OWASP - User contributions [en]

OWASP Threat Dragon

2019-06-30T12:19:16Z

Michael Goodwin: update roadmap progress

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Threat Dragon Project==
An online threat modelling web application including system diagramming and a rule engine to auto-generate threats/mitigations. The focus will be on great UX a powerful rule engine and alignment with other development lifecycle tools.

==Description==

Threat modelling is widely regarded as a powerful way to build security into the design of applications early in the development lifecycle. At its best, it is especially good for

* Ensuring defence-in-depth
* Establishing consistent security design patterns across an application
* Flushing out security requirements and user stories

However, effective adoption by organisations can be difficult. Reasons for this include:

* There are no cross-platform, free tools (that I am aware of)
* The usability of existing tools is not great - productivity for the team is therefore poor, especially in the early stages of adoption
* The learning curve for teams is steep - threat modelling often ends up being left to a small "expert" subset of a team and ignores the valuable perspectives from the wider team
* Integration with other development lifecycle tools (e.g. issue tracking tools) is poor - leading to models being ignored

OWASP Threat Dragon will address this by providing a free, open-source, threat modelling web application for teams implementing the STRIDE approach. The key areas of focus for the tool will be:

* '''Great UX''' - using Threat Dragon should be simple, engaging and fun
* '''A powerful threat/mitigation rule engine''' - this will lower the barrier to entry for teams and allow non-specialists to contribute
* '''Integration points with other development lifecycle tools''' - this will ensure that models slot easily into the development lifecycle and remain relevant as the project evolves

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.apache.org/licenses/LICENSE-2.0 Apache 2.0 License]
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

The source code for the project can be found here:

https://github.com/mike-goodwin/owasp-threat-dragon

You can click here to see a working prototype:

https://threatdragon.org

And (draft) end-user documentation can be found here:

http://docs.threatdragon.org

== Project Leader ==

[mailto:mike.goodwin@owasp.org Mike Goodwin]

== Related Projects ==

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]

|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

|}

=FAQs=

'''Q1:''' Hold on...isn't this the same as [https://github.com/mozilla/seasponge Mozilla's SeaSponge]?

'''A1:''' As I was working on prototyping this, mostly as a way of getting myself properly up to speed with javascript, I found out about SeaSponge via the OWASP leaders mailing list. SeaSponge has a lot in common with this project and I based my implementation of the threat model file download feature on theirs. Maybe they could be merged in the future? Who knows?

= Acknowledgements =
==Contributors==

[mailto:mike.goodwin@owasp.org Mike Goodwin]

= Road Map and Getting Involved =

==Roadmap==
'''Vision for the project:'''

The overall vision for the project is to implement a tool that removes as many barriers as possible for organisations wanting to embed threat modelling into their development lifecycle. Barriers I have seen are:

* Lack of cross platform tooling: Tool needs to be x-platform
* Poor UX in existing tools, productivity is poor: Great UX is a must
* Steep learning curve for adopting teams: Tool to build in expert knowledge to help the team get started
* Models are ignored: Integration with other lifecycle tools is key

'''Initial high level plan:'''

Milestone 1: Alpha release - Basic threat modelling experience

* Architecture review of the existing prototype with refinement/change where required - '''complete: Confirmed JointJs works fine, Storage model changed and addition of Electon based desktop variant. Nools rule engine (no longer supported) replaced by [https://github.com/cachecontrol/json-rules-engine json-rules-engine]. Shifted from Grunt/Bower to NPM/Browserify'''
* Secure design review and implementation of findings
* Development of tests (unit and manual) - '''complete: [https://codecov.io/github/mike-goodwin/owasp-threat-dragon?branch=master Codecov report]'''
* Draft end user documentation - '''complete: [http://mike-goodwin.github.io/owasp-threat-dragon/ GitHub pages]'''
* "Publicity drive" to sign up alpha/beta users and generate feedback - '''Some progress on this. The desktop app has had 13k downloads - unclear how many people are actually using it. The GH repo for the desktop version has 79 stars. The web version gets about 94 unique visitors per day on average and the GH repo has 229 stars.'''

