OWASP - User contributions [en]

Gothenburg

2015-12-15T19:05:56Z

Peter Magnusson: OWASP Gothenburg Day 2015 video/* Historiska Presentationer: PDF, video med mera */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius. I styrelsen sitter Per Josefsson, Fredrik Strömberg, Anders Rosdahl, Mikael Falkvidd och Viktor Hedberg.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==
* 2015-12-08 Mario Heiderich - An Abusive Relationship with AngularJS – About the Security Adventures with the "Super-Hero" Framework [https://www.youtube.com/watch?v=wzrojHHyQwc video]
* 2015-12-08 Marie Moe - Unpatchable - Living with a vulnerable implanted device [https://www.youtube.com/watch?v=ffpkFvRZWB8 video]
* 2015-12-08 Martin Johns - Your Scripts in My Page - What Could Possibly Go Wrong? [https://www.youtube.com/watch?v=fILLsFDkkuQ video]
* 2015-12-08 Michele Orrù - Dark FairyTales from a Phisherman (Vol. III) [https://www.youtube.com/watch?v=8DJKp7nKAes video]
* 2015-10-20 Mattias Jidhage - [[Media:GoingGrey.pdf|Going dark (grey)]] [https://youtu.be/ercZOphipRw video]
* 2015-10-20 Jonas Magazinius - Mac Hack Backup Attack [https://youtu.be/3KQMFR7Dv3M video]
* 2015-10-20 Mikael Falkvidd - [[Media:Linux_kernel_live_patching.pdf|Livepatching the linux kernel]] [https://youtu.be/zy0R_S2raSM video]
* 2015-10-20 Fredrik Strömberg - [[Media:Qubes.pdf|An introduction to QubesOS]] [https://youtu.be/oDR6VyzimPQ video]
* 2015-10-20 Anders Rosdahl - [[Media:Hands-on with wifi security publish.pdf|Hands on with wifi security]] [https://www.youtube.com/watch?v=FkCb6VORZj4 video]
* 2015-10-20 Viktor Hedberg - OWASP Security Shepherd [https://youtu.be/iKPFCO1qqb8 video]
* 2015-10-20 Mikael Wecksten - [[Media:Android sec.pdf|Introduction to Android app security review]] [https://youtu.be/Vua9Z_8aESA video]
* 2015-10-20 Peter Gullberg - [[Media:OWASP Security Tapas - TrustZone, TEE and Mobile Security final.pdf|TrustZone, TEE and mobile security]] [https://youtu.be/NSBSgpD_9kw video]
* 2015-04-16 Adde Lindh: [[Media:DefenderEconomics.pdf|Defender Economics]]
* 2015-04-16 Michael Boman: [[Media: From_Malware_Analysis_to_Indications_of_Compromise.pdf|From Malware Analysis to Indications of Compromise]]
* 2015-03-19 Georg Koppen and Philipp Winter: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]] [https://www.youtube.com/watch?v=bmmAFiqOgks Video: Relays] [https://www.youtube.com/watch?v=s7vb_mjJn2M Video: TorBrowser] [https://www.youtube.com/watch?v=UhWhlm0SB-U Video: Questions and Answers]
* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2015 ==
'''2015-12-08 - OWASP Gothenburg Day'''
See https://www.owasp.org/index.php/OWASP_Gothenburg_Day_2015

'''2015-10-20 - Security Tapas'''

While preparing for OWASP Gothenburg Day we realised we need something that is quite the opposite of a giant all-day event with international speakers. We need a small and cosy down-to-earth session with local speakers. Like a hackathon but with some kind of agenda. Small demonstrations, primers on a subject or technology, a lightning talk or even a small hands on workshop. To make room for a lot of people we keep them short, aiming for 15-20 minutes for presentations with some additional room for workshops.
OWASP will open up the floor, while you, our community, sets the agenda and take place on stage.
Thanks to our sponsor ÅF we'll have a cool venue on the 16th floor and something to eat and drink.
Pls, send us a short title, your suggested time slot size in minutes and whether this is a workshop or not (defined by the fact that participants will require to bring some kind of equipment and will be expected to perform some kind of activity) to mattias.jidhage@owasp.org OR let us know through the ticket registration form.
You are of course very welcome to attend even if you don't have something to present.

'''Going dark - Mattias Jidhage'''

'''Mac Hack Backup Attack - Jonas Magazinius'''

'''Livepatching the linux kernel - Mikael Falkvidd'''

'''An introduction to QubesOS - Fredrik Strömberg'''

'''Hands on with wifi security - Anders Rosdahl'''

'''OWASP Security Shepherd - Viktor Hedberg'''

'''Introduction to Android app security review - Mikael Wecksten'''

'''TrustZone, TEE and mobile security - Peter Gullberg'''

''' 2015-04-15 - D-FENS'''

Let's talk defense.
Offense might be a bit more fun (admit it - there is a small evil mini-me inside all of us that wants nothing but wielding the mighty power of the hack that ruled them all) but let's face it, there are only so many wrongdoing organisations with world domination aspirations that will hire you to develop attacks on company time. For most of us that wants a paycheck within security, defence is on the menu. So, how should we effectively use our company’s sparse resources to make it harder for an attacker to breach our defenses and when that inevitably happens anyway; how do we find the bad code and remove it?
The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English!

''Agenda''

17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint and a Community update

18:15 Defender economics

19:00 Short break

19:05 Search and destroy

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Andreas Lindh - Defender Economics'''

There are a lot of preconceptions about defense, the most prevalent one probably the “defenders dilemma” in which it is stated that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers and their capabilities, and how to defend against them. This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker’s limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defenders favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.

Andreas Lindh (@addelindh) is a security analyst and engineer working for I Secure Sweden in Gothenburg, Sweden. He specializes in threat & vulnerability analysis, intrusion detection and generally making his clients more secure. When he's not dissecting threats or kicking some intruder off a network somewhere, he likes to write crappy Python code and make bad puns on Twitter. Andreas has previously presented his work at, among others, Black Hat USA, Virus Bulletin and 44Con.

