10 years, 6 of them within the Prime Minister's services.&lt;br /&gt;
&lt;br /&gt;
Thiébaut Devergranne's presentation is available at:&lt;br /&gt;
http://www.donneespersonnelles.fr/donnees-personnelles-le-nouveau-projet-de-reglement-europeen.&lt;br /&gt;
&lt;br /&gt;
 '''Speakers''' : Ludovic Petit, Sébastien Gioria, Ely de Travieso, Thiébaut Devergranne&lt;br /&gt;
 '''Online registration here''' : https://www.eventbrite.com/event/4615236296&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OWASP France Call for Contributions =&lt;br /&gt;
&lt;br /&gt;
The Chapter's various calls for contributions (sponsors, talks, etc.) will be relayed here.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= External Calls for Contributions =&lt;br /&gt;
&lt;br /&gt;
Calls for contributions that we consider of interest to the Chapter will be relayed here. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Meetings 2012 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2012 ==&lt;br /&gt;
 '''Date''' : 28 March 2012&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : Web Application Access Control Design Excellence&lt;br /&gt;
 '''Abstract''' : Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
                    This talk will discuss several of the key access control anti-patterns commonly found during &lt;br /&gt;
                     website security audits. These access control anti-patterns include hard-coded security policies, &lt;br /&gt;
                     lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these&lt;br /&gt;
                     and other access control problems, we will discuss and design a positive access control mechanism &lt;br /&gt;
                     that is data contextual, activity based, configurable, flexible, and deny-by-default - among other&lt;br /&gt;
                     positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico&lt;br /&gt;
 '''Online registration here''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== Q2 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q3 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q4 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= 2011 Meetings =&lt;br /&gt;
&lt;br /&gt;
=== [[May 2011 - Paris Meeting]] ===&lt;br /&gt;
&lt;br /&gt;
[Logo to be placed here]&lt;br /&gt;
&lt;br /&gt;
We are honored to welcome '''Jim Manico''' during his European Tour in the Netherlands, Belgium and France.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document &amp;amp; Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle. &lt;br /&gt;
**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. &lt;br /&gt;
**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered. &lt;br /&gt;
**If you are interested in participating in the hands on portion of the course, please bring a laptop. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/f/f4/Future_of_XSS_v4.pptx The Ghost of XSS Past, Present and Future. A Defensive Tale]&amp;quot;'''&lt;br /&gt;
**This talk will discuss the past methods used for XSS defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google CAJA project and JSReg. &lt;br /&gt;
&lt;br /&gt;
*'''Speaker'''&lt;br /&gt;
**'''Jim Manico''' is a managing partner of Infrared Security with over 15 years of professional web development experience. Jim is also the Chair of the OWASP Connections Committee, one of the Project Managers of the OWASP ESAPI Project, a participant and manager of the OWASP Cheatsheet series, the Producer and host of the OWASP Podcast Series, the Manager of the OWASP Java HTML Sanitizer project and the manager of the OWASP Java Encoder project. When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.&lt;br /&gt;
&lt;br /&gt;
*'''Date'''&lt;br /&gt;
**May 24, 2011 &lt;br /&gt;
&lt;br /&gt;
*'''Venue'''&lt;br /&gt;
**Paris&lt;br /&gt;
&lt;br /&gt;
*'''Registration'''&lt;br /&gt;
**[http://www.regonline.com/Register/Checkin.aspx?EventID=971375 Click here]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 26 April 2011 ==&lt;br /&gt;
&lt;br /&gt;
'''26 April 2011 at the offices of [http://www.groupey.fr/nos-cabinets-paris.html GROUPE Y]:'''&lt;br /&gt;
&lt;br /&gt;
* 9:00: [https://www.owasp.org/images/2/2f/Agenda_26th_April_2011.pptx Introduction] - '''Ludovic Petit''' &amp;amp; '''Sébastien Gioria'''&lt;br /&gt;
* 9:30: [https://www.owasp.org/images/3/36/OPENSAMM2.pptx OpenSAMM] - '''Antonio Fontes''' (Chapter Leader OWASP Geneva) &lt;br /&gt;
* 11:00: [https://www.owasp.org/images/c/cf/OWASP_Cloud_Top_10.pptx OWASP Cloud Top 10 Project] - '''Ludovic Petit''' (Chapter Leader OWASP France &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 11:45: [https://www.owasp.org/images/5/5c/ESAPI_Swingset_talk_at_Paris.ppt OWASP ESAPI] - '''Fabio Cerullo''' (Chapter Leader OWASP Ireland &amp;amp; Global Education Committee)&lt;br /&gt;
* 14:15: [https://www.owasp.org/images/3/38/OWASP_Testing_Guide.pptx OWASP Testing Guide]  - '''Sébastien Gioria''' (French Chapter Leader &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 15:15: [http://o2platform.com OWASP O2 Platform - Live Session] - '''Dinis Cruz''' (OWASP O2 Project Leader)&lt;br /&gt;
* 16:30: [https://www.owasp.org/images/9/96/OWASP-Paris2011-VV-CodeReview.pdf OWASP Code Review] - '''Victor Vuillard'''&lt;br /&gt;
&lt;br /&gt;
= 2009 Meetings =&lt;br /&gt;
&lt;br /&gt;
'''6 May 2009 at 17h30 at [http://www.epitech.eu EPITECH]:'''&lt;br /&gt;
&lt;br /&gt;
* 17h30 : Welcome of participants&lt;br /&gt;
* 18h - 18h 15 : [http://www.owasp.org/images/d/dc/OWASP_Paris_Meeting_-_May_2009.pdf Welcome and overview of agenda] '''(Board OWASP France)'''&lt;br /&gt;
* 18h30 - 19h : [http://www.owasp.org/images/6/6b/2009-05-06-OWASPFR-WebServices.pdf Attacks on Web Services] - '''Renaud Bidou'''&lt;br /&gt;
* 19h15 - 19h45 : [http://www.owasp.org/images/8/82/2009-05-06-OWASPFR-OpenSAM.pdf Software Security Initiatives in the Real World] - '''Claudio Merloni'''&lt;br /&gt;
* 20h : Close &lt;br /&gt;
&lt;br /&gt;
About the speakers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Renaud Bidou :''' ''Technical Director of DenyAll. He has worked in security for more than 10 years and has published numerous articles and white papers on topics as varied as denial of service, port knockers, botnets, setting up a SOC, graphical analysis of attacks, and evasion techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Claudio Merloni : '''''Claudio Merloni is a Software Security Consultant at Fortify Software. His security experience covers application security, code review, secure architectures, risk analysis, compliance, security testing at the network, system and application levels, monitoring, and access control. He has taken part in several conferences, including BlackHat and CONFidence.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Venue: EPITECH'''&lt;br /&gt;
&lt;br /&gt;
Amphi 2&lt;br /&gt;
&lt;br /&gt;
14-16 rue Voltaire&lt;br /&gt;
&lt;br /&gt;
94276 Kremlin Bicêtre Cedex &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''Getting there: Metro''&lt;br /&gt;
* line 7 : Porte d'Italie&lt;br /&gt;
&lt;br /&gt;
''Bus''&lt;br /&gt;
* lines 47, 125, 131, 185 : Roger Salengro&lt;br /&gt;
* line 186 : Pierre Brossolette &amp;lt;br/&amp;gt; &lt;br /&gt;
&lt;br /&gt;
''Car''&lt;br /&gt;
* ring road (périphérique) : Porte d'Italie exit &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Translation effort =&lt;br /&gt;
&lt;br /&gt;
* The '''OWASP TOP Ten 2010 in French''' is [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf available]&lt;br /&gt;
* 2010-08-30 : The French version of the Top 10 2010 is available [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] &lt;br /&gt;
* 2008-02-15 : The Top10 2007 is available in French: [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.pdf PDF format], [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.doc Word format]&lt;br /&gt;
* 2007-11-16 : [https://www.owasp.org/images/5/52/Owasp_tryptique.pdf Two-page double-sided presentation leaflet] for Infosecurity.&lt;br /&gt;
* 2007-02-27 : [[Newsletter_francaise_num%C3%A9ro_1]]&lt;br /&gt;
* 2007-06-20 : OWASP presentation given in NY in June 2007 [https://www.owasp.org/images/7/71/20070620-FR-OWASP_NY_Keynote.ppt]&lt;br /&gt;
[[Category:Europe]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Old News = &lt;br /&gt;
&lt;br /&gt;
* 2009-06-09 : [http://www.owasp.org/images/d/d2/20090609-CERT-IST-WAF-v0.1.pdf Talk on WAFs] at the [http://www.cert-ist.com CERT-IST] Forum &lt;br /&gt;
* 2009-02-03 : OWASP France will attend [http://www.pci-portal.com/events/event-info/paris PCI Paris]. The presentation is: [https://www.owasp.org/images/f/fb/20090203-OWASP_PCI-Global_2009_Paris_-_v03.ppt OWASP and PCI-DSS requirement 6.5]&lt;br /&gt;
* 2008-11-19 : OWASP France will attend [http://www.infosecurity.com.fr/FR/badge?ref=OWAW Infosecurity France] in Paris:&lt;br /&gt;
[http://www.infosecurity.com.fr/index.php?argRedirect=FR|badge&amp;amp;Lang=FR&amp;amp;ref=OWAW https://www.owasp.org/images/8/88/Infosecurity.gif]&lt;br /&gt;
&lt;br /&gt;
* 2008-07-08 : OWASP France presented the OWASP project to [http://www.ossir.org OSSIR]. The presentation is available on the [https://www.owasp.org/images/9/94/20080708-OWASP_OSSIR.ppt OWASP] website&lt;br /&gt;
* 2008-02-15 : The Top10 2007 is available in French&lt;br /&gt;
* 2008-02-11 : Presentation at the [http://www.owasp.org/images/0/09/20080129-OWASP_TechDays_France_.ppt  TechDays 2008 Microsoft ]&lt;br /&gt;
* 2007-11-22 : [http://www.owasp.org/images/8/85/20071122-OWASP_Infosecurity_France.ppt OWASP presentation] at Infosecurity France&lt;br /&gt;
* 2007-11-07 : Interview in the [http://www.journaldunet.com/developpeur/itws/071106-securite-applicative-owasp.shtml Journal du Net]&lt;br /&gt;
* 2007-10-05 : OWASP France will present the security challenges of [http://www.infosecurity.com.fr/?Jpto=116&amp;amp;KM_Session=f345bb91df954e6cbc0148328f109e94&amp;amp;CurrentNode=518&amp;amp;Lang=FR&amp;amp;IdNode=708 Web Services at Infosecurity France on 22/11/2007]&lt;br /&gt;
* 2006-12-18 : Creation of the association to support the OWASP group&lt;br /&gt;
* 2006-12-14 : The OWASP Viaduc Hub was launched http://www.viadeo.com/hub/affichehub/?hubId=002fj37grgb7o7n&lt;br /&gt;
* 2006-12-13 : Birth of the OWASP French chapter. A mailing list is available. [http://lists.owasp.org/mailman/listinfo/owasp-france Subscribe]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=France&amp;diff=143780</id>
		<title>France</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=France&amp;diff=143780"/>
				<updated>2013-02-08T13:30:39Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=France|extra=The '''Chapter Leaders''' are [mailto:ludovic.petit@owasp.org Ludovic Petit] and [mailto:sebastien.gioria@owasp.org Sebastien Gioria]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-france|emailarchives=http://lists.owasp.org/pipermail/owasp-france}}'''&lt;br /&gt;
&amp;lt;paypal&amp;gt;France Chapter&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''The French Chapter is also available on LinkedIn''': [http://www.linkedin.com/groupInvitation?gid=1638517  '''Join us''', it only takes a minute!]&lt;br /&gt;
&lt;br /&gt;
== Contacts, Presentations, Contributions &amp;amp; Partnerships ==&lt;br /&gt;
&lt;br /&gt;
*[mailto:sebastien.gioria@owasp.org Sebastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit] are at your disposal if you would like information or wish to discuss the added value offered by the OWASP Foundation, as well as Web Application Security.&lt;br /&gt;
&lt;br /&gt;
Companies, individuals, academia, sponsors, supporters: everyone is welcome at OWASP! Access to our Chapter meetings is free and open to all.&lt;br /&gt;
&lt;br /&gt;
For companies wishing to join OWASP, the basic annual membership fee is US $5000 (of which 40% goes to the Project or Chapter of your choice), 100% deductible in the USA and 60% deductible in France. &lt;br /&gt;
&lt;br /&gt;
The funds collected are used to organise the Chapter's meetings and, above all, to build and organise with you a specific collegial approach that meets your wishes (awareness sessions, internal meetings, talks by speakers, etc.). All of this can be discussed with the French Chapter and agreed jointly with you if you wish to join OWASP. &lt;br /&gt;
&lt;br /&gt;
Feel free to contact us if you would like to discuss a particular topic, or if you would like to give a presentation at a France Chapter meeting.&lt;br /&gt;
&lt;br /&gt;
Friends from the print press and multimedia, feel free to call on us if you would like our help with your articles and reports; you are welcome and we would be honoured. Make use of our know-how in a win-win spirit!&lt;br /&gt;
&lt;br /&gt;
We remain modest in our approach; we would like the OWASP France Chapter to become one of your reference contacts. '''Together, each achieves more'''!&lt;br /&gt;
&lt;br /&gt;
                                      '''TEAM stands for... Together Each Achieves More!'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
==Looking Forward… and Beyond, Distinctiveness Through Security Excellence==&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/5/50/Looking_Forward%E2%80%A6_and_Beyond.pptx Looking Forward… and Beyond]&amp;quot;&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Here is a presentation I gave in Sept for a big Software maker in an internal meeting. This presentation aims to be re-used at your convenience depending on the needs / your context. Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes, or people and firms interested in OWASP and willing to join the Foundation as a Member. The first 2 parts are more an update for those who are not yet familiar with OWASP, the 3rd part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway. Enjoy and feel free to email me, all comments welcome!&lt;br /&gt;
&lt;br /&gt;
 '''Speaker''' : Ludovic Petit &lt;br /&gt;
&lt;br /&gt;
==28 March 2012 First-Quarter Meeting==&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/6/6d/Developer_Top_Ten_Core_Controls_v4.1.pptx Top Ten Web Defenses]&amp;quot;&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. &lt;br /&gt;
This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. &lt;br /&gt;
Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
This talk will also detail several of the key access control anti-patterns commonly found during website security audits. &lt;br /&gt;
These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. &lt;br /&gt;
In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico &lt;br /&gt;
Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. &lt;br /&gt;
He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.&lt;br /&gt;
 '''Online registration at''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== 7 and 8 February 2012 - [http://www.microsoft.com/france/mstechdays/ Techdays Microsoft 2012] ==&lt;br /&gt;
&lt;br /&gt;
Sébastien will give a talk on [http://www.microsoft.com/france/mstechdays/programmes/parcours.aspx?SessionID=62e02774-6045-4be8-80ff-8332a793ad4f HTML5 and Security] on 7 February 2012 at 17h30. &lt;br /&gt;
More information is available on the page dedicated to TechDays Microsoft 2012.&lt;br /&gt;
&lt;br /&gt;
== 6 January 2012 - New Working Group on Web Services Security at [http://www.clusif.fr CLUSIF]  ==&lt;br /&gt;
&lt;br /&gt;
Following on from the Working Group on Web Application Security originally created in 2009, CLUSIF has launched a new working group on Web Services security. Feel free to take part if you are interested. CLUSIF is looking for users for this working group, and for people working in Microsoft environments, in order to have the widest possible panel for this document.&lt;br /&gt;
&lt;br /&gt;
Contact : [mailto:sebastien.gioria@owasp.org Sébastien Gioria]&lt;br /&gt;
&lt;br /&gt;
== 19 December 2011 - Publication of the second [http://www.clusif.fr CLUSIF] document on Web Application Security ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF has published its second document, on [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Defense-en-profondeur-des-applications-Web.pdf Defence in depth for web applications]. This document follows the [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf first document published in 2009]. &lt;br /&gt;
&lt;br /&gt;
== 15 December 2011 - [http://www.clusif.fr CLUSIF] conference on [http://www.clusif.fr/fr/infos/event/#conf111215  web application security] ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF held its Web Application Security conference on Thursday 15 December 2011 at the Cercle National des Armées.&lt;br /&gt;
The programme was: &lt;br /&gt;
&lt;br /&gt;
* Implementing an application security policy: lessons learned by a CISO, by Philippe LARUE - Security Manager - [http://www.cbp-prevoyance.com/ CBP]&lt;br /&gt;
* Source code review or application security testing: which is more efficient for assessing an application's security level? by Sébastien GIORIA - Senior Consultant at [http://www.groupey.fr Groupe Y] and leader of the French chapter of [https://www.owasp.org OWASP] - OWASP France&lt;br /&gt;
* The regulatory stakes of protecting information online, by Garance MATHIAS - Lawyer - Law firm&lt;br /&gt;
&lt;br /&gt;
The presentations are available on the [http://www.clusif.fr CLUSIF] website; videos of the talks will also be available.&lt;br /&gt;
&lt;br /&gt;
== 2 December 2011 - [[OWASP BeNeLux 2011 Conference - University of Luxembourg]] ==&lt;br /&gt;
&lt;br /&gt;
Ludovic gave a talk on &amp;quot;[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd WebApp Security and Legal aspects]&amp;quot;  on Dec 2.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**This presentation aims to be used by anybody willing to spread the voice of OWASP. See this as an Awareness session.&lt;br /&gt;
**Use it and use it again. &lt;br /&gt;
**Try to open your mind, just let me know if I can help. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/5/55/Do_you..._Legal_-_OWASP_BeNeLux_Day_-_2_Dec_2011.pptx Do you... Legal?]&amp;quot;'''&lt;br /&gt;
**The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsibility, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is especially true for Web Application Security, much sensitive information having to be handled through these web interfaces. As such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [[EUROPE - ENISA’s Who-is-Who Directory on Network and Information Security]] ===&lt;br /&gt;
&lt;br /&gt;
We are pleased to announce that OWASP France is part of the [http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011 ENISA’s Who-is-Who Directory].&lt;br /&gt;
&lt;br /&gt;
The ENISA is the European Network and Information Security Agency.&lt;br /&gt;
[http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011/at_download/fullReport The ENISA Who-is-Who Directory on Network and Information Security 2011] contains information on NIS stakeholders, such as national and European authorities and NIS organisations, contact details, websites, and areas of responsibilities or activities. &lt;br /&gt;
This Directory serves as the &amp;quot;yellow pages&amp;quot; of Network and Information Security (NIS) in Europe. As such, it is a useful tool for those working closely with NIS issues in Europe.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Chapter Meetings 2013 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2013 ==&lt;br /&gt;
 '''Date''' : 7 February 2013&lt;br /&gt;
 '''Venue''' : Gemalto - Salle Plazza, 6 rue de la Verrerie, 92197 Meudon-sur-Seine &lt;br /&gt;
 '''Time''' : 18h30 to 21h&lt;br /&gt;
 '''Presentation''' : Update on OWASP Projects, Ludovic&lt;br /&gt;
 '''Presentation''' : Evolution of the Legal Framework - Developers, Software makers held liable for code? [https://www.owasp.org/images/2/2a/Chapter_Meeting_OWASP_France_-_7_Feb_2013.pdf], Ludovic&lt;br /&gt;
 '''Presentation''' : Personal data: the new draft European regulation [http://www.donneespersonnelles.fr/donnees-personnelles-le-nouveau-projet-de-reglement-europeen], Thiébaut Devergranne&lt;br /&gt;
 '''Presentation''' : Presentation of the OWASP France Day that we would like to organise in March, Ludovic &amp;amp; Sébastien&lt;br /&gt;
 '''Presentation''' : OWASP Top Ten 2013 translation, Ludovic &amp;amp; Sébastien&lt;br /&gt;
 '''Presentation''' : Partner Relations &amp;amp; Memberships, Ely de Travieso&lt;br /&gt;
&lt;br /&gt;
Joining us for this meeting is Thiébaut Devergranne, doctor of law and consultant. Thiébaut has worked in new-technology law for more than 10 years, including 6 spent within the Prime Minister's services.&lt;br /&gt;
&lt;br /&gt;
Thiébaut Devergranne's presentation is available at http://www.donneespersonnelles.fr/donnees-personnelles-le-nouveau-projet-de-reglement-europeen.&lt;br /&gt;
&lt;br /&gt;
 '''Speakers''' : Ludovic Petit, Sébastien Gioria, Ely de Travieso, Thiébaut Devergranne&lt;br /&gt;
 '''Online registration here''' : https://www.eventbrite.com/event/4615236296&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OWASP France call for contributions =&lt;br /&gt;
&lt;br /&gt;
The Chapter's various calls for contributions (sponsors, talks, etc.) will be relayed here.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= External calls for contributions =&lt;br /&gt;
&lt;br /&gt;
Calls for contributions that we consider of interest to the Chapter will be relayed here. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Meetings 2012 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2012 ==&lt;br /&gt;
 '''Date''' : 28 March 2012&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open at 17h30 - Presentation starts at 18h&lt;br /&gt;
 '''Presentation''' : Web Application Access Control Design Excellence&lt;br /&gt;
 '''Abstract''' : Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
                    This talk will discuss several of the key access control anti-patterns commonly found during &lt;br /&gt;
                     website security audits. These access control anti-patterns include hard-coded security policies, &lt;br /&gt;
                     lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these&lt;br /&gt;
                     and other access control problems, we will discuss and design a positive access control mechanism &lt;br /&gt;
                     that is data contextual, activity based, configurable, flexible, and deny-by-default - among other&lt;br /&gt;
                     positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico&lt;br /&gt;
 '''Online registration here''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== Q2 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q3 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q4 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= 2011 Meetings =&lt;br /&gt;
&lt;br /&gt;
=== [[May 2011 - Paris Meeting]] ===&lt;br /&gt;
&lt;br /&gt;
We are honored to welcome '''Jim Manico''' during his European Tour in the Netherlands, Belgium and France.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document &amp;amp; Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle. &lt;br /&gt;
**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. &lt;br /&gt;
**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered. &lt;br /&gt;
**If you are interested in participating in the hands on portion of the course, please bring a laptop. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/f/f4/Future_of_XSS_v4.pptx The Ghost of XSS Past, Present and Future. A Defensive Tale]&amp;quot;'''&lt;br /&gt;
**This talk will discuss the past methods used for XSS defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google CAJA project and JSReg. &lt;br /&gt;
&lt;br /&gt;
*'''Speaker'''&lt;br /&gt;
**'''Jim Manico''' is a managing partner of Infrared Security with over 15 years of professional web development experience. Jim is also the Chair of the OWASP Connections Committee, one of the Project Managers of the OWASP ESAPI Project, a participant and manager of the OWASP Cheatsheet series, the Producer and host of the OWASP Podcast Series, the Manager of the OWASP Java HTML Sanitizer project and the manager of the OWASP Java Encoder project. When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.&lt;br /&gt;
&lt;br /&gt;
*'''Date'''&lt;br /&gt;
**May 24, 2011 &lt;br /&gt;
&lt;br /&gt;
*'''Venue'''&lt;br /&gt;
**Paris&lt;br /&gt;
&lt;br /&gt;
*'''Registration'''&lt;br /&gt;
**[http://www.regonline.com/Register/Checkin.aspx?EventID=971375 Click here]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 26 April 2011 ==&lt;br /&gt;
&lt;br /&gt;
'''26 April 2011 at the [http://www.groupey.fr/nos-cabinets-paris.html GROUPE Y] offices:'''&lt;br /&gt;
&lt;br /&gt;
* 9:00: [https://www.owasp.org/images/2/2f/Agenda_26th_April_2011.pptx Introduction] - '''Ludovic Petit''' &amp;amp; '''Sébastien Gioria'''&lt;br /&gt;
* 9:30: [https://www.owasp.org/images/3/36/OPENSAMM2.pptx OpenSAMM] - '''Antonio Fontes''' (Chapter Leader OWASP Geneva) &lt;br /&gt;
* 11:00: [https://www.owasp.org/images/c/cf/OWASP_Cloud_Top_10.pptx OWASP Cloud Top 10 Project] - '''Ludovic Petit''' (Chapter Leader OWASP France &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 11:45: [https://www.owasp.org/images/5/5c/ESAPI_Swingset_talk_at_Paris.ppt OWASP ESAPI] - '''Fabio Cerullo''' (Chapter Leader OWASP Ireland &amp;amp; Global Education Committee)&lt;br /&gt;
* 14:15: [https://www.owasp.org/images/3/38/OWASP_Testing_Guide.pptx OWASP Testing Guide]  - '''Sébastien Gioria''' (French Chapter Leader &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 15:15: [http://o2platform.com OWASP O2 Platform - Live Session] - '''Dinis Cruz''' (OWASP O2 Project Leader)&lt;br /&gt;
* 16:30: [https://www.owasp.org/images/9/96/OWASP-Paris2011-VV-CodeReview.pdf OWASP Code Review] - '''Victor Vuillard'''&lt;br /&gt;
&lt;br /&gt;
= 2009 Meetings =&lt;br /&gt;
&lt;br /&gt;
'''6 May 2009 at 17h30 at [http://www.epitech.eu EPITECH]:'''&lt;br /&gt;
&lt;br /&gt;
* 17h30 : Welcome of participants&lt;br /&gt;
* 18h - 18h15 : [http://www.owasp.org/images/d/dc/OWASP_Paris_Meeting_-_May_2009.pdf Welcome and overview of agenda] '''(Board OWASP France)'''&lt;br /&gt;
* 18h30 - 19h : [http://www.owasp.org/images/6/6b/2009-05-06-OWASPFR-WebServices.pdf Attacks on Web Services] - '''Renaud Bidou'''&lt;br /&gt;
* 19h15 - 19h45 : [http://www.owasp.org/images/8/82/2009-05-06-OWASPFR-OpenSAM.pdf Software Security Initiatives in the Real World] - '''Claudio Merloni'''&lt;br /&gt;
* 20h : Close &lt;br /&gt;
&lt;br /&gt;
About the speakers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Renaud Bidou:''''' Technical Director of DenyAll. He has worked in security for more than 10 years and has published numerous articles and white papers on subjects as varied as denial of service, port knockers, botnets, setting up a SOC, graphical analysis of attacks, and evasion techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Claudio Merloni:''''' Claudio Merloni is a Software Security Consultant at Fortify Software. His experience in the security field covers application security, code review, secure architectures, risk analysis, compliance, security testing at the network, system and application levels, monitoring, and access control. He has taken part in several conferences, including BlackHat and CONFidence.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Venue: EPITECH'''&lt;br /&gt;
&lt;br /&gt;
Amphi 2&lt;br /&gt;
&lt;br /&gt;
14-16 rue Voltaire&lt;br /&gt;
&lt;br /&gt;
94276 Kremlin Bicêtre Cedex &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''Getting there - Metro''&lt;br /&gt;
* line 7 : Porte d'Italie&lt;br /&gt;
&lt;br /&gt;
''Bus''&lt;br /&gt;
* lines 47, 125, 131, 185 : Roger Salengro&lt;br /&gt;
* line 186 : Pierre Brossolette &amp;lt;br/&amp;gt; &lt;br /&gt;
&lt;br /&gt;
''Car''&lt;br /&gt;
* ring road (périphérique) : Porte d'Italie exit &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Translation effort =&lt;br /&gt;
&lt;br /&gt;
* The '''OWASP TOP Ten 2010 in French''' is [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf available]&lt;br /&gt;
* 2010-08-30 : The French version of the Top 10 2010 is available [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] &lt;br /&gt;
* 2008-02-15 : The Top 10 2007 is available in French [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.pdf PDF format], [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.doc Word format]&lt;br /&gt;
* 2007-11-16 : [https://www.owasp.org/images/5/52/Owasp_tryptique.pdf Two-page double-sided presentation leaflet] for Infosecurity.&lt;br /&gt;
* 2007-02-27 : [[Newsletter_francaise_num%C3%A9ro_1]]&lt;br /&gt;
* 2007-06-20 : OWASP presentation given in NY in June 2007 [https://www.owasp.org/images/7/71/20070620-FR-OWASP_NY_Keynote.ppt]&lt;br /&gt;
[[Category:Europe]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Old News = &lt;br /&gt;
&lt;br /&gt;
* 2009-06-09 : [http://www.owasp.org/images/d/d2/20090609-CERT-IST-WAF-v0.1.pdf Talk on WAFs] at the [http://www.cert-ist.com CERT-IST] Forum &lt;br /&gt;
* 2009-02-03 : OWASP France will be present at [http://www.pci-portal.com/events/event-info/paris PCI Paris]. The presentation is: [https://www.owasp.org/images/f/fb/20090203-OWASP_PCI-Global_2009_Paris_-_v03.ppt OWASP and PCI-DSS requirement 6.5]&lt;br /&gt;
* 2008-11-19 : OWASP France will be present at [http://www.infosecurity.com.fr/FR/badge?ref=OWAW Infosecurity France] in Paris:&lt;br /&gt;
[http://www.infosecurity.com.fr/index.php?argRedirect=FR|badge&amp;amp;Lang=FR&amp;amp;ref=OWAW https://www.owasp.org/images/8/88/Infosecurity.gif]&lt;br /&gt;
&lt;br /&gt;
* 2008-07-08 : OWASP France presented the OWASP project to [http://www.ossir.org OSSIR]. The presentation is available on the [https://www.owasp.org/images/9/94/20080708-OWASP_OSSIR.ppt OWASP] website&lt;br /&gt;
* 2008-02-15 : The Top 10 2007 is available in French&lt;br /&gt;
* 2008-02-11 : Presentation at [http://www.owasp.org/images/0/09/20080129-OWASP_TechDays_France_.ppt  TechDays 2008 Microsoft ]&lt;br /&gt;
* 2007-11-22 : Presentation at Infosecurity France [http://www.owasp.org/images/8/85/20071122-OWASP_Infosecurity_France.ppt by OWASP]&lt;br /&gt;
* 2007-11-07 : Interview in the [http://www.journaldunet.com/developpeur/itws/071106-securite-applicative-owasp.shtml Journal du Net]&lt;br /&gt;
* 2007-10-05 : OWASP France will present the security challenges of [http://www.infosecurity.com.fr/?Jpto=116&amp;amp;KM_Session=f345bb91df954e6cbc0148328f109e94&amp;amp;CurrentNode=518&amp;amp;Lang=FR&amp;amp;IdNode=708 Web Services at Infosecurity France on 22/11/2007]&lt;br /&gt;
* 2006-12-18 : Creation of the association to support the OWASP group&lt;br /&gt;
* 2006-12-14 : The OWASP Viadeo Hub has been launched http://www.viadeo.com/hub/affichehub/?hubId=002fj37grgb7o7n&lt;br /&gt;
* 2006-12-13 : Birth of the French chapter of OWASP. A mailing list is available. [http://lists.owasp.org/mailman/listinfo/owasp-france Subscribe]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=France&amp;diff=143779</id>
		<title>France</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=France&amp;diff=143779"/>
				<updated>2013-02-08T13:29:29Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=France|extra=The '''Chapter Leaders''' are [mailto:ludovic.petit@owasp.org Ludovic Petit] and [mailto:sebastien.gioria@owasp.org Sebastien Gioria]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-france|emailarchives=http://lists.owasp.org/pipermail/owasp-france}}'''&lt;br /&gt;
&amp;lt;paypal&amp;gt;France Chapter&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''The French Chapter is also available on LinkedIn''': [http://www.linkedin.com/groupInvitation?gid=1638517  '''Join us''', it only takes a minute!]&lt;br /&gt;
&lt;br /&gt;
== Contacts, Presentations, Contributions &amp;amp; Partnerships ==&lt;br /&gt;
&lt;br /&gt;
*[mailto:sebastien.gioria@owasp.org Sebastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit] are available if you would like information or wish to discuss the added value offered by the OWASP Foundation, as well as Web Application Security.&lt;br /&gt;
&lt;br /&gt;
Companies, individuals, academia, sponsors, supporters: everyone is welcome at OWASP! Access to our Chapter meetings is free and open to all.&lt;br /&gt;
&lt;br /&gt;
For companies wishing to join OWASP, the basic annual membership fee is $5000 US (of which 40% is passed on to the Project or Chapter of your choice), 100% deductible in the USA and 60% deductible in France. &lt;br /&gt;
&lt;br /&gt;
The funds collected are used to organise the Chapter's meetings, but also and above all to build and organise with you a specific collegial approach that meets your wishes (awareness sessions, internal meetings, Speaker engagements, etc.). All of this can be discussed with the French Chapter and agreed jointly with you if you wish to join OWASP. &lt;br /&gt;
&lt;br /&gt;
Feel free to contact us if you would like to discuss a particular subject, or if you would like to give a presentation at a France Chapter meeting.&lt;br /&gt;
&lt;br /&gt;
Friends in the print press and multimedia, feel free to call on us if you would like our help with your articles and reports; you are welcome and we would be honoured. Use our know-how in a win-win perspective!&lt;br /&gt;
&lt;br /&gt;
We remain modest in our approach; we would like the OWASP France Chapter to become one of your reference contacts. '''Together, each achieves more'''!&lt;br /&gt;
&lt;br /&gt;
                                      '''TEAM stands for... Together Each Achieves More!'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
==Looking Forward… and Beyond, Distinctiveness Through Security Excellence==&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/5/50/Looking_Forward%E2%80%A6_and_Beyond.pptx Looking Forward… and Beyond]&amp;quot;&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Here is a presentation I gave in Sept for a big Software maker in an internal meeting. This presentation aims to be re-used at your convenience depending on the needs / your context. Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes, or people and firms interested in OWASP and willing to join the Foundation as a Member. The first 2 parts are more of an update for those who are not yet familiar with OWASP, the 3rd part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway. Enjoy and feel free to email me, all comments welcome!&lt;br /&gt;
&lt;br /&gt;
 '''Speaker''' : Ludovic Petit &lt;br /&gt;
&lt;br /&gt;
==28 March 2012 - First-quarter meeting==&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open at 17h30 - Presentation starts at 18h&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/6/6d/Developer_Top_Ten_Core_Controls_v4.1.pptx Top Ten Web Defenses]&amp;quot;&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. &lt;br /&gt;
This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. &lt;br /&gt;
Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
This talk will also detail several of the key access control anti-patterns commonly found during website security audits. &lt;br /&gt;
These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. &lt;br /&gt;
In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico &lt;br /&gt;
Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. &lt;br /&gt;
He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.&lt;br /&gt;
 '''Online registration at''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== 7 and 8 February 2012 - [http://www.microsoft.com/france/mstechdays/ Techdays Microsoft 2012] ==&lt;br /&gt;
&lt;br /&gt;
Sébastien will give a talk on [http://www.microsoft.com/france/mstechdays/programmes/parcours.aspx?SessionID=62e02774-6045-4be8-80ff-8332a793ad4f HTML5 and Security] on 7 February 2012 at 17h30. &lt;br /&gt;
More information is available on the page dedicated to TechDays Microsoft 2012.&lt;br /&gt;
&lt;br /&gt;
== 6 January 2012 - New Working Group on Web Services Security at [http://www.clusif.fr CLUSIF]  ==&lt;br /&gt;
&lt;br /&gt;
Following on from the Working Group on Web Application Security originally created in 2009, CLUSIF has launched a new working group on Web Services security. Feel free to take part if you are interested. CLUSIF is looking for users for this working group, and for people working in Microsoft environments, in order to have the widest possible panel for this document.&lt;br /&gt;
&lt;br /&gt;
Contact : [mailto:sebastien.gioria@owasp.org Sébastien Gioria]&lt;br /&gt;
&lt;br /&gt;
== 19 December 2011 - Publication of the second [http://www.clusif.fr CLUSIF] document on Web Application Security ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF has published its second document, on [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Defense-en-profondeur-des-applications-Web.pdf Defence in depth for web applications]. This document follows the [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf first document published in 2009]. &lt;br /&gt;
&lt;br /&gt;