Milestone 2: Beta release - Threat/mitigation rule engine

* Refinement of UX based on feedback from the alpha release
* (Some) feature enhancements based on feedback from the alpha release - '''Implemented some feature requests (e.g. snap-to-grid) and fixed issues reports (e.g. save bugs) by users'''
* Implementation of a rule engine for generation of threats/mitigations
* Updated tests and end-user documentation

Milestone 3: Release 1

* Key refinements, bug fixes and new features based on feedback from the beta release
* Complete end user documentation
* Penetration test

Milestone 4 - Dev lifecycle integration

* Detailed scope to be defined, but in general the vision is to support hooks into issue tracking and requirements management tool so that threats/mitigations can be tracked through to implementation and test

'''Timeframes'''

This is hard to estimate as it could change a lot if there were other developers involved. Based on my current velocity with just me, I would say release 1 could be complete in 1 year (optimistically).

'''Technology'''

The technical architecture is javascript from top to bottom. In the client the key libraries are Angular for the MVC architecture and JointJS for the diagramming. JointJS has a log of great features, but is not a perfect fit for Angular. This needs a review. In the prototype, all storage is done on the client using browser local storage.

Following an architecture review the following key changes were made:

* A new Electron based, installable desktop variant was introduced using the local file system for model storage
* The web variant was changed to use GitHub for model storage - other source control systems will follow (e.g. BitBucket)
* Seperation of common code into a new NPM package, shared between the web and desktop variants
* The Nools rule engine will be replaced since it is no longer maintained

'''Challenges'''

* Getting enough usage of the alpha and beta to get the UX and rule engine right
* Finding a sustainable way to host it, especially to support deeper GitHub/BitBucket/Etc. integration

==Getting Involved==

===Alpha testers===

Great user experience is one of the key goals for the project and to get that right it needs some users! If you would like to try the tool out, that would be great. A working prototype can be found at:

https://threatdragon.org/

The desktop variant (for Windows and OSX) can be downloaded from:

https://github.com/mike-goodwin/owasp-threat-dragon-desktop/releases

To help you get started, take a look at the (draft) docs:

[http://mike-goodwin.github.io/owasp-threat-dragon/ http://docs.threatdragon.org/]

If you are still having problems, let me know and I will be pleased to help (mike.goodwin@owasp.org). All feedback is ''very'' welcome. Either email me or put an issue on GitHub

https://github.com/mike-goodwin/owasp-threat-dragon/issues

===Coding===

Coding help of any kind is always welcome. The project builds easily (let me know if you have any problems) so getting up and running should be simple.

===Threat rule engine===

If you are not into javascript, you can still help! We need to build a powerful threat generation rule engine to replace the stubbed one that is in place for the prototype. If you can contribute in this area by defining rule, that would be great.

=Minimum Viable Product=

1) Application source code for a threat modeling tool

2) End user documentation for the tool

3) An online hosted version of the tool

4) An installable, cross-platform desktop version of the tool

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Threat Dragon

2019-06-30T12:14:25Z

Michael Goodwin: update roadmap progress

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Threat Dragon Project==
An online threat modelling web application including system diagramming and a rule engine to auto-generate threats/mitigations. The focus will be on great UX a powerful rule engine and alignment with other development lifecycle tools.

==Description==

Threat modelling is widely regarded as a powerful way to build security into the design of applications early in the development lifecycle. At its best, it is especially good for

* Ensuring defence-in-depth
* Establishing consistent security design patterns across an application
* Flushing out security requirements and user stories

However, effective adoption by organisations can be difficult. Reasons for this include:

* There are no cross-platform, free tools (that I am aware of)
* The usability of existing tools is not great - productivity for the team is therefore poor, especially in the early stages of adoption
* The learning curve for teams is steep - threat modelling often ends up being left to a small "expert" subset of a team and ignores the valuable perspectives from the wider team
* Integration with other development lifecycle tools (e.g. issue tracking tools) is poor - leading to models being ignored

OWASP Threat Dragon will address this by providing a free, open-source, threat modelling web application for teams implementing the STRIDE approach. The key areas of focus for the tool will be:

* '''Great UX''' - using Threat Dragon should be simple, engaging and fun
* '''A powerful threat/mitigation rule engine''' - this will lower the barrier to entry for teams and allow non-specialists to contribute
* '''Integration points with other development lifecycle tools''' - this will ensure that models slot easily into the development lifecycle and remain relevant as the project evolves

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.apache.org/licenses/LICENSE-2.0 Apache 2.0 License]
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

The source code for the project can be found here:

https://github.com/mike-goodwin/owasp-threat-dragon

You can click here to see a working prototype:

https://threatdragon.org

And (draft) end-user documentation can be found here:

http://docs.threatdragon.org

== Project Leader ==

[mailto:mike.goodwin@owasp.org Mike Goodwin]

== Related Projects ==

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]

|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

|}

=FAQs=

'''Q1:''' Hold on...isn't this the same as [https://github.com/mozilla/seasponge Mozilla's SeaSponge]?