'''Michael Boman - Search and Destroy the unknown'''

What do you do after realizing that you have been infected by a previously unknown sample that your antimalware vendor failed to detect, or you are unsure that you have up-to-date antimalware products on all systems in your environment? Perhaps you are not able to install antimalware on some endpoints due to regulatory restrictions. So how do you go about to detect malware that hasn’t been detected by your antimalware software? Learn how you can make use of the sources of detection you already have, like your firewall logs, to detect unknown threats on your network and help you locate and extract the malicious software causing the issue. Once you got your hands on a sample you can analyze it for artifacts the malware creates. Those artifacts, called Indicators of Compromise (IOC), can be used to detect additional malware infections on your SMB or Enterprise network using tools you might already have or can easily be acquired freely from the internet.

Michael Boman (@mboman) is a senior malware analyst at the Malware Research Institute and has been presenting at several large security conferences including 44CON and DEEPSEC in the recent years about malware research, everything from finding malware samples to analyze suspected files at speed and on budget. Michael has been interested in malicious software since he got his own machine infected even though he followed all the best practices having his computer up-to-date with both patches and antimalware software. The fact that the only thing that notified him about the infection was the built-in Windows firewall asking if it was OK to open a port for a piece of executable. And the rest, as they say, is history. Malware Research Institute is an organization that promotes malware research, tools and techniques for aspiring and seasoned malware analysts. Malware Research Institute has a blog where they publish interesting resources for malware researchers over at http://blog.malwareresearch.institute.

'''2015-03-20 - Philipp and Georg's slides available'''

Tor presentation slides: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]]

'''2015-03-11 - Strengths and weaknesses of Tor, the white knight of internet anonymity '''

"For those interested in online anonymity there are lots of tools available and Tor is one of the most frequently used. How does it work, how do you use it safely, and what are the risks? Is it possible to express your opinions anonymously on the internet today or can well funded actors circumvent the anonymity that Tor provides and find your true identity? What is the current status of the anonymity provided and what is being done to prevent current and future attacks on Tor?

To answer those and other questions regarding Tor we have invited Georg Koppen and Philipp Winter from the Tor Project to join us on Thursday, March 19. Be sure to book your seat immediately.

Who's this 'Tor', anyway?
Tor is an overlay network that enables people to use the Internet anonymously. We give a brief overview of how Tor works and then focus on how Tor can be used safely. In particular, we talk about the problem of malicious exit relays, how they can be a problem for Tor users, and how the Tor Project deals with them. Next, we talk about Tor Browser, The Tor Project's Firefox fork. Tor Browser protects against a number of (deanonymization) attacks that are not prevented by Firefox or Chrome. The goal of this talk is to show how Tor can be used safely for Web surfing and to correct common misunderstandings.

'''Georg Koppen'''
Works for The Tor Project on the Tor Browser, Torbutton, and Tor's build automation. He's also the main developer behind Tor's effort to create deterministic builds.

'''Phillipp Winter'''
Works for The Tor Project on research related to malicious exit relays and censorship circumvention. He is the main developer of ScrambleSuit, a polymorphic network traffic obfuscation protocol that's used by Tor.

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsors TeliaSonera & Mullvad and a Community update

18:15 Surfing safely over the Tor network, part 1

18:55 Short break

19:00 Surfing safely over the Tor network, part 2

19:40 Coming events

19:50 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

Gothenburg

2015-11-02T19:34:55Z

Peter Magnusson: 2015-10-20 Peter Gullberg - TrustZone, TEE and mobile security [https://youtu.be/NSBSgpD_9kw video] /* Historiska Presentationer: PDF, video med mera */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius. I styrelsen sitter Per Josefsson, Fredrik Strömberg, Anders Rosdahl, Mikael Falkvidd och Viktor Hedberg.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==
* 2015-10-20 Mattias Jidhage - [[Media:GoingGrey.pdf|Going dark (grey)]] [https://youtu.be/ercZOphipRw video]
* 2015-10-20 Jonas Magazinius - Mac Hack Backup Attack [https://youtu.be/3KQMFR7Dv3M video]
* 2015-10-20 Mikael Falkvidd - [[Media:Linux_kernel_live_patching.pdf|Livepatching the linux kernel]] [https://youtu.be/zy0R_S2raSM video]
* 2015-10-20 Fredrik Strömberg - [[Media:Qubes.pdf|An introduction to QubesOS]] [https://youtu.be/oDR6VyzimPQ video]
* 2015-10-20 Anders Rosdahl - [[Media:Hands-on with wifi security publish.pdf|Hands on with wifi security]] [https://www.youtube.com/watch?v=FkCb6VORZj4 video]
* 2015-10-20 Viktor Hedberg - OWASP Security Shepherd [https://youtu.be/iKPFCO1qqb8 video]
* 2015-10-20 Mikael Wecksten - [[Media:Android sec.pdf|Introduction to Android app security review]] [https://youtu.be/Vua9Z_8aESA video]
* 2015-10-20 Peter Gullberg - [[Media:OWASP Security Tapas - TrustZone, TEE and Mobile Security final.pdf|TrustZone, TEE and mobile security]] [https://youtu.be/NSBSgpD_9kw video]
* 2015-04-16 Adde Lindh: [[Media:DefenderEconomics.pdf|Defender Economics]]
* 2015-04-16 Michael Boman: [[Media: From_Malware_Analysis_to_Indications_of_Compromise.pdf|From Malware Analysis to Indications of Compromise]]
* 2015-03-19 Georg Koppen and Philipp Winter: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]] [https://www.youtube.com/watch?v=bmmAFiqOgks Video: Relays] [https://www.youtube.com/watch?v=s7vb_mjJn2M Video: TorBrowser] [https://www.youtube.com/watch?v=UhWhlm0SB-U Video: Questions and Answers]
* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2015 ==
'''2015-12-08 - OWASP Gothenburg Day'''
See https://www.owasp.org/index.php/OWASP_Gothenburg_Day_2015