== 15 December 2011 - [http://www.clusif.fr CLUSIF] conference on [http://www.clusif.fr/fr/infos/event/#conf111215  web application security] ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF held its Web Application Security conference on Thursday 15 December 2011 at the Cercle National des Armées.&lt;br /&gt;
The programme was: &lt;br /&gt;
&lt;br /&gt;
* Implementing an application security policy: lessons learned by a CISO, by Philippe LARUE - Security Manager - [http://www.cbp-prevoyance.com/ CBP]&lt;br /&gt;
* Source code review or application security testing: which is more efficient for assessing an application's security level? by Sébastien GIORIA - Senior Consultant at [http://www.groupey.fr Groupe Y] and leader of the French chapter of [https://www.owasp.org OWASP] - OWASP France&lt;br /&gt;
* The regulatory stakes of protecting information online, by Garance MATHIAS - Lawyer - Law firm&lt;br /&gt;
&lt;br /&gt;
The presentations are available on the [http://www.clusif.fr CLUSIF] website; videos of the talks will also be available.&lt;br /&gt;
&lt;br /&gt;
== 2 December 2011 - [[OWASP BeNeLux 2011 Conference - University of Luxembourg]] ==&lt;br /&gt;
&lt;br /&gt;
Ludovic gave a talk on &amp;quot;[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd WebApp Security and Legal aspects]&amp;quot;  on Dec 2.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**This presentation aims to be used by anybody willing to spread the voice of OWASP. See this as an Awareness session.&lt;br /&gt;
**Use it and use it again. &lt;br /&gt;
**Try to open your mind, just let me know if I can help. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/5/55/Do_you..._Legal_-_OWASP_BeNeLux_Day_-_2_Dec_2011.pptx Do you... Legal?]&amp;quot;'''&lt;br /&gt;
**The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsibility, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is especially true for Web Application Security, much sensitive information having to be handled through these web interfaces. As such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [[EUROPE - ENISA’s Who-is-Who Directory on Network and Information Security]] ===&lt;br /&gt;
&lt;br /&gt;
We are pleased to announce that OWASP France is part of the [http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011 ENISA’s Who-is-Who Directory].&lt;br /&gt;
&lt;br /&gt;
The ENISA is the European Network and Information Security Agency.&lt;br /&gt;
[http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011/at_download/fullReport The ENISA Who-is-Who Directory on Network and Information Security 2011] contains information on NIS stakeholders, such as national and European authorities and NIS organisations, contact details, websites, and areas of responsibilities or activities. &lt;br /&gt;
This Directory serves as the &amp;quot;yellow pages&amp;quot; of Network and Information Security (NIS) in Europe. As such, it is a useful tool for those working closely with NIS issues in Europe.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Chapter Meetings 2013 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2013 ==&lt;br /&gt;
 '''Date''' : 7 February 2013&lt;br /&gt;
 '''Venue''' : Gemalto - Salle Plazza, 6 rue de la Verrerie, 92197 Meudon-sur-Seine &lt;br /&gt;
 '''Time''' : 18h30 to 21h&lt;br /&gt;
 '''Presentation''' : Update on OWASP Projects, Ludovic&lt;br /&gt;
 '''Presentation''' : Evolution of the Legal Framework - Developers, Software makers held liable for code? Ludovic&lt;br /&gt;
 '''Presentation''' : Personal data: the new draft European regulation [http://www.donneespersonnelles.fr/donnees-personnelles-le-nouveau-projet-de-reglement-europeen], Thiébaut Devergranne&lt;br /&gt;
 '''Presentation''' : Presentation of the OWASP France Day that we would like to organize in March, Ludovic &amp;amp; Sébastien&lt;br /&gt;
 '''Presentation''' : OWASP Top Ten 2013 translation, Ludovic &amp;amp; Sébastien&lt;br /&gt;
 '''Presentation''' : Partner Relations &amp;amp; Memberships, Ely de Travieso&lt;br /&gt;
&lt;br /&gt;
Joining us for this meeting is Thiébaut Devergranne, doctor of law and consultant. Thiébaut has worked in new-technology law for more than 10 years, 6 of them within the Prime Minister's services.&lt;br /&gt;
&lt;br /&gt;
Thiébaut Devergranne's presentation is available at&lt;br /&gt;
http://www.donneespersonnelles.fr/donnees-personnelles-le-nouveau-projet-de-reglement-europeen.&lt;br /&gt;
&lt;br /&gt;
 '''Speakers''' : Ludovic Petit, Sébastien Gioria, Ely de Travieso, Thiébaut Devergranne&lt;br /&gt;
 '''Online registration here''' : https://www.eventbrite.com/event/4615236296&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OWASP France Call for Contributions =&lt;br /&gt;
&lt;br /&gt;
The Chapter's various calls for contributions (sponsors, talks, etc.) will be relayed here.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= External Calls for Contributions =&lt;br /&gt;
&lt;br /&gt;
Calls for contributions that we consider of interest to the Chapter will be relayed here. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Meetings 2012 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2012 ==&lt;br /&gt;
 '''Date''' : 28 March 2012&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : Web Application Access Control Design Excellence&lt;br /&gt;
 '''Abstract''' : Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
                    This talk will discuss several of the key access control anti-patterns commonly found during &lt;br /&gt;
                     website security audits. These access control anti-patterns include hard-coded security policies, &lt;br /&gt;
                     lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these&lt;br /&gt;
                     and other access control problems, we will discuss and design a positive access control mechanism &lt;br /&gt;
                     that is data contextual, activity based, configurable, flexible, and deny-by-default - among other&lt;br /&gt;
                     positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico&lt;br /&gt;
 '''Online registration here''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== Q2 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q3 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q4 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= 2011 Meetings =&lt;br /&gt;
&lt;br /&gt;
=== [[May 2011 - Paris Meeting]] ===&lt;br /&gt;
&lt;br /&gt;
[Logo to be placed here]&lt;br /&gt;
&lt;br /&gt;
We are honored to welcome '''Jim Manico''' during his European Tour in the Netherlands, Belgium and France.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document &amp;amp; Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle. &lt;br /&gt;
**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. &lt;br /&gt;
**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered. &lt;br /&gt;
**If you are interested in participating in the hands on portion of the course, please bring a laptop. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/f/f4/Future_of_XSS_v4.pptx The Ghost of XSS Past, Present and Future. A Defensive Tale]&amp;quot;'''&lt;br /&gt;
**This talk will discuss the past methods used for XSS defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google CAJA project and JSReg. &lt;br /&gt;
&lt;br /&gt;
*'''Speaker'''&lt;br /&gt;
**'''Jim Manico''' is a managing partner of Infrared Security with over 15 years of professional web development experience. Jim is also the Chair of the OWASP Connections Committee, one of the Project Managers of the OWASP ESAPI Project, a participant and manager of the OWASP Cheatsheet series, the Producer and host of the OWASP Podcast Series, the Manager of the OWASP Java HTML Sanitizer project and the manager of the OWASP Java Encoder project. When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.&lt;br /&gt;
&lt;br /&gt;
*'''Date'''&lt;br /&gt;
**May 24, 2011 &lt;br /&gt;
&lt;br /&gt;
*'''Venue'''&lt;br /&gt;
**Paris&lt;br /&gt;
&lt;br /&gt;
*'''Registration'''&lt;br /&gt;
**[http://www.regonline.com/Register/Checkin.aspx?EventID=971375 Click here]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 26 April 2011 ==&lt;br /&gt;
&lt;br /&gt;
'''26 April 2011 at the offices of [http://www.groupey.fr/nos-cabinets-paris.html GROUPE Y]:'''&lt;br /&gt;
&lt;br /&gt;
* 9:00: [https://www.owasp.org/images/2/2f/Agenda_26th_April_2011.pptx Introduction] - '''Ludovic Petit''' &amp;amp; '''Sébastien Gioria'''&lt;br /&gt;
* 9:30: [https://www.owasp.org/images/3/36/OPENSAMM2.pptx OpenSAMM] - '''Antonio Fontes''' (Chapter Leader OWASP Geneva) &lt;br /&gt;
* 11:00: [https://www.owasp.org/images/c/cf/OWASP_Cloud_Top_10.pptx OWASP Cloud Top 10 Project] - '''Ludovic Petit''' (Chapter Leader OWASP France &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 11:45: [https://www.owasp.org/images/5/5c/ESAPI_Swingset_talk_at_Paris.ppt OWASP ESAPI] - '''Fabio Cerullo''' (Chapter Leader OWASP Ireland &amp;amp; Global Education Committee)&lt;br /&gt;
* 14:15: [https://www.owasp.org/images/3/38/OWASP_Testing_Guide.pptx OWASP Testing Guide]  - '''Sébastien Gioria''' (French Chapter Leader &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 15:15: [http://o2platform.com OWASP O2 Platform - Live Session] - '''Dinis Cruz''' (OWASP O2 Project Leader)&lt;br /&gt;
* 16:30: [https://www.owasp.org/images/9/96/OWASP-Paris2011-VV-CodeReview.pdf OWASP Code Review] - '''Victor Vuillard'''&lt;br /&gt;
&lt;br /&gt;
= 2009 Meetings =&lt;br /&gt;
&lt;br /&gt;
'''6 May 2009 at 17h30 at [http://www.epitech.eu EPITECH]:'''&lt;br /&gt;
&lt;br /&gt;
* 17h30 : Welcome of participants&lt;br /&gt;
* 18h - 18h 15 : [http://www.owasp.org/images/d/dc/OWASP_Paris_Meeting_-_May_2009.pdf Welcome and overview of agenda] '''(Board OWASP France)'''&lt;br /&gt;
* 18h30 - 19h : [http://www.owasp.org/images/6/6b/2009-05-06-OWASPFR-WebServices.pdf Attacks on Web Services] - '''Renaud Bidou'''&lt;br /&gt;
* 19h15 - 19h45 : [http://www.owasp.org/images/8/82/2009-05-06-OWASPFR-OpenSAM.pdf Software Security Initiatives in the Real World] - '''Claudio Merloni'''&lt;br /&gt;
* 20h : Close &lt;br /&gt;
&lt;br /&gt;
About the speakers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Renaud Bidou :''' ''Technical Director of DenyAll. He has worked in security for more than 10 years and has published numerous articles and white papers on subjects as varied as denial of service, port knockers, botnets, setting up a SOC, graphical analysis of attacks, and evasion techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Claudio Merloni : '''''Claudio Merloni is a Software Security Consultant at Fortify Software. His security experience spans application security, code review, secure architectures, risk analysis, compliance, security testing at the network, system and application levels, monitoring, and access control. He has taken part in several conferences, including BlackHat and CONFidence.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Venue: EPITECH'''&lt;br /&gt;
&lt;br /&gt;
Amphi 2&lt;br /&gt;
&lt;br /&gt;
14-16 rue Voltaire&lt;br /&gt;
&lt;br /&gt;
94276 Kremlin Bicêtre Cedex &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''Getting there: Metro''&lt;br /&gt;
* line 7 : Porte d'Italie&lt;br /&gt;
&lt;br /&gt;
''Bus''&lt;br /&gt;
* lines 47, 125, 131, 185 : Roger Salengro&lt;br /&gt;
* line 186 : Pierre Brossolette &amp;lt;br/&amp;gt; &lt;br /&gt;
&lt;br /&gt;
''Car''&lt;br /&gt;
* Boulevard Périphérique (ring road) : Porte d'Italie exit &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Translation effort =&lt;br /&gt;
&lt;br /&gt;
* The '''OWASP TOP Ten 2010 in French''' is [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf available]&lt;br /&gt;
* 2010-08-30 : The French version of the Top 10 2010 is available [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] &lt;br /&gt;
* 2008-02-15 : The Top 10 2007 is available in French: [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.pdf PDF format], [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.doc Word format]&lt;br /&gt;
* 2007-11-16 : [https://www.owasp.org/images/5/52/Owasp_tryptique.pdf Two-page double-sided presentation leaflet] for Infosecurity.&lt;br /&gt;
* 2007-02-27 : [[Newsletter_francaise_num%C3%A9ro_1]]&lt;br /&gt;
* 2007-06-20 : OWASP presentation given in NY in June 2007 [https://www.owasp.org/images/7/71/20070620-FR-OWASP_NY_Keynote.ppt]&lt;br /&gt;
[[Category:Europe]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Old News = &lt;br /&gt;
&lt;br /&gt;
* 2009-06-09 : [http://www.owasp.org/images/d/d2/20090609-CERT-IST-WAF-v0.1.pdf Talk on WAFs] at the [http://www.cert-ist.com CERT-IST] Forum &lt;br /&gt;
* 2009-02-03 : OWASP France will be present at [http://www.pci-portal.com/events/event-info/paris PCI Paris]. The presentation is: [https://www.owasp.org/images/f/fb/20090203-OWASP_PCI-Global_2009_Paris_-_v03.ppt OWASP and PCI-DSS requirement 6.5]&lt;br /&gt;
* 2008-11-19 : OWASP France will be present at [http://www.infosecurity.com.fr/FR/badge?ref=OWAW Infosecurity France] in Paris:&lt;br /&gt;
[http://www.infosecurity.com.fr/index.php?argRedirect=FR|badge&amp;amp;Lang=FR&amp;amp;ref=OWAW https://www.owasp.org/images/8/88/Infosecurity.gif]&lt;br /&gt;
&lt;br /&gt;
* 2008-07-08 : OWASP France presented the OWASP project at [http://www.ossir.org OSSIR]. The presentation is available on the [https://www.owasp.org/images/9/94/20080708-OWASP_OSSIR.ppt OWASP] website&lt;br /&gt;
* 2008-02-15 : The Top 10 2007 is available in French&lt;br /&gt;
* 2008-02-11 : Presentation at [http://www.owasp.org/images/0/09/20080129-OWASP_TechDays_France_.ppt Microsoft TechDays 2008]&lt;br /&gt;
* 2007-11-22 : Presentation [http://www.owasp.org/images/8/85/20071122-OWASP_Infosecurity_France.ppt of OWASP] at Infosecurity France&lt;br /&gt;
* 2007-11-07 : Interview in the [http://www.journaldunet.com/developpeur/itws/071106-securite-applicative-owasp.shtml Journal du Net]&lt;br /&gt;
* 2007-10-05 : OWASP France will present the security challenges of [http://www.infosecurity.com.fr/?Jpto=116&amp;amp;KM_Session=f345bb91df954e6cbc0148328f109e94&amp;amp;CurrentNode=518&amp;amp;Lang=FR&amp;amp;IdNode=708 Web Services at Infosecurity France on 22/11/2007]&lt;br /&gt;
* 2006-12-18 : Association set up to support the OWASP group&lt;br /&gt;
* 2006-12-14 : The OWASP Viaduc Hub was launched http://www.viadeo.com/hub/affichehub/?hubId=002fj37grgb7o7n&lt;br /&gt;
* 2006-12-13 : Birth of the French chapter of OWASP. A mailing list is available. [http://lists.owasp.org/mailman/listinfo/owasp-france Subscribe]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=France&amp;diff=143778</id>
		<title>France</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=France&amp;diff=143778"/>
				<updated>2013-02-08T13:28:21Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=France|extra=The '''Chapter Leaders''' are [mailto:ludovic.petit@owasp.org Ludovic Petit] and [mailto:sebastien.gioria@owasp.org Sebastien Gioria]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-france|emailarchives=http://lists.owasp.org/pipermail/owasp-france}}'''&lt;br /&gt;
&amp;lt;paypal&amp;gt;France Chapter&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''The French Chapter is also available on LinkedIn''': [http://www.linkedin.com/groupInvitation?gid=1638517  '''Join us''', it only takes a minute!]&lt;br /&gt;
&lt;br /&gt;
== Contacts, Presentations, Contributions &amp;amp; Partnerships ==&lt;br /&gt;
&lt;br /&gt;
*[mailto:sebastien.gioria@owasp.org Sebastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit] are at your disposal if you would like information or wish to discuss the added value offered by the OWASP Foundation, as well as Web Application Security.&lt;br /&gt;
&lt;br /&gt;
Companies, individuals, academia, sponsors, supporters: everyone is welcome at OWASP! Access to our Chapter meetings is free and open to all.&lt;br /&gt;
&lt;br /&gt;
For companies wishing to join OWASP, the basic annual membership fee is $5000 US (40% of which goes to the Project or Chapter of your choice), 100% deductible in the USA and 60% deductible in France &lt;br /&gt;
&lt;br /&gt;
The funds collected are used to organize the Chapter's meetings, but also, and above all, to build and organize with you a specific collegial approach that meets your wishes (awareness sessions, internal meetings, speaker engagements, etc.). All of this can be discussed with the French Chapter and agreed jointly with you if you wish to join OWASP. &lt;br /&gt;
&lt;br /&gt;
Do not hesitate to contact us if you would like to discuss a particular topic, or if you would like to give a presentation at a France Chapter meeting.&lt;br /&gt;
&lt;br /&gt;
Friends from the print press and multimedia, do not hesitate to call on us if you would like our help with your articles and reports; you are welcome and we would be honored. Make use of our know-how in a win-win spirit!&lt;br /&gt;
&lt;br /&gt;
We remain modest in our approach; we would like the OWASP France Chapter to become one of your reference contacts. '''Together, each achieves more'''!&lt;br /&gt;
&lt;br /&gt;
                                      '''TEAM stands for... Together Each Achieves More!'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
==Looking Forward… and Beyond, Distinctiveness Through Security Excellence==&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/5/50/Looking_Forward%E2%80%A6_and_Beyond.pptx Looking Forward… and Beyond]&amp;quot;&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Here is a presentation I gave in Sept for a big Software maker in an internal meeting. This presentation aims to be re-used at your convenience depending on the needs / your context. Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes, or people and firms interested in OWASP and willing to join the Foundation as Member. The first 2 parts are more an update for those who are not yet familiar with OWASP, the 3rd part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway. Enjoy and feel free to email me, all comments welcome!&lt;br /&gt;
&lt;br /&gt;
 '''Speaker''' : Ludovic Petit &lt;br /&gt;
&lt;br /&gt;
==28 March 2012 First-quarter meeting==&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/6/6d/Developer_Top_Ten_Core_Controls_v4.1.pptx Top Ten Web Defenses]&amp;quot;&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. &lt;br /&gt;
This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. &lt;br /&gt;
Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
This talk will also detail several of the key access control anti-patterns commonly found during website security audits. &lt;br /&gt;
These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. &lt;br /&gt;
In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico &lt;br /&gt;
Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. &lt;br /&gt;
He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.&lt;br /&gt;
 '''Online registration at''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== 7 and 8 February 2012 - [http://www.microsoft.com/france/mstechdays/ Techdays Microsoft 2012] ==&lt;br /&gt;
&lt;br /&gt;
Sébastien will give a talk on [http://www.microsoft.com/france/mstechdays/programmes/parcours.aspx?SessionID=62e02774-6045-4be8-80ff-8332a793ad4f HTML5 and Security] on 7 February 2012 at 17h30. &lt;br /&gt;
More information on the page dedicated to Microsoft TechDays 2012.&lt;br /&gt;
&lt;br /&gt;
== 6 January 2012 - New Working Group on Web Services Security at [http://www.clusif.fr CLUSIF] ==&lt;br /&gt;
&lt;br /&gt;
Continuing the Working Group on Web Application Security originally created in 2009, CLUSIF has launched a new working group on Web Services security. Feel free to take part if you are interested. CLUSIF is looking for users for this working group, and for people working in Microsoft environments, in order to have the broadest possible panel for this document.&lt;br /&gt;
&lt;br /&gt;
Contact : [mailto:sebastien.gioria@owasp.org Sébastien Gioria]&lt;br /&gt;
&lt;br /&gt;
== 19 December 2011 - Publication of the second [http://www.clusif.fr CLUSIF] document on Web Application Security ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF has published its second document, on [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Defense-en-profondeur-des-applications-Web.pdf Defense in depth of Web applications]. This document follows the [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf first document published in 2009] &lt;br /&gt;
&lt;br /&gt;
== 15 December 2011 [http://www.clusif.fr CLUSIF] conference on [http://www.clusif.fr/fr/infos/event/#conf111215 Web application security] ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF presented the Web Application Security conference on Thursday 15 December 2011 at the Cercle National des Armées.&lt;br /&gt;
The program was: &lt;br /&gt;
&lt;br /&gt;
* Setting up an application security policy: a CISO's experience report, by Philippe LARUE - Security Manager - [http://www.cbp-prevoyance.com/ CBP]&lt;br /&gt;
* Source code review or application security testing: which is more efficient for assessing an application's security level? by Sébastien GIORIA - Senior Consultant, [http://www.groupey.fr Groupe Y] and leader of the French chapter of [https://www.owasp.org OWASP] - OWASP France&lt;br /&gt;
* The regulatory stakes of protecting online information, by Garance MATHIAS - Attorney - Law firm&lt;br /&gt;
&lt;br /&gt;
The presentations are available on the [http://www.clusif.fr CLUSIF] website; videos of the talks will also be made available.&lt;br /&gt;
&lt;br /&gt;
== 2 December 2011 - [[OWASP BeNeLux 2011 Conference - University of Luxembourg]] ==&lt;br /&gt;
&lt;br /&gt;
Ludovic gave a talk on &amp;quot;[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd WebApp Security and Legal aspects]&amp;quot; on Dec 2.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**This presentation aims to be used by anybody willing to spread the voice of OWASP. See this as an Awareness session.&lt;br /&gt;
**Use it and use it again. &lt;br /&gt;
**Try to open your mind, just let me know if I can help. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/5/55/Do_you..._Legal_-_OWASP_BeNeLux_Day_-_2_Dec_2011.pptx Do you... Legal?]&amp;quot;'''&lt;br /&gt;
**The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsibility, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is especially true for Web Application Security, much sensitive information having to be handled through these web interfaces. As such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [[EUROPE - ENISA’s Who-is-Who Directory on Network and Information Security]] ===&lt;br /&gt;
&lt;br /&gt;
We are pleased to announce that OWASP France is part of the [http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011 ENISA’s Who-is-Who Directory].&lt;br /&gt;
&lt;br /&gt;
The ENISA is the European Network and Information Security Agency.&lt;br /&gt;
[http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011/at_download/fullReport The ENISA Who-is-Who Directory on Network and Information Security 2011] contains information on NIS stakeholders, such as national and European authorities and NIS organisations, contact details, websites, and areas of responsibilities or activities. &lt;br /&gt;
This Directory serves as the &amp;quot;yellow pages&amp;quot; of Network and Information Security (NIS) in Europe. As such, it is a useful tool for those working closely with NIS issues in Europe.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Chapter Meetings 2013 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2013 ==&lt;br /&gt;
 '''Date''' : 7 February 2013&lt;br /&gt;
 '''Venue''' : Gemalto - Salle Plazza, 6 rue de la Verrerie, 92197 Meudon-sur-Seine &lt;br /&gt;
 '''Time''' : 18h30 to 21h&lt;br /&gt;
 '''Presentation''' : Update on OWASP Projects, Ludovic&lt;br /&gt;
 '''Presentation''' : Evolution of the Legal Framework - Developers, Software makers held liable for code? Ludovic&lt;br /&gt;
 '''Presentation''' : [http://www.donneespersonnelles.fr/donnees-personnelles-le-nouveau-projet-de-reglement-europeen Personal data: the new draft European regulation], Thiébaut Devergranne&lt;br /&gt;
 '''Presentation''' : Presentation of the OWASP France Day that we would like to organize in March, Ludovic &amp;amp; Sébastien&lt;br /&gt;
 '''Presentation''' : OWASP Top Ten 2013 translation, Ludovic &amp;amp; Sébastien&lt;br /&gt;
 '''Presentation''' : Partner Relations &amp;amp; Memberships, Ely de Travieso&lt;br /&gt;
&lt;br /&gt;
Joining us for this meeting is Thiébaut Devergranne, doctor of law and consultant. Thiébaut has worked in new-technology law for more than 10 years, 6 of them within the Prime Minister's services.&lt;br /&gt;
&lt;br /&gt;
Thiébaut Devergranne's presentation is available at&lt;br /&gt;
http://www.donneespersonnelles.fr/donnees-personnelles-le-nouveau-projet-de-reglement-europeen.&lt;br /&gt;
&lt;br /&gt;
 '''Speakers''' : Ludovic Petit, Sébastien Gioria, Ely de Travieso, Thiébaut Devergranne&lt;br /&gt;
 '''Online registration here''' : https://www.eventbrite.com/event/4615236296&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OWASP France Call for Contributions =&lt;br /&gt;
&lt;br /&gt;
The Chapter's various calls for contributions (sponsors, talks, etc.) will be relayed here.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= External Calls for Contributions =&lt;br /&gt;
&lt;br /&gt;
Calls for contributions that we consider of interest to the Chapter will be relayed here. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Meetings 2012 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2012 ==&lt;br /&gt;
 '''Date''' : 28 March 2012&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : Web Application Access Control Design Excellence&lt;br /&gt;
 '''Abstract''' : Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
                    This talk will discuss several of the key access control anti-patterns commonly found during &lt;br /&gt;
                     website security audits. These access control anti-patterns include hard-coded security policies, &lt;br /&gt;
                     lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these&lt;br /&gt;
                     and other access control problems, we will discuss and design a positive access control mechanism &lt;br /&gt;
                     that is data contextual, activity based, configurable, flexible, and deny-by-default - among other&lt;br /&gt;
                     positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico&lt;br /&gt;
 '''Online registration here''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== Q2 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q3 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q4 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= 2011 Meetings =&lt;br /&gt;
&lt;br /&gt;
=== [[May 2011 - Paris Meeting]] ===&lt;br /&gt;
&lt;br /&gt;
[Logo to be placed here]&lt;br /&gt;
&lt;br /&gt;
We are honored to welcome '''Jim Manico''' during his European Tour in the Netherlands, Belgium and France.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document &amp;amp; Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle. &lt;br /&gt;
**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. &lt;br /&gt;
**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered. &lt;br /&gt;
**If you are interested in participating in the hands on portion of the course, please bring a laptop. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/f/f4/Future_of_XSS_v4.pptx The Ghost of XSS Past, Present and Future. A Defensive Tale]&amp;quot;'''&lt;br /&gt;
**This talk will discuss the past methods used for XSS defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google CAJA project and JSReg. &lt;br /&gt;
&lt;br /&gt;
*'''Speaker'''&lt;br /&gt;
**'''Jim Manico''' is a managing partner of Infrared Security with over 15 years of professional web development experience. Jim is also the Chair of the OWASP Connections Committee, one of the Project Managers of the OWASP ESAPI Project, a participant and manager of the OWASP Cheatsheet series, the Producer and host of the OWASP Podcast Series, the Manager of the OWASP Java HTML Sanitizer project and the manager of the OWASP Java Encoder project. When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.&lt;br /&gt;
&lt;br /&gt;
*'''Date'''&lt;br /&gt;
**May 24, 2011 &lt;br /&gt;
&lt;br /&gt;
*'''Venue'''&lt;br /&gt;
**Paris&lt;br /&gt;
&lt;br /&gt;
*'''Registration'''&lt;br /&gt;
**[http://www.regonline.com/Register/Checkin.aspx?EventID=971375 Click here]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 26 April 2011 ==&lt;br /&gt;
&lt;br /&gt;
'''26 April 2011 at the offices of [http://www.groupey.fr/nos-cabinets-paris.html GROUPE Y]:'''&lt;br /&gt;
&lt;br /&gt;
* 9:00: [https://www.owasp.org/images/2/2f/Agenda_26th_April_2011.pptx Introduction] - '''Ludovic Petit''' &amp;amp; '''Sébastien Gioria'''&lt;br /&gt;
* 9:30: [https://www.owasp.org/images/3/36/OPENSAMM2.pptx OpenSAMM] - '''Antonio Fontes''' (Chapter Leader OWASP Geneva) &lt;br /&gt;
* 11:00: [https://www.owasp.org/images/c/cf/OWASP_Cloud_Top_10.pptx OWASP Cloud Top 10 Project] - '''Ludovic Petit''' (Chapter Leader OWASP France &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 11:45: [https://www.owasp.org/images/5/5c/ESAPI_Swingset_talk_at_Paris.ppt OWASP ESAPI] - '''Fabio Cerullo''' (Chapter Leader OWASP Ireland &amp;amp; Global Education Committee)&lt;br /&gt;
* 14:15: [https://www.owasp.org/images/3/38/OWASP_Testing_Guide.pptx OWASP Testing Guide]  - '''Sébastien Gioria''' (French Chapter Leader &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 15:15: [http://o2platform.com OWASP O2 Platform - Live Session] - '''Dinis Cruz''' (OWASP O2 Project Leader)&lt;br /&gt;
* 16:30: [https://www.owasp.org/images/9/96/OWASP-Paris2011-VV-CodeReview.pdf OWASP Code Review] - '''Victor Vuillard'''&lt;br /&gt;
&lt;br /&gt;
= 2009 Meetings =&lt;br /&gt;
&lt;br /&gt;
'''6 May 2009 at 17h30 at [http://www.epitech.eu EPITECH]:'''&lt;br /&gt;
&lt;br /&gt;
* 17h30 : Welcome of participants&lt;br /&gt;
* 18h - 18h15 : [http://www.owasp.org/images/d/dc/OWASP_Paris_Meeting_-_May_2009.pdf Welcome and overview of agenda] '''(Board OWASP France)'''&lt;br /&gt;
* 18h30 - 19h : [http://www.owasp.org/images/6/6b/2009-05-06-OWASPFR-WebServices.pdf Attacks on Web Services] - '''Renaud Bidou'''&lt;br /&gt;
* 19h15 - 19h45 : [http://www.owasp.org/images/8/82/2009-05-06-OWASPFR-OpenSAM.pdf Software Security Initiatives in the Real World] - '''Claudio Merloni'''&lt;br /&gt;
* 20h : Close &lt;br /&gt;
&lt;br /&gt;
About the speakers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Renaud Bidou :''' ''Technical Director of DenyAll. He has worked in security for more than 10 years and has published numerous articles and white papers on subjects as varied as denial of service, port knockers, botnets, setting up a SOC, graphical analysis of attacks, and evasion techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Claudio Merloni : '''''Claudio Merloni is a Software Security Consultant at Fortify Software. His security experience covers application security, code review, secure architectures, risk analysis, compliance, security testing at the network, system and application levels, monitoring, and access control. He has taken part in several conferences, including BlackHat and CONFidence.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Venue: EPITECH'''&lt;br /&gt;
&lt;br /&gt;
Amphi 2&lt;br /&gt;
&lt;br /&gt;
14-16 rue Voltaire&lt;br /&gt;
&lt;br /&gt;
94276 Kremlin Bicêtre Cedex &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''Access by Metro''&lt;br /&gt;
* line 7 : Porte d'Italie&lt;br /&gt;
&lt;br /&gt;
''Bus''&lt;br /&gt;
* lines 47, 125, 131, 185 : Roger Salengro&lt;br /&gt;
* line 186 : Pierre Brossolette &amp;lt;br/&amp;gt; &lt;br /&gt;
&lt;br /&gt;
''Car''&lt;br /&gt;
* ring road (périphérique) : Porte d'Italie exit &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Translation effort =&lt;br /&gt;
&lt;br /&gt;
* The '''OWASP TOP Ten 2010 in French''' is [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf available]&lt;br /&gt;
* 2010-08-30 : The French version of the Top 10 2010 is available [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] &lt;br /&gt;
* 2008-02-15 : The Top10 2007 is available in French [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.pdf PDF format], [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.doc Word format]&lt;br /&gt;
* 2007-11-16 : [https://www.owasp.org/images/5/52/Owasp_tryptique.pdf Two-page double-sided presentation leaflet] for Infosecurity.&lt;br /&gt;
* 2007-02-27 : [[Newsletter_francaise_num%C3%A9ro_1]]&lt;br /&gt;
* 2007-06-20 : OWASP presentation given in NY in June 2007 [https://www.owasp.org/images/7/71/20070620-FR-OWASP_NY_Keynote.ppt]&lt;br /&gt;
[[Category:Europe]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Old News = &lt;br /&gt;
&lt;br /&gt;
* 2009-06-09 : [http://www.owasp.org/images/d/d2/20090609-CERT-IST-WAF-v0.1.pdf Talk on WAFs] at the [http://www.cert-ist.com CERT-IST] Forum &lt;br /&gt;
* 2009-02-03 : OWASP France will be present at [http://www.pci-portal.com/events/event-info/paris PCI Paris]. The presentation is: [https://www.owasp.org/images/f/fb/20090203-OWASP_PCI-Global_2009_Paris_-_v03.ppt OWASP and PCI-DSS requirement 6.5]&lt;br /&gt;
* 2008-11-19 : OWASP France will be present at [http://www.infosecurity.com.fr/FR/badge?ref=OWAW Infosecurity France] in Paris:&lt;br /&gt;
[http://www.infosecurity.com.fr/index.php?argRedirect=FR|badge&amp;amp;Lang=FR&amp;amp;ref=OWAW https://www.owasp.org/images/8/88/Infosecurity.gif]&lt;br /&gt;
&lt;br /&gt;
* 2008-07-08 : OWASP France presented the OWASP project to the [http://www.ossir.org OSSIR]. The presentation is available on the [https://www.owasp.org/images/9/94/20080708-OWASP_OSSIR.ppt OWASP] site&lt;br /&gt;
* 2008-02-15 : The Top10 2007 is available in French&lt;br /&gt;
* 2008-02-11 : Presentation at [http://www.owasp.org/images/0/09/20080129-OWASP_TechDays_France_.ppt  TechDays 2008 Microsoft ]&lt;br /&gt;
* 2007-11-22 : Presentation [http://www.owasp.org/images/8/85/20071122-OWASP_Infosecurity_France.ppt of OWASP] at Infosecurity France&lt;br /&gt;
* 2007-11-07 : Interview in the [http://www.journaldunet.com/developpeur/itws/071106-securite-applicative-owasp.shtml Journal du Net]&lt;br /&gt;
* 2007-10-05 : OWASP France will present the security challenges of [http://www.infosecurity.com.fr/?Jpto=116&amp;amp;KM_Session=f345bb91df954e6cbc0148328f109e94&amp;amp;CurrentNode=518&amp;amp;Lang=FR&amp;amp;IdNode=708 Web Services at Infosecurity France on 22/11/2007]&lt;br /&gt;
* 2006-12-18 : Creation of the association to support the OWASP group&lt;br /&gt;
* 2006-12-14 : The OWASP Viaduc Hub was launched http://www.viadeo.com/hub/affichehub/?hubId=002fj37grgb7o7n&lt;br /&gt;
* 2006-12-13 : Birth of the French chapter of OWASP. A mailing list is available. [http://lists.owasp.org/mailman/listinfo/owasp-france Subscribe]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Chapter_Meeting_OWASP_France_-_7_Feb_2013.pdf&amp;diff=143777</id>
		<title>File:Chapter Meeting OWASP France - 7 Feb 2013.pdf</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Chapter_Meeting_OWASP_France_-_7_Feb_2013.pdf&amp;diff=143777"/>
				<updated>2013-02-08T13:25:36Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=France&amp;diff=143776</id>
		<title>France</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=France&amp;diff=143776"/>
				<updated>2013-02-08T13:24:01Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=France|extra=The '''Chapter Leaders''' are [mailto:ludovic.petit@owasp.org Ludovic Petit] and [mailto:sebastien.gioria@owasp.org Sebastien Gioria]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-france|emailarchives=http://lists.owasp.org/pipermail/owasp-france}}'''&lt;br /&gt;
&amp;lt;paypal&amp;gt;France Chapter&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''The French Chapter is also available on LinkedIn''': [http://www.linkedin.com/groupInvitation?gid=1638517  '''Join us''', it only takes a minute!]&lt;br /&gt;
&lt;br /&gt;
== Contacts, Presentations, Contributions &amp;amp; Partnerships ==&lt;br /&gt;
&lt;br /&gt;
*[mailto:sebastien.gioria@owasp.org Sebastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit] are available if you would like information or to discuss the added value offered by the OWASP Foundation, as well as Web Application Security.&lt;br /&gt;
&lt;br /&gt;
Companies, individuals, academia, sponsors, supporters: everyone is welcome at OWASP! Access to our Chapter meetings is free and open to all.&lt;br /&gt;
&lt;br /&gt;
For companies wishing to join OWASP, the basic annual membership fee is $5000 US (of which 40% is passed on to the Project or Chapter of your choice), 100% deductible in the USA and 60% deductible in France &lt;br /&gt;
&lt;br /&gt;