'''A1:''' As I was working on prototyping this, mostly as a way of getting myself properly up to speed with javascript, I found out about SeaSponge via the OWASP leaders mailing list. SeaSponge has a lot in common with this project and I based my implementation of the threat model file download feature on theirs. Maybe they could be merged in the future? Who knows?

= Acknowledgements =
==Contributors==

[mailto:mike.goodwin@owasp.org Mike Goodwin]

= Road Map and Getting Involved =

==Roadmap==
'''Vision for the project:'''

The overall vision for the project is to implement a tool that removes as many barriers as possible for organisations wanting to embed threat modelling into their development lifecycle. Barriers I have seen are:

* Lack of cross platform tooling: Tool needs to be x-platform
* Poor UX in existing tools, productivity is poor: Great UX is a must
* Steep learning curve for adopting teams: Tool to build in expert knowledge to help the team get started
* Models are ignored: Integration with other lifecycle tools is key

'''Initial high level plan:'''

Milestone 1: Alpha release - Basic threat modelling experience

* Architecture review of the existing prototype with refinement/change where required - '''complete: Confirmed JointJs works fine, Storage model changed and addition of Electon based desktop variant. Nools rule engine (no longer supported) replaced by [https://github.com/cachecontrol/json-rules-engine json-rules-engine]. Shifted from Grunt/Bower to NPM/Browserify'''
* Secure design review and implementation of findings
* Development of tests (unit and manual) - '''complete: [https://codecov.io/github/mike-goodwin/owasp-threat-dragon?branch=master Codecov report]'''
* Draft end user documentation - '''complete: [http://mike-goodwin.github.io/owasp-threat-dragon/ GitHub pages]'''
* "Publicity drive" to sign up alpha/beta users and generate feedback

Milestone 2: Beta release - Threat/mitigation rule engine

* Refinement of UX based on feedback from the alpha release
* (Some) feature enhancements based on feedback from the alpha release - '''Implemented some feature requests (e.g. snap-to-grid) and fixed issues reports (e.g. save bugs) by users'''
* Implementation of a rule engine for generation of threats/mitigations
* Updated tests and end-user documentation

Milestone 3: Release 1

* Key refinements, bug fixes and new features based on feedback from the beta release
* Complete end user documentation
* Penetration test

Milestone 4 - Dev lifecycle integration

* Detailed scope to be defined, but in general the vision is to support hooks into issue tracking and requirements management tool so that threats/mitigations can be tracked through to implementation and test

'''Timeframes'''

This is hard to estimate as it could change a lot if there were other developers involved. Based on my current velocity with just me, I would say release 1 could be complete in 1 year (optimistically).

'''Technology'''

The technical architecture is javascript from top to bottom. In the client the key libraries are Angular for the MVC architecture and JointJS for the diagramming. JointJS has a log of great features, but is not a perfect fit for Angular. This needs a review. In the prototype, all storage is done on the client using browser local storage.

Following an architecture review the following key changes were made:

* A new Electron based, installable desktop variant was introduced using the local file system for model storage
* The web variant was changed to use GitHub for model storage - other source control systems will follow (e.g. BitBucket)
* Seperation of common code into a new NPM package, shared between the web and desktop variants
* The Nools rule engine will be replaced since it is no longer maintained

'''Challenges'''

* Getting enough usage of the alpha and beta to get the UX and rule engine right
* Finding a sustainable way to host it, especially to support deeper GitHub/BitBucket/Etc. integration

==Getting Involved==

===Alpha testers===

Great user experience is one of the key goals for the project and to get that right it needs some users! If you would like to try the tool out, that would be great. A working prototype can be found at:

https://threatdragon.org/

The desktop variant (for Windows and OSX) can be downloaded from:

https://github.com/mike-goodwin/owasp-threat-dragon-desktop/releases

To help you get started, take a look at the (draft) docs:

[http://mike-goodwin.github.io/owasp-threat-dragon/ http://docs.threatdragon.org/]

If you are still having problems, let me know and I will be pleased to help (mike.goodwin@owasp.org). All feedback is ''very'' welcome. Either email me or put an issue on GitHub

https://github.com/mike-goodwin/owasp-threat-dragon/issues

===Coding===

Coding help of any kind is always welcome. The project builds easily (let me know if you have any problems) so getting up and running should be simple.