'''2015-10-20 - Security Tapas'''

While preparing for OWASP Gothenburg Day we realised we need something that is quite the opposite of a giant all-day event with international speakers. We need a small and cosy down-to-earth session with local speakers. Like a hackathon but with some kind of agenda. Small demonstrations, primers on a subject or technology, a lightning talk or even a small hands on workshop. To make room for a lot of people we keep them short, aiming for 15-20 minutes for presentations with some additional room for workshops.
OWASP will open up the floor, while you, our community, sets the agenda and take place on stage.
Thanks to our sponsor ÅF we'll have a cool venue on the 16th floor and something to eat and drink.
Pls, send us a short title, your suggested time slot size in minutes and whether this is a workshop or not (defined by the fact that participants will require to bring some kind of equipment and will be expected to perform some kind of activity) to mattias.jidhage@owasp.org OR let us know through the ticket registration form.
You are of course very welcome to attend even if you don't have something to present.

'''Going dark - Mattias Jidhage'''

'''Mac Hack Backup Attack - Jonas Magazinius'''

'''Livepatching the linux kernel - Mikael Falkvidd'''

'''An introduction to QubesOS - Fredrik Strömberg'''

'''Hands on with wifi security - Anders Rosdahl'''

'''OWASP Security Shepherd - Viktor Hedberg'''

'''Introduction to Android app security review - Mikael Wecksten'''

'''TrustZone, TEE and mobile security - Peter Gullberg'''

''' 2015-04-15 - D-FENS'''

Let's talk defense.
Offense might be a bit more fun (admit it - there is a small evil mini-me inside all of us that wants nothing but wielding the mighty power of the hack that ruled them all) but let's face it, there are only so many wrongdoing organisations with world domination aspirations that will hire you to develop attacks on company time. For most of us that wants a paycheck within security, defence is on the menu. So, how should we effectively use our company’s sparse resources to make it harder for an attacker to breach our defenses and when that inevitably happens anyway; how do we find the bad code and remove it?
The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English!

''Agenda''

17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint and a Community update

18:15 Defender economics

19:00 Short break

19:05 Search and destroy

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Andreas Lindh - Defender Economics'''

There are a lot of preconceptions about defense, the most prevalent one probably the “defenders dilemma” in which it is stated that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers and their capabilities, and how to defend against them. This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker’s limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defenders favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.

Andreas Lindh (@addelindh) is a security analyst and engineer working for I Secure Sweden in Gothenburg, Sweden. He specializes in threat & vulnerability analysis, intrusion detection and generally making his clients more secure. When he's not dissecting threats or kicking some intruder off a network somewhere, he likes to write crappy Python code and make bad puns on Twitter. Andreas has previously presented his work at, among others, Black Hat USA, Virus Bulletin and 44Con.

'''Michael Boman - Search and Destroy the unknown'''

What do you do after realizing that you have been infected by a previously unknown sample that your antimalware vendor failed to detect, or you are unsure that you have up-to-date antimalware products on all systems in your environment? Perhaps you are not able to install antimalware on some endpoints due to regulatory restrictions. So how do you go about to detect malware that hasn’t been detected by your antimalware software? Learn how you can make use of the sources of detection you already have, like your firewall logs, to detect unknown threats on your network and help you locate and extract the malicious software causing the issue. Once you got your hands on a sample you can analyze it for artifacts the malware creates. Those artifacts, called Indicators of Compromise (IOC), can be used to detect additional malware infections on your SMB or Enterprise network using tools you might already have or can easily be acquired freely from the internet.

Michael Boman (@mboman) is a senior malware analyst at the Malware Research Institute and has been presenting at several large security conferences including 44CON and DEEPSEC in the recent years about malware research, everything from finding malware samples to analyze suspected files at speed and on budget. Michael has been interested in malicious software since he got his own machine infected even though he followed all the best practices having his computer up-to-date with both patches and antimalware software. The fact that the only thing that notified him about the infection was the built-in Windows firewall asking if it was OK to open a port for a piece of executable. And the rest, as they say, is history. Malware Research Institute is an organization that promotes malware research, tools and techniques for aspiring and seasoned malware analysts. Malware Research Institute has a blog where they publish interesting resources for malware researchers over at http://blog.malwareresearch.institute.

'''2015-03-20 - Philipp and Georg's slides available'''

Tor presentation slides: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]]

'''2015-03-11 - Strengths and weaknesses of Tor, the white knight of internet anonymity '''

"For those interested in online anonymity there are lots of tools available and Tor is one of the most frequently used. How does it work, how do you use it safely, and what are the risks? Is it possible to express your opinions anonymously on the internet today or can well funded actors circumvent the anonymity that Tor provides and find your true identity? What is the current status of the anonymity provided and what is being done to prevent current and future attacks on Tor?

To answer those and other questions regarding Tor we have invited Georg Koppen and Philipp Winter from the Tor Project to join us on Thursday, March 19. Be sure to book your seat immediately.

Who's this 'Tor', anyway?
Tor is an overlay network that enables people to use the Internet anonymously. We give a brief overview of how Tor works and then focus on how Tor can be used safely. In particular, we talk about the problem of malicious exit relays, how they can be a problem for Tor users, and how the Tor Project deals with them. Next, we talk about Tor Browser, The Tor Project's Firefox fork. Tor Browser protects against a number of (deanonymization) attacks that are not prevented by Firefox or Chrome. The goal of this talk is to show how Tor can be used safely for Web surfing and to correct common misunderstandings.

'''Georg Koppen'''
Works for The Tor Project on the Tor Browser, Torbutton, and Tor's build automation. He's also the main developer behind Tor's effort to create deterministic builds.

'''Phillipp Winter'''
Works for The Tor Project on research related to malicious exit relays and censorship circumvention. He is the main developer of ScrambleSuit, a polymorphic network traffic obfuscation protocol that's used by Tor.