The funds collected are used to organize the Chapter's meetings, but also and above all to build and organize with you a specific collegial approach that meets your wishes (awareness sessions, internal meetings, speaker engagements, etc.). All of this can be discussed with the French Chapter and agreed jointly with you if you wish to join OWASP. &lt;br /&gt;
&lt;br /&gt;
Do not hesitate to contact us if you would like to discuss a particular topic, or if you would like to give a presentation at a France Chapter meeting.&lt;br /&gt;
&lt;br /&gt;
Friends in the print press and multimedia, do not hesitate to call on us if you would like our help with your articles and reports; you are welcome and we would be honored. Use our know-how in a win-win perspective!&lt;br /&gt;
&lt;br /&gt;
We remain modest in our approach; we would like the OWASP France Chapter to become one of your reference contacts. '''Together, each achieves more'''!&lt;br /&gt;
&lt;br /&gt;
                                      '''TEAM stands for... Together Each Achieves More!'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
==Looking Forward… and Beyond, Distinctiveness Through Security Excellence==&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/5/50/Looking_Forward%E2%80%A6_and_Beyond.pptx Looking Forward… and Beyond]&amp;quot;&lt;br /&gt;
 '''Summary''' :  &lt;br /&gt;
Here is a presentation I gave in Sept for a big Software maker in an internal meeting. This presentation aims to be re-used at your convenience depending on the needs / your context. Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes, or people and firms interested in OWASP and willing to join the Foundation as a Member. The first 2 parts are more an update for those who are not yet familiar with OWASP, the 3rd part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway. Enjoy and feel free to email me, all comments welcome!&lt;br /&gt;
&lt;br /&gt;
 '''Speaker''' : Ludovic Petit &lt;br /&gt;
&lt;br /&gt;
==28 March 2012 First-quarter meeting==&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/6/6d/Developer_Top_Ten_Core_Controls_v4.1.pptx Top Ten Web Defenses]&amp;quot;&lt;br /&gt;
 '''Summary''' :  &lt;br /&gt;
Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. &lt;br /&gt;
This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. &lt;br /&gt;
Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
This talk will also detail several of the key access control anti-patterns commonly found during website security audits. &lt;br /&gt;
These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. &lt;br /&gt;
In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico &lt;br /&gt;
Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. &lt;br /&gt;
He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.&lt;br /&gt;
 '''Online registration at''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== 7 and 8 February 2012 - [http://www.microsoft.com/france/mstechdays/ Techdays Microsoft 2012] ==&lt;br /&gt;
&lt;br /&gt;
Sébastien will give a talk on [http://www.microsoft.com/france/mstechdays/programmes/parcours.aspx?SessionID=62e02774-6045-4be8-80ff-8332a793ad4f HTML5 and Security] on 7 February 2012 at 17h30. &lt;br /&gt;
More information on the page dedicated to TechDays Microsoft 2012.&lt;br /&gt;
&lt;br /&gt;
== 6 January 2012 - New Working Group on Web Services Security at [http://www.clusif.fr CLUSIF]  ==&lt;br /&gt;
&lt;br /&gt;
Following on from the Working Group on Web Application Security originally created in 2009, CLUSIF has launched a new working group on Web Services security. Feel free to take part if you are interested. CLUSIF is looking for users for this working group and for people working in Microsoft environments, in order to have the widest possible panel for this document.&lt;br /&gt;
&lt;br /&gt;
Contact : [mailto:sebastien.gioria@owasp.org Sébastien Gioria]&lt;br /&gt;
&lt;br /&gt;
== 19 December 2011 - Publication of the second [http://www.clusif.fr CLUSIF] document on Web Application Security ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF has published its second document, on [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Defense-en-profondeur-des-applications-Web.pdf Defense in depth of Web applications]. This document follows the [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf first document published in 2009] &lt;br /&gt;
&lt;br /&gt;
== 15 December 2011 [http://www.clusif.fr CLUSIF] conference on [http://www.clusif.fr/fr/infos/event/#conf111215  Web application security] ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF presented the Web Application Security conference on Thursday 15 December 2011 at the Cercle National des Armées.&lt;br /&gt;
The program was: &lt;br /&gt;
&lt;br /&gt;
* Implementing an application security policy: a CISO's experience report, by Philippe LARUE - Security Manager - [http://www.cbp-prevoyance.com/ CBP]&lt;br /&gt;
* Source code review or application security testing: which is the most efficient for assessing an application's security level? by Sébastien GIORIA - Senior Consultant, [http://www.groupey.fr Groupe Y], and leader of the French chapter of [https://www.owasp.org OWASP] - OWASP France&lt;br /&gt;
* The regulatory challenges of protecting online information, by Garance MATHIAS - Lawyer - Law firm&lt;br /&gt;
&lt;br /&gt;
The presentations are available on the [http://www.clusif.fr CLUSIF] site; videos of the talks will also be available.&lt;br /&gt;
&lt;br /&gt;
== 2 December 2011 - [[OWASP BeNeLux 2011 Conference - University of Luxembourg]] ==&lt;br /&gt;
&lt;br /&gt;
Ludovic gave a talk about &amp;quot;[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd WebApp Security and Legal aspects]&amp;quot;  on Dec 2.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**This presentation aims to be used by anybody willing to spread the voice of OWASP. See this as an Awareness session.&lt;br /&gt;
**Use it and use it again. &lt;br /&gt;
**Try to open your mind, just let me know if I can help. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/5/55/Do_you..._Legal_-_OWASP_BeNeLux_Day_-_2_Dec_2011.pptx Do you... Legal?]&amp;quot;'''&lt;br /&gt;
**The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsibility, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is especially true for Web Application Security, much sensitive information having to be handled through these web interfaces. As such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [[EUROPE - ENISA’s Who-is-Who Directory on Network and Information Security]] ===&lt;br /&gt;
&lt;br /&gt;
We are pleased to announce that OWASP France is part of the [http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011 ENISA’s Who-is-Who Directory].&lt;br /&gt;
&lt;br /&gt;
The ENISA is the European Network and Information Security Agency.&lt;br /&gt;
[http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011/at_download/fullReport The ENISA Who-is-Who Directory on Network and Information Security 2011] contains information on NIS stakeholders, such as national and European authorities and NIS organisations, contact details, websites, and areas of responsibilities or activities. &lt;br /&gt;
This Directory serves as the &amp;quot;yellow pages&amp;quot; of Network and Information Security (NIS) in Europe. As such, it is a useful tool for those working closely with NIS issues in Europe.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Chapter Meetings 2013 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2013 ==&lt;br /&gt;
 '''Date''' : 7 February 2013&lt;br /&gt;
 '''Venue''' : Gemalto - Salle Plazza, 6 rue de la Verrerie, 92197 Meudon-sur-Seine &lt;br /&gt;
 '''Time''' : 18h30 to 21h&lt;br /&gt;
 '''Presentation''' : Update on OWASP Projects, Ludovic&lt;br /&gt;
 '''Presentation''' : Evolution of the Legal Framework - Developers, Software makers held liable for code? Ludovic&lt;br /&gt;
 '''Presentation''' : Personal data: the new draft European regulation, Thiébaut Devergranne&lt;br /&gt;
 '''Presentation''' : Presentation of the OWASP France Day that we would like to organize in March, Ludovic &amp;amp; Sébastien&lt;br /&gt;
 '''Presentation''' : OWASP Top Ten 2013 translation, Ludovic &amp;amp; Sébastien&lt;br /&gt;
 '''Presentation''' : Partner Relations &amp;amp; Memberships, Ely de Travieso&lt;br /&gt;
&lt;br /&gt;
Joining us for this meeting is Thiébaut Devergranne, doctor of law and consultant. Thiébaut has worked in new-technology law for more than 10 years, including 6 spent within the Prime Minister's services.&lt;br /&gt;
&lt;br /&gt;
Thiébaut Devergranne's presentation is available at http://www.donneespersonnelles.fr/donnees-personnelles-le-nouveau-projet-de-reglement-europeen.&lt;br /&gt;
&lt;br /&gt;
 '''Speakers''' : Ludovic Petit, Sébastien Gioria, Ely de Travieso, Thiébaut Devergranne&lt;br /&gt;
 '''Online registration here''' : https://www.eventbrite.com/event/4615236296&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OWASP France call for contributions =&lt;br /&gt;
&lt;br /&gt;
The Chapter's various calls for contributions (sponsors, talks, etc.) will be relayed here.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= External calls for contributions =&lt;br /&gt;
&lt;br /&gt;
Calls for contributions that we consider of interest to the Chapter will be relayed here. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Meetings 2012 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2012 ==&lt;br /&gt;
 '''Date''' : 28 March 2012&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : Web Application Access Control Design Excellence&lt;br /&gt;
 '''Summary''' : Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
                    This talk will discuss several of the key access control anti-patterns commonly found during &lt;br /&gt;
                     website security audits. These access control anti-patterns include hard-coded security policies, &lt;br /&gt;
                     lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these&lt;br /&gt;
                     and other access control problems, we will discuss and design a positive access control mechanism &lt;br /&gt;
                     that is data contextual, activity based, configurable, flexible, and deny-by-default - among other&lt;br /&gt;
                     positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico&lt;br /&gt;
 '''Online registration here''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== Q2 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q3 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q4 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= 2011 Meetings =&lt;br /&gt;
&lt;br /&gt;
=== [[May 2011 - Paris Meeting]] ===&lt;br /&gt;
&lt;br /&gt;
[Logo to be placed here]&lt;br /&gt;
&lt;br /&gt;
We are honored to welcome '''Jim Manico''' during his European Tour in the Netherlands, Belgium and France.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document &amp;amp; Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle. &lt;br /&gt;
**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. &lt;br /&gt;
**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered. &lt;br /&gt;
**If you are interested in participating in the hands on portion of the course, please bring a laptop. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/f/f4/Future_of_XSS_v4.pptx The Ghost of XSS Past, Present and Future. A Defensive Tale]&amp;quot;'''&lt;br /&gt;
**This talk will discuss the past methods used for XSS defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google CAJA project and JSReg. &lt;br /&gt;
&lt;br /&gt;
*'''Speaker'''&lt;br /&gt;
**'''Jim Manico''' is a managing partner of Infrared Security with over 15 years of professional web development experience. Jim is also the Chair of the OWASP Connections Committee, one of the Project Managers of the OWASP ESAPI Project, a participant and manager of the OWASP Cheatsheet series, the Producer and host of the OWASP Podcast Series, the Manager of the OWASP Java HTML Sanitizer project and the manager of the OWASP Java Encoder project. When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.&lt;br /&gt;
&lt;br /&gt;
*'''Date'''&lt;br /&gt;
**May 24, 2011 &lt;br /&gt;
&lt;br /&gt;
*'''Venue'''&lt;br /&gt;
**Paris&lt;br /&gt;
&lt;br /&gt;
*'''Registration'''&lt;br /&gt;
**[http://www.regonline.com/Register/Checkin.aspx?EventID=971375 Click here]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 26 April 2011 ==&lt;br /&gt;
&lt;br /&gt;
'''26 April 2011 at the offices of [http://www.groupey.fr/nos-cabinets-paris.html GROUPE Y]:'''&lt;br /&gt;
&lt;br /&gt;
* 9:00: [https://www.owasp.org/images/2/2f/Agenda_26th_April_2011.pptx Introduction] - '''Ludovic Petit''' &amp;amp; '''Sébastien Gioria'''&lt;br /&gt;
* 9:30: [https://www.owasp.org/images/3/36/OPENSAMM2.pptx OpenSAMM] - '''Antonio Fontes''' (Chapter Leader OWASP Geneva) &lt;br /&gt;
* 11:00: [https://www.owasp.org/images/c/cf/OWASP_Cloud_Top_10.pptx OWASP Cloud Top 10 Project] - '''Ludovic Petit''' (Chapter Leader OWASP France &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 11:45: [https://www.owasp.org/images/5/5c/ESAPI_Swingset_talk_at_Paris.ppt OWASP ESAPI] - '''Fabio Cerullo''' (Chapter Leader OWASP Ireland &amp;amp; Global Education Committee)&lt;br /&gt;
* 14:15: [https://www.owasp.org/images/3/38/OWASP_Testing_Guide.pptx OWASP Testing Guide]  - '''Sébastien Gioria''' (French Chapter Leader &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 15:15: [http://o2platform.com OWASP O2 Platform - Live Session] - '''Dinis Cruz''' (OWASP O2 Project Leader)&lt;br /&gt;
* 16:30: [https://www.owasp.org/images/9/96/OWASP-Paris2011-VV-CodeReview.pdf OWASP Code Review] - '''Victor Vuillard'''&lt;br /&gt;
&lt;br /&gt;
= 2009 Meetings =&lt;br /&gt;
&lt;br /&gt;
'''6 May 2009 at 17h30 at [http://www.epitech.eu EPITECH]:'''&lt;br /&gt;
&lt;br /&gt;
* 17h30 : Welcome of participants&lt;br /&gt;
* 18h - 18h15 : [http://www.owasp.org/images/d/dc/OWASP_Paris_Meeting_-_May_2009.pdf Welcome and overview of agenda] '''(Board OWASP France)'''&lt;br /&gt;
* 18h30 - 19h : [http://www.owasp.org/images/6/6b/2009-05-06-OWASPFR-WebServices.pdf Attacks on Web Services] - '''Renaud Bidou'''&lt;br /&gt;
* 19h15 - 19h45 : [http://www.owasp.org/images/8/82/2009-05-06-OWASPFR-OpenSAM.pdf Software Security Initiatives in the Real World] - '''Claudio Merloni'''&lt;br /&gt;
* 20h : Close &lt;br /&gt;
&lt;br /&gt;
About the speakers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Renaud Bidou :''' ''Technical Director of DenyAll. He has worked in security for more than 10 years and has published numerous articles and white papers on subjects as varied as denial of service, port knockers, botnets, setting up a SOC, graphical analysis of attacks, and evasion techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Claudio Merloni : '''''Claudio Merloni is a Software Security Consultant at Fortify Software. His security experience covers application security, code review, secure architectures, risk analysis, compliance, security testing at the network, system and application levels, monitoring, and access control. He has taken part in several conferences, including BlackHat and CONFidence.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Venue: EPITECH'''&lt;br /&gt;
&lt;br /&gt;
Amphi 2&lt;br /&gt;
&lt;br /&gt;
14-16 rue Voltaire&lt;br /&gt;
&lt;br /&gt;
94276 Kremlin Bicêtre Cedex &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''Access by Metro''&lt;br /&gt;
* line 7 : Porte d'Italie&lt;br /&gt;
&lt;br /&gt;
''Bus''&lt;br /&gt;
* lines 47, 125, 131, 185 : Roger Salengro&lt;br /&gt;
* line 186 : Pierre Brossolette &amp;lt;br/&amp;gt; &lt;br /&gt;
&lt;br /&gt;
''Car''&lt;br /&gt;
* ring road (périphérique) : Porte d'Italie exit &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Translation effort =&lt;br /&gt;
&lt;br /&gt;
* The '''OWASP TOP Ten 2010 in French''' is [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf available]&lt;br /&gt;
* 2010-08-30: The French version of the Top 10 2010 is available [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] &lt;br /&gt;
* 2008-02-15: The Top 10 2007 is available in French [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.pdf PDF format], [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.doc Word format]&lt;br /&gt;
* 2007-11-16: [https://www.owasp.org/images/5/52/Owasp_tryptique.pdf Two-page double-sided presentation leaflet] for Infosecurity.&lt;br /&gt;
* 2007-02-27 : [[Newsletter_francaise_num%C3%A9ro_1]]&lt;br /&gt;
* 2007-06-20: OWASP presentation given in NY in June 2007 [https://www.owasp.org/images/7/71/20070620-FR-OWASP_NY_Keynote.ppt]&lt;br /&gt;
[[Category:Europe]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Old News = &lt;br /&gt;
&lt;br /&gt;
* 2009-06-09: [http://www.owasp.org/images/d/d2/20090609-CERT-IST-WAF-v0.1.pdf Talk on WAFs] at the [http://www.cert-ist.com CERT-IST] Forum &lt;br /&gt;
* 2009-02-03: OWASP France will be at [http://www.pci-portal.com/events/event-info/paris PCI Paris]. The presentation is: [https://www.owasp.org/images/f/fb/20090203-OWASP_PCI-Global_2009_Paris_-_v03.ppt OWASP and PCI-DSS requirement 6.5]&lt;br /&gt;
* 2008-11-19: OWASP France will be at [http://www.infosecurity.com.fr/FR/badge?ref=OWAW Infosecurity France] in Paris:&lt;br /&gt;
[http://www.infosecurity.com.fr/index.php?argRedirect=FR|badge&amp;amp;Lang=FR&amp;amp;ref=OWAW https://www.owasp.org/images/8/88/Infosecurity.gif]&lt;br /&gt;
&lt;br /&gt;
* 2008-07-08: OWASP France presented the OWASP project to [http://www.ossir.org OSSIR]. The presentation is available on the [https://www.owasp.org/images/9/94/20080708-OWASP_OSSIR.ppt OWASP] site&lt;br /&gt;
* 2008-02-15: The Top 10 2007 is available in French&lt;br /&gt;
* 2008-02-11: Presentation at [http://www.owasp.org/images/0/09/20080129-OWASP_TechDays_France_.ppt  TechDays 2008 Microsoft ]&lt;br /&gt;
* 2007-11-22: Presentation at Infosecurity France [http://www.owasp.org/images/8/85/20071122-OWASP_Infosecurity_France.ppt about OWASP]&lt;br /&gt;
* 2007-11-07: Interview in the [http://www.journaldunet.com/developpeur/itws/071106-securite-applicative-owasp.shtml Journal du Net]&lt;br /&gt;
* 2007-10-05: OWASP France will present the security challenges of [http://www.infosecurity.com.fr/?Jpto=116&amp;amp;KM_Session=f345bb91df954e6cbc0148328f109e94&amp;amp;CurrentNode=518&amp;amp;Lang=FR&amp;amp;IdNode=708 Web Services at Infosecurity France on 22/11/2007]&lt;br /&gt;
* 2006-12-18: Creation of the association that supports the OWASP group&lt;br /&gt;
* 2006-12-14: The OWASP Viaduc Hub has been launched http://www.viadeo.com/hub/affichehub/?hubId=002fj37grgb7o7n&lt;br /&gt;
* 2006-12-13: Birth of the French OWASP chapter. A mailing list is available. [http://lists.owasp.org/mailman/listinfo/owasp-france Subscribe]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=France&amp;diff=143775</id>
		<title>France</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=France&amp;diff=143775"/>
				<updated>2013-02-08T13:21:05Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=France|extra=The '''Chapter Leaders''' are [mailto:ludovic.petit@owasp.org Ludovic Petit] and [mailto:sebastien.gioria@owasp.org Sebastien Gioria]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-france|emailarchives=http://lists.owasp.org/pipermail/owasp-france}}'''&lt;br /&gt;
&amp;lt;paypal&amp;gt;France Chapter&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''The French Chapter is also available on LinkedIn''': [http://www.linkedin.com/groupInvitation?gid=1638517  '''Join us''', it only takes a minute!]&lt;br /&gt;
&lt;br /&gt;
== Contacts, Presentations, Contributions &amp;amp; Partnerships ==&lt;br /&gt;
&lt;br /&gt;
*[mailto:sebastien.gioria@owasp.org Sebastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit] are available if you would like information or wish to discuss the value offered by the OWASP Foundation, as well as Web Application Security.&lt;br /&gt;
&lt;br /&gt;
Companies, individuals, academia, sponsors, supporters: everyone is welcome at OWASP! Access to our Chapter meetings is free and open to all.&lt;br /&gt;
&lt;br /&gt;
For companies wishing to join OWASP, the basic annual membership fee is $5000 US (40% of which goes to the Project or Chapter of your choice), 100% deductible in the USA and 60% deductible in France &lt;br /&gt;
&lt;br /&gt;
The funds collected are used to organize the Chapter's meetings, but also and above all to build and organize with you a specific collegial approach that meets your wishes (awareness sessions, internal meetings, speaker engagements, etc.). All of this can be discussed with the French Chapter and agreed jointly with you if you wish to join OWASP. &lt;br /&gt;
&lt;br /&gt;
Do not hesitate to contact us if you would like to discuss a particular topic, or if you would like to give a presentation at a France Chapter meeting.&lt;br /&gt;
&lt;br /&gt;
Friends in the print and multimedia press, feel free to call on us if you would like our help with your articles and reports; you are welcome and we would be honored. Make use of our know-how in a win-win spirit!&lt;br /&gt;
&lt;br /&gt;
We remain modest in our approach; we would like the OWASP France Chapter to become one of your reference contacts. '''Together, each achieves more'''!&lt;br /&gt;
&lt;br /&gt;
                                      '''TEAM stands for... Together Each Achieves More!'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
==Looking Forward… and Beyond, Distinctiveness Through Security Excellence==&lt;br /&gt;
 '''Presentation''': &amp;quot;[https://www.owasp.org/images/5/50/Looking_Forward%E2%80%A6_and_Beyond.pptx Looking Forward… and Beyond]&amp;quot;'''&lt;br /&gt;
 '''Abstract''':  &lt;br /&gt;
Here is a presentation I gave in Sept for a big Software maker in an internal meeting. This presentation aims to be re-used at your convenience depending on the needs / your context. Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes, or people and firms interested in OWASP and willing to join the Foundation as a Member. The first 2 parts are more an update for those who are not yet familiar with OWASP, the 3rd part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway. Enjoy and feel free to email me, all comments welcome!&lt;br /&gt;
&lt;br /&gt;
 '''Speaker''' : Ludovic Petit &lt;br /&gt;
&lt;br /&gt;
==28 March 2012 First-quarter meeting==&lt;br /&gt;
 '''Venue''': Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''': Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''': &amp;quot;[https://www.owasp.org/images/6/6d/Developer_Top_Ten_Core_Controls_v4.1.pptx Top Ten Web Defenses]&amp;quot;'''&lt;br /&gt;
 '''Abstract''':  &lt;br /&gt;
Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. &lt;br /&gt;
This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. &lt;br /&gt;
Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
This talk will also detail several of the key access control anti-patterns commonly found during website security audits. &lt;br /&gt;
These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. &lt;br /&gt;
In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico &lt;br /&gt;
Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. &lt;br /&gt;
He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.&lt;br /&gt;
 '''Online registration at''': http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== 7 and 8 February 2012 - [http://www.microsoft.com/france/mstechdays/ Techdays Microsoft 2012] ==&lt;br /&gt;
&lt;br /&gt;
Sébastien will give a talk on [http://www.microsoft.com/france/mstechdays/programmes/parcours.aspx?SessionID=62e02774-6045-4be8-80ff-8332a793ad4f HTML5 and Security] on 7 February 2012 at 17h30. &lt;br /&gt;
More information on the page dedicated to TechDays Microsoft 2012.&lt;br /&gt;
&lt;br /&gt;
== 6 January 2012 - New Working Group on Web Services Security at [http://www.clusif.fr CLUSIF]  ==&lt;br /&gt;
&lt;br /&gt;
Following on from the Working Group on Web Application Security originally created in 2009, CLUSIF has launched a new working group on Web Services security. Feel free to take part if you are interested. CLUSIF is looking for users for this working group, and for people working in Microsoft environments, in order to have the broadest possible panel for this document.&lt;br /&gt;
&lt;br /&gt;
Contact : [mailto:sebastien.gioria@owasp.org Sébastien Gioria]&lt;br /&gt;
&lt;br /&gt;
== 19 December 2011 - Publication of the second [http://www.clusif.fr CLUSIF] document on Web Application Security ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF has published its second document, on [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Defense-en-profondeur-des-applications-Web.pdf defense in depth for Web applications]. This document follows the [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf first document published in 2009] &lt;br /&gt;
&lt;br /&gt;
== 15 December 2011 [http://www.clusif.fr CLUSIF] Conference on [http://www.clusif.fr/fr/infos/event/#conf111215  Web application security] ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF presented the Web Application Security conference on Thursday 15 December 2011 at the Cercle National des Armées.&lt;br /&gt;
The program was: &lt;br /&gt;
&lt;br /&gt;
* Implementing an application security policy: feedback from a CISO, by Philippe LARUE - Security Manager - [http://www.cbp-prevoyance.com/ CBP]&lt;br /&gt;
* Source code review or application security testing: which is more efficient for assessing an application's security level? by Sébastien GIORIA - Senior Consultant at [http://www.groupey.fr Groupe Y] and leader of the French chapter of [https://www.owasp.org OWASP] - OWASP France&lt;br /&gt;
* The regulatory challenges of protecting information online, by Garance MATHIAS - Lawyer - Law firm&lt;br /&gt;
&lt;br /&gt;
The presentations are available on the [http://www.clusif.fr CLUSIF] website; videos of the talks will also be available.&lt;br /&gt;
&lt;br /&gt;
== 2 December 2011 - [[OWASP BeNeLux 2011 Conference - University of Luxembourg]] ==&lt;br /&gt;
&lt;br /&gt;
Ludovic gave a talk about &amp;quot;[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd WebApp Security and Legal aspects]&amp;quot;  on Dec 2.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**This presentation aims to be used by anybody willing to spread the voice of OWASP. See this as an Awareness session.&lt;br /&gt;
**Use it and use it again. &lt;br /&gt;
**Try to open your mind, just let me know if I can help. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/5/55/Do_you..._Legal_-_OWASP_BeNeLux_Day_-_2_Dec_2011.pptx Do you... Legal?]&amp;quot;'''&lt;br /&gt;
**The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsibility, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is especially true for Web Application Security, much sensitive information having to be handled through these web interfaces. As such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [[EUROPE - ENISA’s Who-is-Who Directory on Network and Information Security]] ===&lt;br /&gt;
&lt;br /&gt;
We are pleased to announce that OWASP France is part of the [http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011 ENISA’s Who-is-Who Directory].&lt;br /&gt;
&lt;br /&gt;
The ENISA is the European Network and Information Security Agency.&lt;br /&gt;
[http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011/at_download/fullReport The ENISA Who-is-Who Directory on Network and Information Security 2011] contains information on NIS stakeholders, such as national and European authorities and NIS organisations, contact details, websites, and areas of responsibilities or activities. &lt;br /&gt;
This Directory serves as the &amp;quot;yellow pages&amp;quot; of Network and Information Security (NIS) in Europe. As such, it is a useful tool for those working closely with NIS issues in Europe.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Chapter Meetings 2013 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2013 ==&lt;br /&gt;
 '''Date''': 7 February 2013&lt;br /&gt;
 '''Venue''': Gemalto - Salle Plazza, 6 rue de la Verrerie, 92197 Meudon-sur-Seine &lt;br /&gt;
 '''Time''': 18h30 to 21h&lt;br /&gt;
 '''Presentation''': Update on OWASP Projects, Ludovic&lt;br /&gt;
 '''Presentation''': Evolution of the Legal Framework - Developers, Software makers held liable for code? Ludovic&lt;br /&gt;
 '''Presentation''': Personal data: the new draft European regulation, Thiébaut Devergranne&lt;br /&gt;
 '''Presentation''': Presentation of the OWASP France Day that we would like to organize in March, Ludovic &amp;amp; Sébastien&lt;br /&gt;
 '''Presentation''': OWASP Top Ten 2013 translation, Ludovic &amp;amp; Sébastien&lt;br /&gt;
 '''Presentation''': Partner Relations &amp;amp; Memberships, Ely de Travieso&lt;br /&gt;
 '''Abstract''': Joining us for this meeting is Thiébaut Devergranne, doctor of law and consultant. &lt;br /&gt;
Thiébaut has worked in new-technology law for more than 10 years, 6 of them within the Prime Minister's services.&lt;br /&gt;
&lt;br /&gt;
Thiébaut Devergranne's presentation is available at http://www.donneespersonnelles.fr/donnees-personnelles-le-nouveau-projet-de-reglement-europeen.&lt;br /&gt;
&lt;br /&gt;
 '''Speakers''': Ludovic Petit, Sébastien Gioria, Ely de Travieso, Thiébaut Devergranne&lt;br /&gt;
 '''Online registration here''': https://www.eventbrite.com/event/4615236296&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OWASP France call for contributions =&lt;br /&gt;
&lt;br /&gt;
The Chapter's various calls for contributions (sponsors, talks, etc.) will be relayed here.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= External calls for contributions =&lt;br /&gt;
&lt;br /&gt;
Calls for contributions that we consider of interest to the Chapter will be relayed here. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Meetings 2012 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2012 ==&lt;br /&gt;
 '''Date''': 28 March 2012&lt;br /&gt;
 '''Venue''': Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''': Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''': Web Application Access Control Design Excellence&lt;br /&gt;
 '''Abstract''': Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
                    This talk will discuss several of the key access control anti-patterns commonly found during &lt;br /&gt;
                     website security audits. These access control anti-patterns include hard-coded security policies, &lt;br /&gt;
                     lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these&lt;br /&gt;
                     and other access control problems, we will discuss and design a positive access control mechanism &lt;br /&gt;
                     that is data contextual, activity based, configurable, flexible, and deny-by-default - among other&lt;br /&gt;
                     positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico&lt;br /&gt;
 '''Online registration here''': http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== Q2 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q3 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q4 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= 2011 Meetings =&lt;br /&gt;
&lt;br /&gt;
=== [[May 2011 - Paris Meeting]] ===&lt;br /&gt;
&lt;br /&gt;
[Logo to be placed here]&lt;br /&gt;
&lt;br /&gt;
We are honored to welcome '''Jim Manico''' during his European Tour in the Netherlands, Belgium and France.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document &amp;amp; Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle. &lt;br /&gt;
**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. &lt;br /&gt;
**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered. &lt;br /&gt;
**If you are interested in participating in the hands on portion of the course, please bring a laptop. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/f/f4/Future_of_XSS_v4.pptx The Ghost of XSS Past, Present and Future. A Defensive Tale]&amp;quot;'''&lt;br /&gt;
**This talk will discuss the past methods used for XSS defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense mythologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and Javascript sandboxes such as the Google CAJA project and JSReg. &lt;br /&gt;
&lt;br /&gt;
*'''Speaker'''&lt;br /&gt;
**'''Jim Manico''' is a managing partner of Infrared Security with over 15 years of professional web development experience. Jim is also the Chair of the OWASP Connections Committee, one of the Project Managers of the OWASP ESAPI Project, a participant and manager of the OWASP Cheatsheet series, the Producer and host of the OWASP Podcast Series, the Manager of the OWASP Java HTML Sanitizer project and the manager of the OWASP Java Encoder project. When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.&lt;br /&gt;
&lt;br /&gt;
*'''Date'''&lt;br /&gt;
**May 24, 2011 &lt;br /&gt;
&lt;br /&gt;
*'''Venue'''&lt;br /&gt;
**Paris&lt;br /&gt;
&lt;br /&gt;
*'''Registration'''&lt;br /&gt;
**[http://www.regonline.com/Register/Checkin.aspx?EventID=971375 Click here]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 26 April 2011 ==&lt;br /&gt;
&lt;br /&gt;
'''26 April 2011 at the offices of [http://www.groupey.fr/nos-cabinets-paris.html GROUPE Y]:'''&lt;br /&gt;
&lt;br /&gt;
* 9:00: [https://www.owasp.org/images/2/2f/Agenda_26th_April_2011.pptx Introduction] - '''Ludovic Petit''' &amp;amp; '''Sébastien Gioria'''&lt;br /&gt;
* 9:30: [https://www.owasp.org/images/3/36/OPENSAMM2.pptx OpenSAMM] - '''Antonio Fontes''' (Chapter Leader OWASP Geneva) &lt;br /&gt;
* 11:00: [https://www.owasp.org/images/c/cf/OWASP_Cloud_Top_10.pptx OWASP Cloud Top 10 Project] - '''Ludovic Petit''' (Chapter Leader OWASP France &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 11:45: [https://www.owasp.org/images/5/5c/ESAPI_Swingset_talk_at_Paris.ppt OWASP ESAPI] - '''Fabio Cerullo''' (Chapter Leader OWASP Ireland &amp;amp; Global Education Committee)&lt;br /&gt;
* 14:15: [https://www.owasp.org/images/3/38/OWASP_Testing_Guide.pptx OWASP Testing Guide]  - '''Sébastien Gioria''' (French Chapter Leader &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 15:15: [http://o2platform.com OWASP O2 Platform - Live Session] - '''Dinis Cruz''' (OWASP O2 Project Leader)&lt;br /&gt;
* 16:30: [https://www.owasp.org/images/9/96/OWASP-Paris2011-VV-CodeReview.pdf OWASP Code Review] - '''Victor Vuillard'''&lt;br /&gt;
&lt;br /&gt;
= 2009 Meetings =&lt;br /&gt;
&lt;br /&gt;
'''6 May 2009 at 17h30 at [http://www.epitech.eu EPITECH]:'''&lt;br /&gt;
&lt;br /&gt;
* 17h30 : Welcome of participants&lt;br /&gt;
* 18h - 18h 15 : [http://www.owasp.org/images/d/dc/OWASP_Paris_Meeting_-_May_2009.pdf Welcome and overview of agenda] '''(Board OWASP France)'''&lt;br /&gt;
* 18h30 - 19h : [http://www.owasp.org/images/6/6b/2009-05-06-OWASPFR-WebServices.pdf Attacks on Web Services] - '''Renaud Bidou'''&lt;br /&gt;
* 19h15 - 19h45 : [http://www.owasp.org/images/8/82/2009-05-06-OWASPFR-OpenSAM.pdf Software Security Initiatives in the Real World] - '''Claudio Merloni'''&lt;br /&gt;
* 20h : Close &lt;br /&gt;
&lt;br /&gt;
About the speakers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Renaud Bidou:''' ''Technical Director of DenyAll. He has worked in security for more than 10 years and has published numerous articles and white papers on topics as varied as denial of service, port knockers, botnets, setting up a SOC, graphical analysis of attacks, and evasion techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Claudio Merloni: '''''Claudio Merloni is a Software Security Consultant at Fortify Software. His experience in the security field covers application security, code review, secure architectures, risk analysis, compliance, security testing at the network, system and application levels, monitoring, and access control. He has taken part in several conferences, including BlackHat and CONFidence.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Venue: EPITECH'''&lt;br /&gt;
&lt;br /&gt;
Amphi 2&lt;br /&gt;
&lt;br /&gt;
14-16 rue Voltaire&lt;br /&gt;
&lt;br /&gt;
94276 Kremlin Bicêtre Cedex &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''Getting there: Metro''&lt;br /&gt;
* line 7: Porte d'Italie&lt;br /&gt;
&lt;br /&gt;
''Bus''&lt;br /&gt;
* lines 47, 125, 131, 185: Roger Salengro&lt;br /&gt;
* line 186: Pierre Brossolette &amp;lt;br/&amp;gt; &lt;br /&gt;
&lt;br /&gt;
''By car''&lt;br /&gt;
* ring road (périphérique): Porte d'Italie exit &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Translation effort =&lt;br /&gt;
&lt;br /&gt;
* The '''OWASP TOP Ten 2010 in French''' is [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf available]&lt;br /&gt;
* 2010-08-30: The French version of the Top 10 2010 is available [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] &lt;br /&gt;
* 2008-02-15: The Top 10 2007 is available in French [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.pdf PDF format], [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.doc Word format]&lt;br /&gt;