===Threat rule engine===

If you are not into javascript, you can still help! We need to build a powerful threat generation rule engine to replace the stubbed one that is in place for the prototype. If you can contribute in this area by defining rule, that would be great.

=Minimum Viable Product=

1) Application source code for a threat modeling tool

2) End user documentation for the tool

3) An online hosted version of the tool

4) An installable, cross-platform desktop version of the tool

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Threat Dragon

2019-06-30T12:11:28Z

Michael Goodwin: updated roadmap progress

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Threat Dragon Project==
An online threat modelling web application including system diagramming and a rule engine to auto-generate threats/mitigations. The focus will be on great UX a powerful rule engine and alignment with other development lifecycle tools.

==Description==

Threat modelling is widely regarded as a powerful way to build security into the design of applications early in the development lifecycle. At its best, it is especially good for

* Ensuring defence-in-depth
* Establishing consistent security design patterns across an application
* Flushing out security requirements and user stories

However, effective adoption by organisations can be difficult. Reasons for this include:

* There are no cross-platform, free tools (that I am aware of)
* The usability of existing tools is not great - productivity for the team is therefore poor, especially in the early stages of adoption
* The learning curve for teams is steep - threat modelling often ends up being left to a small "expert" subset of a team and ignores the valuable perspectives from the wider team
* Integration with other development lifecycle tools (e.g. issue tracking tools) is poor - leading to models being ignored

OWASP Threat Dragon will address this by providing a free, open-source, threat modelling web application for teams implementing the STRIDE approach. The key areas of focus for the tool will be:

* '''Great UX''' - using Threat Dragon should be simple, engaging and fun
* '''A powerful threat/mitigation rule engine''' - this will lower the barrier to entry for teams and allow non-specialists to contribute
* '''Integration points with other development lifecycle tools''' - this will ensure that models slot easily into the development lifecycle and remain relevant as the project evolves

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.apache.org/licenses/LICENSE-2.0 Apache 2.0 License]
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

The source code for the project can be found here:

https://github.com/mike-goodwin/owasp-threat-dragon

You can click here to see a working prototype:

https://threatdragon.org

And (draft) end-user documentation can be found here:

http://docs.threatdragon.org

== Project Leader ==

[mailto:mike.goodwin@owasp.org Mike Goodwin]

== Related Projects ==

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]

|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

|}

=FAQs=

'''Q1:''' Hold on...isn't this the same as [https://github.com/mozilla/seasponge Mozilla's SeaSponge]?

'''A1:''' As I was working on prototyping this, mostly as a way of getting myself properly up to speed with javascript, I found out about SeaSponge via the OWASP leaders mailing list. SeaSponge has a lot in common with this project and I based my implementation of the threat model file download feature on theirs. Maybe they could be merged in the future? Who knows?

= Acknowledgements =
==Contributors==

[mailto:mike.goodwin@owasp.org Mike Goodwin]

= Road Map and Getting Involved =

==Roadmap==
'''Vision for the project:'''

The overall vision for the project is to implement a tool that removes as many barriers as possible for organisations wanting to embed threat modelling into their development lifecycle. Barriers I have seen are:

* Lack of cross platform tooling: Tool needs to be x-platform
* Poor UX in existing tools, productivity is poor: Great UX is a must
* Steep learning curve for adopting teams: Tool to build in expert knowledge to help the team get started
* Models are ignored: Integration with other lifecycle tools is key

'''Initial high level plan:'''

Milestone 1: Alpha release - Basic threat modelling experience

* Architecture review of the existing prototype with refinement/change where required - '''complete: Confirmed JointJs works fine, Storage model changed and addition of Electon based desktop variant. Nools rule engine (no longer supported) replaced by [https://github.com/cachecontrol/json-rules-engine json-rules-engine]. Shifted from Grunt/Bower to NPM/Browserify'''
* Secure design review and implementation of findings
* Development of tests (unit and manual) - '''complete: [https://codecov.io/github/mike-goodwin/owasp-threat-dragon?branch=master Codecov report]'''
* Draft end user documentation - '''complete: [http://mike-goodwin.github.io/owasp-threat-dragon/ GitHub pages]'''
* "Publicity drive" to sign up alpha/beta users and generate feedback