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsors TeliaSonera & Mullvad and a Community update

18:15 Surfing safely over the Tor network, part 1

18:55 Short break

19:00 Surfing safely over the Tor network, part 2

19:40 Coming events

19:50 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

Gothenburg

2015-10-26T20:44:03Z

Peter Magnusson: 2015-10-20 Peter Gullberg - TrustZone, TEE and mobile security /* Historiska Presentationer: PDF, video med mera */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius. I styrelsen sitter Per Josefsson, Fredrik Strömberg, Anders Rosdahl, Mikael Falkvidd och Viktor Hedberg.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==
* 2015-10-20 Mattias Jidhage - [[Media:GoingGrey.pdf|Going dark (grey)]] [https://youtu.be/ercZOphipRw video]
* 2015-10-20 Jonas Magazinius - Mac Hack Backup Attack [https://youtu.be/3KQMFR7Dv3M video]
* 2015-10-20 Mikael Falkvidd - [[Media:Linux_kernel_live_patching.pdf|Livepatching the linux kernel]] [https://youtu.be/zy0R_S2raSM video]
* 2015-10-20 Fredrik Strömberg - [[Media:Qubes.pdf|An introduction to QubesOS]] [https://youtu.be/oDR6VyzimPQ video]
* 2015-10-20 Anders Rosdahl - [[Media:Hands-on with wifi security publish.pdf|Hands on with wifi security]] [https://www.youtube.com/watch?v=FkCb6VORZj4 video]
* 2015-10-20 Viktor Hedberg - OWASP Security Shepherd [https://youtu.be/iKPFCO1qqb8 video]
* 2015-10-20 Mikael Wecksten - [[Media:Android sec.pdf|Introduction to Android app security review]] [https://youtu.be/Vua9Z_8aESA video]
* 2015-10-20 Peter Gullberg - [[Media:OWASP Security Tapas - TrustZone, TEE and Mobile Security final.pdf|TrustZone, TEE and mobile security]]
* 2015-04-16 Adde Lindh: [[Media:DefenderEconomics.pdf|Defender Economics]]
* 2015-04-16 Michael Boman: [[Media: From_Malware_Analysis_to_Indications_of_Compromise.pdf|From Malware Analysis to Indications of Compromise]]
* 2015-03-19 Georg Koppen and Philipp Winter: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]] [https://www.youtube.com/watch?v=bmmAFiqOgks Video: Relays] [https://www.youtube.com/watch?v=s7vb_mjJn2M Video: TorBrowser] [https://www.youtube.com/watch?v=UhWhlm0SB-U Video: Questions and Answers]
* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2015 ==
'''2015-10-20 - Security Tapas'''

While preparing for OWASP Gothenburg Day we realised we need something that is quite the opposite of a giant all-day event with international speakers. We need a small and cosy down-to-earth session with local speakers. Like a hackathon but with some kind of agenda. Small demonstrations, primers on a subject or technology, a lightning talk or even a small hands on workshop. To make room for a lot of people we keep them short, aiming for 15-20 minutes for presentations with some additional room for workshops.
OWASP will open up the floor, while you, our community, sets the agenda and take place on stage.
Thanks to our sponsor ÅF we'll have a cool venue on the 16th floor and something to eat and drink.
Pls, send us a short title, your suggested time slot size in minutes and whether this is a workshop or not (defined by the fact that participants will require to bring some kind of equipment and will be expected to perform some kind of activity) to mattias.jidhage@owasp.org OR let us know through the ticket registration form.
You are of course very welcome to attend even if you don't have something to present.

'''Going dark - Mattias Jidhage'''

'''Mac Hack Backup Attack - Jonas Magazinius'''

'''Livepatching the linux kernel - Mikael Falkvidd'''

'''An introduction to QubesOS - Fredrik Strömberg'''

'''Hands on with wifi security - Anders Rosdahl'''

'''OWASP Security Shepherd - Viktor Hedberg'''

'''Introduction to Android app security review - Mikael Wecksten'''

'''TrustZone, TEE and mobile security - Peter Gullberg'''

''' 2015-04-15 - D-FENS'''

Let's talk defense.
Offense might be a bit more fun (admit it - there is a small evil mini-me inside all of us that wants nothing but wielding the mighty power of the hack that ruled them all) but let's face it, there are only so many wrongdoing organisations with world domination aspirations that will hire you to develop attacks on company time. For most of us that wants a paycheck within security, defence is on the menu. So, how should we effectively use our company’s sparse resources to make it harder for an attacker to breach our defenses and when that inevitably happens anyway; how do we find the bad code and remove it?
The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English!

''Agenda''

17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint and a Community update

18:15 Defender economics

19:00 Short break

19:05 Search and destroy

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Andreas Lindh - Defender Economics'''

There are a lot of preconceptions about defense, the most prevalent one probably the “defenders dilemma” in which it is stated that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers and their capabilities, and how to defend against them. This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker’s limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defenders favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.

Andreas Lindh (@addelindh) is a security analyst and engineer working for I Secure Sweden in Gothenburg, Sweden. He specializes in threat & vulnerability analysis, intrusion detection and generally making his clients more secure. When he's not dissecting threats or kicking some intruder off a network somewhere, he likes to write crappy Python code and make bad puns on Twitter. Andreas has previously presented his work at, among others, Black Hat USA, Virus Bulletin and 44Con.

'''Michael Boman - Search and Destroy the unknown'''

What do you do after realizing that you have been infected by a previously unknown sample that your antimalware vendor failed to detect, or you are unsure that you have up-to-date antimalware products on all systems in your environment? Perhaps you are not able to install antimalware on some endpoints due to regulatory restrictions. So how do you go about to detect malware that hasn’t been detected by your antimalware software? Learn how you can make use of the sources of detection you already have, like your firewall logs, to detect unknown threats on your network and help you locate and extract the malicious software causing the issue. Once you got your hands on a sample you can analyze it for artifacts the malware creates. Those artifacts, called Indicators of Compromise (IOC), can be used to detect additional malware infections on your SMB or Enterprise network using tools you might already have or can easily be acquired freely from the internet.