* 2007-11-16: [https://www.owasp.org/images/5/52/Owasp_tryptique.pdf Two-page double-sided presentation leaflet] for Infosecurity.&lt;br /&gt;
* 2007-02-27 : [[Newsletter_francaise_num%C3%A9ro_1]]&lt;br /&gt;
* 2007-06-20: OWASP presentation given in NY in June 2007 [https://www.owasp.org/images/7/71/20070620-FR-OWASP_NY_Keynote.ppt]&lt;br /&gt;
[[Category:Europe]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Old News = &lt;br /&gt;
&lt;br /&gt;
* 2009-06-09: [http://www.owasp.org/images/d/d2/20090609-CERT-IST-WAF-v0.1.pdf Talk on WAFs] at the [http://www.cert-ist.com CERT-IST] Forum &lt;br /&gt;
* 2009-02-03: OWASP France will be at [http://www.pci-portal.com/events/event-info/paris PCI Paris]. The presentation is: [https://www.owasp.org/images/f/fb/20090203-OWASP_PCI-Global_2009_Paris_-_v03.ppt OWASP and PCI-DSS requirement 6.5]&lt;br /&gt;
* 2008-11-19: OWASP France will be at [http://www.infosecurity.com.fr/FR/badge?ref=OWAW Infosecurity France] in Paris:&lt;br /&gt;
[http://www.infosecurity.com.fr/index.php?argRedirect=FR|badge&amp;amp;Lang=FR&amp;amp;ref=OWAW https://www.owasp.org/images/8/88/Infosecurity.gif]&lt;br /&gt;
&lt;br /&gt;
* 2008-07-08: OWASP France presented the OWASP project to [http://www.ossir.org OSSIR]. The presentation is available on the [https://www.owasp.org/images/9/94/20080708-OWASP_OSSIR.ppt OWASP] site&lt;br /&gt;
* 2008-02-15: The Top 10 2007 is available in French&lt;br /&gt;
* 2008-02-11: Presentation at [http://www.owasp.org/images/0/09/20080129-OWASP_TechDays_France_.ppt  TechDays 2008 Microsoft ]&lt;br /&gt;
* 2007-11-22: Presentation at Infosecurity France [http://www.owasp.org/images/8/85/20071122-OWASP_Infosecurity_France.ppt about OWASP]&lt;br /&gt;
* 2007-11-07: Interview in the [http://www.journaldunet.com/developpeur/itws/071106-securite-applicative-owasp.shtml Journal du Net]&lt;br /&gt;
* 2007-10-05: OWASP France will present the security challenges of [http://www.infosecurity.com.fr/?Jpto=116&amp;amp;KM_Session=f345bb91df954e6cbc0148328f109e94&amp;amp;CurrentNode=518&amp;amp;Lang=FR&amp;amp;IdNode=708 Web Services at Infosecurity France on 22/11/2007]&lt;br /&gt;
* 2006-12-18: Creation of the association that supports the OWASP group&lt;br /&gt;
* 2006-12-14: The OWASP Viaduc Hub has been launched http://www.viadeo.com/hub/affichehub/?hubId=002fj37grgb7o7n&lt;br /&gt;
* 2006-12-13: Birth of the French OWASP chapter. A mailing list is available. [http://lists.owasp.org/mailman/listinfo/owasp-france Subscribe]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Looking_Forward%E2%80%A6_and_Beyond.pptx&amp;diff=143475</id>
		<title>File:Looking Forward… and Beyond.pptx</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Looking_Forward%E2%80%A6_and_Beyond.pptx&amp;diff=143475"/>
				<updated>2013-02-05T12:47:07Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: uploaded a new version of &amp;amp;quot;File:Looking Forward… and Beyond.pptx&amp;amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Here is just for information the slide deck of a presentation I gave in Sept for a big Software maker in an internal meeting (the name has been anonymized on request).&lt;br /&gt;
Even if most of you already know the stuff, this presentation has been structured and aims to be re-used at your convenience depending on the needs / your context.&lt;br /&gt;
Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes or when talking memberships for joining OWASP.&lt;br /&gt;
The first 2 parts are more an update for those who are not yet familiar with OWASP, the third part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway.&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Looking_Forward%E2%80%A6_and_Beyond.pptx&amp;diff=143351</id>
		<title>File:Looking Forward… and Beyond.pptx</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Looking_Forward%E2%80%A6_and_Beyond.pptx&amp;diff=143351"/>
				<updated>2013-02-04T13:32:33Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: uploaded a new version of &amp;amp;quot;File:Looking Forward… and Beyond.pptx&amp;amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Here is just for information the slide deck of a presentation I gave in Sept for a big Software maker in an internal meeting (the name has been anonymized on request).&lt;br /&gt;
Even if most of you already know the stuff, this presentation has been structured and aims to be re-used at your convenience depending on the needs / your context.&lt;br /&gt;
Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes or when talking memberships for joining OWASP.&lt;br /&gt;
The first 2 parts are more an update for those who are not yet familiar with OWASP, the third part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway.&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=France&amp;diff=142708</id>
		<title>France</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=France&amp;diff=142708"/>
				<updated>2013-01-23T16:06:38Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=France|extra=The '''Chapter Leaders''' are [mailto:ludovic.petit@owasp.org Ludovic Petit] and [mailto:sebastien.gioria@owasp.org Sebastien Gioria]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-france|emailarchives=http://lists.owasp.org/pipermail/owasp-france}}'''&lt;br /&gt;
&amp;lt;paypal&amp;gt;France Chapter&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''The French Chapter is also available on LinkedIn''': [http://www.linkedin.com/groupInvitation?gid=1638517  '''Join us''', it only takes a minute!]&lt;br /&gt;
&lt;br /&gt;
== Contacts, Presentations, Contributions &amp;amp; Partnerships ==&lt;br /&gt;
&lt;br /&gt;
*[mailto:sebastien.gioria@owasp.org Sebastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit] are available if you would like information or wish to discuss the added value offered by the OWASP Foundation, as well as Web Application Security.&lt;br /&gt;
&lt;br /&gt;
Companies, individuals, academia, sponsors, supporters: everyone is welcome at OWASP! Access to our Chapter meetings is free and open to all.&lt;br /&gt;
&lt;br /&gt;
For companies wishing to join OWASP, the basic annual membership fee is $5000 US (40% of which goes to the Project or Chapter of your choice), 100% deductible in the USA and 60% deductible in France. &lt;br /&gt;
&lt;br /&gt;
The funds collected are used to organize the Chapter's meetings, but also and above all to build and organize with you a specific collegial approach that meets your wishes (awareness sessions, internal meetings, speaker engagements, etc.). All of this can be discussed with the French Chapter and agreed jointly with you if you wish to join OWASP. &lt;br /&gt;
&lt;br /&gt;
Do not hesitate to contact us if you would like to discuss a particular topic, or if you would like to give a presentation at a France Chapter meeting.&lt;br /&gt;
&lt;br /&gt;
Friends of the print press and multimedia, do not hesitate to call on us if you would like our help with your articles and reports; you are welcome and we would be honored. Make use of our know-how in a win-win perspective!&lt;br /&gt;
&lt;br /&gt;
We remain modest in our approach; we would like the OWASP France Chapter to become one of your reference contacts. '''Together, each achieves more'''!&lt;br /&gt;
&lt;br /&gt;
                                      '''TEAM stands for... Together Each Achieves More!'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
==Looking Forward… and Beyond, Distinctiveness Through Security Excellence==&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/5/50/Looking_Forward%E2%80%A6_and_Beyond.pptx Looking Forward… and Beyond]&amp;quot;&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Here is a presentation I gave in Sept for a big Software maker in an internal meeting. This presentation aims to be re-used at your convenience depending on the needs / your context. Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes, or people and firms interested in OWASP and willing to join the Foundation as Member. The first 2 parts are more an update for those who are not yet familiar with OWASP, the 3rd part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway. Enjoy and feel free to email me, all comments welcome!&lt;br /&gt;
&lt;br /&gt;
 '''Speaker''' : Ludovic Petit &lt;br /&gt;
&lt;br /&gt;
==28 March 2012 First-Quarter Meeting==&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Metro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/6/6d/Developer_Top_Ten_Core_Controls_v4.1.pptx Top Ten Web Defenses]&amp;quot;&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. &lt;br /&gt;
This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. &lt;br /&gt;
Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
This talk will also detail several of the key access control anti-patterns commonly found during website security audits. &lt;br /&gt;
These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. &lt;br /&gt;
In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico &lt;br /&gt;
Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. &lt;br /&gt;
He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.&lt;br /&gt;
 '''Online registration at''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== 7 and 8 February 2012 - [http://www.microsoft.com/france/mstechdays/ Techdays Microsoft 2012] ==&lt;br /&gt;
&lt;br /&gt;
Sébastien will give a talk on [http://www.microsoft.com/france/mstechdays/programmes/parcours.aspx?SessionID=62e02774-6045-4be8-80ff-8332a793ad4f HTML5 and Security]  on 7 February 2012 at 17h30. &lt;br /&gt;
More information is on the page dedicated to TechDays Microsoft 2012.&lt;br /&gt;
&lt;br /&gt;
== 6 January 2012 - New Working Group on Web Services Security at [http://www.clusif.fr CLUSIF]  ==&lt;br /&gt;
&lt;br /&gt;
Continuing the Working Group on Web Application Security originally created in 2009, CLUSIF has launched a new working group on Web Services security. Do not hesitate to take part if you are interested. CLUSIF is looking for users for this working group and for people working in Microsoft environments, in order to have the broadest possible panel for this document.&lt;br /&gt;
&lt;br /&gt;
Contact : [mailto:sebastien.gioria@owasp.org Sébastien Gioria]&lt;br /&gt;
&lt;br /&gt;
== 19 December 2011 - Publication of the second [http://www.clusif.fr CLUSIF] document on Web Application Security ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF has published its second document, on [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Defense-en-profondeur-des-applications-Web.pdf defense in depth for web applications]. This document follows the [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf first document published in 2009]. &lt;br /&gt;
&lt;br /&gt;
== 15 December 2011 - [http://www.clusif.fr CLUSIF] Conference on [http://www.clusif.fr/fr/infos/event/#conf111215  web application security] ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF held the Web Application Security conference on Thursday 15 December 2011 at the Cercle National des Armées.&lt;br /&gt;
The program was: &lt;br /&gt;
&lt;br /&gt;
* Implementing an application security policy: a CISO's experience report, by Philippe LARUE - Security Manager - [http://www.cbp-prevoyance.com/ CBP]&lt;br /&gt;
* Source code review or application security testing: which is more efficient for assessing an application's security level? by Sébastien GIORIA - Senior Consultant, [http://www.groupey.fr Groupe Y], and leader of the French chapter of [https://www.owasp.org OWASP] - OWASP France&lt;br /&gt;
* The regulatory stakes of protecting information online, by Garance MATHIAS - Lawyer - Law firm&lt;br /&gt;
&lt;br /&gt;
The presentations are available on the [http://www.clusif.fr CLUSIF] website; videos of the talks will also be available.&lt;br /&gt;
&lt;br /&gt;
== 2 December 2011 - [[OWASP BeNeLux 2011 Conference - University of Luxembourg]] ==&lt;br /&gt;
&lt;br /&gt;
Ludovic gave a talk about &amp;quot;[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd WebApp Security and Legal aspects]&amp;quot;  on Dec 2.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**This presentation aims to be used by anybody willing to spread the voice of OWASP. See this as an Awareness session.&lt;br /&gt;
**Use it and use it again. &lt;br /&gt;
**Try to open your mind, just let me know if I can help. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/5/55/Do_you..._Legal_-_OWASP_BeNeLux_Day_-_2_Dec_2011.pptx Do you... Legal?]&amp;quot;'''&lt;br /&gt;
**The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsibility, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is especially true for Web Application Security, much sensitive information having to be handled through these web interfaces. As such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [[EUROPE - ENISA’s Who-is-Who Directory on Network and Information Security]] ===&lt;br /&gt;
&lt;br /&gt;
We are pleased to announce that OWASP France is part of the [http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011 ENISA’s Who-is-Who Directory].&lt;br /&gt;
&lt;br /&gt;
The ENISA is the European Network and Information Security Agency.&lt;br /&gt;
[http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011/at_download/fullReport The ENISA Who-is-Who Directory on Network and Information Security 2011] contains information on NIS stakeholders, such as national and European authorities and NIS organisations, contact details, websites, and areas of responsibilities or activities. &lt;br /&gt;
This Directory serves as the &amp;quot;yellow pages&amp;quot; of Network and Information Security (NIS) in Europe. As such, it is a useful tool for those working closely with NIS issues in Europe.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OWASP France Call for Contributions =&lt;br /&gt;
&lt;br /&gt;
The Chapter's various calls for contributions (sponsors, talks, etc.) will be relayed here.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= External Calls for Contributions =&lt;br /&gt;
&lt;br /&gt;
Calls for contributions that we consider of interest to the Chapter will be relayed here. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Meetings 2012 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2012 ==&lt;br /&gt;
 '''Date''' : 28 March 2012&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Metro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : Web Application Access Control Design Excellence&lt;br /&gt;
 '''Abstract''' : Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
                    This talk will discuss several of the key access control anti-patterns commonly found during &lt;br /&gt;
                     website security audits. These access control anti-patterns include hard-coded security policies, &lt;br /&gt;
                     lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these&lt;br /&gt;
                     and other access control problems, we will discuss and design a positive access control mechanism &lt;br /&gt;
                     that is data contextual, activity based, configurable, flexible, and deny-by-default - among other&lt;br /&gt;
                     positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico&lt;br /&gt;
 '''Online registration here''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== Q2 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q3 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q4 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= 2011 Meetings =&lt;br /&gt;
&lt;br /&gt;
=== [[May 2011 - Paris Meeting]] ===&lt;br /&gt;
&lt;br /&gt;
[Logo to be placed here]&lt;br /&gt;
&lt;br /&gt;
We are honored to welcome '''Jim Manico''' during his European Tour in the Netherlands, Belgium and France.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document &amp;amp; Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle. &lt;br /&gt;
**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. &lt;br /&gt;
**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered. &lt;br /&gt;
**If you are interested in participating in the hands on portion of the course, please bring a laptop. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/f/f4/Future_of_XSS_v4.pptx The Ghost of XSS Past, Present and Future. A Defensive Tale]&amp;quot;'''&lt;br /&gt;
**This talk will discuss the past methods used for XSS defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and Javascript sandboxes such as the Google CAJA project and JSReg. &lt;br /&gt;
&lt;br /&gt;
*'''Speaker'''&lt;br /&gt;
**'''Jim Manico''' is a managing partner of Infrared Security with over 15 years of professional web development experience. Jim is also the Chair of the OWASP Connections Committee, one of the Project Managers of the OWASP ESAPI Project, a participant and manager of the OWASP Cheatsheet series, the Producer and host of the OWASP Podcast Series, the Manager of the OWASP Java HTML Sanitizer project and the manager of the OWASP Java Encoder project. When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.&lt;br /&gt;
&lt;br /&gt;
*'''Date'''&lt;br /&gt;
**May 24, 2011 &lt;br /&gt;
&lt;br /&gt;
*'''Venue'''&lt;br /&gt;
**Paris&lt;br /&gt;
&lt;br /&gt;
*'''Registration'''&lt;br /&gt;
**[http://www.regonline.com/Register/Checkin.aspx?EventID=971375 Click here]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 26 April 2011 ==&lt;br /&gt;
&lt;br /&gt;
'''26 April 2011 at the offices of [http://www.groupey.fr/nos-cabinets-paris.html GROUPE Y]:'''&lt;br /&gt;
&lt;br /&gt;
* 9:00: [https://www.owasp.org/images/2/2f/Agenda_26th_April_2011.pptx Introduction] - '''Ludovic Petit''' &amp;amp; '''Sébastien Gioria'''&lt;br /&gt;
* 9:30: [https://www.owasp.org/images/3/36/OPENSAMM2.pptx OpenSAMM] - '''Antonio Fontes''' (Chapter Leader OWASP Geneva) &lt;br /&gt;
* 11:00: [https://www.owasp.org/images/c/cf/OWASP_Cloud_Top_10.pptx OWASP Cloud Top 10 Project] - '''Ludovic Petit''' (Chapter Leader OWASP France &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 11:45: [https://www.owasp.org/images/5/5c/ESAPI_Swingset_talk_at_Paris.ppt OWASP ESAPI] - '''Fabio Cerullo''' (Chapter Leader OWASP Ireland &amp;amp; Global Education Committee)&lt;br /&gt;
* 14:15: [https://www.owasp.org/images/3/38/OWASP_Testing_Guide.pptx OWASP Testing Guide]  - '''Sébastien Gioria''' (French Chapter Leader &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 15:15: [http://o2platform.com OWASP O2 Platform - Live Session] - '''Dinis Cruz''' (OWASP O2 Project Leader)&lt;br /&gt;
* 16:30: [https://www.owasp.org/images/9/96/OWASP-Paris2011-VV-CodeReview.pdf OWASP Code Review] - '''Victor Vuillard'''&lt;br /&gt;
&lt;br /&gt;
= 2009 Meetings =&lt;br /&gt;
&lt;br /&gt;
'''6 May 2009 at 17h30 at [http://www.epitech.eu EPITECH]:'''&lt;br /&gt;
&lt;br /&gt;
* 17h30 : Welcome of participants&lt;br /&gt;
* 18h - 18h 15 : [http://www.owasp.org/images/d/dc/OWASP_Paris_Meeting_-_May_2009.pdf Welcome and overview of agenda] '''(Board OWASP France)'''&lt;br /&gt;
* 18h30 - 19h : [http://www.owasp.org/images/6/6b/2009-05-06-OWASPFR-WebServices.pdf Attacks on Web Services] - '''Renaud Bidou'''&lt;br /&gt;
* 19h15 - 19h45 : [http://www.owasp.org/images/8/82/2009-05-06-OWASPFR-OpenSAM.pdf Software Security Initiatives in the Real World] - '''Claudio Merloni'''&lt;br /&gt;
* 20h : Close &lt;br /&gt;
&lt;br /&gt;
About the Speakers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Renaud Bidou :''' ''Technical Director of DenyAll. He has worked in security for more than 10 years and has published numerous articles and white papers on topics as varied as denial of service, port knockers, botnets, setting up a SOC, graphical analysis of attacks, and evasion techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Claudio Merloni : '''''Claudio Merloni is a Software Security Consultant at Fortify Software. His experience in the security field spans application security, code review, secure architectures, risk analysis, compliance, security testing at the network, system and application levels, monitoring, and access control. He has taken part in several conferences, including BlackHat and CONFidence.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Venue: EPITECH'''&lt;br /&gt;
&lt;br /&gt;
Amphi 2&lt;br /&gt;
&lt;br /&gt;
14-16 rue Voltaire&lt;br /&gt;
&lt;br /&gt;
94276 Kremlin Bicêtre Cedex &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''Getting there - Metro''&lt;br /&gt;
* line 7 : Porte d'Italie&lt;br /&gt;
&lt;br /&gt;
''Bus''&lt;br /&gt;
* line 47, 125, 131, 185 : Roger Salengro&lt;br /&gt;
* line 186 : Pierre Brossolette &amp;lt;br/&amp;gt; &lt;br /&gt;
&lt;br /&gt;
''Car''&lt;br /&gt;
* ring road (périphérique) : Porte d'Italie exit &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Translation effort =&lt;br /&gt;
&lt;br /&gt;
* The '''OWASP TOP Ten 2010 in French''' is [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf available]&lt;br /&gt;
* 2010-08-30 : The French version of the Top 10 2010 is available [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] &lt;br /&gt;
* 2008-02-15 : The Top 10 2007 is available in French [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.pdf PDF format], [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.doc Word format]&lt;br /&gt;
* 2007-11-16 : [https://www.owasp.org/images/5/52/Owasp_tryptique.pdf Two-page double-sided leaflet] presenting OWASP for Infosecurity.&lt;br /&gt;
* 2007-02-27 : [[Newsletter_francaise_num%C3%A9ro_1]]&lt;br /&gt;
* 2007-06-20 : OWASP presentation given in NY in June 2007 [https://www.owasp.org/images/7/71/20070620-FR-OWASP_NY_Keynote.ppt]&lt;br /&gt;
[[Category:Europe]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Old News = &lt;br /&gt;
&lt;br /&gt;
* 2009-06-09 : [http://www.owasp.org/images/d/d2/20090609-CERT-IST-WAF-v0.1.pdf Talk on WAFs] at the [http://www.cert-ist.com CERT-IST] Forum &lt;br /&gt;
* 2009-02-03 : OWASP France will be present at [http://www.pci-portal.com/events/event-info/paris PCI Paris]. The presentation is: [https://www.owasp.org/images/f/fb/20090203-OWASP_PCI-Global_2009_Paris_-_v03.ppt OWASP and PCI-DSS requirement 6.5]&lt;br /&gt;
* 2008-11-19 : OWASP France will be present at [http://www.infosecurity.com.fr/FR/badge?ref=OWAW Infosecurity France] in Paris:&lt;br /&gt;
[http://www.infosecurity.com.fr/index.php?argRedirect=FR|badge&amp;amp;Lang=FR&amp;amp;ref=OWAW https://www.owasp.org/images/8/88/Infosecurity.gif]&lt;br /&gt;
&lt;br /&gt;
* 2008-07-08 : OWASP France presented the OWASP project to [http://www.ossir.org OSSIR]. The presentation is available on the [https://www.owasp.org/images/9/94/20080708-OWASP_OSSIR.ppt OWASP] site&lt;br /&gt;
* 2008-02-15 : The Top 10 2007 is available in French&lt;br /&gt;
* 2008-02-11 : Presentation at [http://www.owasp.org/images/0/09/20080129-OWASP_TechDays_France_.ppt  TechDays 2008 Microsoft ]&lt;br /&gt;
* 2007-11-22 : Presentation at Infosecurity France [http://www.owasp.org/images/8/85/20071122-OWASP_Infosecurity_France.ppt by OWASP]&lt;br /&gt;
* 2007-11-07 : Interview in the [http://www.journaldunet.com/developpeur/itws/071106-securite-applicative-owasp.shtml Journal du Net]&lt;br /&gt;
* 2007-10-05 : OWASP France will present the security challenges of [http://www.infosecurity.com.fr/?Jpto=116&amp;amp;KM_Session=f345bb91df954e6cbc0148328f109e94&amp;amp;CurrentNode=518&amp;amp;Lang=FR&amp;amp;IdNode=708 Web Services at Infosecurity France on 22/11/2007]&lt;br /&gt;
* 2006-12-18 : Establishment of the association to support the OWASP group&lt;br /&gt;
* 2006-12-14 : The OWASP Viaduc Hub has been launched http://www.viadeo.com/hub/affichehub/?hubId=002fj37grgb7o7n&lt;br /&gt;
* 2006-12-13 : Birth of the French chapter of OWASP. A mailing list is available. [http://lists.owasp.org/mailman/listinfo/owasp-france Subscribe]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=France&amp;diff=142707</id>
		<title>France</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=France&amp;diff=142707"/>
				<updated>2013-01-23T16:05:48Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=France|extra=The '''Chapter Leaders''' are [mailto:ludovic.petit@owasp.org Ludovic Petit] and [mailto:sebastien.gioria@owasp.org Sebastien Gioria]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-france|emailarchives=http://lists.owasp.org/pipermail/owasp-france}}'''&lt;br /&gt;
&amp;lt;paypal&amp;gt;France Chapter&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''The French Chapter is also available on LinkedIn''': [http://www.linkedin.com/groupInvitation?gid=1638517  '''Join us''', it only takes a minute!]&lt;br /&gt;
&lt;br /&gt;
== Contacts, Presentations, Contributions &amp;amp; Partnerships ==&lt;br /&gt;
&lt;br /&gt;
*[mailto:sebastien.gioria@owasp.org Sebastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit] are available if you would like information or wish to discuss the added value offered by the OWASP Foundation, as well as Web Application Security.&lt;br /&gt;
&lt;br /&gt;
Companies, individuals, academia, sponsors, supporters: everyone is welcome at OWASP! Access to our Chapter meetings is free and open to all.&lt;br /&gt;
&lt;br /&gt;
For companies wishing to join OWASP, the basic annual membership fee is $5000 US (40% of which goes to the Project or Chapter of your choice), 100% deductible in the USA and 60% deductible in France. &lt;br /&gt;
&lt;br /&gt;
The funds collected are used to organize the Chapter's meetings, but also and above all to build and organize with you a specific collegial approach that meets your wishes (awareness sessions, internal meetings, speaker engagements, etc.). All of this can be discussed with the French Chapter and agreed jointly with you if you wish to join OWASP. &lt;br /&gt;
&lt;br /&gt;
Do not hesitate to contact us if you would like to discuss a particular topic, or if you would like to give a presentation at a France Chapter meeting.&lt;br /&gt;
&lt;br /&gt;
Friends of the print press and multimedia, do not hesitate to call on us if you would like our help with your articles and reports; you are welcome and we would be honored. We need you too. Make use of our know-how in a win-win perspective!&lt;br /&gt;
&lt;br /&gt;
We remain modest in our approach; we would like the OWASP France Chapter to become one of your reference contacts. '''Together, each achieves more'''!&lt;br /&gt;
&lt;br /&gt;
                                      '''TEAM stands for... Together Each Achieves More!'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
==Looking Forward… and Beyond, Distinctiveness Through Security Excellence==&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/5/50/Looking_Forward%E2%80%A6_and_Beyond.pptx Looking Forward… and Beyond]&amp;quot;&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Here is a presentation I gave in Sept for a big Software maker in an internal meeting. This presentation aims to be re-used at your convenience depending on the needs / your context. Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes, or people and firms interested in OWASP and willing to join the Foundation as Member. The first 2 parts are more an update for those who are not yet familiar with OWASP, the 3rd part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway. Enjoy and feel free to email me, all comments welcome!&lt;br /&gt;
&lt;br /&gt;
 '''Speaker''' : Ludovic Petit &lt;br /&gt;
&lt;br /&gt;
==28 March 2012 First-Quarter Meeting==&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Metro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/6/6d/Developer_Top_Ten_Core_Controls_v4.1.pptx Top Ten Web Defenses]&amp;quot;&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. &lt;br /&gt;
This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. &lt;br /&gt;
Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
This talk will also detail several of the key access control anti-patterns commonly found during website security audits. &lt;br /&gt;
These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. &lt;br /&gt;
In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico &lt;br /&gt;
Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. &lt;br /&gt;
He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.&lt;br /&gt;
 '''Enregistrement en ligne sur''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== 7 et 8 Février 2012 - [http://www.microsoft.com/france/mstechdays/ Techdays Microsoft 2012] ==&lt;br /&gt;
&lt;br /&gt;
Sébastien présentera un talk sur [http://www.microsoft.com/france/mstechdays/programmes/parcours.aspx?SessionID=62e02774-6045-4be8-80ff-8332a793ad4f HTML5et la Sécurité]  le 7 Février 2012 à 17h30. &lt;br /&gt;
Plus d'informations sur la page dédiée aux TechDays Microsoft 2012. ==&lt;br /&gt;
&lt;br /&gt;
== 6 Janvier 2012 - Nouveau Groupe de Travail sur la Sécurité des Web Services au [http://www.clusif.fr CLUSIF]  ==&lt;br /&gt;
&lt;br /&gt;
Dans la continuité du Groupe de Travail sur la Sécurité des Application Web initialement créé en 2009, le CLUSIF a lancé un nouveau groupe de travail autour de la sécurité des WebServices. N'hésitez pas à participer si vous êtes intéressés. Le CLUSIF recherche des utilisateurs pour ce groupe de travail et des personnes en environnements Microsoft pour disposer d'un panel le plus large possible pour ce document&lt;br /&gt;
&lt;br /&gt;
Contact : [mailto:sebastien.gioria@owasp.org Sébastien Gioria]&lt;br /&gt;
&lt;br /&gt;
== 19 Décembre 2011 - Publication du deuxième document du [http://www.clusif.fr CLUSIF]  sur la Sécurité des Applications Web ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF has published its second document, on [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Defense-en-profondeur-des-applications-Web.pdf Défense en profondeur des applications Web] (defense in depth for web applications). This document follows the [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf first document published in 2009]. &lt;br /&gt;
&lt;br /&gt;
== 15 December 2011 - [http://www.clusif.fr CLUSIF] conference on [http://www.clusif.fr/fr/infos/event/#conf111215  web application security] ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF presented the Web Application Security conference on Thursday 15 December 2011 at the Cercle National des Armées.&lt;br /&gt;
The programme was: &lt;br /&gt;
&lt;br /&gt;
* Implementing an application security policy: lessons learned by a CISO, by Philippe LARUE - Security Manager - [http://www.cbp-prevoyance.com/ CBP]&lt;br /&gt;
* Source code review or application security testing: which is more efficient for assessing an application's security level? by Sébastien GIORIA - Senior Consultant at [http://www.groupey.fr Groupe Y] and leader of the French chapter of [https://www.owasp.org OWASP] - OWASP France&lt;br /&gt;
* The regulatory stakes of protecting information online, by Garance MATHIAS - Lawyer - Law Firm&lt;br /&gt;
&lt;br /&gt;
The presentations are available on the [http://www.clusif.fr CLUSIF] website; videos of the talks will also be available.&lt;br /&gt;
&lt;br /&gt;
== 2 December 2011 - [[OWASP BeNeLux 2011 Conference - University of Luxembourg]] ==&lt;br /&gt;
&lt;br /&gt;
Ludovic gave a talk about &amp;quot;[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd WebApp Security and Legal aspects]&amp;quot;  on Dec 2.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**This presentation aims to be used by anybody willing to spread the voice of OWASP. See this as an Awareness session.&lt;br /&gt;
**Use it and use it again. &lt;br /&gt;
**Try to open your mind, just let me know if I can help. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/5/55/Do_you..._Legal_-_OWASP_BeNeLux_Day_-_2_Dec_2011.pptx Do you... Legal?]&amp;quot;'''&lt;br /&gt;
**The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsibility, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is especially true for Web Application Security, much sensitive information having to be handled through these web interfaces. As such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting, isn't it? Let's have a talk about this. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [[EUROPE - ENISA’s Who-is-Who Directory on Network and Information Security]] ===&lt;br /&gt;
&lt;br /&gt;
We are pleased to announce that OWASP France is part of the [http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011 ENISA’s Who-is-Who Directory].&lt;br /&gt;
&lt;br /&gt;
The ENISA is the European Network and Information Security Agency.&lt;br /&gt;
[http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011/at_download/fullReport The ENISA Who-is-Who Directory on Network and Information Security 2011] contains information on NIS stakeholders, such as national and European authorities and NIS organisations, contact details, websites, and areas of responsibilities or activities. &lt;br /&gt;
This Directory serves as the &amp;quot;yellow pages&amp;quot; of Network and Information Security (NIS) in Europe. As such, it is a useful tool for those working closely with NIS issues in Europe.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OWASP France call for contributions =&lt;br /&gt;
&lt;br /&gt;
The Chapter's various calls for contributions (sponsors, talks, etc.) will be relayed here.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= External calls for contributions =&lt;br /&gt;
&lt;br /&gt;
Calls for contributions that we consider of interest to the Chapter will be relayed here. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Meetings 2012 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2012 ==&lt;br /&gt;
 '''Date''' : 28 March 2012&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Metro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : Web Application Access Control Design Excellence&lt;br /&gt;
 '''Abstract''' : Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
                    This talk will discuss several of the key access control anti-patterns commonly found during &lt;br /&gt;
                     website security audits. These access control anti-patterns include hard-coded security policies, &lt;br /&gt;
                     lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these&lt;br /&gt;
                     and other access control problems, we will discuss and design a positive access control mechanism &lt;br /&gt;
                     that is data contextual, activity based, configurable, flexible, and deny-by-default - among other&lt;br /&gt;
                     positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico&lt;br /&gt;
 '''Online registration here''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== Q2 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q3 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q4 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= 2011 Meetings =&lt;br /&gt;
&lt;br /&gt;
=== [[May 2011 - Paris Meeting]] ===&lt;br /&gt;
&lt;br /&gt;
[Logo to be placed here]&lt;br /&gt;
&lt;br /&gt;
We are honored to welcome '''Jim Manico''' during his European Tour in the Netherlands, Belgium and France.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document &amp;amp; Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle. &lt;br /&gt;
**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. &lt;br /&gt;
**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered. &lt;br /&gt;
**If you are interested in participating in the hands on portion of the course, please bring a laptop. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/f/f4/Future_of_XSS_v4.pptx The Ghost of XSS Past, Present and Future. A Defensive Tale]&amp;quot;'''&lt;br /&gt;
**This talk will discuss the past methods used for XSS defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google CAJA project and JSReg. &lt;br /&gt;
&lt;br /&gt;
*'''Speaker'''&lt;br /&gt;
**'''Jim Manico''' is a managing partner of Infrared Security with over 15 years of professional web development experience. Jim is also the Chair of the OWASP Connections Committee, one of the Project Managers of the OWASP ESAPI Project, a participant and manager of the OWASP Cheatsheet series, the Producer and host of the OWASP Podcast Series, the Manager of the OWASP Java HTML Sanitizer project and the manager of the OWASP Java Encoder project. When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.&lt;br /&gt;
&lt;br /&gt;
*'''Date'''&lt;br /&gt;
**May 24, 2011 &lt;br /&gt;
&lt;br /&gt;
*'''Venue'''&lt;br /&gt;
**Paris&lt;br /&gt;
&lt;br /&gt;
*'''Registration'''&lt;br /&gt;
**[http://www.regonline.com/Register/Checkin.aspx?EventID=971375 Click here]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 26 April 2011 ==&lt;br /&gt;
&lt;br /&gt;
'''26 April 2011 at the offices of [http://www.groupey.fr/nos-cabinets-paris.html GROUPE Y]:'''&lt;br /&gt;
&lt;br /&gt;
* 9:00: [https://www.owasp.org/images/2/2f/Agenda_26th_April_2011.pptx Introduction] - '''Ludovic Petit''' &amp;amp; '''Sébastien Gioria'''&lt;br /&gt;
* 9:30: [https://www.owasp.org/images/3/36/OPENSAMM2.pptx OpenSAMM] - '''Antonio Fontes''' (Chapter Leader OWASP Geneva) &lt;br /&gt;