Milestone 2: Beta release - Threat/mitigation rule engine

* Refinement of UX based on feedback from the alpha release
* (Some) feature enhancements based on feedback from the alpha release
* Implementation of a rule engine for generation of threats/mitigations
* Updated tests and end-user documentation

Milestone 3: Release 1

* Key refinements, bug fixes and new features based on feedback from the beta release
* Complete end user documentation
* Penetration test

Milestone 4 - Dev lifecycle integration

* Detailed scope to be defined, but in general the vision is to support hooks into issue tracking and requirements management tool so that threats/mitigations can be tracked through to implementation and test

'''Timeframes'''

This is hard to estimate as it could change a lot if there were other developers involved. Based on my current velocity with just me, I would say release 1 could be complete in 1 year (optimistically).

'''Technology'''

The technical architecture is javascript from top to bottom. In the client the key libraries are Angular for the MVC architecture and JointJS for the diagramming. JointJS has a log of great features, but is not a perfect fit for Angular. This needs a review. In the prototype, all storage is done on the client using browser local storage.

Following an architecture review the following key changes were made:

* A new Electron based, installable desktop variant was introduced using the local file system for model storage
* The web variant was changed to use GitHub for model storage - other source control systems will follow (e.g. BitBucket)
* Seperation of common code into a new NPM package, shared between the web and desktop variants
* The Nools rule engine will be replaced since it is no longer maintained

'''Challenges'''

* Getting enough usage of the alpha and beta to get the UX and rule engine right
* Finding a sustainable way to host it, especially to support deeper GitHub/BitBucket/Etc. integration

==Getting Involved==

===Alpha testers===

Great user experience is one of the key goals for the project and to get that right it needs some users! If you would like to try the tool out, that would be great. A working prototype can be found at:

https://threatdragon.org/

The desktop variant (for Windows and OSX) can be downloaded from:

https://github.com/mike-goodwin/owasp-threat-dragon-desktop/releases

To help you get started, take a look at the (draft) docs:

[http://mike-goodwin.github.io/owasp-threat-dragon/ http://docs.threatdragon.org/]

If you are still having problems, let me know and I will be pleased to help (mike.goodwin@owasp.org). All feedback is ''very'' welcome. Either email me or put an issue on GitHub

https://github.com/mike-goodwin/owasp-threat-dragon/issues

===Coding===

Coding help of any kind is always welcome. The project builds easily (let me know if you have any problems) so getting up and running should be simple.

===Threat rule engine===

If you are not into javascript, you can still help! We need to build a powerful threat generation rule engine to replace the stubbed one that is in place for the prototype. If you can contribute in this area by defining rule, that would be great.

=Minimum Viable Product=

1) Application source code for a threat modeling tool

2) End user documentation for the tool

3) An online hosted version of the tool

4) An installable, cross-platform desktop version of the tool

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

Newcastle

2018-02-02T20:29:22Z

Michael Goodwin: added file download

{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster], [mailto:mike.goodwin@owasp.org Mike Goodwin,] and [mailto:andrew.pannell@owasp.org Andi Pannell]

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}
= Upcoming Events =

Next event to be announced soon.

Keep updated and in touch using the [https://lists.owasp.org/mailman/listinfo/owasp-Newcastle chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle]

= Past Events =

'''2015 Dates'''

----

24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002

The long talk by '''Ben Lee''' and '''Ross Dargan''':

'''The problems with proving identity.'''

In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers.

The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…*

(*Talk may not be historically accurate! ;))

[[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]

The short talks:

'''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks'''

The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities.

Take a copy of the game away with you - it is suitable for developers of all sizes.

[[Media: Owaspnewcastle-snakesandladders.pptx]]

'''Michael Haselhurst - Automated Security Testing Using The ZAP API'''

This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi.

[[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]

'''Mike Goodwin - Real world defence in depth (part 1)'''

Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality.