Michael Boman (@mboman) is a senior malware analyst at the Malware Research Institute and has been presenting at several large security conferences including 44CON and DEEPSEC in the recent years about malware research, everything from finding malware samples to analyze suspected files at speed and on budget. Michael has been interested in malicious software since he got his own machine infected even though he followed all the best practices having his computer up-to-date with both patches and antimalware software. The fact that the only thing that notified him about the infection was the built-in Windows firewall asking if it was OK to open a port for a piece of executable. And the rest, as they say, is history. Malware Research Institute is an organization that promotes malware research, tools and techniques for aspiring and seasoned malware analysts. Malware Research Institute has a blog where they publish interesting resources for malware researchers over at http://blog.malwareresearch.institute.

'''2015-03-20 - Philipp and Georg's slides available'''

Tor presentation slides: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]]

'''2015-03-11 - Strengths and weaknesses of Tor, the white knight of internet anonymity '''

"For those interested in online anonymity there are lots of tools available and Tor is one of the most frequently used. How does it work, how do you use it safely, and what are the risks? Is it possible to express your opinions anonymously on the internet today or can well funded actors circumvent the anonymity that Tor provides and find your true identity? What is the current status of the anonymity provided and what is being done to prevent current and future attacks on Tor?

To answer those and other questions regarding Tor we have invited Georg Koppen and Philipp Winter from the Tor Project to join us on Thursday, March 19. Be sure to book your seat immediately.

Who's this 'Tor', anyway?
Tor is an overlay network that enables people to use the Internet anonymously. We give a brief overview of how Tor works and then focus on how Tor can be used safely. In particular, we talk about the problem of malicious exit relays, how they can be a problem for Tor users, and how the Tor Project deals with them. Next, we talk about Tor Browser, The Tor Project's Firefox fork. Tor Browser protects against a number of (deanonymization) attacks that are not prevented by Firefox or Chrome. The goal of this talk is to show how Tor can be used safely for Web surfing and to correct common misunderstandings.

'''Georg Koppen'''
Works for The Tor Project on the Tor Browser, Torbutton, and Tor's build automation. He's also the main developer behind Tor's effort to create deterministic builds.

'''Phillipp Winter'''
Works for The Tor Project on research related to malicious exit relays and censorship circumvention. He is the main developer of ScrambleSuit, a polymorphic network traffic obfuscation protocol that's used by Tor.

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsors TeliaSonera & Mullvad and a Community update

18:15 Surfing safely over the Tor network, part 1

18:55 Short break

19:00 Surfing safely over the Tor network, part 2

19:40 Coming events

19:50 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

File:OWASP Security Tapas - TrustZone, TEE and Mobile Security final.pdf

2015-10-26T20:42:33Z

Peter Magnusson: Trusted Execution Environment, TrustZone and Mobile Security OWASP Göteborg: Security Tapas, Oct-20, 2015 Peter Gullberg, Principal Engineer - Digital Banking, Gemalto "TEE allows Applications to execute, process, protect and store sensitive data in...

Trusted Execution Environment,
TrustZone and Mobile Security

OWASP Göteborg: Security Tapas, Oct-20, 2015
Peter Gullberg, Principal Engineer - Digital Banking, Gemalto

"TEE allows Applications to execute, process,
protect and store sensitive data in an isolated,
trusted environment."

Trusted Execution Environment (TEE)

TEE - Use Cases
5
Content Protection
• IP streaming
• DRM
• Key protection
• Content protection
Mobile Financial Services
• mBanking
• Online payments
• User authentication
• Transaction validation
Corporate/government
• Secure networking
• Secure email
• BYOD
• User authentication
• Data encryption

Example of TEE enabled devices

Architectural ways of achieving a TEE

ARM TrustZone
TrustZone enables the development of separate environments
Rich Operating System - Normal domain
Trusted Execution - Secure domain
Both domains have the same capabilities
Operate in a separate memory space
Enables a single physical processor core to execute from both the
Normal world and the Secure world
Normal world components cannot access secure world resources
Cortex-A Processors

How TrustZone works
10
Uses a “33rd bit”, signaling whether in secure mode
This bit is also propagated outside the system on chip (SoC)
Peripherals and memory are configured during startup which side
to belong to (normal/secure)

ARM TrustZone: Non Secure bit
11
The memory is split in Secure and Non-secure regions
Non-secure (NS) bit
Determines if the program execution is in the Secure or Nonsecure
world
AMBA AXI bus propagates the NS bit
Shared memory between two worlds
Possible to secure peripherals
Screen, crypto blocks
Protected against software attacks

ARM TrustZone: transition management
12
Switch between normal and secure domain
Monitor
Gatekeeper that controls migration between Normal and Secure world
In normal world, have both user mode and privileges mode. Same
for Secure world
Secure device drivers
typically run in user
mode
Cannot switch the NS
bit in user mode
Secure Monitor Call
SMC

CPU boots in "secure
kernel mode" in ROM
ROM Boot loader
verifies signature of
TEE OS
TEE verifies signature
of RichOS and starts it

Example on use case
securebitcoin.net

BitCoin - example
16
SecureBitCoin.net
Secure management of
Master Secret
PIN-entry to access the
Master Secret
Use secure crypto
provided by TEE
Master Secret is kept
secure at all time
Malware cannot steal data,
or modify transactions