* 11:00: [https://www.owasp.org/images/c/cf/OWASP_Cloud_Top_10.pptx OWASP Cloud Top 10 Project] - '''Ludovic Petit''' (Chapter Leader OWASP France &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 11:45: [https://www.owasp.org/images/5/5c/ESAPI_Swingset_talk_at_Paris.ppt OWASP ESAPI] - '''Fabio Cerullo''' (Chapter Leader OWASP Ireland &amp;amp; Global Education Committee)&lt;br /&gt;
* 14:15: [https://www.owasp.org/images/3/38/OWASP_Testing_Guide.pptx OWASP Testing Guide]  - '''Sébastien Gioria''' (French Chapter Leader &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 15:15: [http://o2platform.com OWASP O2 Platform - Live Session] - '''Dinis Cruz''' (OWASP O2 Project Leader)&lt;br /&gt;
* 16:30: [https://www.owasp.org/images/9/96/OWASP-Paris2011-VV-CodeReview.pdf OWASP Code Review] - '''Victor Vuillard'''&lt;br /&gt;
&lt;br /&gt;
= 2009 Meetings =&lt;br /&gt;
&lt;br /&gt;
'''6 May 2009 at 17h30 at [http://www.epitech.eu EPITECH]:'''&lt;br /&gt;
&lt;br /&gt;
* 17h30 : Welcome of participants&lt;br /&gt;
* 18h - 18h 15 : [http://www.owasp.org/images/d/dc/OWASP_Paris_Meeting_-_May_2009.pdf Welcome and overview of agenda] '''(OWASP France Board)'''&lt;br /&gt;
* 18h30 - 19h : [http://www.owasp.org/images/6/6b/2009-05-06-OWASPFR-WebServices.pdf Attacks on Web Services] - '''Renaud Bidou'''&lt;br /&gt;
* 19h15 - 19h45 : [http://www.owasp.org/images/8/82/2009-05-06-OWASPFR-OpenSAM.pdf Software Security Initiatives in the Real World] - '''Claudio Merloni'''&lt;br /&gt;
* 20h : Close &lt;br /&gt;
&lt;br /&gt;
About the speakers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Renaud Bidou :''' ''Technical Director of DenyAll. He has worked in security for more than 10 years and has published numerous articles and white papers on topics as varied as denial of service, port knockers, botnets, setting up a SOC, graphical analysis of attacks, and evasion techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Claudio Merloni : '''''Claudio Merloni is a Software Security Consultant at Fortify Software. His security experience covers application security, code review, secure architectures, risk analysis, compliance, security testing at the network, system and application levels, monitoring, and access control. He has taken part in several conferences, including BlackHat and CONFidence.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Venue: EPITECH'''&lt;br /&gt;
&lt;br /&gt;
Amphi 2&lt;br /&gt;
&lt;br /&gt;
14-16 rue Voltaire&lt;br /&gt;
&lt;br /&gt;
94276 Kremlin Bicêtre Cedex &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''Getting there: Metro''&lt;br /&gt;
* line 7: Porte d'Italie&lt;br /&gt;
&lt;br /&gt;
''Bus''&lt;br /&gt;
* lines 47, 125, 131, 185: Roger Salengro&lt;br /&gt;
* line 186: Pierre Brossolette &amp;lt;br/&amp;gt; &lt;br /&gt;
&lt;br /&gt;
''By car''&lt;br /&gt;
* ring road (périphérique): Porte d'Italie exit &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Translation effort =&lt;br /&gt;
&lt;br /&gt;
* The '''OWASP TOP Ten 2010 in French''' is [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf available]&lt;br /&gt;
* 2010-08-30 : The French version of the Top 10 2010 is available [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] &lt;br /&gt;
* 2008-02-15 : The Top 10 2007 is available in French: [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.pdf PDF format], [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.doc Word format]&lt;br /&gt;
* 2007-11-16 : [https://www.owasp.org/images/5/52/Owasp_tryptique.pdf Two-page double-sided leaflet] presenting OWASP for Infosecurity.&lt;br /&gt;
* 2007-02-27 : [[Newsletter_francaise_num%C3%A9ro_1]]&lt;br /&gt;
* 2007-06-20 : OWASP presentation given in NY in June 2007 [https://www.owasp.org/images/7/71/20070620-FR-OWASP_NY_Keynote.ppt]&lt;br /&gt;
[[Category:Europe]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Old News = &lt;br /&gt;
&lt;br /&gt;
* 2009-06-09 : [http://www.owasp.org/images/d/d2/20090609-CERT-IST-WAF-v0.1.pdf Talk on WAFs] at the [http://www.cert-ist.com CERT-IST] Forum &lt;br /&gt;
* 2009-02-03 : OWASP France will be present at [http://www.pci-portal.com/events/event-info/paris PCI Paris]. The presentation is: [https://www.owasp.org/images/f/fb/20090203-OWASP_PCI-Global_2009_Paris_-_v03.ppt OWASP and PCI-DSS requirement 6.5]&lt;br /&gt;
* 2008-11-19 : OWASP France will be present at [http://www.infosecurity.com.fr/FR/badge?ref=OWAW Infosecurity France] in Paris:&lt;br /&gt;
[http://www.infosecurity.com.fr/index.php?argRedirect=FR|badge&amp;amp;Lang=FR&amp;amp;ref=OWAW https://www.owasp.org/images/8/88/Infosecurity.gif]&lt;br /&gt;
&lt;br /&gt;
* 2008-07-08 : OWASP France presented the OWASP project to [http://www.ossir.org OSSIR]. The presentation is available on the [https://www.owasp.org/images/9/94/20080708-OWASP_OSSIR.ppt OWASP] website&lt;br /&gt;
* 2008-02-15 : The Top 10 2007 is available in French&lt;br /&gt;
* 2008-02-11 : Presentation at [http://www.owasp.org/images/0/09/20080129-OWASP_TechDays_France_.ppt  TechDays 2008 Microsoft ]&lt;br /&gt;
* 2007-11-22 : Presentation of [http://www.owasp.org/images/8/85/20071122-OWASP_Infosecurity_France.ppt OWASP] at Infosecurity France&lt;br /&gt;
* 2007-11-07 : Interview in the [http://www.journaldunet.com/developpeur/itws/071106-securite-applicative-owasp.shtml Journal du Net]&lt;br /&gt;
* 2007-10-05 : OWASP France will present the challenges of securing [http://www.infosecurity.com.fr/?Jpto=116&amp;amp;KM_Session=f345bb91df954e6cbc0148328f109e94&amp;amp;CurrentNode=518&amp;amp;Lang=FR&amp;amp;IdNode=708 Web Services at Infosecurity France on 22/11/2007]&lt;br /&gt;
* 2006-12-18 : Creation of the association to support the OWASP group&lt;br /&gt;
* 2006-12-14 : The OWASP Viaduc hub has been launched http://www.viadeo.com/hub/affichehub/?hubId=002fj37grgb7o7n&lt;br /&gt;
* 2006-12-13 : Birth of the French chapter of OWASP. A mailing list is available. [http://lists.owasp.org/mailman/listinfo/owasp-france Subscribe]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=France&amp;diff=142706</id>
		<title>France</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=France&amp;diff=142706"/>
				<updated>2013-01-23T16:02:43Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=France|extra=The '''Chapter Leaders''' are [mailto:ludovic.petit@owasp.org Ludovic Petit] and [mailto:sebastien.gioria@owasp.org Sebastien Gioria]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-france|emailarchives=http://lists.owasp.org/pipermail/owasp-france}}'''&lt;br /&gt;
&amp;lt;paypal&amp;gt;France Chapter&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''The French Chapter is also available on LinkedIn''': [http://www.linkedin.com/groupInvitation?gid=1638517  '''Join us''', it only takes a minute!]&lt;br /&gt;
&lt;br /&gt;
== Contacts, Presentations, Contributions &amp;amp; Partnerships ==&lt;br /&gt;
&lt;br /&gt;
*[mailto:sebastien.gioria@owasp.org Sebastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit] are available if you would like information or wish to discuss the added value offered by the OWASP Foundation, as well as Web Application Security.&lt;br /&gt;
&lt;br /&gt;
Companies, individuals, academia, sponsors, supporters: everyone is welcome at OWASP! Access to our Chapter meetings is free and open to all.&lt;br /&gt;
&lt;br /&gt;
For companies wishing to join OWASP, the basic annual membership fee is $5000 US (40% of which goes to the Project or Chapter of your choice), 100% deductible in the USA and 60% deductible in France. &lt;br /&gt;
&lt;br /&gt;
The funds collected are used to organize the Chapter's meetings, but also and above all to build and organize with you a specific, collaborative approach that meets your needs (awareness sessions, internal meetings, speaker engagements, etc.). All of this can be discussed with the French Chapter and agreed jointly with you if you wish to join OWASP. &lt;br /&gt;
&lt;br /&gt;
Do not hesitate to contact us if you would like to discuss a particular topic, or if you would like to give a presentation at a France Chapter meeting.&lt;br /&gt;
&lt;br /&gt;
Friends in the print and multimedia press, do not hesitate to call on us if you would like our help with your articles and reports; you are welcome and we would be honored. We need you too.&lt;br /&gt;
&lt;br /&gt;
We remain modest in our approach, but we truly want the OWASP France Chapter to become one of your reference contacts. '''Together, each achieves more'''!&lt;br /&gt;
&lt;br /&gt;
                                      '''TEAM stands for... Together Each Achieves More!'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
==Looking Forward… and Beyond, Distinctiveness Through Security Excellence==&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/5/50/Looking_Forward%E2%80%A6_and_Beyond.pptx Looking Forward… and Beyond]&amp;quot;'''&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Here is a presentation I gave in Sept for a big Software maker in an internal meeting. This presentation aims to be re-used at your convenience depending the needs / your context. Designed into 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes, or people and firms interested about OWASP and willing to join the Foundation as Member. The first 2 parts are more an update for those who are not yet familiar with OWASP, the 3rd part being more specific because about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway. Enjoy and feel free to email me, all comments welcome!&lt;br /&gt;
&lt;br /&gt;
 '''Speaker''' : Ludovic Petit &lt;br /&gt;
&lt;br /&gt;
==28 March 2012 - First-quarter meeting==&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Metro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/6/6d/Developer_Top_Ten_Core_Controls_v4.1.pptx Top Ten Web Defenses]&amp;quot;'''&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. &lt;br /&gt;
This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. &lt;br /&gt;
Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
This talk will also detail several of the key access control anti-patterns commonly found during website security audits. &lt;br /&gt;
These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. &lt;br /&gt;
In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico &lt;br /&gt;
Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. &lt;br /&gt;
He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.&lt;br /&gt;
 '''Online registration at''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== 7 and 8 February 2012 - [http://www.microsoft.com/france/mstechdays/ Techdays Microsoft 2012] ==&lt;br /&gt;
&lt;br /&gt;
Sébastien will give a talk on [http://www.microsoft.com/france/mstechdays/programmes/parcours.aspx?SessionID=62e02774-6045-4be8-80ff-8332a793ad4f HTML5 et la Sécurité] on 7 February 2012 at 17h30. &lt;br /&gt;
More information is available on the page dedicated to TechDays Microsoft 2012.&lt;br /&gt;
&lt;br /&gt;
== 6 January 2012 - New Working Group on Web Services Security at [http://www.clusif.fr CLUSIF]  ==&lt;br /&gt;
&lt;br /&gt;
Following on from the Web Application Security Working Group originally created in 2009, CLUSIF has launched a new working group on Web Services security. Feel free to take part if you are interested. CLUSIF is looking for users for this working group, and for people working in Microsoft environments, so as to have the broadest possible panel for this document.&lt;br /&gt;
&lt;br /&gt;
Contact : [mailto:sebastien.gioria@owasp.org Sébastien Gioria]&lt;br /&gt;
&lt;br /&gt;
== 19 December 2011 - Publication of the second [http://www.clusif.fr CLUSIF] document on Web Application Security ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF has published its second document, on [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Defense-en-profondeur-des-applications-Web.pdf Défense en profondeur des applications Web] (defense in depth for web applications). This document follows the [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf first document published in 2009]. &lt;br /&gt;
&lt;br /&gt;
== 15 December 2011 - [http://www.clusif.fr CLUSIF] conference on [http://www.clusif.fr/fr/infos/event/#conf111215  web application security] ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF presented the Web Application Security conference on Thursday 15 December 2011 at the Cercle National des Armées.&lt;br /&gt;
The programme was: &lt;br /&gt;
&lt;br /&gt;
* Implementing an application security policy: lessons learned by a CISO, by Philippe LARUE - Security Manager - [http://www.cbp-prevoyance.com/ CBP]&lt;br /&gt;
* Source code review or application security testing: which is more efficient for assessing an application's security level? by Sébastien GIORIA - Senior Consultant at [http://www.groupey.fr Groupe Y] and leader of the French chapter of [https://www.owasp.org OWASP] - OWASP France&lt;br /&gt;
* The regulatory stakes of protecting information online, by Garance MATHIAS - Lawyer - Law Firm&lt;br /&gt;
&lt;br /&gt;
The presentations are available on the [http://www.clusif.fr CLUSIF] website; videos of the talks will also be available.&lt;br /&gt;
&lt;br /&gt;
== 2 December 2011 - [[OWASP BeNeLux 2011 Conference - University of Luxembourg]] ==&lt;br /&gt;
&lt;br /&gt;
Ludovic gave a talk about &amp;quot;[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd WebApp Security and Legal aspects]&amp;quot;  on Dec 2.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**This presentation aims to be used by anybody willing to spread the voice of OWASP. See this as an Awareness session.&lt;br /&gt;
**Use it and use it again. &lt;br /&gt;
**Try to open your mind, just let me know if I can help. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/5/55/Do_you..._Legal_-_OWASP_BeNeLux_Day_-_2_Dec_2011.pptx Do you... Legal?]&amp;quot;'''&lt;br /&gt;
**The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsibility, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is especially true for Web Application Security, much sensitive information having to be handled through these web interfaces. As such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting, isn't it? Let's have a talk about this. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [[EUROPE - ENISA’s Who-is-Who Directory on Network and Information Security]] ===&lt;br /&gt;
&lt;br /&gt;
We are pleased to announce that OWASP France is part of the [http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011 ENISA’s Who-is-Who Directory].&lt;br /&gt;
&lt;br /&gt;
The ENISA is the European Network and Information Security Agency.&lt;br /&gt;
[http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011/at_download/fullReport The ENISA Who-is-Who Directory on Network and Information Security 2011] contains information on NIS stakeholders, such as national and European authorities and NIS organisations, contact details, websites, and areas of responsibilities or activities. &lt;br /&gt;
This Directory serves as the &amp;quot;yellow pages&amp;quot; of Network and Information Security (NIS) in Europe. As such, it is a useful tool for those working closely with NIS issues in Europe.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OWASP France call for contributions =&lt;br /&gt;
&lt;br /&gt;
The Chapter's various calls for contributions (sponsors, talks, etc.) will be relayed here.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= External calls for contributions =&lt;br /&gt;
&lt;br /&gt;
Calls for contributions that we consider of interest to the Chapter will be relayed here. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Meetings 2012 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2012 ==&lt;br /&gt;
 '''Date''' : 28 March 2012&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Metro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : Web Application Access Control Design Excellence&lt;br /&gt;
 '''Abstract''' : Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
                    This talk will discuss several of the key access control anti-patterns commonly found during &lt;br /&gt;
                     website security audits. These access control anti-patterns include hard-coded security policies, &lt;br /&gt;
                     lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these&lt;br /&gt;
                     and other access control problems, we will discuss and design a positive access control mechanism &lt;br /&gt;
                     that is data contextual, activity based, configurable, flexible, and deny-by-default - among other&lt;br /&gt;
                     positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico&lt;br /&gt;
 '''Online registration here''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== Q2 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q3 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q4 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= 2011 Meetings =&lt;br /&gt;
&lt;br /&gt;
=== [[May 2011 - Paris Meeting]] ===&lt;br /&gt;
&lt;br /&gt;
[Logo to be placed here]&lt;br /&gt;
&lt;br /&gt;
We are honored to welcome '''Jim Manico''' during his European Tour in the Netherlands, Belgium and France.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document &amp;amp; Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle. &lt;br /&gt;
**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. &lt;br /&gt;
**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered. &lt;br /&gt;
**If you are interested in participating in the hands on portion of the course, please bring a laptop. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/f/f4/Future_of_XSS_v4.pptx The Ghost of XSS Past, Present and Future. A Defensive Tale]&amp;quot;'''&lt;br /&gt;
**This talk will discuss the past methods used for XSS defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and Javascript sandboxes such as the Google CAJA project and JSReg. &lt;br /&gt;
&lt;br /&gt;
*'''Speaker'''&lt;br /&gt;
**'''Jim Manico''' is a managing partner of Infrared Security with over 15 years of professional web development experience. Jim is also the Chair of the OWASP Connections Committee, one of the Project Managers of the OWASP ESAPI Project, a participant and manager of the OWASP Cheatsheet series, the Producer and host of the OWASP Podcast Series, the Manager of the OWASP Java HTML Sanitizer project and the manager of the OWASP Java Encoder project. When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.&lt;br /&gt;
&lt;br /&gt;
*'''Date'''&lt;br /&gt;
**May 24, 2011 &lt;br /&gt;
&lt;br /&gt;
*'''Venue'''&lt;br /&gt;
**Paris&lt;br /&gt;
&lt;br /&gt;
*'''Registration'''&lt;br /&gt;
**[http://www.regonline.com/Register/Checkin.aspx?EventID=971375 Click here]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== April 26, 2011 ==&lt;br /&gt;
&lt;br /&gt;
'''April 26, 2011, at the offices of [http://www.groupey.fr/nos-cabinets-paris.html GROUPE Y]:'''&lt;br /&gt;
&lt;br /&gt;
* 9:00: [https://www.owasp.org/images/2/2f/Agenda_26th_April_2011.pptx Introduction] - '''Ludovic Petit''' &amp;amp; '''Sébastien Gioria'''&lt;br /&gt;
* 9:30: [https://www.owasp.org/images/3/36/OPENSAMM2.pptx OpenSAMM] - '''Antonio Fontes''' (Chapter Leader OWASP Geneva) &lt;br /&gt;
* 11:00: [https://www.owasp.org/images/c/cf/OWASP_Cloud_Top_10.pptx OWASP Cloud Top 10 Project] - '''Ludovic Petit''' (Chapter Leader OWASP France &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 11:45: [https://www.owasp.org/images/5/5c/ESAPI_Swingset_talk_at_Paris.ppt OWASP ESAPI] - '''Fabio Cerullo''' (Chapter Leader OWASP Ireland &amp;amp; Global Education Committee)&lt;br /&gt;
* 14:15: [https://www.owasp.org/images/3/38/OWASP_Testing_Guide.pptx OWASP Testing Guide]  - '''Sébastien Gioria''' (French Chapter Leader &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 15:15: [http://o2platform.com OWASP O2 Platform - Live Session] - '''Dinis Cruz''' (OWASP O2 Project Leader)&lt;br /&gt;
* 16:30: [https://www.owasp.org/images/9/96/OWASP-Paris2011-VV-CodeReview.pdf OWASP Code Review] - '''Victor Vuillard'''&lt;br /&gt;
&lt;br /&gt;
= 2009 Meetings =&lt;br /&gt;
&lt;br /&gt;
'''May 6, 2009 at 17:30 at [http://www.epitech.eu EPITECH]:'''&lt;br /&gt;
&lt;br /&gt;
* 17:30: Welcome of participants&lt;br /&gt;
* 18:00 - 18:15: [http://www.owasp.org/images/d/dc/OWASP_Paris_Meeting_-_May_2009.pdf Welcome and overview of agenda] '''(Board OWASP France)'''&lt;br /&gt;
* 18:30 - 19:00: [http://www.owasp.org/images/6/6b/2009-05-06-OWASPFR-WebServices.pdf Attaques sur les Web Services] - '''Renaud Bidou'''&lt;br /&gt;
* 19:15 - 19:45: [http://www.owasp.org/images/8/82/2009-05-06-OWASPFR-OpenSAM.pdf Software Security Initiatives in the Real World] - '''Claudio Merloni'''&lt;br /&gt;
* 20:00: Close &lt;br /&gt;
&lt;br /&gt;
About the speakers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Renaud Bidou:''' ''Technical Director of DenyAll. He has worked in security for more than 10 years and has published numerous articles and white papers on subjects as varied as denial of service, port knockers, botnets, setting up a SOC, graphical analysis of attacks, and bypass techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Claudio Merloni: '''''Claudio Merloni is a Software Security Consultant at Fortify Software. His security experience covers application security, code review, secure architectures, risk analysis, compliance, security testing at the network, system and application levels, monitoring, and access control. He has taken part in several conferences, including BlackHat and CONFidence.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Venue: EPITECH'''&lt;br /&gt;
&lt;br /&gt;
Amphi 2&lt;br /&gt;
&lt;br /&gt;
14-16 rue Voltaire&lt;br /&gt;
&lt;br /&gt;
94276 Kremlin Bicêtre Cedex &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''Getting there: Metro''&lt;br /&gt;
* line 7: Porte d'Italie&lt;br /&gt;
&lt;br /&gt;
''Bus''&lt;br /&gt;
* lines 47, 125, 131, 185: Roger Salengro&lt;br /&gt;
* line 186: Pierre Brossolette &amp;lt;br/&amp;gt; &lt;br /&gt;
&lt;br /&gt;
''Car''&lt;br /&gt;
* ring road (périphérique): Porte d'Italie exit &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Translation effort =&lt;br /&gt;
&lt;br /&gt;
* The '''OWASP TOP Ten 2010 in French''' is [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf available]&lt;br /&gt;
* 2010-08-30 : The French version of the Top 10 2010 is available [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] &lt;br /&gt;
* 2008-02-15 : The Top 10 2007 is available in French: [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.pdf PDF format], [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.doc Word format]&lt;br /&gt;
* 2007-11-16 : [https://www.owasp.org/images/5/52/Owasp_tryptique.pdf Two-page double-sided folio] presentation for Infosecurity.&lt;br /&gt;
* 2007-02-27 : [[Newsletter_francaise_num%C3%A9ro_1]]&lt;br /&gt;
* 2007-06-20 : OWASP presentation given in NY in June 2007 [https://www.owasp.org/images/7/71/20070620-FR-OWASP_NY_Keynote.ppt]&lt;br /&gt;
[[Category:Europe]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Old News = &lt;br /&gt;
&lt;br /&gt;
* 2009-06-09 : [http://www.owasp.org/images/d/d2/20090609-CERT-IST-WAF-v0.1.pdf Talk on WAFs] at the [http://www.cert-ist.com CERT-IST] Forum &lt;br /&gt;
* 2009-02-03 : OWASP France will be present at [http://www.pci-portal.com/events/event-info/paris PCI Paris]. The presentation is: [https://www.owasp.org/images/f/fb/20090203-OWASP_PCI-Global_2009_Paris_-_v03.ppt OWASP and PCI-DSS requirement 6.5]&lt;br /&gt;
* 2008-11-19 : OWASP France will be present at  [http://www.infosecurity.com.fr/FR/badge?ref=OWAW Infosecurity France] in Paris:&lt;br /&gt;
[http://www.infosecurity.com.fr/index.php?argRedirect=FR|badge&amp;amp;Lang=FR&amp;amp;ref=OWAW https://www.owasp.org/images/8/88/Infosecurity.gif]&lt;br /&gt;
&lt;br /&gt;
* 2008-07-08 : OWASP France presented the OWASP project to [http://www.ossir.org OSSIR]. The presentation is available on the [https://www.owasp.org/images/9/94/20080708-OWASP_OSSIR.ppt OWASP] site&lt;br /&gt;
* 2008-02-15 : The Top 10 2007 is available in French&lt;br /&gt;
* 2008-02-11 : Presentation at [http://www.owasp.org/images/0/09/20080129-OWASP_TechDays_France_.ppt  Microsoft TechDays 2008]&lt;br /&gt;
* 2007-11-22 : [http://www.owasp.org/images/8/85/20071122-OWASP_Infosecurity_France.ppt OWASP presentation] at Infosecurity France&lt;br /&gt;
* 2007-11-07 : Interview in the  [http://www.journaldunet.com/developpeur/itws/071106-securite-applicative-owasp.shtml Journal du Net]&lt;br /&gt;
* 2007-10-05 : OWASP France will present the security challenges of [http://www.infosecurity.com.fr/?Jpto=116&amp;amp;KM_Session=f345bb91df954e6cbc0148328f109e94&amp;amp;CurrentNode=518&amp;amp;Lang=FR&amp;amp;IdNode=708 Web Services at Infosecurity France on 22/11/2007]&lt;br /&gt;
* 2006-12-18 : Creation of the association to support the OWASP group&lt;br /&gt;
* 2006-12-14 : The OWASP Viaduc Hub has been launched http://www.viadeo.com/hub/affichehub/?hubId=002fj37grgb7o7n&lt;br /&gt;
* 2006-12-13 : Birth of the French chapter of OWASP. A mailing list is available. [http://lists.owasp.org/mailman/listinfo/owasp-france Subscribe]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=France&amp;diff=142405</id>
		<title>France</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=France&amp;diff=142405"/>
				<updated>2013-01-16T22:14:07Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=France|extra=The '''Chapter Leaders''' are [mailto:ludovic.petit@owasp.org Ludovic Petit] and [mailto:sebastien.gioria@owasp.org Sebastien Gioria]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-france|emailarchives=http://lists.owasp.org/pipermail/owasp-france}}'''&lt;br /&gt;
&amp;lt;paypal&amp;gt;France Chapter&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''The French Chapter is also available on LinkedIn''': [http://www.linkedin.com/groupInvitation?gid=1638517  '''Join us''', it only takes a minute!]&lt;br /&gt;
&lt;br /&gt;
== Contacts, Presentations, Contributions &amp;amp; Partnerships ==&lt;br /&gt;
&lt;br /&gt;
*[mailto:sebastien.gioria@owasp.org Sebastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit] are available if you would like information or wish to discuss the added value offered by the OWASP Foundation, as well as Web Application Security.&lt;br /&gt;
&lt;br /&gt;
Companies, individuals, academia, sponsors, supporters: everyone is welcome at OWASP! Access to our Chapter meetings is free and open to all.&lt;br /&gt;
&lt;br /&gt;
For companies wishing to join OWASP, the basic annual membership fee is $5000 US (40% of which goes to the Project or Chapter of your choice), 100% deductible in the USA and 60% deductible in France &lt;br /&gt;
&lt;br /&gt;
The funds collected are used to organize the Chapter meetings, but also and above all to build and organize with you a specific collegial approach that meets your wishes (awareness sessions, internal meetings, talks by speakers, etc.). All of this can be discussed with the French Chapter and agreed jointly with you if you wish to join OWASP. &lt;br /&gt;
&lt;br /&gt;
Do not hesitate to contact us if you would like to discuss a particular topic, or if you would like to give a presentation at a France Chapter meeting.&lt;br /&gt;
&lt;br /&gt;
Friends in the print press and multimedia, do not hesitate to call on us if you would like our help with your articles and reports; you are welcome and we would be honored. We need you too.&lt;br /&gt;
&lt;br /&gt;
We remain modest in our approach, but we truly want the OWASP France Chapter to become one of your reference contacts. '''Together, each achieves more'''!&lt;br /&gt;
&lt;br /&gt;
                                      '''TEAM stands for... Together Each Achieves More!'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
==Looking Forward… and Beyond, Distinctiveness Through Security Excellence==&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/5/50/Looking_Forward%E2%80%A6_and_Beyond.pptx Looking Forward… and Beyond]&amp;quot;&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Here is a presentation I gave in Sept for a big Software maker in an internal meeting (the name has been anonymized on request). This presentation aims to be re-used at your convenience depending on the needs / your context. Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes, or people and firms interested in OWASP and willing to join the Foundation as a Member. The first 2 parts are more an update for those who are not yet familiar with OWASP, the 3rd part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway. Enjoy and feel free to email me, all comments welcome!&lt;br /&gt;
&lt;br /&gt;
 '''Speaker''' : Ludovic Petit &lt;br /&gt;
&lt;br /&gt;
==March 28, 2012 - First-quarter meeting==&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17:30 - Presentation starts 18:00&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/6/6d/Developer_Top_Ten_Core_Controls_v4.1.pptx Top Ten Web Defenses]&amp;quot;&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. &lt;br /&gt;
This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. &lt;br /&gt;
Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
This talk will also detail several of the key access control anti-patterns commonly found during website security audits. &lt;br /&gt;
These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. &lt;br /&gt;
In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico &lt;br /&gt;
Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. &lt;br /&gt;
He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.&lt;br /&gt;
 '''Online registration at''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== February 7 and 8, 2012 - [http://www.microsoft.com/france/mstechdays/ Techdays Microsoft 2012] ==&lt;br /&gt;
&lt;br /&gt;
Sébastien will give a talk on [http://www.microsoft.com/france/mstechdays/programmes/parcours.aspx?SessionID=62e02774-6045-4be8-80ff-8332a793ad4f HTML5 and Security]  on February 7, 2012 at 17:30. &lt;br /&gt;
More information is available on the page dedicated to TechDays Microsoft 2012.&lt;br /&gt;
&lt;br /&gt;
== January 6, 2012 - New Working Group on Web Services Security at [http://www.clusif.fr CLUSIF]  ==&lt;br /&gt;
&lt;br /&gt;
Following on from the Working Group on Web Application Security originally created in 2009, CLUSIF has launched a new working group on Web Services security. Do not hesitate to take part if you are interested. CLUSIF is looking for users for this working group and for people working in Microsoft environments, in order to have the broadest possible panel for this document.&lt;br /&gt;
&lt;br /&gt;
Contact : [mailto:sebastien.gioria@owasp.org Sébastien Gioria]&lt;br /&gt;
&lt;br /&gt;
== December 19, 2011 - Publication of the second [http://www.clusif.fr CLUSIF]  document on Web Application Security ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF has published its second document, [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Defense-en-profondeur-des-applications-Web.pdf Défense en profondeur des applications Web]. This document follows the [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf first document published in 2009] &lt;br /&gt;
&lt;br /&gt;
== December 15, 2011 - [http://www.clusif.fr CLUSIF] conference on [http://www.clusif.fr/fr/infos/event/#conf111215  Web application security] ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF held the Web Application Security conference on Thursday, December 15, 2011 at the Cercle National des Armées.&lt;br /&gt;
The program was: &lt;br /&gt;
&lt;br /&gt;
* Setting up an application security policy: lessons learned by a CISO, by Philippe LARUE - Security Manager - [http://www.cbp-prevoyance.com/ CBP]&lt;br /&gt;
* Source code review or application security testing: which is more efficient for assessing an application's security level? by Sébastien GIORIA - Senior Consultant at [http://www.groupey.fr Groupe Y] and leader of the French chapter of [https://www.owasp.org OWASP] - OWASP France&lt;br /&gt;
*  The regulatory issues of protecting online information, by Garance MATHIAS - Lawyer - Law firm&lt;br /&gt;
&lt;br /&gt;
The presentations are available on the [http://www.clusif.fr CLUSIF] website; videos of the talks will also be available.&lt;br /&gt;
&lt;br /&gt;
== December 2, 2011 - [[OWASP BeNeLux 2011 Conference - University of Luxembourg]] ==&lt;br /&gt;
&lt;br /&gt;
Ludovic gave a talk on &amp;quot;[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd WebApp Security and Legal aspects]&amp;quot;  on Dec 2.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**This presentation aims to be used by anybody willing to spread the voice of OWASP. See this as an Awareness session.&lt;br /&gt;
**Use it and use it again. &lt;br /&gt;
**Try to open your mind, just let me know if I can help. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/5/55/Do_you..._Legal_-_OWASP_BeNeLux_Day_-_2_Dec_2011.pptx Do you... Legal?]&amp;quot;'''&lt;br /&gt;
**The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsibility, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is especially true for Web Application Security, much sensitive information having to be handled through these web interfaces. As such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [[EUROPE - ENISA’s Who-is-Who Directory on Network and Information Security]] ===&lt;br /&gt;
&lt;br /&gt;
We are pleased to announce that OWASP France is part of the [http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011 ENISA’s Who-is-Who Directory].&lt;br /&gt;
&lt;br /&gt;
ENISA is the European Network and Information Security Agency.&lt;br /&gt;
[http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011/at_download/fullReport The ENISA Who-is-Who Directory on Network and Information Security 2011] contains information on NIS stakeholders, such as national and European authorities and NIS organisations, contact details, websites, and areas of responsibilities or activities. &lt;br /&gt;
This Directory serves as the &amp;quot;yellow pages&amp;quot; of Network and Information Security (NIS) in Europe. As such, it is a useful tool for those working closely with NIS issues in Europe.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OWASP France Call for Contributions =&lt;br /&gt;
&lt;br /&gt;
The Chapter's various calls for contributions (sponsors, talks, etc.) will be relayed here.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= External Calls for Contributions =&lt;br /&gt;
&lt;br /&gt;
Calls for contributions that we consider of interest to the Chapter will be relayed here. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Meetings 2012 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2012 ==&lt;br /&gt;
 '''Date''' : March 28, 2012&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17:30 - Presentation starts 18:00&lt;br /&gt;
 '''Presentation''' : Web Application Access Control Design Excellence&lt;br /&gt;
 '''Abstract''' : Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
                    This talk will discuss several of the key access control anti-patterns commonly found during &lt;br /&gt;
                     website security audits. These access control anti-patterns include hard-coded security policies, &lt;br /&gt;
                     lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these&lt;br /&gt;
                     and other access control problems, we will discuss and design a positive access control mechanism &lt;br /&gt;
                     that is data contextual, activity based, configurable, flexible, and deny-by-default - among other&lt;br /&gt;
                     positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico&lt;br /&gt;
 '''Online registration here''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== Q2 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q3 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q4 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= 2011 Meetings =&lt;br /&gt;
&lt;br /&gt;
=== [[May 2011 - Paris Meeting]] ===&lt;br /&gt;
&lt;br /&gt;
[Logo to be placed here]&lt;br /&gt;
&lt;br /&gt;
We are honored to welcome '''Jim Manico''' during his European Tour in the Netherlands, Belgium and France.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document &amp;amp; Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle. &lt;br /&gt;
**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. &lt;br /&gt;
**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered. &lt;br /&gt;
**If you are interested in participating in the hands on portion of the course, please bring a laptop. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/f/f4/Future_of_XSS_v4.pptx The Ghost of XSS Past, Present and Future. A Defensive Tale]&amp;quot;'''&lt;br /&gt;
**This talk will discuss the past methods used for XSS defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and Javascript sandboxes such as the Google CAJA project and JSReg. &lt;br /&gt;
&lt;br /&gt;