[[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]

----

29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002

We changed the format for this meeting and has 3 short talks (approx 20 mins) and then one long one (60 mins).

Speakers:

* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf |Media: CSP_Newcastle_Chapter_Sept_2015.pdf]]
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]

----

28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.

Speakers:
* '''Andrew Waite: Honeypots; from research to the Enterprise.''' [[Media: OWASP_Honeypots.odp]]

* '''George Chlapoutakis: Security in the World of Containerisation.''' [[Media: OWASP_Security_Containerisation.ppt]]
----

29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.

Speakers:
* '''Robin Fewster: An introduction to basic application penetration testing.''' An introduction to penetration testing, using several OWASP projects as well as other open source and free programs. [[Media: An_introduction_to_penetration_testing.pptx]]

* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.''' An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises. [[Media: Threat_Modeling_Presentation.pptx]]
----

24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.

Speakers:

* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]

----

'''2016 Dates'''

----

23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.

Speakers:

* '''Andrew Pannell: 50 Million Downloads and All I Got Was Malware.''' How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [https://rm-r.sh/uploads/50MillionDownloads.pdf]
* '''Colin Watson: OWASP Cornucopia.''' OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp]

----

'''2017 Dates'''

----

19/09/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.

Speakers:
* '''Gareth Dixon: Running a security event using OWASP Security Shepherd.''' In this talk I will cover running a security event using [[OWASP Security Shepherd]]. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. [[Media:Security_Shepherd.pptx]]
* '''Mike Goodwin: Enter the (Threat ) Dragon:Threat Modeling with OWASP Threat Dragon'''<nowiki/>. Threat modelling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. [[OWASP Threat Dragon]] is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it's future road map and a look under it's hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. [[Media:Owasp_threat_dragon_201709_.pptx]]
----

21/11/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.

Speakers:
* '''Lorenzo Grespan: Explain hacking in ten minutes.''' Bio: Lorenzo Grespan is a computer scientist currently working as an application security specialist for Secarma, Ltd. While his main interest has always been computer security, he also worked as a developer, systems administrator and project manager for a research effort in robotic surgery. His background is in computational neuroscience, neural networks and evolutionary systems and he likes to solve interesting problems at the intersection of people and technology. Talk (30 minutes): Recently I had to show a 10-minute "live hack" to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go "aha!" turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users. [[Media:OWASPNCL LG 21112017.pdf]]

* '''Robin Sillem:''' '''Building a Development Environment That's 'Secure Enough'.''' This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data. [[Media:Modern_DevOps_and_security.pptx]]
----

'''2018 Dates'''

----

30/11/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE01-008.

Speakers
* '''Neil Dixley: Code that fights back.''' Lessons from the gaming world on detecting and responding to attacks on software assets. An introduction to proactive software security including a philosophical look at how far we should go to protect our apps.

* '''Luke Sadler: Practical demonstration of mobile software penetration'''. Luke Sadler walks us through hands on examples of cracking mobile technology.
----

= Chapter Leaders =

The chapter leaders are:

* [[User:Connor Carr|Connor Carr]]
* [[User:Listenerstation|Robin Fewster]]
* [[User:Michael Goodwin|Mike Goodwin]]
* [[User:Andi Pannell|Andi Pannell]]

We are always happy to hear from people who want to contribute to the chapter as a leader.

= Slack =
OWASP Newcastle has a slack group which you're welcome to join and chat to us! You can join us [https://owasp.slack.com/messages/C0CLHS45S Here]
= Sponsorship =

The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.

[[File:sage-logo.jpg]]

Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:

* Platinum sponsor (£1200)
* Gold sponsor (£600)
* Silver sponsor (£300)

Any other donation is also gratefully received.

= Local Organisations =

Other related organisations in the Newcastle area:

* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter events and corporate sponsorship officer [mailto:katy.l.buller@pwc.com Katy Buller].

Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.

And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Chapter]]
[[Category:United Kingdom]]

2015-11-30T22:02:28Z

Michael Goodwin: Michael Goodwin uploaded a new version of "File:OWASPNewcastle automated security testing using ZAP API.pptx"

File:OWASPNewcastle automated security testing using ZAP API.pptx

2015-11-30T22:01:12Z

Michael Goodwin:

Newcastle

2015-11-30T22:00:48Z

Michael Goodwin: /* Past Events */

{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr] and [mailto:mike.goodwin@owasp.org Mike Goodwin]

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}

= Next Meeting =

The next event will be run in January 2016, date and time to be confirmed and we might have a new and exciting location! We have two great talks in mind, but they are not 100% confirmed. Details TBC so watch this space.