Trusted User Interface

App Deployment
"secure BitCoin" App

Global Platform

Gothenburg

2015-10-25T12:45:11Z

Peter Magnusson: Viktor Hedberg - OWASP Security Shepherd [https://youtu.be/iKPFCO1qqb8 video] /* Historiska Presentationer: PDF, video med mera */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius. I styrelsen sitter Per Josefsson, Fredrik Strömberg, Anders Rosdahl, Mikael Falkvidd och Viktor Hedberg.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==
* 2015-10-20 Mattias Jidhage - [[Media:GoingGrey.pdf|Going dark (grey)]] [https://youtu.be/ercZOphipRw video]
* 2015-10-20 Jonas Magazinius - Mac Hack Backup Attack [https://youtu.be/3KQMFR7Dv3M video]
* 2015-10-20 Mikael Falkvidd - [[Media:Linux_kernel_live_patching.pdf|Livepatching the linux kernel]] [https://youtu.be/zy0R_S2raSM video]
* 2015-10-20 Fredrik Strömberg - [[Media:Qubes.pdf|An introduction to QubesOS]] [https://youtu.be/oDR6VyzimPQ video]
* 2015-10-20 Anders Rosdahl - [[Media:Hands-on with wifi security publish.pdf|Hands on with wifi security]] [https://www.youtube.com/watch?v=FkCb6VORZj4 video]
* 2015-10-20 Viktor Hedberg - OWASP Security Shepherd [https://youtu.be/iKPFCO1qqb8 video]
* 2015-10-20 Mikael Wecksten - [[Media:Android sec.pdf|Introduction to Android app security review]] [https://youtu.be/Vua9Z_8aESA video]
* 2015-10-20 Peter Gullberg - TrustZone, TEE and mobile security
* 2015-04-16 Adde Lindh: [[Media:DefenderEconomics.pdf|Defender Economics]]
* 2015-04-16 Michael Boman: [[Media: From_Malware_Analysis_to_Indications_of_Compromise.pdf|From Malware Analysis to Indications of Compromise]]
* 2015-03-19 Georg Koppen and Philipp Winter: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]] [https://www.youtube.com/watch?v=bmmAFiqOgks Video: Relays] [https://www.youtube.com/watch?v=s7vb_mjJn2M Video: TorBrowser] [https://www.youtube.com/watch?v=UhWhlm0SB-U Video: Questions and Answers]
* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2015 ==
'''2015-10-20 - Security Tapas'''

While preparing for OWASP Gothenburg Day we realised we need something that is quite the opposite of a giant all-day event with international speakers. We need a small and cosy down-to-earth session with local speakers. Like a hackathon but with some kind of agenda. Small demonstrations, primers on a subject or technology, a lightning talk or even a small hands on workshop. To make room for a lot of people we keep them short, aiming for 15-20 minutes for presentations with some additional room for workshops.
OWASP will open up the floor, while you, our community, sets the agenda and take place on stage.
Thanks to our sponsor ÅF we'll have a cool venue on the 16th floor and something to eat and drink.
Pls, send us a short title, your suggested time slot size in minutes and whether this is a workshop or not (defined by the fact that participants will require to bring some kind of equipment and will be expected to perform some kind of activity) to mattias.jidhage@owasp.org OR let us know through the ticket registration form.
You are of course very welcome to attend even if you don't have something to present.

'''Going dark - Mattias Jidhage'''

'''Mac Hack Backup Attack - Jonas Magazinius'''

'''Livepatching the linux kernel - Mikael Falkvidd'''

'''An introduction to QubesOS - Fredrik Strömberg'''

'''Hands on with wifi security - Anders Rosdahl'''

'''OWASP Security Shepherd - Viktor Hedberg'''

'''Introduction to Android app security review - Mikael Wecksten'''

'''TrustZone, TEE and mobile security - Peter Gullberg'''

''' 2015-04-15 - D-FENS'''

Let's talk defense.
Offense might be a bit more fun (admit it - there is a small evil mini-me inside all of us that wants nothing but wielding the mighty power of the hack that ruled them all) but let's face it, there are only so many wrongdoing organisations with world domination aspirations that will hire you to develop attacks on company time. For most of us that wants a paycheck within security, defence is on the menu. So, how should we effectively use our company’s sparse resources to make it harder for an attacker to breach our defenses and when that inevitably happens anyway; how do we find the bad code and remove it?
The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English!

''Agenda''

17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint and a Community update

18:15 Defender economics

19:00 Short break

19:05 Search and destroy

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Andreas Lindh - Defender Economics'''

There are a lot of preconceptions about defense, the most prevalent one probably the “defenders dilemma” in which it is stated that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers and their capabilities, and how to defend against them. This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker’s limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defenders favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.

Andreas Lindh (@addelindh) is a security analyst and engineer working for I Secure Sweden in Gothenburg, Sweden. He specializes in threat & vulnerability analysis, intrusion detection and generally making his clients more secure. When he's not dissecting threats or kicking some intruder off a network somewhere, he likes to write crappy Python code and make bad puns on Twitter. Andreas has previously presented his work at, among others, Black Hat USA, Virus Bulletin and 44Con.

'''Michael Boman - Search and Destroy the unknown'''

What do you do after realizing that you have been infected by a previously unknown sample that your antimalware vendor failed to detect, or you are unsure that you have up-to-date antimalware products on all systems in your environment? Perhaps you are not able to install antimalware on some endpoints due to regulatory restrictions. So how do you go about to detect malware that hasn’t been detected by your antimalware software? Learn how you can make use of the sources of detection you already have, like your firewall logs, to detect unknown threats on your network and help you locate and extract the malicious software causing the issue. Once you got your hands on a sample you can analyze it for artifacts the malware creates. Those artifacts, called Indicators of Compromise (IOC), can be used to detect additional malware infections on your SMB or Enterprise network using tools you might already have or can easily be acquired freely from the internet.

Michael Boman (@mboman) is a senior malware analyst at the Malware Research Institute and has been presenting at several large security conferences including 44CON and DEEPSEC in the recent years about malware research, everything from finding malware samples to analyze suspected files at speed and on budget. Michael has been interested in malicious software since he got his own machine infected even though he followed all the best practices having his computer up-to-date with both patches and antimalware software. The fact that the only thing that notified him about the infection was the built-in Windows firewall asking if it was OK to open a port for a piece of executable. And the rest, as they say, is history. Malware Research Institute is an organization that promotes malware research, tools and techniques for aspiring and seasoned malware analysts. Malware Research Institute has a blog where they publish interesting resources for malware researchers over at http://blog.malwareresearch.institute.