*'''Speaker'''&lt;br /&gt;
**'''Jim Manico''' is a managing partner of Infrared Security with over 15 years of professional web development experience. Jim is also the Chair of the OWASP Connections Committee, one of the Project Managers of the OWASP ESAPI Project, a participant and manager of the OWASP Cheatsheet series, the Producer and host of the OWASP Podcast Series, the Manager of the OWASP Java HTML Sanitizer project and the manager of the OWASP Java Encoder project. When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.&lt;br /&gt;
&lt;br /&gt;
*'''Date'''&lt;br /&gt;
**May 24, 2011 &lt;br /&gt;
&lt;br /&gt;
*'''Venue'''&lt;br /&gt;
**Paris&lt;br /&gt;
&lt;br /&gt;
*'''Registration'''&lt;br /&gt;
**[http://www.regonline.com/Register/Checkin.aspx?EventID=971375 Click here]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== April 26, 2011 ==&lt;br /&gt;
&lt;br /&gt;
'''April 26, 2011, at the offices of [http://www.groupey.fr/nos-cabinets-paris.html GROUPE Y]:'''&lt;br /&gt;
&lt;br /&gt;
* 9:00: [https://www.owasp.org/images/2/2f/Agenda_26th_April_2011.pptx Introduction] - '''Ludovic Petit''' &amp;amp; '''Sébastien Gioria'''&lt;br /&gt;
* 9:30: [https://www.owasp.org/images/3/36/OPENSAMM2.pptx OpenSAMM] - '''Antonio Fontes''' (Chapter Leader OWASP Geneva) &lt;br /&gt;
* 11:00: [https://www.owasp.org/images/c/cf/OWASP_Cloud_Top_10.pptx OWASP Cloud Top 10 Project] - '''Ludovic Petit''' (Chapter Leader OWASP France &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 11:45: [https://www.owasp.org/images/5/5c/ESAPI_Swingset_talk_at_Paris.ppt OWASP ESAPI] - '''Fabio Cerullo''' (Chapter Leader OWASP Ireland &amp;amp; Global Education Committee)&lt;br /&gt;
* 14:15: [https://www.owasp.org/images/3/38/OWASP_Testing_Guide.pptx OWASP Testing Guide]  - '''Sébastien Gioria''' (French Chapter Leader &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 15:15: [http://o2platform.com OWASP O2 Platform - Live Session] - '''Dinis Cruz''' (OWASP O2 Project Leader)&lt;br /&gt;
* 16:30: [https://www.owasp.org/images/9/96/OWASP-Paris2011-VV-CodeReview.pdf OWASP Code Review] - '''Victor Vuillard'''&lt;br /&gt;
&lt;br /&gt;
= 2009 Meetings =&lt;br /&gt;
&lt;br /&gt;
'''May 6, 2009 at 17:30 at [http://www.epitech.eu EPITECH]:'''&lt;br /&gt;
&lt;br /&gt;
* 17:30: Welcome of participants&lt;br /&gt;
* 18:00 - 18:15: [http://www.owasp.org/images/d/dc/OWASP_Paris_Meeting_-_May_2009.pdf Welcome and overview of agenda] '''(Board OWASP France)'''&lt;br /&gt;
* 18:30 - 19:00: [http://www.owasp.org/images/6/6b/2009-05-06-OWASPFR-WebServices.pdf Attaques sur les Web Services] - '''Renaud Bidou'''&lt;br /&gt;
* 19:15 - 19:45: [http://www.owasp.org/images/8/82/2009-05-06-OWASPFR-OpenSAM.pdf Software Security Initiatives in the Real World] - '''Claudio Merloni'''&lt;br /&gt;
* 20:00: Close &lt;br /&gt;
&lt;br /&gt;
About the speakers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Renaud Bidou:''' ''Technical Director of DenyAll. He has worked in security for more than 10 years and has published numerous articles and white papers on subjects as varied as denial of service, port knockers, botnets, setting up a SOC, graphical analysis of attacks, and bypass techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Claudio Merloni: '''''Claudio Merloni is a Software Security Consultant at Fortify Software. His security experience covers application security, code review, secure architectures, risk analysis, compliance, security testing at the network, system and application levels, monitoring, and access control. He has taken part in several conferences, including BlackHat and CONFidence.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Venue: EPITECH'''&lt;br /&gt;
&lt;br /&gt;
Amphi 2&lt;br /&gt;
&lt;br /&gt;
14-16 rue Voltaire&lt;br /&gt;
&lt;br /&gt;
94276 Kremlin Bicêtre Cedex &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''Getting there: Metro''&lt;br /&gt;
* line 7: Porte d'Italie&lt;br /&gt;
&lt;br /&gt;
''Bus''&lt;br /&gt;
* lines 47, 125, 131, 185: Roger Salengro&lt;br /&gt;
* line 186: Pierre Brossolette &amp;lt;br/&amp;gt; &lt;br /&gt;
&lt;br /&gt;
''Car''&lt;br /&gt;
* ring road (périphérique): Porte d'Italie exit &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Translation effort =&lt;br /&gt;
&lt;br /&gt;
* The '''OWASP TOP Ten 2010 in French''' is [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf available]&lt;br /&gt;
* 2010-08-30 : The French version of the Top 10 2010 is available [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] &lt;br /&gt;
* 2008-02-15 : The Top 10 2007 is available in French: [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.pdf PDF format], [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.doc Word format]&lt;br /&gt;
* 2007-11-16 : [https://www.owasp.org/images/5/52/Owasp_tryptique.pdf Two-page double-sided folio] presentation for Infosecurity.&lt;br /&gt;
* 2007-02-27 : [[Newsletter_francaise_num%C3%A9ro_1]]&lt;br /&gt;
* 2007-06-20 : OWASP presentation given in NY in June 2007 [https://www.owasp.org/images/7/71/20070620-FR-OWASP_NY_Keynote.ppt]&lt;br /&gt;
[[Category:Europe]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Old News = &lt;br /&gt;
&lt;br /&gt;
* 2009-06-09 : [http://www.owasp.org/images/d/d2/20090609-CERT-IST-WAF-v0.1.pdf Talk on WAFs] at the [http://www.cert-ist.com CERT-IST] Forum &lt;br /&gt;
* 2009-02-03 : OWASP France will be present at [http://www.pci-portal.com/events/event-info/paris PCI Paris]. The presentation is: [https://www.owasp.org/images/f/fb/20090203-OWASP_PCI-Global_2009_Paris_-_v03.ppt OWASP and PCI-DSS requirement 6.5]&lt;br /&gt;
* 2008-11-19 : OWASP France will be present at  [http://www.infosecurity.com.fr/FR/badge?ref=OWAW Infosecurity France] in Paris:&lt;br /&gt;
[http://www.infosecurity.com.fr/index.php?argRedirect=FR|badge&amp;amp;Lang=FR&amp;amp;ref=OWAW https://www.owasp.org/images/8/88/Infosecurity.gif]&lt;br /&gt;
&lt;br /&gt;
* 2008-07-08 : OWASP France presented the OWASP project to [http://www.ossir.org OSSIR]. The presentation is available on the [https://www.owasp.org/images/9/94/20080708-OWASP_OSSIR.ppt OWASP] site&lt;br /&gt;
* 2008-02-15 : The Top 10 2007 is available in French&lt;br /&gt;
* 2008-02-11 : Presentation at [http://www.owasp.org/images/0/09/20080129-OWASP_TechDays_France_.ppt  Microsoft TechDays 2008]&lt;br /&gt;
* 2007-11-22 : [http://www.owasp.org/images/8/85/20071122-OWASP_Infosecurity_France.ppt OWASP presentation] at Infosecurity France&lt;br /&gt;
* 2007-11-07 : Interview in the  [http://www.journaldunet.com/developpeur/itws/071106-securite-applicative-owasp.shtml Journal du Net]&lt;br /&gt;
* 2007-10-05 : OWASP France will present the security challenges of [http://www.infosecurity.com.fr/?Jpto=116&amp;amp;KM_Session=f345bb91df954e6cbc0148328f109e94&amp;amp;CurrentNode=518&amp;amp;Lang=FR&amp;amp;IdNode=708 Web Services at Infosecurity France on 22/11/2007]&lt;br /&gt;
* 2006-12-18 : Creation of the association to support the OWASP group&lt;br /&gt;
* 2006-12-14 : The OWASP Viaduc Hub has been launched http://www.viadeo.com/hub/affichehub/?hubId=002fj37grgb7o7n&lt;br /&gt;
* 2006-12-13 : Birth of the French chapter of OWASP. A mailing list is available. [http://lists.owasp.org/mailman/listinfo/owasp-france Subscribe]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=France&amp;diff=142404</id>
		<title>France</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=France&amp;diff=142404"/>
				<updated>2013-01-16T22:10:12Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=France|extra=The '''Chapter Leaders''' are [mailto:ludovic.petit@owasp.org Ludovic Petit'''] and [mailto:sebastien.gioria@owasp.org Sebastien Gioria]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-france|emailarchives=http://lists.owasp.org/pipermail/owasp-france}}'''&lt;br /&gt;
&amp;lt;paypal&amp;gt;France Chapter&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''The French Chapter is also available on LinkedIn''': [http://www.linkedin.com/groupInvitation?gid=1638517  '''Join us''', it only takes a minute!]&lt;br /&gt;
&lt;br /&gt;
== Contacts, Presentations, Contributions &amp;amp; Partnerships ==&lt;br /&gt;
&lt;br /&gt;
*[mailto:sebastien.gioria@owasp.org Sebastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit] are at your disposal if you would like information or wish to discuss the added value offered by the OWASP Foundation, as well as Web Application Security.&lt;br /&gt;
&lt;br /&gt;
Companies, individuals, academia, sponsors, supporters: everyone is welcome at OWASP! Access to our Chapter meetings is free and open to all.&lt;br /&gt;
&lt;br /&gt;
For companies wishing to join OWASP, the basic annual membership fee is US $5000 (40% of which goes to the Project or Chapter of your choice), 100% deductible in the USA and 60% deductible in France &lt;br /&gt;
&lt;br /&gt;
The funds collected are used to organize the Chapter's meetings, but also and above all to build and organize with you a specific, collegial approach that meets your wishes (awareness sessions, internal meetings, speaker engagements, etc.). All of this can be discussed with the French Chapter and agreed jointly with you if you wish to join OWASP. &lt;br /&gt;
&lt;br /&gt;
Do not hesitate to contact us if you would like to discuss a particular topic, or if you would like to give a presentation at a France Chapter meeting.&lt;br /&gt;
&lt;br /&gt;
Friends in the print press and multimedia, do not hesitate to call on us if you would like our help with your articles and reports; you are welcome and we would be honored. We need you too.&lt;br /&gt;
&lt;br /&gt;
We remain modest in our approach, but we truly want the OWASP France Chapter to become one of your reference contacts. '''Together, each one does more'''!&lt;br /&gt;
&lt;br /&gt;
                                      '''TEAM stands for... Together Each Achieves More!'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
==Looking Forward… and Beyond, Distinctiveness Through Security Excellence==&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/5/50/Looking_Forward%E2%80%A6_and_Beyond.pptx Looking Forward… and Beyond]&amp;quot;'''&lt;br /&gt;
 '''Summary''' :  &lt;br /&gt;
Here is a presentation I gave in Sept for a big Software maker in an internal meeting (the name has been anonymized on request). This presentation aims to be re-used at your convenience depending on the needs / your context. Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes, or people and firms interested in OWASP and willing to join the Foundation as Member. The first 2 parts are more an update for those who are not yet familiar with OWASP, the 3rd part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway. Enjoy and feel free to email me, all comments welcome!&lt;br /&gt;
&lt;br /&gt;
 '''Speaker''' : Ludovic Petit &lt;br /&gt;
&lt;br /&gt;
==28 March 2012 - First Quarter Meeting==&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open at 17h30 - Presentation starts at 18h&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/6/6d/Developer_Top_Ten_Core_Controls_v4.1.pptx Top Ten Web Defenses]&amp;quot;'''&lt;br /&gt;
 '''Summary''' :  &lt;br /&gt;
Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. &lt;br /&gt;
This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. &lt;br /&gt;
Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
This talk will also detail several of the key access control anti-patterns commonly found during website security audits. &lt;br /&gt;
These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. &lt;br /&gt;
In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico &lt;br /&gt;
Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. &lt;br /&gt;
He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.&lt;br /&gt;
 '''Online registration at''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== 7 and 8 February 2012 - [http://www.microsoft.com/france/mstechdays/ Techdays Microsoft 2012] ==&lt;br /&gt;
&lt;br /&gt;
Sébastien will give a talk on [http://www.microsoft.com/france/mstechdays/programmes/parcours.aspx?SessionID=62e02774-6045-4be8-80ff-8332a793ad4f HTML5 and Security] on 7 February 2012 at 17h30. &lt;br /&gt;
More information is on the page dedicated to TechDays Microsoft 2012.&lt;br /&gt;
&lt;br /&gt;
== 6 January 2012 - New Working Group on Web Services Security at [http://www.clusif.fr CLUSIF]  ==&lt;br /&gt;
&lt;br /&gt;
Following on from the Web Application Security Working Group originally created in 2009, CLUSIF has launched a new working group on Web Services security. Feel free to take part if you are interested. CLUSIF is looking for users for this working group, and for people working in Microsoft environments, so as to have the widest possible panel for this document&lt;br /&gt;
&lt;br /&gt;
Contact : [mailto:sebastien.gioria@owasp.org Sébastien Gioria]&lt;br /&gt;
&lt;br /&gt;
== 19 December 2011 - Publication of the second [http://www.clusif.fr CLUSIF] document on Web Application Security ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF has published its second document, on [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Defense-en-profondeur-des-applications-Web.pdf Defense in depth for Web applications]. This document follows the [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf first document published in 2009] &lt;br /&gt;
&lt;br /&gt;
== 15 December 2011 - [http://www.clusif.fr CLUSIF] conference on [http://www.clusif.fr/fr/infos/event/#conf111215  Web application security] ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF presented the Web Application Security conference on Thursday 15 December 2011 at the Cercle National des Armées.&lt;br /&gt;
The program was: &lt;br /&gt;
&lt;br /&gt;
* Implementing an application security policy: feedback from a CISO, by Philippe LARUE - Security Manager - [http://www.cbp-prevoyance.com/ CBP]&lt;br /&gt;
* Source code review or application security testing: which is more efficient for assessing an application's security level? by Sébastien GIORIA - Senior Consultant, [http://www.groupey.fr Groupe Y], and leader of the French chapter of [https://www.owasp.org OWASP] - OWASP France&lt;br /&gt;
* The regulatory stakes of protecting online information, by Garance MATHIAS - Lawyer - Law firm&lt;br /&gt;
&lt;br /&gt;
The presentations are available on the [http://www.clusif.fr CLUSIF] site; videos of the talks will also be available.&lt;br /&gt;
&lt;br /&gt;
== 2 December 2011 - [[OWASP BeNeLux 2011 Conference - University of Luxembourg]] ==&lt;br /&gt;
&lt;br /&gt;
Ludovic had a talk about &amp;quot;[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd WebApp Security and Legal aspects]&amp;quot;  on Dec 2.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**This presentation aims to be used by anybody willing to spread the voice of OWASP. See this as an Awareness session.&lt;br /&gt;
**Use it and use it again. &lt;br /&gt;
**Try to open your mind, just let me know if I can help. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/5/55/Do_you..._Legal_-_OWASP_BeNeLux_Day_-_2_Dec_2011.pptx Do you... Legal?]&amp;quot;'''&lt;br /&gt;
**The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsibility, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is especially true for Web Application Security, much sensitive information having to be handled through these web interfaces. As such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [[EUROPE - ENISA’s Who-is-Who Directory on Network and Information Security]] ===&lt;br /&gt;
&lt;br /&gt;
We are pleased to announce that OWASP France is part of the [http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011 ENISA’s Who-is-Who Directory].&lt;br /&gt;
&lt;br /&gt;
The ENISA is the European Network and Information Security Agency.&lt;br /&gt;
[http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011/at_download/fullReport The ENISA Who-is-Who Directory on Network and Information Security 2011] contains information on NIS stakeholders, such as national and European authorities and NIS organisations, contact details, websites, and areas of responsibilities or activities. &lt;br /&gt;
This Directory serves as the &amp;quot;yellow pages&amp;quot; of Network and Information Security (NIS) in Europe. As such, it is a useful tool for those working closely with NIS issues in Europe.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OWASP France Call for Contributions =&lt;br /&gt;
&lt;br /&gt;
The Chapter's various calls for contributions (sponsors, talks, etc.) will be relayed here.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= External Calls for Contributions =&lt;br /&gt;
&lt;br /&gt;
Calls for contributions that we consider of interest to the Chapter will be relayed here. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Meetings 2012 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2012 ==&lt;br /&gt;
 '''Date''' : 28 Mars 2012&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open at 17h30 - Presentation starts at 18h&lt;br /&gt;
 '''Presentation''' : Web Application Access Control Design Excellence&lt;br /&gt;
 '''Summary''' : Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
                    This talk will discuss several of the key access control anti-patterns commonly found during &lt;br /&gt;
                     website security audits. These access control anti-patterns include hard-coded security policies, &lt;br /&gt;
                     lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these&lt;br /&gt;
                     and other access control problems, we will discuss and design a positive access control mechanism &lt;br /&gt;
                     that is data contextual, activity based, configurable, flexible, and deny-by-default - among other&lt;br /&gt;
                     positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico&lt;br /&gt;
 '''Online registration here''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== Q2 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q3 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q4 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= 2011 Meetings =&lt;br /&gt;
&lt;br /&gt;
=== [[May 2011 - Paris Meeting]] ===&lt;br /&gt;
&lt;br /&gt;
[Logo to be placed here]&lt;br /&gt;
&lt;br /&gt;
We are honored to welcome '''Jim Manico''' during his European Tour in the Netherlands, Belgium and France.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document &amp;amp; Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle. &lt;br /&gt;
**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. &lt;br /&gt;
**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered. &lt;br /&gt;
**If you are interested in participating in the hands on portion of the course, please bring a laptop. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/f/f4/Future_of_XSS_v4.pptx The Ghost of XSS Past, Present and Future. A Defensive Tale]&amp;quot;'''&lt;br /&gt;
**This talk will discuss the past methods used for XSS defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense mythologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and Javascript sandboxes such as the Google CAJA project and JSReg. &lt;br /&gt;
&lt;br /&gt;
*'''Speaker'''&lt;br /&gt;
**'''Jim Manico''' is a managing partner of Infrared Security with over 15 years of professional web development experience. Jim is also the Chair of the OWASP Connections Committee, one of the Project Managers of the OWASP ESAPI Project, a participant and manager of the OWASP Cheatsheet series, the Producer and host of the OWASP Podcast Series, the Manager of the OWASP Java HTML Sanitizer project and the manager of the OWASP Java Encoder project. When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.&lt;br /&gt;
&lt;br /&gt;
*'''Date'''&lt;br /&gt;
**May 24, 2011 &lt;br /&gt;
&lt;br /&gt;
*'''Venue'''&lt;br /&gt;
**Paris&lt;br /&gt;
&lt;br /&gt;
*'''Registration'''&lt;br /&gt;
**[http://www.regonline.com/Register/Checkin.aspx?EventID=971375 Click here]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 26 April 2011 ==&lt;br /&gt;
&lt;br /&gt;
'''26 April 2011 at the [http://www.groupey.fr/nos-cabinets-paris.html GROUPE Y] offices:'''&lt;br /&gt;
&lt;br /&gt;
* 9:00: [https://www.owasp.org/images/2/2f/Agenda_26th_April_2011.pptx Introduction] - '''Ludovic Petit''' &amp;amp; '''Sébastien Gioria'''&lt;br /&gt;
* 9:30: [https://www.owasp.org/images/3/36/OPENSAMM2.pptx OpenSAMM] - '''Antonio Fontes''' (Chapter Leader OWASP Geneva) &lt;br /&gt;
* 11:00: [https://www.owasp.org/images/c/cf/OWASP_Cloud_Top_10.pptx OWASP Cloud Top 10 Project] - '''Ludovic Petit''' (Chapter Leader OWASP France &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 11:45: [https://www.owasp.org/images/5/5c/ESAPI_Swingset_talk_at_Paris.ppt OWASP ESAPI] - '''Fabio Cerullo''' (Chapter Leader OWASP Ireland &amp;amp; Global Education Committee)&lt;br /&gt;
* 14:15: [https://www.owasp.org/images/3/38/OWASP_Testing_Guide.pptx OWASP Testing Guide]  - '''Sébastien Gioria''' (French Chapter Leader &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 15:15: [http://o2platform.com OWASP O2 Platform - Live Session] - '''Dinis Cruz''' (OWASP O2 Project Leader)&lt;br /&gt;
* 16:30: [https://www.owasp.org/images/9/96/OWASP-Paris2011-VV-CodeReview.pdf OWASP Code Review] - '''Victor Vuillard'''&lt;br /&gt;
&lt;br /&gt;
= 2009 Meetings =&lt;br /&gt;
&lt;br /&gt;
'''6 May 2009 at 17h30 at [http://www.epitech.eu EPITECH]:'''&lt;br /&gt;
&lt;br /&gt;
* 17h30 : Reception of participants&lt;br /&gt;
* 18h - 18h 15 : [http://www.owasp.org/images/d/dc/OWASP_Paris_Meeting_-_May_2009.pdf Welcome and overview of agenda] '''(Board OWASP France)'''&lt;br /&gt;
* 18h30 - 19h : [http://www.owasp.org/images/6/6b/2009-05-06-OWASPFR-WebServices.pdf Attacks on Web Services] - '''Renaud Bidou'''&lt;br /&gt;
* 19h15 - 19h45 : [http://www.owasp.org/images/8/82/2009-05-06-OWASPFR-OpenSAM.pdf Software Security Initiatives in the Real World] - '''Claudio Merloni'''&lt;br /&gt;
* 20h : Close &lt;br /&gt;
&lt;br /&gt;
About the speakers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Renaud Bidou :''' ''Technical Director of DenyAll. He has worked in security for more than 10 years and has published numerous articles and white papers on subjects as varied as denial of service, port knockers, botnets, setting up a SOC, graphical analysis of attacks, and evasion techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Claudio Merloni : '''''Claudio Merloni is a Software Security Consultant at Fortify Software. His experience in the security field covers application security, code review, secure architectures, risk analysis, compliance, security testing at the network, system and application levels, monitoring, and access control. He has taken part in several conferences, including BlackHat and CONFidence.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Venue: EPITECH'''&lt;br /&gt;
&lt;br /&gt;
Amphi 2&lt;br /&gt;
&lt;br /&gt;
14-16 rue Voltaire&lt;br /&gt;
&lt;br /&gt;
94276 Kremlin Bicêtre Cedex &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''Getting there: Métro''&lt;br /&gt;
* line 7 : Porte d'Italie&lt;br /&gt;
&lt;br /&gt;
''Bus''&lt;br /&gt;
* lines 47, 125, 131, 185 : Roger Salengro&lt;br /&gt;
* line 186 : Pierre Brossolette &amp;lt;br/&amp;gt; &lt;br /&gt;
&lt;br /&gt;
''Car''&lt;br /&gt;
* ring road (périphérique) : Porte d'Italie exit &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Translation effort =&lt;br /&gt;
&lt;br /&gt;
* The '''OWASP TOP Ten 2010 in French''' is [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf available]&lt;br /&gt;
* 2010-08-30 : The French version of the Top 10 2010 is available [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] &lt;br /&gt;
* 2008-02-15 : The Top 10 2007 is available in French: [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.pdf PDF format], [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.doc Word format]&lt;br /&gt;
* 2007-11-16 : [https://www.owasp.org/images/5/52/Owasp_tryptique.pdf Two-page, double-sided leaflet] presenting OWASP for Infosecurity.&lt;br /&gt;
* 2007-02-27 : [[Newsletter_francaise_num%C3%A9ro_1]]&lt;br /&gt;
* 2007-06-20 : OWASP presentation given in NY in June 2007 [https://www.owasp.org/images/7/71/20070620-FR-OWASP_NY_Keynote.ppt]&lt;br /&gt;
[[Category:Europe]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Old News = &lt;br /&gt;
&lt;br /&gt;
* 2009-06-09 : [http://www.owasp.org/images/d/d2/20090609-CERT-IST-WAF-v0.1.pdf Talk on WAFs] at the [http://www.cert-ist.com CERT-IST] Forum &lt;br /&gt;
* 2009-02-03 : OWASP France will be present at [http://www.pci-portal.com/events/event-info/paris PCI Paris]. The presentation is: [https://www.owasp.org/images/f/fb/20090203-OWASP_PCI-Global_2009_Paris_-_v03.ppt OWASP and PCI-DSS requirement 6.5]&lt;br /&gt;
* 2008-11-19 : OWASP France will be present at [http://www.infosecurity.com.fr/FR/badge?ref=OWAW Infosecurity France] in Paris:&lt;br /&gt;
[http://www.infosecurity.com.fr/index.php?argRedirect=FR|badge&amp;amp;Lang=FR&amp;amp;ref=OWAW https://www.owasp.org/images/8/88/Infosecurity.gif]&lt;br /&gt;
&lt;br /&gt;
* 2008-07-08 : OWASP France presented the OWASP project to [http://www.ossir.org OSSIR]. The presentation is available on the [https://www.owasp.org/images/9/94/20080708-OWASP_OSSIR.ppt OWASP] site&lt;br /&gt;
* 2008-02-15 : The Top 10 2007 is available in French&lt;br /&gt;
* 2008-02-11 : Presentation at [http://www.owasp.org/images/0/09/20080129-OWASP_TechDays_France_.ppt  Microsoft TechDays 2008]&lt;br /&gt;
* 2007-11-22 : Presentation at Infosecurity France [http://www.owasp.org/images/8/85/20071122-OWASP_Infosecurity_France.ppt by OWASP]&lt;br /&gt;
* 2007-11-07 : Interview in the [http://www.journaldunet.com/developpeur/itws/071106-securite-applicative-owasp.shtml Journal du Net]&lt;br /&gt;
* 2007-10-05 : OWASP France will present the security challenges of [http://www.infosecurity.com.fr/?Jpto=116&amp;amp;KM_Session=f345bb91df954e6cbc0148328f109e94&amp;amp;CurrentNode=518&amp;amp;Lang=FR&amp;amp;IdNode=708 Web Services at Infosecurity France on 22/11/2007]&lt;br /&gt;
* 2006-12-18 : Creation of the association to support the OWASP group&lt;br /&gt;
* 2006-12-14 : The OWASP Viaduc Hub has been launched http://www.viadeo.com/hub/affichehub/?hubId=002fj37grgb7o7n&lt;br /&gt;
* 2006-12-13 : Birth of the French chapter of OWASP. A mailing list is available. [http://lists.owasp.org/mailman/listinfo/owasp-france Subscribe]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Looking_Forward%E2%80%A6_and_Beyond.pptx&amp;diff=138381</id>
		<title>File:Looking Forward… and Beyond.pptx</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Looking_Forward%E2%80%A6_and_Beyond.pptx&amp;diff=138381"/>
				<updated>2012-10-30T16:24:32Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: uploaded a new version of &amp;amp;quot;File:Looking Forward… and Beyond.pptx&amp;amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Here is just for information the slide deck of a presentation I gave in Sept for a big Software maker in an internal meeting (the name has been anonymized on request).&lt;br /&gt;
Even if most of you already know the stuff, this presentation has been structured and aims to be re-used at your convenience depending on the needs / your context.&lt;br /&gt;
Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes or when talking memberships for joining OWASP.&lt;br /&gt;
The first 2 parts are more an update for those who are not yet familiar with OWASP, the third part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway.&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Looking_Forward%E2%80%A6_and_Beyond.pptx&amp;diff=138380</id>
		<title>File:Looking Forward… and Beyond.pptx</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Looking_Forward%E2%80%A6_and_Beyond.pptx&amp;diff=138380"/>
				<updated>2012-10-30T16:19:23Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: uploaded a new version of &amp;amp;quot;File:Looking Forward… and Beyond.pptx&amp;amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Here is just for information the slide deck of a presentation I gave in Sept for a big Software maker in an internal meeting (the name has been anonymized on request).&lt;br /&gt;
Even if most of you already know the stuff, this presentation has been structured and aims to be re-used at your convenience depending on the needs / your context.&lt;br /&gt;
Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes or when talking memberships for joining OWASP.&lt;br /&gt;
The first 2 parts are more an update for those who are not yet familiar with OWASP, the third part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway.&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Looking_Forward%E2%80%A6_and_Beyond.pptx&amp;diff=138379</id>
		<title>File:Looking Forward… and Beyond.pptx</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Looking_Forward%E2%80%A6_and_Beyond.pptx&amp;diff=138379"/>
				<updated>2012-10-30T16:18:41Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: uploaded a new version of &amp;amp;quot;File:Looking Forward… and Beyond.pptx&amp;amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Here is just for information the slide deck of a presentation I gave in Sept for a big Software maker in an internal meeting (the name has been anonymized on request).&lt;br /&gt;
Even if most of you already know the stuff, this presentation has been structured and aims to be re-used at your convenience depending on the needs / your context.&lt;br /&gt;
Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes or when talking memberships for joining OWASP.&lt;br /&gt;
The first 2 parts are more an update for those who are not yet familiar with OWASP, the third part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway.&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=France&amp;diff=138296</id>
		<title>France</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=France&amp;diff=138296"/>
				<updated>2012-10-29T10:18:33Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=France|extra=The '''Chapter Leaders''' are [mailto:sebastien.gioria@owasp.org Sebastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit''']|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-france|emailarchives=http://lists.owasp.org/pipermail/owasp-france}}'''&lt;br /&gt;
&amp;lt;paypal&amp;gt;France Chapter&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''The French Chapter is also available on LinkedIn''': [http://www.linkedin.com/groupInvitation?gid=1638517  '''Join us''', it only takes a minute!]&lt;br /&gt;
&lt;br /&gt;
== Contacts and Proposals for Presentations/Contributions ==&lt;br /&gt;
&lt;br /&gt;
*[mailto:sebastien.gioria@owasp.org S&amp;amp;eacute;bastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit] are at your disposal if you would like information about OWASP as well as about Web Application Security.&lt;br /&gt;
&lt;br /&gt;
Companies, individuals, academia, sponsors, supporters: everyone is welcome at OWASP.&lt;br /&gt;
&lt;br /&gt;
For companies wishing to join OWASP, the annual membership fee of US $5000 (40% of which goes to the Chapter of your choice) is 100% deductible! &lt;br /&gt;
&lt;br /&gt;
The funds collected are used to organize the Chapter's meetings, but also and above all to build and organize with you a specific approach according to your wishes (awareness sessions, internal meetings, speaker engagements, etc.). All of this can be discussed with the French Chapter and agreed jointly with you if you wish to join OWASP. &lt;br /&gt;
&lt;br /&gt;
Do not hesitate to contact us if you would like to discuss a particular topic, or if you would like to give a presentation at a France Chapter meeting.&lt;br /&gt;
&lt;br /&gt;
Friends in the print press and multimedia, do not hesitate to call on us if you would like our help with your articles and reports; you are welcome and we would be honored. We need you too.&lt;br /&gt;
&lt;br /&gt;
We remain modest in our approach, but we truly want the OWASP France Chapter to become one of your reference contacts. '''Together, each one does more'''!&lt;br /&gt;
&lt;br /&gt;
                                      '''TEAM stands for... Together Each Achieves More!'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
==Looking Forward… and Beyond, Distinctiveness Through Security Excellence==&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/5/50/Looking_Forward%E2%80%A6_and_Beyond.pptx Looking Forward… and Beyond]&amp;quot;&lt;br /&gt;
 '''Summary''' :  &lt;br /&gt;
Here is a presentation I gave in Sept for a big Software maker in an internal meeting (the name has been anonymized on request). This presentation aims to be re-used at your convenience depending on the needs / your context. Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes, or people and firms interested in OWASP and willing to join the Foundation as a Member. The first 2 parts are more an update for those who are not yet familiar with OWASP, the 3rd part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway. Enjoy and feel free to email me, all comments welcome!&lt;br /&gt;
&lt;br /&gt;
 '''Speaker''' : Ludovic Petit &lt;br /&gt;
&lt;br /&gt;
==28 March 2012 First-quarter Meeting==&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/6/6d/Developer_Top_Ten_Core_Controls_v4.1.pptx Top Ten Web Defenses]&amp;quot;&lt;br /&gt;
 '''Summary''' :  &lt;br /&gt;
Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. &lt;br /&gt;
This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. &lt;br /&gt;
Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
This talk will also detail several of the key access control anti-patterns commonly found during website security audits. &lt;br /&gt;
These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. &lt;br /&gt;
In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico &lt;br /&gt;
Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. &lt;br /&gt;
He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.&lt;br /&gt;
 '''Online registration at''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== 7 and 8 February 2012 - [http://www.microsoft.com/france/mstechdays/ Techdays Microsoft 2012] ==&lt;br /&gt;
&lt;br /&gt;
Sébastien will give a talk on [http://www.microsoft.com/france/mstechdays/programmes/parcours.aspx?SessionID=62e02774-6045-4be8-80ff-8332a793ad4f HTML5 and Security]  on 7 February 2012 at 17h30. &lt;br /&gt;
More information on the page dedicated to Microsoft TechDays 2012.&lt;br /&gt;
&lt;br /&gt;
== 6 January 2012 - New Working Group on Web Services Security at [http://www.clusif.fr CLUSIF]  ==&lt;br /&gt;
&lt;br /&gt;
Following on from the Working Group on Web Application Security originally created in 2009, CLUSIF has launched a new working group on Web Services security. Do not hesitate to take part if you are interested. CLUSIF is looking for users for this working group, and for people working in Microsoft environments, so as to have the widest possible panel for this document.&lt;br /&gt;
&lt;br /&gt;
Contact : [mailto:sebastien.gioria@owasp.org Sébastien Gioria]&lt;br /&gt;
&lt;br /&gt;
== 19 December 2011 - Publication of the second [http://www.clusif.fr CLUSIF]  document on Web Application Security ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF has published its second document, on [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Defense-en-profondeur-des-applications-Web.pdf Défense en profondeur des applications Web] (defense in depth for Web applications). This document follows the [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf first document published in 2009] &lt;br /&gt;
&lt;br /&gt;
== 15 December 2011 [http://www.clusif.fr CLUSIF] conference on [http://www.clusif.fr/fr/infos/event/#conf111215  Web application security] ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF presented the Web Application Security conference on Thursday 15 December 2011 at the Cercle National des Armées.&lt;br /&gt;
The program was : &lt;br /&gt;
&lt;br /&gt;
* Putting an application security policy in place: a CISO's experience report, by Philippe LARUE - Security Manager - [http://www.cbp-prevoyance.com/ CBP]&lt;br /&gt;
* Source code review or application security testing: which is more efficient for assessing an application's security level?  by Sébastien GIORIA -  Senior Consultant [http://www.groupey.fr Groupe Y] and leader of the French chapter of [https://www.owasp.org OWASP] - OWASP France&lt;br /&gt;
*  The regulatory challenges of protecting information online, by Garance MATHIAS - Lawyer - Law firm&lt;br /&gt;
&lt;br /&gt;
The presentations are available on the [http://www.clusif.fr CLUSIF] website; videos of the talks will also be available.&lt;br /&gt;
&lt;br /&gt;
== 2 December 2011 - [[OWASP BeNeLux 2011 Conference - University of Luxembourg]] ==&lt;br /&gt;
&lt;br /&gt;