= Upcoming Events =

The next event will be run in January 2016, date and time to be confirmed and we might have a new and exciting location! We have two great talks in mind, but they are not 100% confirmed. Details TBC so watch this space.

= Past Events =

'''2015 Dates'''

24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002

The long talk by '''Ben Lee''' and '''Ross Dargan''':

'''The problems with proving identity.'''

In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers.

The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…*

(*Talk may not be historically accurate! ;))

[[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]

The short talks:

'''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks'''

The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities.

Take a copy of the game away with you - it is suitable for developers of all sizes.

[[Media: Owaspnewcastle-snakesandladders.pptx]]

'''Michael Haselhurst - Automated Security Testing Using The ZAP API'''

This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi.

[[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]

'''Mike Goodwin - Real world defence in depth (part 1)'''

Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality.

[[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]

----

29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002

We changed the format for this meeting and has 3 short talks (approx 20 mins) and then one long one (60 mins).

Speakers:

* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf ]]
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]

----

28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.

Speakers:
* '''Andrew Waite: Honeypots; from research to the Enterprise.'''
[[Media: OWASP_Honeypots.odp]]

* '''George Chlapoutakis: Security in the World of Containerisation.'''
[[Media: OWASP_Security_Containerisation.ppt]]

----

29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.

Speakers:
* '''Robin Fewster: An introduction to basic application penetration testing.'''
An introduction to penetration testing, using several OWASP projects as well as other open source and free programs.
[[Media: An_introduction_to_penetration_testing.pptx]]

* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.'''
An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises.
[[Media: Threat_Modeling_Presentation.pptx]]

----

24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.

Speakers:

* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]

= Chapter Leaders =

The chapter leaders are:

* [[User:Connor Carr|Connor Carr]]
* [[User:Michael Goodwin|Mike Goodwin]]

Once the group is up and running we will be looking for more leaders.

= Sponsorship =

The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.

[[File:sage-logo.jpg]]

Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:

* Platinum sponsor (£1200)
* Gold sponsor (£600)
* Silver sponsor (£300)

Any other donation is also gratefully received.

= Local Organisations =

Other related organisations in the Newcastle area:

* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter treasurer [mailto:gleishman@secnetics.com Gordon Leishman].

Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.

And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).

__NOTOC__ <headertabs />

[[Category:OWASP Chapter]]
[[Category:United Kingdom]]

Newcastle

2015-11-30T21:54:42Z

Michael Goodwin: /* Past Events */

{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr] and [mailto:mike.goodwin@owasp.org Mike Goodwin]

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}

= Next Meeting =

The next event will be run in January 2016, date and time to be confirmed and we might have a new and exciting location! We have two great talks in mind, but they are not 100% confirmed. Details TBC so watch this space.

= Upcoming Events =

The next event will be run in January 2016, date and time to be confirmed and we might have a new and exciting location! We have two great talks in mind, but they are not 100% confirmed. Details TBC so watch this space.

= Past Events =

'''2015 Dates'''

24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002

The long talk by '''Ben Lee''' and '''Ross Dargan''':

'''The problems with proving identity.'''

In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers.

The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…*

(*Talk may not be historically accurate! ;))

[[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]

The short talks:

'''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks'''

The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities.

Take a copy of the game away with you - it is suitable for developers of all sizes.

[[Media: Owaspnewcastle-snakesandladders.pptx]]

'''Michael Haselhurst - Automated Security Testing Using The ZAP API'''

This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi.

Presentation coming soon!

'''Mike Goodwin - Real world defence in depth (part 1)'''

Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality.

[[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]

----

29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002

We changed the format for this meeting and has 3 short talks (approx 20 mins) and then one long one (60 mins).

Speakers:

* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf ]]
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]

----

28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.

Speakers:
* '''Andrew Waite: Honeypots; from research to the Enterprise.'''
[[Media: OWASP_Honeypots.odp]]

* '''George Chlapoutakis: Security in the World of Containerisation.'''
[[Media: OWASP_Security_Containerisation.ppt]]

----

29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.