'''2015-03-20 - Philipp and Georg's slides available'''

Tor presentation slides: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]]

'''2015-03-11 - Strengths and weaknesses of Tor, the white knight of internet anonymity '''

"For those interested in online anonymity there are lots of tools available and Tor is one of the most frequently used. How does it work, how do you use it safely, and what are the risks? Is it possible to express your opinions anonymously on the internet today or can well funded actors circumvent the anonymity that Tor provides and find your true identity? What is the current status of the anonymity provided and what is being done to prevent current and future attacks on Tor?

To answer those and other questions regarding Tor we have invited Georg Koppen and Philipp Winter from the Tor Project to join us on Thursday, March 19. Be sure to book your seat immediately.

Who's this 'Tor', anyway?
Tor is an overlay network that enables people to use the Internet anonymously. We give a brief overview of how Tor works and then focus on how Tor can be used safely. In particular, we talk about the problem of malicious exit relays, how they can be a problem for Tor users, and how the Tor Project deals with them. Next, we talk about Tor Browser, The Tor Project's Firefox fork. Tor Browser protects against a number of (deanonymization) attacks that are not prevented by Firefox or Chrome. The goal of this talk is to show how Tor can be used safely for Web surfing and to correct common misunderstandings.

'''Georg Koppen'''
Works for The Tor Project on the Tor Browser, Torbutton, and Tor's build automation. He's also the main developer behind Tor's effort to create deterministic builds.

'''Phillipp Winter'''
Works for The Tor Project on research related to malicious exit relays and censorship circumvention. He is the main developer of ScrambleSuit, a polymorphic network traffic obfuscation protocol that's used by Tor.

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsors TeliaSonera & Mullvad and a Community update

18:15 Surfing safely over the Tor network, part 1

18:55 Short break

19:00 Surfing safely over the Tor network, part 2

19:40 Coming events

19:50 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

Gothenburg

2015-10-25T12:21:19Z

Peter Magnusson: 2015-10-20 Mikael Wecksten - Introduction to Android app security review [https://youtu.be/Vua9Z_8aESA video] /* Historiska Presentationer: PDF, video med mera */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius. I styrelsen sitter Per Josefsson, Fredrik Strömberg, Anders Rosdahl, Mikael Falkvidd och Viktor Hedberg.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==
* 2015-10-20 Mattias Jidhage - [[Media:GoingGrey.pdf|Going dark (grey)]] [https://youtu.be/ercZOphipRw video]
* 2015-10-20 Jonas Magazinius - Mac Hack Backup Attack [https://youtu.be/3KQMFR7Dv3M video]
* 2015-10-20 Mikael Falkvidd - [[Media:Linux_kernel_live_patching.pdf|Livepatching the linux kernel]] [https://youtu.be/zy0R_S2raSM video]
* 2015-10-20 Fredrik Strömberg - [[Media:Qubes.pdf|An introduction to QubesOS]] [https://youtu.be/oDR6VyzimPQ video]
* 2015-10-20 Anders Rosdahl - [[Media:Hands-on with wifi security publish.pdf|Hands on with wifi security]] [https://www.youtube.com/watch?v=FkCb6VORZj4 video]
* 2015-10-20 Viktor Hedberg - OWASP Security Shepherd
* 2015-10-20 Mikael Wecksten - [[Media:Android sec.pdf|Introduction to Android app security review]] [https://youtu.be/Vua9Z_8aESA video]
* 2015-10-20 Peter Gullberg - TrustZone, TEE and mobile security
* 2015-04-16 Adde Lindh: [[Media:DefenderEconomics.pdf|Defender Economics]]
* 2015-04-16 Michael Boman: [[Media: From_Malware_Analysis_to_Indications_of_Compromise.pdf|From Malware Analysis to Indications of Compromise]]
* 2015-03-19 Georg Koppen and Philipp Winter: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]] [https://www.youtube.com/watch?v=bmmAFiqOgks Video: Relays] [https://www.youtube.com/watch?v=s7vb_mjJn2M Video: TorBrowser] [https://www.youtube.com/watch?v=UhWhlm0SB-U Video: Questions and Answers]
* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2015 ==
'''2015-10-20 - Security Tapas'''

While preparing for OWASP Gothenburg Day we realised we need something that is quite the opposite of a giant all-day event with international speakers. We need a small and cosy down-to-earth session with local speakers. Like a hackathon but with some kind of agenda. Small demonstrations, primers on a subject or technology, a lightning talk or even a small hands on workshop. To make room for a lot of people we keep them short, aiming for 15-20 minutes for presentations with some additional room for workshops.
OWASP will open up the floor, while you, our community, sets the agenda and take place on stage.
Thanks to our sponsor ÅF we'll have a cool venue on the 16th floor and something to eat and drink.
Pls, send us a short title, your suggested time slot size in minutes and whether this is a workshop or not (defined by the fact that participants will require to bring some kind of equipment and will be expected to perform some kind of activity) to mattias.jidhage@owasp.org OR let us know through the ticket registration form.
You are of course very welcome to attend even if you don't have something to present.

'''Going dark - Mattias Jidhage'''

'''Mac Hack Backup Attack - Jonas Magazinius'''

'''Livepatching the linux kernel - Mikael Falkvidd'''

'''An introduction to QubesOS - Fredrik Strömberg'''

'''Hands on with wifi security - Anders Rosdahl'''

'''OWASP Security Shepherd - Viktor Hedberg'''

'''Introduction to Android app security review - Mikael Wecksten'''

'''TrustZone, TEE and mobile security - Peter Gullberg'''

''' 2015-04-15 - D-FENS'''

Let's talk defense.
Offense might be a bit more fun (admit it - there is a small evil mini-me inside all of us that wants nothing but wielding the mighty power of the hack that ruled them all) but let's face it, there are only so many wrongdoing organisations with world domination aspirations that will hire you to develop attacks on company time. For most of us that wants a paycheck within security, defence is on the menu. So, how should we effectively use our company’s sparse resources to make it harder for an attacker to breach our defenses and when that inevitably happens anyway; how do we find the bad code and remove it?
The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English!