Ludovic gave a talk about &amp;quot;[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd WebApp Security and Legal aspects]&amp;quot;  on Dec 2.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**This presentation aims to be used by anybody willing to spread the voice of OWASP. See this as an Awareness session.&lt;br /&gt;
**Use it and use it again. &lt;br /&gt;
**Try to open your mind, just let me know if I can help. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/5/55/Do_you..._Legal_-_OWASP_BeNeLux_Day_-_2_Dec_2011.pptx Do you... Legal?]&amp;quot;'''&lt;br /&gt;
**The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsibility, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is especially true for Web Application Security, much sensitive information having to be handled through these web interfaces. As such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [[EUROPE - ENISA’s Who-is-Who Directory on Network and Information Security]] ===&lt;br /&gt;
&lt;br /&gt;
We are pleased to announce that OWASP France is part of the [http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011 ENISA’s Who-is-Who Directory].&lt;br /&gt;
&lt;br /&gt;
The ENISA is the European Network and Information Security Agency.&lt;br /&gt;
[http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011/at_download/fullReport The ENISA Who-is-Who Directory on Network and Information Security 2011] contains information on NIS stakeholders, such as national and European authorities and NIS organisations, contact details, websites, and areas of responsibilities or activities. &lt;br /&gt;
This Directory serves as the &amp;quot;yellow pages&amp;quot; of Network and Information Security (NIS) in Europe. As such, it is a useful tool for those working closely with NIS issues in Europe.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OWASP France Call for Contributions =&lt;br /&gt;
&lt;br /&gt;
The Chapter's various calls for contributions (sponsors, talks, etc.) will be relayed here.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= External Calls for Contributions =&lt;br /&gt;
&lt;br /&gt;
Calls for contributions that we consider of interest to the Chapter will be relayed here. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Meetings 2012 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2012 ==&lt;br /&gt;
 '''Date''' : 28 March 2012&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : Web Application Access Control Design Excellence&lt;br /&gt;
 '''Summary''' : Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
                    This talk will discuss several of the key access control anti-patterns commonly found during &lt;br /&gt;
                     website security audits. These access control anti-patterns include hard-coded security policies, &lt;br /&gt;
                     lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these&lt;br /&gt;
                     and other access control problems, we will discuss and design a positive access control mechanism &lt;br /&gt;
                     that is data contextual, activity based, configurable, flexible, and deny-by-default - among other&lt;br /&gt;
                     positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico&lt;br /&gt;
 '''Online registration here''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== Q2 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q3 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q4 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= 2011 Meetings =&lt;br /&gt;
&lt;br /&gt;
=== [[May 2011 - Paris Meeting]] ===&lt;br /&gt;
&lt;br /&gt;
[Logo to be placed here]&lt;br /&gt;
&lt;br /&gt;
We are honored to welcome '''Jim Manico''' during his European Tour in the Netherlands, Belgium and France.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document &amp;amp; Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle. &lt;br /&gt;
**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. &lt;br /&gt;
**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered. &lt;br /&gt;
**If you are interested in participating in the hands on portion of the course, please bring a laptop. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/f/f4/Future_of_XSS_v4.pptx The Ghost of XSS Past, Present and Future. A Defensive Tale]&amp;quot;'''&lt;br /&gt;
**This talk will discuss the past methods used for XSS defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and Javascript sandboxes such as the Google CAJA project and JSReg. &lt;br /&gt;
&lt;br /&gt;
*'''Speaker'''&lt;br /&gt;
**'''Jim Manico''' is a managing partner of Infrared Security with over 15 years of professional web development experience. Jim is also the Chair of the OWASP Connections Committee, one of the Project Managers of the OWASP ESAPI Project, a participant and manager of the OWASP Cheatsheet series, the Producer and host of the OWASP Podcast Series, the Manager of the OWASP Java HTML Sanitizer project and the manager of the OWASP Java Encoder project. When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.&lt;br /&gt;
&lt;br /&gt;
*'''Date'''&lt;br /&gt;
**May 24, 2011 &lt;br /&gt;
&lt;br /&gt;
*'''Venue'''&lt;br /&gt;
**Paris&lt;br /&gt;
&lt;br /&gt;
*'''Registration'''&lt;br /&gt;
**[http://www.regonline.com/Register/Checkin.aspx?EventID=971375 Click here]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 26 April 2011 ==&lt;br /&gt;
&lt;br /&gt;
'''26 April 2011 at the premises of [http://www.groupey.fr/nos-cabinets-paris.html GROUPE Y] :'''&lt;br /&gt;
&lt;br /&gt;
* 9:00: [https://www.owasp.org/images/2/2f/Agenda_26th_April_2011.pptx Introduction] - '''Ludovic Petit''' &amp;amp; '''Sébastien Gioria'''&lt;br /&gt;
* 9:30: [https://www.owasp.org/images/3/36/OPENSAMM2.pptx OpenSAMM] - '''Antonio Fontes''' (Chapter Leader OWASP Geneva) &lt;br /&gt;
* 11:00: [https://www.owasp.org/images/c/cf/OWASP_Cloud_Top_10.pptx OWASP Cloud Top 10 Project] - '''Ludovic Petit''' (Chapter Leader OWASP France &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 11:45: [https://www.owasp.org/images/5/5c/ESAPI_Swingset_talk_at_Paris.ppt OWASP ESAPI] - '''Fabio Cerullo''' (Chapter Leader OWASP Ireland &amp;amp; Global Education Committee)&lt;br /&gt;
* 14:15: [https://www.owasp.org/images/3/38/OWASP_Testing_Guide.pptx OWASP Testing Guide]  - '''Sébastien Gioria''' (French Chapter Leader &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 15:15: [http://o2platform.com OWASP O2 Platform - Live Session] - '''Dinis Cruz''' (OWASP O2 Project Leader)&lt;br /&gt;
* 16:30: [https://www.owasp.org/images/9/96/OWASP-Paris2011-VV-CodeReview.pdf OWASP Code Review] - '''Victor Vuillard'''&lt;br /&gt;
&lt;br /&gt;
= 2009 Meetings =&lt;br /&gt;
&lt;br /&gt;
'''6 May 2009 at 17h30 at [http://www.epitech.eu EPITECH] :'''&lt;br /&gt;
&lt;br /&gt;
* 17h30 : Welcome of participants&lt;br /&gt;
* 18h - 18h 15 : [http://www.owasp.org/images/d/dc/OWASP_Paris_Meeting_-_May_2009.pdf Welcome and overview of agenda] '''(Board OWASP France)'''&lt;br /&gt;
* 18h30 - 19h : [http://www.owasp.org/images/6/6b/2009-05-06-OWASPFR-WebServices.pdf Attacks on Web Services] - '''Renaud Bidou'''&lt;br /&gt;
* 19h15 - 19h45 : [http://www.owasp.org/images/8/82/2009-05-06-OWASPFR-OpenSAM.pdf Software Security Initiatives in the Real World] - '''Claudio Merloni'''&lt;br /&gt;
* 20h : Close &lt;br /&gt;
&lt;br /&gt;
About the Speakers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Renaud Bidou: '''''Technical Director of DenyAll. He has worked in security for more than 10 years and has published numerous articles and white papers on subjects as varied as denial of service, port knockers, botnets, setting up a SOC, graphical analysis of attacks, and evasion techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Claudio Merloni: '''''Claudio Merloni is a Software Security Consultant at Fortify Software. His security experience spans application security, code review, secure architectures, risk analysis, compliance, security testing at the network, system and application levels, monitoring, and access control. He has taken part in several conferences, including BlackHat and CONFidence.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Venue: EPITECH'''&lt;br /&gt;
&lt;br /&gt;
Amphi 2&lt;br /&gt;
&lt;br /&gt;
14-16 rue Voltaire&lt;br /&gt;
&lt;br /&gt;
94276 Kremlin Bicêtre Cedex &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''Getting there: Metro''&lt;br /&gt;
* line 7 : Porte d'Italie&lt;br /&gt;
&lt;br /&gt;
''Bus''&lt;br /&gt;
* lines 47, 125, 131, 185 : Roger Salengro&lt;br /&gt;
* line 186 : Pierre Brossolette &amp;lt;br/&amp;gt; &lt;br /&gt;
&lt;br /&gt;
''Car''&lt;br /&gt;
* Boulevard Périphérique (ring road) : Porte d'Italie exit &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Translation effort =&lt;br /&gt;
&lt;br /&gt;
* The '''OWASP TOP Ten 2010 in French''' is [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf available]&lt;br /&gt;
* 2010-08-30 : The French version of the Top 10 2010 is available [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] &lt;br /&gt;
* 2008-02-15 : The Top10 2007 is available in French [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.pdf PDF format], [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.doc Word format]&lt;br /&gt;
* 2007-11-16 : [https://www.owasp.org/images/5/52/Owasp_tryptique.pdf Two-page double-sided leaflet] presenting OWASP for Infosecurity.&lt;br /&gt;
* 2007-02-27 : [[Newsletter_francaise_num%C3%A9ro_1]]&lt;br /&gt;
* 2007-06-20 : OWASP presentation given in NY in June 2007 [https://www.owasp.org/images/7/71/20070620-FR-OWASP_NY_Keynote.ppt]&lt;br /&gt;
[[Category:Europe]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Old News = &lt;br /&gt;
&lt;br /&gt;
* 2009-06-09 : [http://www.owasp.org/images/d/d2/20090609-CERT-IST-WAF-v0.1.pdf Talk on WAFs] at the [http://www.cert-ist.com CERT-IST] Forum &lt;br /&gt;
* 2009-02-03 : OWASP France will be present at [http://www.pci-portal.com/events/event-info/paris PCI Paris]. The presentation is: [https://www.owasp.org/images/f/fb/20090203-OWASP_PCI-Global_2009_Paris_-_v03.ppt OWASP and PCI-DSS requirement 6.5]&lt;br /&gt;
* 2008-11-19 : OWASP France will be present at  [http://www.infosecurity.com.fr/FR/badge?ref=OWAW Infosecurity France] in Paris :&lt;br /&gt;
[http://www.infosecurity.com.fr/index.php?argRedirect=FR|badge&amp;amp;Lang=FR&amp;amp;ref=OWAW https://www.owasp.org/images/8/88/Infosecurity.gif]&lt;br /&gt;
&lt;br /&gt;
* 2008-07-08 : OWASP France presented the OWASP project to [http://www.ossir.org OSSIR]. The presentation is available on the [https://www.owasp.org/images/9/94/20080708-OWASP_OSSIR.ppt OWASP] website&lt;br /&gt;
* 2008-02-15 : The Top10 2007 is available in French&lt;br /&gt;
* 2008-02-11 : Presentation at [http://www.owasp.org/images/0/09/20080129-OWASP_TechDays_France_.ppt  TechDays 2008 Microsoft ]&lt;br /&gt;
* 2007-11-22 : [http://www.owasp.org/images/8/85/20071122-OWASP_Infosecurity_France.ppt OWASP] presentation at Infosecurity France&lt;br /&gt;
* 2007-11-07 : Interview in the  [http://www.journaldunet.com/developpeur/itws/071106-securite-applicative-owasp.shtml Journal du Net]&lt;br /&gt;
* 2007-10-05 : OWASP France will present the security challenges of [http://www.infosecurity.com.fr/?Jpto=116&amp;amp;KM_Session=f345bb91df954e6cbc0148328f109e94&amp;amp;CurrentNode=518&amp;amp;Lang=FR&amp;amp;IdNode=708 Web Services at Infosecurity France on 22/11/2007]&lt;br /&gt;
* 2006-12-18 : Creation of the association to support the OWASP group&lt;br /&gt;
* 2006-12-14 : The OWASP Viaduc Hub has been launched http://www.viadeo.com/hub/affichehub/?hubId=002fj37grgb7o7n&lt;br /&gt;
* 2006-12-13 : Birth of the French chapter of OWASP. A mailing list is available. [http://lists.owasp.org/mailman/listinfo/owasp-france Subscribe]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Looking_Forward%E2%80%A6_and_Beyond.pptx&amp;diff=138295</id>
		<title>File:Looking Forward… and Beyond.pptx</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Looking_Forward%E2%80%A6_and_Beyond.pptx&amp;diff=138295"/>
				<updated>2012-10-29T10:11:06Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: uploaded a new version of &amp;amp;quot;File:Looking Forward… and Beyond.pptx&amp;amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Here is just for information the slide deck of a presentation I gave in Sept for a big Software maker in an internal meeting (the name has been anonymized on request).&lt;br /&gt;
Even if most of you already know the stuff, this presentation has been structured and aims to be re-used at your convenience depending on the needs / your context.&lt;br /&gt;
Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes or when talking memberships for joining OWASP.&lt;br /&gt;
The first 2 parts are more an update for those who are not yet familiar with OWASP, the third part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway.&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=138137</id>
		<title>Category:OWASP Speakers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=138137"/>
				<updated>2012-10-25T14:55:57Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This program, led by [[:user:Knoblochmartin|Martin Knobloch]], helps local chapters or application security conferences to find OWASP related speakers to have OWASP presenters on site.&lt;br /&gt;
&lt;br /&gt;
This program allows two parties to find each other:&lt;br /&gt;
&lt;br /&gt;
* Local chapters or application security events that want to attract an OWASP speaker&lt;br /&gt;
* OWASP speakers who want to give OWASP presentations and see the world&lt;br /&gt;
&lt;br /&gt;
For sponsorship, see the [[:Category:OWASP_on_the_Move_Project|OWASP on the Move Project]] page&lt;br /&gt;
&lt;br /&gt;
== available presentations ==&lt;br /&gt;
&lt;br /&gt;
== available speakers  ==&lt;br /&gt;
&lt;br /&gt;
If you want to (re)do an OWASP related presentation, propose them here with your availability boundaries (timing/geographical) &lt;br /&gt;
&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;prettytable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Name &lt;br /&gt;
! Introduction &lt;br /&gt;
! Available Area &lt;br /&gt;
! Bios&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Robert(at)ZakonGroup.com Robert H'obbes' Zakon] &lt;br /&gt;
| Presenter on Web Application Security, OWASP Top 10, PHP Security, and assorted other topics.  Training sessions taught at events such as [http://www.zakongroup.com/technology/services-training.shtml OWASP, ACSAC, and CCS].  Based in New Hampshire, and available for travel worldwide.  Fluent in English, and able to converse in Portuguese.  A developer and consultant for the past decade, formerly a Principal Engineer with MITRE's InfoSec Group. &lt;br /&gt;
| Global (USA/NH-based) &lt;br /&gt;
| [http://www.zakon.org/robert/vitae.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:jmcgovern@virtusa.com James McGovern] &lt;br /&gt;
| Presenter on Enterprise Architecture and Web Application Security, SOA Web Services Security and Federated Identity.   &lt;br /&gt;
| Global (USA/CT-based) &lt;br /&gt;
| [http://www.linkedin.com/in/jamesmcgovern BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:chuck(at)McCulloughAssociates.com Chuck McCullough] &lt;br /&gt;
| Chuck provides training sessions to developers on the Top 10. Chuck welcomes speaking opportunities to any group. Chuck is available in the Texas area and at various other locations in the USA. &lt;br /&gt;
| USA/Texas &lt;br /&gt;
| [http://www.linkedin.com/in/chuckmccullough BIO]&lt;br /&gt;
|-&lt;br /&gt;
| Marc Curphey &lt;br /&gt;
| Marc will happily speak about the WebAppSec industry, SDLC etc. around Europe. You can see him in action at [http://video.hitb.org/2006.html HITB with John Viega] (big download) &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/curphey BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tomb(at)owasp.org Tom Brennan] &lt;br /&gt;
| Based in NYC Metro, Tom is a long time volunteer and OWASP contributor and [http://www.owasp.org/index.php/About_OWASP International Board Member].  He is available for global speaking venues to educate audiences about the OWASP Foundation core mission, how it works and various projects. In addition he also provides regular talks on honeypot research and case-studies about tactical experiences when conducting [http://en.wikipedia.org/wiki/Red_Team Red Team]/Tiger Team assessments involving the application, network, wireless and physical security - [https://www.owasp.org/index.php/User:Brennan BIO]&lt;br /&gt;
| Global &lt;br /&gt;
| [http://www.linkedin.com/in/tombrennan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:thesp0nge@owasp.org Paolo Perego] &lt;br /&gt;
| Paolo is available to talk about [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Orizon project], safe coding and code review issues around Europe in the near October-December. &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/thesp0nge BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:marc.m.morana@gmail.org Marco Morana] &lt;br /&gt;
| Marco is available to talk about [http://iac.dtic.mil/iatac/download/security.pdf Software Security Frameworks] and Secure Code Reviews [https://www.cmpevents.com/CSI33/a.asp?option=G&amp;amp;V=3&amp;amp;id=443342 see 07 CSI conference as reference] in USA around November-December and in Europe around January-February &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/pub/2/a7a/59b BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:sebastien.gioria@owasp.fr Sébastien Gioria] &lt;br /&gt;
| Sebastien is available to talk about WebAppSec, educational purpose on AppSec in French or at least in English around France/Europe/Canada from middle of March 08. You can find some talks on the [http://www.owasp.fr Owasp France Chapter] &lt;br /&gt;
| France/Europe/Canada &lt;br /&gt;
| [http://www.linkedin.com/in/gioria BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:mkraushar@gmail.com Mordecai Kraushar] &lt;br /&gt;
| Mordecai is available to talk about different topics within the Web application security space. One discussion involves the OWASP project [http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project Vicnum], a flexible vulnerable web application that can be used in 'capture the flag' exercises. &lt;br /&gt;
| Northeastern United States &lt;br /&gt;
| [http://www.linkedin.com/in/mkraushar BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:michael.coates@owasp.org Michael Coates] &lt;br /&gt;
| Michael is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Michael has spoken at multiple OWASP conferences and University security courses on topics such as Introduction to Application Security, Automated Defense Systems in Applications, Real Time Detection and Prevention of Application Worms, and security risks in SSL/TLS.  &lt;br /&gt;
| USA/San Francisco &amp;amp; Virtual Presentations&lt;br /&gt;
| [http://www.linkedin.com/in/mcoates BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tobias.gondrom@owasp.org Tobias Gondrom] &lt;br /&gt;
| Tobias is on the London chapter board (and previously Germany chapter lead) and currently member of the OWASP Global Industry committee. He is available to talk on a variety of web application and information security and risk management topics. He gives two different types of presentations - preferred in Asia or Europe: &amp;lt;br&amp;gt;- CISO level: information security, risk management from Secure SDLCs, maturity models, standards and security strategy, to change management and managing application security in large organisations and the OWASP CISO Guide. &amp;lt;br&amp;gt;- Deep technical talks: new security standards and research, involving his work in web security research and as the chair of the web security working group at the IETF. Tobias has spoken at multiple OWASP AppSec and other security conferences, given university guest lectures and full training days on topics like CISO training, browser security, web security, new technologies for channel protection with SSL/TLS, electronic signatures, ...&lt;br /&gt;
| Asia and Europe  &amp;lt;br&amp;gt;(dual based in both regions)&lt;br /&gt;
| [http://uk.linkedin.com/in/gondrom BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:dan.cornell@owasp.org Dan Cornell] &lt;br /&gt;
| Dan Cornell has over twelve years of experience architecting, developing and securing web-based software systems. He speaks on a variety of software development and software security topics such as Vulnerability Management, Software Security Remediation, and Code Review/Static Analysis. Dan is based in San Antonio, TX and available to fly/drive as needed to the site. &lt;br /&gt;
| USA/San Antonio &lt;br /&gt;
| [http://www.denimgroup.com/about_team_dan.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:John.Steven@owasp.org John Steven] &lt;br /&gt;
| John speaks on a variety of topics including &amp;quot;How to build your own application security group&amp;quot;, &amp;quot;Threat Modeling&amp;quot;, &amp;quot;Code Review and Static analysis&amp;quot;, as well as other topics. John has spoken at and given tutorials for multiple OWASP conferences. John frequents New York, Boston, Washington DC, and Charlotte, but is available for travel elsewhere. &lt;br /&gt;
| Washington, DC/USA &lt;br /&gt;
| [http://www.cigital.com/about/team/management.php#jsteven BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:blake@owasp.org Blake Cornell] &lt;br /&gt;
| Blake is available to speak regarding topics including Security v. HIPAA, Penetration Testing Methodologies, Fuzzing and Blended Threats such as attacking VoIP with the OWASP Top 10. Blake lives in the NY Metro area and is available for speaking at regional, national and worldwide events. &lt;br /&gt;
| New York, NY/USA &lt;br /&gt;
| [http://www.linkedin.com/in/blakecornell BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Nick.Coblentz@gmail.com Nick Coblentz] &lt;br /&gt;
| Nick regularly performs research related to secure software development. He is available to present on topics such as the [http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (SAMM)], the [http://nickcoblentz.blogspot.com/2009/06/samm-inteview-template-version-10.html SAMM Interview Template], [http://nickcoblentz.blogspot.com/2009/05/issa-journal-web-application-security.html Building Web Application Security Portfolios], and [http://nickcoblentz.blogspot.com/2009/11/owasp-presentation-on-dec-10-microsoft.html The Microsoft SDL for Agile Development]. Please email Nick if you see articles on his [http://nickcoblentz.blogspot.com/ blog] that you would like him to present. &lt;br /&gt;
| USA/Kansas, Oklahoma, Missouri &lt;br /&gt;
| [http://www.linkedin.com/in/ncoblentz BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:johnccr@yahoo.com Juan Carlos Calderon] &lt;br /&gt;
| Juan has been part of the Application Security industry for 9 years and currently performs research in the application and information security arena. He is available to present &amp;quot;Preparing an strategy for application vulnerability detection&amp;quot;, &amp;quot;Owasp Spanish and Internationalization&amp;quot; and &amp;quot;Análisis y efectos del cibercrimen en Mexico&amp;quot; (Analysis and effects of cybercrime in México). He is also open to talk about other topics related to OWASP materials and tools; send him a note to verify the coverage. &lt;br /&gt;
| Aguascalientes/México &lt;br /&gt;
| [http://www.linkedin.com/in/juancarloscalderon BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:edward@owasp.org Edward Bonver] &lt;br /&gt;
| Edward has over a decade of experience in the software security field. He currently works for Symantec's Product Security Team, where he brings all aspects of secure software development to product teams across the company. He is a frequent speaker at various industry conferences and OWASP events; topics of interest include Threat Modeling and Security Testing.&lt;br /&gt;
| Global(USA/Los Angeles-based)&lt;br /&gt;
| [http://www.linkedin.com/in/bonver BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:ludovic.petit@owasp.org Ludovic Petit] &lt;br /&gt;
| Chapter Leader OWASP France and OWASP Global Connections Committee Member. [https://www.owasp.org/index.php/User:Ludovic_Petit '''Ludovic'''] is living in Paris and is available for speaking on a variety of Web Application Security topics, with however a preference for topics related to Legal responsibilities and Law Enforcement. Ludovic is willing to educate about the OWASP Foundation core mission, and explain why WebApp Security is also linked to Legal and Regulatory aspects. Who is accountable for what, what about each other's responsibilities as well as the Corporate Responsibility when dealing with WebApp Security. &lt;br /&gt;
| France, Europe and elsewhere, if you make yourself the payment of the travel/lodging expenses.&lt;br /&gt;
| [http://www.linkedin.com/in/lpetit BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:magno.logan@owasp.org Magno Logan] &lt;br /&gt;
| OWASP Paraiba Chapter Leader and OWASP Portuguese Language Project Member. Magno (Logan) Rodrigues has an MBA in Information Security and studied Computer Forensics for one year in New York. He has done many talks about OWASP and its main projects at national and international events such as [http://www.ensol.org.br/ ENSOL], [http://gts.nic.br/ GTS] and [https://www.owasp.org/index.php/AppSecLatam2011 App Sec Latam 2011]. Topics of interest include: OWASP Top 10, WebGoat, Java Security, E-commerce Security and Computer Forensics.&lt;br /&gt;
&lt;br /&gt;
| Latin America&lt;br /&gt;
| [https://www.owasp.org/index.php/User:Magno_Logan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:wagner.elias@owasp.org Wagner Elias] &lt;br /&gt;
| Wagner founded the Brazil chapter, is currently Curitiba-Brazil Chapter Leader, and is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Wagner has spoken at various conferences in Brazil.&lt;br /&gt;
&lt;br /&gt;
Topics of interest: Mobile Security; SDL Process and Implementation; Code Review and Application Test&lt;br /&gt;
&lt;br /&gt;
| Brazil&lt;br /&gt;
| [https://www.owasp.org/index.php/User:wagner.elias BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:ramiro.pulgar@owasp.org Ramiro Pulgar] &lt;br /&gt;
| Chapter Leader OWASP Ecuador. [https://www.owasp.org/index.php/User:Ramiro_Pulgar '''milovisho'''] OWASP Ecuador Chapter Leader  &lt;br /&gt;
| Ecuador, Latin America, Global&lt;br /&gt;
| [http://ec.linkedin.com/in/ramiropulgar BIO]&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=138136</id>
		<title>Category:OWASP Speakers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=138136"/>
				<updated>2012-10-25T14:28:55Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This program, led by [[:user:Knoblochmartin|Martin Knobloch]], helps local chapters or application security conferences find OWASP-related speakers so that they can have OWASP presenters on site.&lt;br /&gt;
&lt;br /&gt;
This program allows two parties to find each other:&lt;br /&gt;
&lt;br /&gt;
* Local chapters or application security events that want to attract an OWASP speaker&lt;br /&gt;
* OWASP speakers who want to give OWASP presentations and see the world&lt;br /&gt;
&lt;br /&gt;
For sponsorship, see the [[:Category:OWASP_on_the_Move_Project|OWASP on the Move Project]] page&lt;br /&gt;
&lt;br /&gt;
== available presentations ==&lt;br /&gt;
&lt;br /&gt;
== available speakers  ==&lt;br /&gt;
&lt;br /&gt;
If you want to (re)do an OWASP related presentation, propose them here with your availability boundaries (timing/geographical) &lt;br /&gt;
&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;prettytable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Name &lt;br /&gt;
! Introduction &lt;br /&gt;
! Available Area &lt;br /&gt;
! Bios&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Robert(at)ZakonGroup.com Robert H'obbes' Zakon] &lt;br /&gt;
| Presenter on Web Application Security, OWASP Top 10, PHP Security, and assorted other topics.  Training sessions taught at events such as [http://www.zakongroup.com/technology/services-training.shtml OWASP, ACSAC, and CCS].  Based in New Hampshire, and available for travel worldwide.  Fluent in English, and able to converse in Portuguese.  A developer and consultant for the past decade, formerly a Principal Engineer with MITRE's InfoSec Group. &lt;br /&gt;
| Global (USA/NH-based) &lt;br /&gt;
| [http://www.zakon.org/robert/vitae.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:jmcgovern@virtusa.com James McGovern] &lt;br /&gt;
| Presenter on Enterprise Architecture and Web Application Security, SOA Web Services Security and Federated Identity.   &lt;br /&gt;
| Global (USA/CT-based) &lt;br /&gt;
| [http://www.linkedin.com/in/jamesmcgovern BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:chuck(at)McCulloughAssociates.com Chuck McCullough] &lt;br /&gt;
| Chuck provides training sessions to developers on the Top 10. Chuck welcomes speaking opportunities to any group. Chuck is available in the Texas area and at various other locations in the USA. &lt;br /&gt;
| USA/Texas &lt;br /&gt;
| [http://www.linkedin.com/in/chuckmccullough BIO]&lt;br /&gt;
|-&lt;br /&gt;
| Marc Curphey &lt;br /&gt;
| Marc will happily speak about the WebAppSec industry, SDLC etc. around Europe. You can see him in action at [http://video.hitb.org/2006.html HITB with John Viega] (big download) &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/curphey BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tomb(at)owasp.org Tom Brennan] &lt;br /&gt;
| based in NYC Metro Tom is a long time volunteer and OWASP contributor and [http://www.owasp.org/index.php/About_OWASP International Board Member].  He is available for global speaking venues to educate audiences about the OWASP Foundation core mission, how it works and various projects. In addition he also provides regular talks on honeypot research and case-studies about tactical experiences when conducting [http://en.wikipedia.org/wiki/Red_Team Red Team]/Tiger Team assessments involving the application, network, wireless and physical security - [https://www.owasp.org/index.php/User:Brennan BIO]&lt;br /&gt;
| Global &lt;br /&gt;
| [http://www.linkedin.com/in/tombrennan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:thesp0nge@owasp.org Paolo Perego] &lt;br /&gt;
| Paolo is available to talk about [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Orizon project], safe coding and code review issues around Europe in the near October-December. &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/thesp0nge BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:marc.m.morana@gmail.org Marco Morana] &lt;br /&gt;
| Marco is available to talk about [http://iac.dtic.mil/iatac/download/security.pdf Software Security Frameworks] and Secure Code Reviews [https://www.cmpevents.com/CSI33/a.asp?option=G&amp;amp;V=3&amp;amp;id=443342 see 07 CSI conference as reference] in USA around November-December and in Europe around January-February &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/pub/2/a7a/59b BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:sebastien.gioria@owasp.fr Sébastien Gioria] &lt;br /&gt;
| Sebastien is available to talk about WebAppSec, educational purpose on AppSec in French or at least in English around France/Europe/Canada from middle of March 08. You can find some talks on the [http://www.owasp.fr Owasp France Chapter] &lt;br /&gt;
| France/Europe/Canada &lt;br /&gt;
| [http://www.linkedin.com/in/gioria BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:mkraushar@gmail.com Mordecai Kraushar] &lt;br /&gt;
| Mordecai is available to talk about different topics within the Web application security space. One discussion involves the OWASP project [http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project Vicnum], a flexible vulnerable web application that can be used in 'capture the flag' exercises. &lt;br /&gt;
| Northeastern United States &lt;br /&gt;
| [http://www.linkedin.com/in/mkraushar BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:michael.coates@owasp.org Michael Coates] &lt;br /&gt;
| Michael is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Michael has spoken at multiple OWASP conferences and University security courses on topics such as Introduction to Application Security, Automated Defense Systems in Applications, Real Time Detection and Prevention of Application Worms, and security risks in SSL/TLS.  &lt;br /&gt;
| USA/San Francisco &amp;amp; Virtual Presentations&lt;br /&gt;
| [http://www.linkedin.com/in/mcoates BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tobias.gondrom@owasp.org Tobias Gondrom] &lt;br /&gt;
| Tobias is on the London chapter board (and previously Germany chapter lead) and currently member of the OWASP Global Industry committee. He is available to talk on a variety of web application and information security and risk management topics. He gives two different types of presentations - preferred in Asia or Europe: &amp;lt;br&amp;gt;- CISO level: information security, risk management from Secure SDLCs, maturity models, standards and security strategy, to change management and managing application security in large organisations and the OWASP CISO Guide. &amp;lt;br&amp;gt;- Deep technical talks: new security standards and research, involving his work in web security research and as the chair of the web security working group at the IETF. Tobias has spoken at multiple OWASP AppSec and other security conferences, given university guest lectures and full training days on topics like CISO training, browser security, web security, new technologies for channel protection with SSL/TLS, electronic signatures, ...&lt;br /&gt;
| Asia and Europe  &amp;lt;br&amp;gt;(dual based in both regions)&lt;br /&gt;
| [http://uk.linkedin.com/in/gondrom BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:dan.cornell@owasp.org Dan Cornell] &lt;br /&gt;
| Dan Cornell has over twelve years of experience architecting, developing and securing web-based software systems. He speaks on a variety of software development and software security topics such as Vulnerability Management, Software Security Remediation, and Code Review/Static Analysis. Dan is based in San Antonio, TX and available to fly/drive as needed to the site. &lt;br /&gt;
| USA/San Antonio &lt;br /&gt;
| [http://www.denimgroup.com/about_team_dan.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:John.Steven@owasp.org John Steven] &lt;br /&gt;
| John speaks on a variety of topics including &amp;quot;How to build your own application security group&amp;quot;, &amp;quot;Threat Modeling&amp;quot;, &amp;quot;Code Review and Static analysis&amp;quot;, as well as other topics. John has spoken at and given tutorials for multiple OWASP conferences. John frequents New York, Boston, Washington DC, and Charlotte, but is available for travel elsewhere. &lt;br /&gt;
| Washington, DC/USA &lt;br /&gt;
| [http://www.cigital.com/about/team/management.php#jsteven BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:blake@owasp.org Blake Cornell] &lt;br /&gt;
| Blake is available to speak regarding topics including Security v. HIPAA, Penetration Testing Methodologies, Fuzzing and Blended Threats such as attacking VoIP with the OWASP Top 10. Blake lives in the NY Metro area and is available for speaking at regional, national and worldwide events. &lt;br /&gt;
| New York, NY/USA &lt;br /&gt;
| [http://www.linkedin.com/in/blakecornell BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Nick.Coblentz@gmail.com Nick Coblentz] &lt;br /&gt;
| Nick regularly performs research related to secure software development. He is available to present on topics such as the [http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (SAMM)], the [http://nickcoblentz.blogspot.com/2009/06/samm-inteview-template-version-10.html SAMM Interview Template], [http://nickcoblentz.blogspot.com/2009/05/issa-journal-web-application-security.html Building Web Application Security Portfolios], and [http://nickcoblentz.blogspot.com/2009/11/owasp-presentation-on-dec-10-microsoft.html The Microsoft SDL for Agile Development]. Please email Nick if you see articles on his [http://nickcoblentz.blogspot.com/ blog] that you would like him to present. &lt;br /&gt;
| USA/Kansas, Oklahoma, Missouri &lt;br /&gt;
| [http://www.linkedin.com/in/ncoblentz BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:johnccr@yahoo.com Juan Carlos Calderon] &lt;br /&gt;
| Juan has been part of the Application Security industry for 9 years and currently performs research in the application and information security arena. He is available to present &amp;quot;Preparing an strategy for application vulnerability detection&amp;quot;, &amp;quot;Owasp Spanish and Internationalization&amp;quot; and &amp;quot;Análisis y efectos del cibercrimen en Mexico&amp;quot; (Analysis and effects of cybercrime in México). He is also open to talk about other topics related to OWASP materials and tools; send him a note to verify the coverage. &lt;br /&gt;