Speakers:
* '''Robin Fewster: An introduction to basic application penetration testing.'''
An introduction to penetration testing, using several OWASP projects as well as other open source and free programs.
[[Media: An_introduction_to_penetration_testing.pptx]]

* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.'''
An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises.
[[Media: Threat_Modeling_Presentation.pptx]]

----

24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.

Speakers:

* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]

= Chapter Leaders =

The chapter leaders are:

* [[User:Connor Carr|Connor Carr]]
* [[User:Michael Goodwin|Mike Goodwin]]

Once the group is up and running we will be looking for more leaders.

= Sponsorship =

The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.

[[File:sage-logo.jpg]]

Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:

* Platinum sponsor (£1200)
* Gold sponsor (£600)
* Silver sponsor (£300)

Any other donation is also gratefully received.

= Local Organisations =

Other related organisations in the Newcastle area:

* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter treasurer [mailto:gleishman@secnetics.com Gordon Leishman].

Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.

And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).

__NOTOC__ <headertabs />

[[Category:OWASP Chapter]]
[[Category:United Kingdom]]

File:OWASPNewcastle the problem with proving identity.pptx

2015-11-30T21:54:04Z

Michael Goodwin:

2015-10-08T11:11:00Z

2015-09-30T12:28:05Z

Michael Goodwin:

File:OWASP Threat Dragon Newcastle Chapter Sept 2015.pptx

2015-09-30T12:27:09Z

Michael Goodwin:

File:OWASP Mobile Security Project Newcastle Chapter Sept 2015.pptx

2015-09-30T12:25:40Z

Michael Goodwin:

Newcastle

2015-08-24T11:25:43Z

Michael Goodwin:

{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr] and [mailto:mike.goodwin@owasp.org Mike Goodwin]

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}

= Next Meeting =

The next meeting will take place on 29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002. We are changing the format this time and having 3 small 20 minute talks, a refreshment break and then a single 60 minute talk

We are still looking for a speaker for the long talk, but the short sessions are

* John Beddard on Securing Real-Time Networks
* Ian Oxley on Content Security Policy
* Mike Goodwin talking about his OWASP threat modelling tool project

If you would like to volunteer to speak at this or any future meetings, please get in contact with the chapter leaders - you would be very welcome!

= Upcoming Events =

The next meeting will take place on 28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.

Our speakers are '''Andrew Waite''' will be taking about '''"Honeypots; From Research to the Enterprise"''' and '''George Chlapoutakis''' talking about '''"Security in the World of Containerisation"'''.

We are looking to host a meeting the final Tuesday of every second month.

Please get in touch if you would like to speak at a Newcastle event - we would be delighted to hear from you.

Everyone is welcome to join us at our chapter meetings.

= Past Events =

'''2015 Dates'''

28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.

Speakers:
* '''Andrew Waite: Honeypots; from research to the Enterprise.'''
[[Media: OWASP_Honeypots.odp]]

* '''George Chlapoutakis: Security in the World of Containerisation.'''
[[Media: OWASP_Security_Containerisation.ppt]]

Speakers:
* '''Robin Fewster: An introduction to basic application penetration testing.'''
An introduction to penetration testing, using several OWASP projects as well as other open source and free programs.
[[Media: An_introduction_to_penetration_testing.pptx]]

* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.'''
An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises.
[[Media: Threat_Modeling_Presentation.pptx]]

24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.

Speakers:

* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]

= Chapter Leaders =

The chapter leaders are:

* [[User:Connor Carr|Connor Carr]]
* [[User:Michael Goodwin|Mike Goodwin]]

Once the group is up and running we will be looking for more leaders.

= Sponsorship =

The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.

[[File:sage-logo.jpg]]

Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:

* Platinum sponsor (£1200)
* Gold sponsor (£600)
* Silver sponsor (£300)

Any other donation is also gratefully received.

= Local Organisations =

Other related organisations in the Newcastle area:

* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter treasurer [mailto:gleishman@secnetics.com Gordon Leishman]. Their next meeting is on 22nd September at PricewaterhouseCoopers LLP, Central Square South, Orchard Street, Newcastle upon Tyne, NE1 3AZ

Please get in touch with one of the chapter leaders to get your organisation listed here.

And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events.

__NOTOC__ <headertabs />

[[Category:OWASP Chapter]]
[[Category:United Kingdom]]