| Aguascalientes/México &lt;br /&gt;
| [http://www.linkedin.com/in/juancarloscalderon BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:edward@owasp.org Edward Bonver] &lt;br /&gt;
| Edward has over a decade of experience in the software security field. He currently works for Symantec's Product Security Team, where he brings all aspects of secure software development to product teams across the company. He is a frequent speaker at various industry conferences and OWASP events; topics of interest include Threat Modeling and Security Testing.&lt;br /&gt;
| Global(USA/Los Angeles-based)&lt;br /&gt;
| [http://www.linkedin.com/in/bonver BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:ludovic.petit@owasp.org Ludovic Petit] &lt;br /&gt;
| Chapter Leader OWASP France and OWASP Global Connections Committee Member. [https://www.owasp.org/index.php/User:Ludovic_Petit '''Ludovic'''] is living in Paris and is available for speaking on a variety of Web Application Security topics, with however a preference for topics related to Legal responsibilities and Law Enforcement. Ludovic is willing to educate about the OWASP Foundation core mission, and explain why WebApp Security is also linked to Legal and Regulatory aspects. Who is accountable for what, what about each other's responsibilities as well as the Corporate Responsibility when dealing with WebApp Security. &lt;br /&gt;
| France, Europe and elsewhere, if you make yourself the payment of travel expenses.&lt;br /&gt;
| [http://www.linkedin.com/in/lpetit BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:magno.logan@owasp.org Magno Logan] &lt;br /&gt;
| OWASP Paraiba Chapter Leader and OWASP Portuguese Language Project Member. Magno (Logan) Rodrigues has an MBA in Information Security and studied Computer Forensics for one year in New York. He has done many talks about OWASP and its main projects at national and international events such as [http://www.ensol.org.br/ ENSOL], [http://gts.nic.br/ GTS] and [https://www.owasp.org/index.php/AppSecLatam2011 App Sec Latam 2011]. Topics of interest include: OWASP Top 10, WebGoat, Java Security, E-commerce Security and Computer Forensics.&lt;br /&gt;
&lt;br /&gt;
| Latin America&lt;br /&gt;
| [https://www.owasp.org/index.php/User:Magno_Logan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:wagner.elias@owasp.org Wagner Elias] &lt;br /&gt;
| Wagner founded the Brazil chapter, is currently Curitiba-Brazil Chapter Leader, and is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Wagner has spoken at various conferences in Brazil.&lt;br /&gt;
&lt;br /&gt;
Topics of interest: Mobile Security; SDL Process and Implementation; Code Review and Application Test&lt;br /&gt;
&lt;br /&gt;
| Brazil&lt;br /&gt;
| [https://www.owasp.org/index.php/User:wagner.elias BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:ramiro.pulgar@owasp.org Ramiro Pulgar] &lt;br /&gt;
| Chapter Leader OWASP Ecuador. [https://www.owasp.org/index.php/User:Ramiro_Pulgar '''milovisho'''] OWASP Ecuador Chapter Leader  &lt;br /&gt;
| Ecuador, Latin America, Global&lt;br /&gt;
| [http://ec.linkedin.com/in/ramiropulgar BIO]&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=138135</id>
		<title>Category:OWASP Speakers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=138135"/>
				<updated>2012-10-25T14:26:59Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This program, led by [[:user:Knoblochmartin|Martin Knobloch]], helps local chapters or application security conferences find OWASP-related speakers so that they can have OWASP presenters on site.&lt;br /&gt;
&lt;br /&gt;
This program allows two parties to find each other:&lt;br /&gt;
&lt;br /&gt;
* Local chapters or application security events that want to attract an OWASP speaker&lt;br /&gt;
* OWASP speakers who want to give OWASP presentations and see the world&lt;br /&gt;
&lt;br /&gt;
For sponsorship, see the [[:Category:OWASP_on_the_Move_Project|OWASP on the Move Project]] page&lt;br /&gt;
&lt;br /&gt;
== available presentations ==&lt;br /&gt;
&lt;br /&gt;
== available speakers  ==&lt;br /&gt;
&lt;br /&gt;
If you want to (re)do an OWASP related presentation, propose them here with your availability boundaries (timing/geographical) &lt;br /&gt;
&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;prettytable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Name &lt;br /&gt;
! Introduction &lt;br /&gt;
! Available Area &lt;br /&gt;
! Bios&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Robert(at)ZakonGroup.com Robert H'obbes' Zakon] &lt;br /&gt;
| Presenter on Web Application Security, OWASP Top 10, PHP Security, and assorted other topics.  Training sessions taught at events such as [http://www.zakongroup.com/technology/services-training.shtml OWASP, ACSAC, and CCS].  Based in New Hampshire, and available for travel worldwide.  Fluent in English, and able to converse in Portuguese.  A developer and consultant for the past decade, formerly a Principal Engineer with MITRE's InfoSec Group. &lt;br /&gt;
| Global (USA/NH-based) &lt;br /&gt;
| [http://www.zakon.org/robert/vitae.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:jmcgovern@virtusa.com James McGovern] &lt;br /&gt;
| Presenter on Enterprise Architecture and Web Application Security, SOA Web Services Security and Federated Identity.   &lt;br /&gt;
| Global (USA/CT-based) &lt;br /&gt;
| [http://www.linkedin.com/in/jamesmcgovern BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:chuck(at)McCulloughAssociates.com Chuck McCullough] &lt;br /&gt;
| Chuck provides training sessions to developers on the Top 10. Chuck welcomes speaking opportunities to any group. Chuck is available in the Texas area and at various other locations in the USA. &lt;br /&gt;
| USA/Texas &lt;br /&gt;
| [http://www.linkedin.com/in/chuckmccullough BIO]&lt;br /&gt;
|-&lt;br /&gt;
| Marc Curphey &lt;br /&gt;
| Marc will happily speak about the WebAppSec industry, SDLC etc. around Europe. You can see him in action at [http://video.hitb.org/2006.html HITB with John Viega] (big download) &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/curphey BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tomb(at)owasp.org Tom Brennan] &lt;br /&gt;
| based in NYC Metro Tom is a long time volunteer and OWASP contributor and [http://www.owasp.org/index.php/About_OWASP International Board Member].  He is available for global speaking venues to educate audiences about the OWASP Foundation core mission, how it works and various projects. In addition he also provides regular talks on honeypot research and case-studies about tactical experiences when conducting [http://en.wikipedia.org/wiki/Red_Team Red Team]/Tiger Team assessments involving the application, network, wireless and physical security - [https://www.owasp.org/index.php/User:Brennan BIO]&lt;br /&gt;
| Global &lt;br /&gt;
| [http://www.linkedin.com/in/tombrennan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:thesp0nge@owasp.org Paolo Perego] &lt;br /&gt;
| Paolo is available to talk about [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Orizon project], safe coding and code review issues around Europe in the near October-December. &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/thesp0nge BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:marc.m.morana@gmail.org Marco Morana] &lt;br /&gt;
| Marco is available to talk about [http://iac.dtic.mil/iatac/download/security.pdf Software Security Frameworks] and Secure Code Reviews [https://www.cmpevents.com/CSI33/a.asp?option=G&amp;amp;V=3&amp;amp;id=443342 see 07 CSI conference as reference] in USA around November-December and in Europe around January-February &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/pub/2/a7a/59b BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:sebastien.gioria@owasp.fr Sébastien Gioria] &lt;br /&gt;
| Sebastien is available to talk about WebAppSec, educational purpose on AppSec in French or at least in English around France/Europe/Canada from middle of March 08. You can find some talks on the [http://www.owasp.fr Owasp France Chapter] &lt;br /&gt;
| France/Europe/Canada &lt;br /&gt;
| [http://www.linkedin.com/in/gioria BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:mkraushar@gmail.com Mordecai Kraushar] &lt;br /&gt;
| Mordecai is available to talk about different topics within the Web application security space. One discussion involves the OWASP project [http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project Vicnum], a flexible vulnerable web application that can be used in 'capture the flag' exercises. &lt;br /&gt;
| Northeastern United States &lt;br /&gt;
| [http://www.linkedin.com/in/mkraushar BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:michael.coates@owasp.org Michael Coates] &lt;br /&gt;
| Michael is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Michael has spoken at multiple OWASP conferences and University security courses on topics such as Introduction to Application Security, Automated Defense Systems in Applications, Real Time Detection and Prevention of Application Worms, and security risks in SSL/TLS.  &lt;br /&gt;
| USA/San Francisco &amp;amp; Virtual Presentations&lt;br /&gt;
| [http://www.linkedin.com/in/mcoates BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tobias.gondrom@owasp.org Tobias Gondrom] &lt;br /&gt;
| Tobias is on the London chapter board (and previously Germany chapter lead) and currently member of the OWASP Global Industry committee. He is available to talk on a variety of web application and information security and risk management topics. He gives two different types of presentations - preferred in Asia or Europe: &amp;lt;br&amp;gt;- CISO level: information security, risk management from Secure SDLCs, maturity models, standards and security strategy, to change management and managing application security in large organisations and the OWASP CISO Guide. &amp;lt;br&amp;gt;- Deep technical talks: new security standards and research, involving his work in web security research and as the chair of the web security working group at the IETF. Tobias has spoken at multiple OWASP AppSec and other security conferences, given university guest lectures and full training days on topics like CISO training, browser security, web security, new technologies for channel protection with SSL/TLS, electronic signatures, ...&lt;br /&gt;
| Asia and Europe  &amp;lt;br&amp;gt;(dual based in both regions)&lt;br /&gt;
| [http://uk.linkedin.com/in/gondrom BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:dan.cornell@owasp.org Dan Cornell] &lt;br /&gt;
| Dan Cornell has over twelve years of experience architecting, developing and securing web-based software systems. He speaks on a variety of software development and software security topics such as Vulnerability Management, Software Security Remediation, and Code Review/Static Analysis. Dan is based in San Antonio, TX and available to fly/drive as needed to the site. &lt;br /&gt;
| USA/San Antonio &lt;br /&gt;
| [http://www.denimgroup.com/about_team_dan.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:John.Steven@owasp.org John Steven] &lt;br /&gt;
| John speaks on a variety of topics including &amp;quot;How to build your own application security group&amp;quot;, &amp;quot;Threat Modeling&amp;quot;, &amp;quot;Code Review and Static analysis&amp;quot;, as well as other topics. John has spoken at and given tutorials for multiple OWASP conferences. John frequents New York, Boston, Washington DC, and Charlotte, but is available for travel elsewhere. &lt;br /&gt;
| Washington, DC/USA &lt;br /&gt;
| [http://www.cigital.com/about/team/management.php#jsteven BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:blake@owasp.org Blake Cornell] &lt;br /&gt;
| Blake is available to speak regarding topics including Security v. HIPAA, Penetration Testing Methodologies, Fuzzing and Blended Threats such as attacking VoIP with the OWASP Top 10. Blake lives in the NY Metro area and is available for speaking at regional, national and worldwide events. &lt;br /&gt;
| New York, NY/USA &lt;br /&gt;
| [http://www.linkedin.com/in/blakecornell BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Nick.Coblentz@gmail.com Nick Coblentz] &lt;br /&gt;
| Nick regularly performs research related to secure software development. He is available to present on topics such as the [http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (SAMM)], the [http://nickcoblentz.blogspot.com/2009/06/samm-inteview-template-version-10.html SAMM Interview Template], [http://nickcoblentz.blogspot.com/2009/05/issa-journal-web-application-security.html Building Web Application Security Portfolios], and [http://nickcoblentz.blogspot.com/2009/11/owasp-presentation-on-dec-10-microsoft.html The Microsoft SDL for Agile Development]. Please email Nick if you see articles on his [http://nickcoblentz.blogspot.com/ blog] that you would like him to present. &lt;br /&gt;
| USA/Kansas, Oklahoma, Missouri &lt;br /&gt;
| [http://www.linkedin.com/in/ncoblentz BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:johnccr@yahoo.com Juan Carlos Calderon] &lt;br /&gt;
| Juan has been part of the Application Security industry for 9 years and currently performs research in the application and information security arena. He is available to present &amp;quot;Preparing an strategy for application vulnerability detection&amp;quot;, &amp;quot;Owasp Spanish and Internationalization&amp;quot; and &amp;quot;Análisis y efectos del cibercrimen en Mexico&amp;quot; (Analysis and effects of cybercrime in México). He is also open to talk about other topics related to OWASP materials and tools; send him a note to verify the coverage. &lt;br /&gt;
| Aguascalientes/México &lt;br /&gt;
| [http://www.linkedin.com/in/juancarloscalderon BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:edward@owasp.org Edward Bonver] &lt;br /&gt;
| Edward has over a decade of experience in the software security field. He currently works for Symantec's Product Security Team, where he brings all aspects of secure software development to product teams across the company. He is a frequent speaker at various industry conferences and OWASP events; topics of interest include Threat Modeling and Security Testing.&lt;br /&gt;
| Global(USA/Los Angeles-based)&lt;br /&gt;
| [http://www.linkedin.com/in/bonver BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:ludovic.petit@owasp.org Ludovic Petit] &lt;br /&gt;
| Chapter Leader OWASP France and OWASP Global Connections Committee Member. [https://www.owasp.org/index.php/User:Ludovic_Petit '''Ludovic'''] is living in Paris and is available for speaking on a variety of Web Application Security topics, with however a preference for topics related to Legal responsibilities and Law Enforcement. Ludovic is willing to educate about the OWASP Foundation core mission, and explain why WebApp Security is also linked to Legal and Regulatory aspects. Who is accountable for what, what about each other's responsibilities as well as the Corporate Responsibility when dealing with WebApp Security. &lt;br /&gt;
| France, Europe and elsewhere, depending on my availabilities and if you make yourself the payment of travel expenses.&lt;br /&gt;
| [http://www.linkedin.com/in/lpetit BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:magno.logan@owasp.org Magno Logan] &lt;br /&gt;
| OWASP Paraiba Chapter Leader and OWASP Portuguese Language Project Member. Magno (Logan) Rodrigues has an MBA in Information Security and studied Computer Forensics for one year in New York. He has given many talks about OWASP and its main projects at national and international events such as [http://www.ensol.org.br/ ENSOL], [http://gts.nic.br/ GTS] and [https://www.owasp.org/index.php/AppSecLatam2011 App Sec Latam 2011]. Topics of interest include: OWASP Top 10, WebGoat, Java Security, E-commerce Security and Computer Forensics.&lt;br /&gt;
&lt;br /&gt;
| Latin America&lt;br /&gt;
| [https://www.owasp.org/index.php/User:Magno_Logan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:wagner.elias@owasp.org Wagner Elias] &lt;br /&gt;
| Wagner founded the Brazil chapter, is currently the Curitiba-Brazil Chapter Leader, and is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Wagner has spoken at various conferences in Brazil.&lt;br /&gt;
&lt;br /&gt;
Topics of interest: Mobile Security; SDL Process and Implementation; Code Review and Application Test&lt;br /&gt;
&lt;br /&gt;
| Brazil&lt;br /&gt;
| [https://www.owasp.org/index.php/User:wagner.elias BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:ramiro.pulgar@owasp.org Ramiro Pulgar] &lt;br /&gt;
| Chapter Leader OWASP Ecuador. [https://www.owasp.org/index.php/User:Ramiro_Pulgar '''milovisho'''] OWASP Ecuador Chapter Leader  &lt;br /&gt;
| Ecuador, Latin America, Global&lt;br /&gt;
| [http://ec.linkedin.com/in/ramiropulgar BIO]&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=France&amp;diff=138075</id>
		<title>France</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=France&amp;diff=138075"/>
				<updated>2012-10-23T13:37:58Z</updated>
		
		<summary type="html">&lt;p&gt;Ludovic Petit: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=France|extra=The '''Chapter Leaders''' are [mailto:sebastien.gioria@owasp.org Sebastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit''']|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-france|emailarchives=http://lists.owasp.org/pipermail/owasp-france}}'''&lt;br /&gt;
&amp;lt;paypal&amp;gt;France Chapter&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''The French Chapter is also available on LinkedIn''': [http://www.linkedin.com/groupInvitation?gid=1638517  '''Join us''', it only takes a minute!]&lt;br /&gt;
&lt;br /&gt;
== Contacts and Proposals for Presentations/Contributions ==&lt;br /&gt;
&lt;br /&gt;
*[mailto:sebastien.gioria@owasp.org S&amp;amp;eacute;bastien Gioria] and [mailto:ludovic.petit@owasp.org Ludovic Petit] are at your disposal if you would like information about OWASP or about Web Application Security.&lt;br /&gt;
&lt;br /&gt;
Companies, individuals, academia, sponsors, supporters: everyone is welcome at OWASP.&lt;br /&gt;
&lt;br /&gt;
For companies wishing to join OWASP, the annual membership fee of $5000 US (40% of which is passed on to the Chapter of your choice) is 100% deductible! &lt;br /&gt;
&lt;br /&gt;
The funds collected are used to organize Chapter meetings, but also and above all to build and organize with you a specific approach according to your wishes (awareness sessions, internal meetings, speaker engagements, etc.). All of this can be discussed with the French Chapter and agreed jointly with you if you wish to join OWASP. &lt;br /&gt;
&lt;br /&gt;
Do not hesitate to contact us if you would like to discuss a particular topic, or if you would like to give a presentation at a France Chapter meeting.&lt;br /&gt;
&lt;br /&gt;
Friends in the print and multimedia press, do not hesitate to call on us if you would like our help with your articles and reports; you are welcome and we would be honored. We need you too.&lt;br /&gt;
&lt;br /&gt;
We remain modest in our approach, but we truly want the OWASP France Chapter to become one of your reference contacts. '''Together, each one does more'''!&lt;br /&gt;
&lt;br /&gt;
                                      '''TEAM stands for... Together Each Achieves More!'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
==Looking Forward… and Beyond, Distinctiveness Through Security Excellence==&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/5/50/Looking_Forward%E2%80%A6_and_Beyond.pptx Looking Forward… and Beyond]&amp;quot;&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Here is a presentation I gave in Sept for a big Software maker in an internal meeting (the name has been anonymized on request).&lt;br /&gt;
Even if most of you already know the stuff, this presentation has been structured and aims to be re-used at your convenience depending on the needs / your context. Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes or when talking memberships for joining OWASP. &lt;br /&gt;
The first 2 parts are more an update for those who are not yet familiar with OWASP, the third part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.&lt;br /&gt;
1st part is about OWASP.&lt;br /&gt;
2nd part is an update about the main OWASP Projects and Reboot.&lt;br /&gt;
3rd part is about Legal, the evolution of the legal framework, with a focus on the question &amp;quot;Developers, Software makers held liable for code?&amp;quot;&lt;br /&gt;
I hope this helps anyway. Enjoy!&lt;br /&gt;
&lt;br /&gt;
 '''Speaker''' : Ludovic Petit &lt;br /&gt;
&lt;br /&gt;
==28 March 2012 First-Quarter Meeting==&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : &amp;quot;[https://www.owasp.org/images/6/6d/Developer_Top_Ten_Core_Controls_v4.1.pptx Top Ten Web Defenses]&amp;quot;&lt;br /&gt;
 '''Abstract''' :  &lt;br /&gt;
Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. &lt;br /&gt;
This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications. &lt;br /&gt;
Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
This talk will also detail several of the key access control anti-patterns commonly found during website security audits. &lt;br /&gt;
These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. &lt;br /&gt;
In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico &lt;br /&gt;
Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. &lt;br /&gt;
He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.&lt;br /&gt;
 '''Online registration at''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== 7 and 8 February 2012 - [http://www.microsoft.com/france/mstechdays/ Techdays Microsoft 2012] ==&lt;br /&gt;
&lt;br /&gt;
Sébastien will give a talk on [http://www.microsoft.com/france/mstechdays/programmes/parcours.aspx?SessionID=62e02774-6045-4be8-80ff-8332a793ad4f HTML5 and Security] on 7 February 2012 at 17h30. &lt;br /&gt;
More information on the page dedicated to TechDays Microsoft 2012.&lt;br /&gt;
&lt;br /&gt;
== 6 January 2012 - New Working Group on Web Services Security at [http://www.clusif.fr CLUSIF] ==&lt;br /&gt;
&lt;br /&gt;
As a continuation of the Working Group on Web Application Security initially created in 2009, CLUSIF has launched a new working group on Web Services security. Do not hesitate to take part if you are interested. CLUSIF is looking for users for this working group and for people working in Microsoft environments, so as to have the broadest possible panel for this document.&lt;br /&gt;
&lt;br /&gt;
Contact : [mailto:sebastien.gioria@owasp.org Sébastien Gioria]&lt;br /&gt;
&lt;br /&gt;
== 19 December 2011 - Publication of the second [http://www.clusif.fr CLUSIF] document on Web Application Security ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF has published its second document, [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Defense-en-profondeur-des-applications-Web.pdf Défense en profondeur des applications Web] (Defense in depth of Web applications). This document follows the [http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf first document published in 2009]. &lt;br /&gt;
&lt;br /&gt;
== 15 December 2011 [http://www.clusif.fr CLUSIF] Conference on [http://www.clusif.fr/fr/infos/event/#conf111215 Web application security] ==&lt;br /&gt;
&lt;br /&gt;
CLUSIF held the Web Application Security conference on Thursday 15 December 2011 at the Cercle National des Armées.&lt;br /&gt;
The program was: &lt;br /&gt;
&lt;br /&gt;
* Setting up an application security policy: lessons learned by a CISO, by Philippe LARUE - Security Manager - [http://www.cbp-prevoyance.com/ CBP]&lt;br /&gt;
* Source code review or application security testing: which is more efficient for assessing an application's security level? by Sébastien GIORIA - Senior Consultant [http://www.groupey.fr Groupe Y] and leader of the French chapter of [https://www.owasp.org OWASP] - OWASP France&lt;br /&gt;
* The regulatory stakes of protecting online information, by Garance MATHIAS - Lawyer - Law firm&lt;br /&gt;
&lt;br /&gt;
The presentations are available on the [http://www.clusif.fr CLUSIF] website; videos of the talks will also be available.&lt;br /&gt;
&lt;br /&gt;
== 2 December 2011 - [[OWASP BeNeLux 2011 Conference - University of Luxembourg]] ==&lt;br /&gt;
&lt;br /&gt;
Ludovic gave a talk about &amp;quot;[https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#tab=Conference.2C_December_2nd WebApp Security and Legal aspects]&amp;quot; on Dec 2.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**This presentation aims to be used by anybody willing to spread the voice of OWASP. See this as an Awareness session.&lt;br /&gt;
**Use it and use it again. &lt;br /&gt;
**Try to open your mind, just let me know if I can help. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/5/55/Do_you..._Legal_-_OWASP_BeNeLux_Day_-_2_Dec_2011.pptx Do you... Legal?]&amp;quot;'''&lt;br /&gt;
**The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsibility, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is especially true for Web Application Security, much sensitive information having to be handled through these web interfaces. As such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [[EUROPE - ENISA’s Who-is-Who Directory on Network and Information Security]] ===&lt;br /&gt;
&lt;br /&gt;
We are pleased to announce that OWASP France is part of the [http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011 ENISA’s Who-is-Who Directory].&lt;br /&gt;
&lt;br /&gt;
The ENISA is the European Network and Information Security Agency.&lt;br /&gt;
[http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011/at_download/fullReport The ENISA Who-is-Who Directory on Network and Information Security 2011] contains information on NIS stakeholders, such as national and European authorities and NIS organisations, contact details, websites, and areas of responsibilities or activities. &lt;br /&gt;
This Directory serves as the &amp;quot;yellow pages&amp;quot; of Network and Information Security (NIS) in Europe. As such, it is a useful tool for those working closely with NIS issues in Europe.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OWASP France Call for Contributions =&lt;br /&gt;
&lt;br /&gt;
The Chapter's various calls for contributions (sponsors, talks, etc.) will be relayed here.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= External Calls for Contributions =&lt;br /&gt;
&lt;br /&gt;
Calls for contributions that we consider of interest to the Chapter will be relayed here. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Meetings 2012 =&lt;br /&gt;
&lt;br /&gt;
== Q1 2012 ==&lt;br /&gt;
 '''Date''' : 28 March 2012&lt;br /&gt;
 '''Venue''' : Groupe Y Audit - 69 Rue de la Boëtie - 75 Paris - Métro Saint Philippe du Roule &lt;br /&gt;
 '''Time''' : Doors open 17h30 - Presentation starts 18h&lt;br /&gt;
 '''Presentation''' : Web Application Access Control Design Excellence&lt;br /&gt;
 '''Abstract''' : Access Control is a necessary security control at almost every layer within a web application. &lt;br /&gt;
                    This talk will discuss several of the key access control anti-patterns commonly found during &lt;br /&gt;
                     website security audits. These access control anti-patterns include hard-coded security policies, &lt;br /&gt;
                     lack of horizontal access control, and &amp;quot;fail open&amp;quot; access control mechanisms. In reviewing these&lt;br /&gt;
                     and other access control problems, we will discuss and design a positive access control mechanism &lt;br /&gt;
                     that is data contextual, activity based, configurable, flexible, and deny-by-default - among other&lt;br /&gt;
                     positive design attributes that make up a robust web-based access-control mechanism.&lt;br /&gt;
 '''Speaker''' : Jim Manico&lt;br /&gt;
 '''Online registration here''' : http://201203owaspfr.eventbrite.com/&lt;br /&gt;
&lt;br /&gt;
== Q2 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q3 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
== Q4 2012 ==&lt;br /&gt;
* Date : To be defined&lt;br /&gt;
* Time : To be defined&lt;br /&gt;
* Venue : Groupe Y Audit - 69 Rue de la Boëtie - 75008 Paris&lt;br /&gt;
* Program :&lt;br /&gt;
** Talk 1 : &lt;br /&gt;
*** Lang : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
&lt;br /&gt;
** Talk 2 : &lt;br /&gt;
***Speaker bio&lt;br /&gt;
*** Lang : &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= 2011 Meetings =&lt;br /&gt;
&lt;br /&gt;
=== [[May 2011 - Paris Meeting]] ===&lt;br /&gt;
&lt;br /&gt;
[Logo to be placed here]&lt;br /&gt;
&lt;br /&gt;
We are honored to welcome '''Jim Manico''' during his European Tour in the Netherlands, Belgium and France.&lt;br /&gt;
&lt;br /&gt;
*'''Overview'''&lt;br /&gt;
**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document &amp;amp; Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle. &lt;br /&gt;
**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them. &lt;br /&gt;
**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered. &lt;br /&gt;
**If you are interested in participating in the hands on portion of the course, please bring a laptop. &lt;br /&gt;
&lt;br /&gt;
*'''Abstract Title: &amp;quot;[https://www.owasp.org/images/f/f4/Future_of_XSS_v4.pptx The Ghost of XSS Past, Present and Future. A Defensive Tale]&amp;quot;'''&lt;br /&gt;
**This talk will discuss the past methods used for XSS defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google CAJA project and JSReg. &lt;br /&gt;
&lt;br /&gt;
*'''Speaker'''&lt;br /&gt;
**'''Jim Manico''' is a managing partner of Infrared Security with over 15 years of professional web development experience. Jim is also the Chair of the OWASP Connections Committee, one of the Project Managers of the OWASP ESAPI Project, a participant and manager of the OWASP Cheatsheet series, the Producer and host of the OWASP Podcast Series, the Manager of the OWASP Java HTML Sanitizer project and the manager of the OWASP Java Encoder project. When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.&lt;br /&gt;
&lt;br /&gt;
*'''Date'''&lt;br /&gt;
**May 24, 2011 &lt;br /&gt;
&lt;br /&gt;
*'''Venue'''&lt;br /&gt;
**Paris&lt;br /&gt;
&lt;br /&gt;
*'''Registration'''&lt;br /&gt;
**[http://www.regonline.com/Register/Checkin.aspx?EventID=971375 Click here]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 26 April 2011 ==&lt;br /&gt;
&lt;br /&gt;
'''26 April 2011 at the premises of [http://www.groupey.fr/nos-cabinets-paris.html GROUPE Y] :'''&lt;br /&gt;
&lt;br /&gt;
* 9:00: [https://www.owasp.org/images/2/2f/Agenda_26th_April_2011.pptx Introduction] - '''Ludovic Petit''' &amp;amp; '''Sébastien Gioria'''&lt;br /&gt;
* 9:30: [https://www.owasp.org/images/3/36/OPENSAMM2.pptx OpenSAMM] - '''Antonio Fontes''' (Chapter Leader OWASP Geneva) &lt;br /&gt;
* 11:00: [https://www.owasp.org/images/c/cf/OWASP_Cloud_Top_10.pptx OWASP Cloud Top 10 Project] - '''Ludovic Petit''' (Chapter Leader OWASP France &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 11:45: [https://www.owasp.org/images/5/5c/ESAPI_Swingset_talk_at_Paris.ppt OWASP ESAPI] - '''Fabio Cerullo''' (Chapter Leader OWASP Ireland &amp;amp; Global Education Committee)&lt;br /&gt;
* 14:15: [https://www.owasp.org/images/3/38/OWASP_Testing_Guide.pptx OWASP Testing Guide]  - '''Sébastien Gioria''' (French Chapter Leader &amp;amp; OWASP Global Education Committee Member)&lt;br /&gt;
* 15:15: [http://o2platform.com OWASP O2 Platform - Live Session] - '''Dinis Cruz''' (OWASP O2 Project Leader)&lt;br /&gt;
* 16:30: [https://www.owasp.org/images/9/96/OWASP-Paris2011-VV-CodeReview.pdf OWASP Code Review] - '''Victor Vuillard'''&lt;br /&gt;
&lt;br /&gt;
= 2009 Meetings =&lt;br /&gt;
&lt;br /&gt;
'''6 May 2009 at 17h30 at [http://www.epitech.eu EPITECH] :'''&lt;br /&gt;
&lt;br /&gt;
* 17h30 : Welcome of participants&lt;br /&gt;
* 18h - 18h 15 : [http://www.owasp.org/images/d/dc/OWASP_Paris_Meeting_-_May_2009.pdf Welcome and overview of agenda] '''(Board OWASP France)'''&lt;br /&gt;
* 18h30 - 19h : [http://www.owasp.org/images/6/6b/2009-05-06-OWASPFR-WebServices.pdf Attaques sur les Web Services] (Attacks on Web Services) - '''Renaud Bidou'''&lt;br /&gt;
* 19h15 - 19h45 : [http://www.owasp.org/images/8/82/2009-05-06-OWASPFR-OpenSAM.pdf Software Security Initiatives in the Real World] - '''Claudio Merloni'''&lt;br /&gt;
* 20h : Close &lt;br /&gt;
&lt;br /&gt;
About the Speakers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Renaud Bidou :''' ''Technical Director of DenyAll. He has worked in security for more than 10 years and has published numerous articles and white papers on subjects as varied as denial of service, port knockers, botnets, setting up a SOC, graphical analysis of attacks, and evasion techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''''Claudio Merloni : '''''Claudio Merloni is a Software Security Consultant at Fortify Software. His experience in the security field covers application security, code review, secure architectures, risk analysis, compliance, security testing at network, system and application level, monitoring, and access control. He has taken part in several conferences, including BlackHat and CONFidence.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Venue: EPITECH'''&lt;br /&gt;
&lt;br /&gt;
Amphi 2&lt;br /&gt;
&lt;br /&gt;
14-16 rue Voltaire&lt;br /&gt;
&lt;br /&gt;
94276 Kremlin Bicêtre Cedex &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
''Getting there: Metro''&lt;br /&gt;
* line 7 : Porte d'Italie&lt;br /&gt;
&lt;br /&gt;
''Bus''&lt;br /&gt;
* lines 47, 125, 131, 185 : Roger Salengro&lt;br /&gt;
* line 186 : Pierre Brossolette &amp;lt;br/&amp;gt; &lt;br /&gt;
&lt;br /&gt;
''Car''&lt;br /&gt;
* ring road (périphérique) : exit Porte d'Italie &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Translation effort =&lt;br /&gt;
&lt;br /&gt;
* The '''OWASP TOP Ten 2010 in French''' is [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf available]&lt;br /&gt;
* 2010-08-30 : The French version of the Top 10 2010 is available [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project] &lt;br /&gt;
* 2008-02-15 : The Top10 2007 is available in French [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.pdf PDF format], [https://www.owasp.org/index.php/Image:OWASP_Top_10_2007_-_French.doc Word format]&lt;br /&gt;
* 2007-11-16 : [https://www.owasp.org/images/5/52/Owasp_tryptique.pdf Two-page double-sided leaflet] introducing OWASP, for Infosecurity.&lt;br /&gt;
* 2007-02-27 : [[Newsletter_francaise_num%C3%A9ro_1]]&lt;br /&gt;
* 2007-06-20 : OWASP presentation given in NY in June 2007 [https://www.owasp.org/images/7/71/20070620-FR-OWASP_NY_Keynote.ppt]&lt;br /&gt;
[[Category:Europe]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Old News = &lt;br /&gt;
&lt;br /&gt;
* 2009-06-09 : [http://www.owasp.org/images/d/d2/20090609-CERT-IST-WAF-v0.1.pdf Talk on WAFs] at the [http://www.cert-ist.com CERT-IST] Forum &lt;br /&gt;
* 2009-02-03 : OWASP France will be present at [http://www.pci-portal.com/events/event-info/paris PCI Paris]. The presentation is: [https://www.owasp.org/images/f/fb/20090203-OWASP_PCI-Global_2009_Paris_-_v03.ppt OWASP and PCI-DSS requirement 6.5]&lt;br /&gt;
* 2008-11-19 : OWASP France will be present at [http://www.infosecurity.com.fr/FR/badge?ref=OWAW Infosecurity France] in Paris:&lt;br /&gt;
[http://www.infosecurity.com.fr/index.php?argRedirect=FR|badge&amp;amp;Lang=FR&amp;amp;ref=OWAW https://www.owasp.org/images/8/88/Infosecurity.gif]&lt;br /&gt;
&lt;br /&gt;
* 2008-07-08 : OWASP France presented the OWASP project to [http://www.ossir.org OSSIR]. The presentation is available on the [https://www.owasp.org/images/9/94/20080708-OWASP_OSSIR.ppt OWASP] site&lt;br /&gt;
* 2008-02-15 : The Top10 2007 is available in French&lt;br /&gt;
* 2008-02-11 : Presentation at [http://www.owasp.org/images/0/09/20080129-OWASP_TechDays_France_.ppt  TechDays 2008 Microsoft ]&lt;br /&gt;
* 2007-11-22 : Presentation at Infosecurity France [http://www.owasp.org/images/8/85/20071122-OWASP_Infosecurity_France.ppt by OWASP]&lt;br /&gt;
* 2007-11-07 : Interview in the [http://www.journaldunet.com/developpeur/itws/071106-securite-applicative-owasp.shtml Journal du Net]&lt;br /&gt;
* 2007-10-05 : OWASP France will present the security challenges of [http://www.infosecurity.com.fr/?Jpto=116&amp;amp;KM_Session=f345bb91df954e6cbc0148328f109e94&amp;amp;CurrentNode=518&amp;amp;Lang=FR&amp;amp;IdNode=708 Web Services at Infosecurity France on 22/11/2007]&lt;br /&gt;
* 2006-12-18 : Creation of the association to support the OWASP group&lt;br /&gt;
* 2006-12-14 : The OWASP Viaduc Hub was launched http://www.viadeo.com/hub/affichehub/?hubId=002fj37grgb7o7n&lt;br /&gt;
* 2006-12-13 : Birth of the French chapter of OWASP. A mailing list is available. [http://lists.owasp.org/mailman/listinfo/owasp-france Subscribe]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Ludovic Petit</name></author>	</entry>

	</feed>