''Agenda''

17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint and a Community update

18:15 Defender economics

19:00 Short break

19:05 Search and destroy

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Andreas Lindh - Defender Economics'''

There are a lot of preconceptions about defense, the most prevalent one probably the “defenders dilemma” in which it is stated that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers and their capabilities, and how to defend against them. This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker’s limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defenders favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.

Andreas Lindh (@addelindh) is a security analyst and engineer working for I Secure Sweden in Gothenburg, Sweden. He specializes in threat & vulnerability analysis, intrusion detection and generally making his clients more secure. When he's not dissecting threats or kicking some intruder off a network somewhere, he likes to write crappy Python code and make bad puns on Twitter. Andreas has previously presented his work at, among others, Black Hat USA, Virus Bulletin and 44Con.

'''Michael Boman - Search and Destroy the unknown'''

What do you do after realizing that you have been infected by a previously unknown sample that your antimalware vendor failed to detect, or you are unsure that you have up-to-date antimalware products on all systems in your environment? Perhaps you are not able to install antimalware on some endpoints due to regulatory restrictions. So how do you go about to detect malware that hasn’t been detected by your antimalware software? Learn how you can make use of the sources of detection you already have, like your firewall logs, to detect unknown threats on your network and help you locate and extract the malicious software causing the issue. Once you got your hands on a sample you can analyze it for artifacts the malware creates. Those artifacts, called Indicators of Compromise (IOC), can be used to detect additional malware infections on your SMB or Enterprise network using tools you might already have or can easily be acquired freely from the internet.

Michael Boman (@mboman) is a senior malware analyst at the Malware Research Institute and has been presenting at several large security conferences including 44CON and DEEPSEC in the recent years about malware research, everything from finding malware samples to analyze suspected files at speed and on budget. Michael has been interested in malicious software since he got his own machine infected even though he followed all the best practices having his computer up-to-date with both patches and antimalware software. The fact that the only thing that notified him about the infection was the built-in Windows firewall asking if it was OK to open a port for a piece of executable. And the rest, as they say, is history. Malware Research Institute is an organization that promotes malware research, tools and techniques for aspiring and seasoned malware analysts. Malware Research Institute has a blog where they publish interesting resources for malware researchers over at http://blog.malwareresearch.institute.

'''2015-03-20 - Philipp and Georg's slides available'''

Tor presentation slides: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]]

'''2015-03-11 - Strengths and weaknesses of Tor, the white knight of internet anonymity '''

"For those interested in online anonymity there are lots of tools available and Tor is one of the most frequently used. How does it work, how do you use it safely, and what are the risks? Is it possible to express your opinions anonymously on the internet today or can well funded actors circumvent the anonymity that Tor provides and find your true identity? What is the current status of the anonymity provided and what is being done to prevent current and future attacks on Tor?

To answer those and other questions regarding Tor we have invited Georg Koppen and Philipp Winter from the Tor Project to join us on Thursday, March 19. Be sure to book your seat immediately.

Who's this 'Tor', anyway?
Tor is an overlay network that enables people to use the Internet anonymously. We give a brief overview of how Tor works and then focus on how Tor can be used safely. In particular, we talk about the problem of malicious exit relays, how they can be a problem for Tor users, and how the Tor Project deals with them. Next, we talk about Tor Browser, The Tor Project's Firefox fork. Tor Browser protects against a number of (deanonymization) attacks that are not prevented by Firefox or Chrome. The goal of this talk is to show how Tor can be used safely for Web surfing and to correct common misunderstandings.

'''Georg Koppen'''
Works for The Tor Project on the Tor Browser, Torbutton, and Tor's build automation. He's also the main developer behind Tor's effort to create deterministic builds.

'''Phillipp Winter'''
Works for The Tor Project on research related to malicious exit relays and censorship circumvention. He is the main developer of ScrambleSuit, a polymorphic network traffic obfuscation protocol that's used by Tor.

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsors TeliaSonera & Mullvad and a Community update

18:15 Surfing safely over the Tor network, part 1

18:55 Short break

19:00 Surfing safely over the Tor network, part 2

19:40 Coming events

19:50 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

Gothenburg

2015-10-25T12:10:39Z

Peter Magnusson: Mikael Wecksten - Introduction to Android app security review /* Historiska Presentationer: PDF, video med mera */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius. I styrelsen sitter Per Josefsson, Fredrik Strömberg, Anders Rosdahl, Mikael Falkvidd och Viktor Hedberg.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==
* 2015-10-20 Mattias Jidhage - [[Media:GoingGrey.pdf|Going dark (grey)]] [https://youtu.be/ercZOphipRw video]
* 2015-10-20 Jonas Magazinius - Mac Hack Backup Attack [https://youtu.be/3KQMFR7Dv3M video]
* 2015-10-20 Mikael Falkvidd - [[Media:Linux_kernel_live_patching.pdf|Livepatching the linux kernel]] [https://youtu.be/zy0R_S2raSM video]
* 2015-10-20 Fredrik Strömberg - [[Media:Qubes.pdf|An introduction to QubesOS]] [https://youtu.be/oDR6VyzimPQ video]
* 2015-10-20 Anders Rosdahl - [[Media:Hands-on with wifi security publish.pdf|Hands on with wifi security]] [https://www.youtube.com/watch?v=FkCb6VORZj4 video]
* 2015-10-20 Viktor Hedberg - OWASP Security Shepherd
* 2015-10-20 Mikael Wecksten - [[Media:Android sec.pdf|Introduction to Android app security review]]
* 2015-10-20 Peter Gullberg - TrustZone, TEE and mobile security
* 2015-04-16 Adde Lindh: [[Media:DefenderEconomics.pdf|Defender Economics]]
* 2015-04-16 Michael Boman: [[Media: From_Malware_Analysis_to_Indications_of_Compromise.pdf|From Malware Analysis to Indications of Compromise]]
* 2015-03-19 Georg Koppen and Philipp Winter: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]] [https://www.youtube.com/watch?v=bmmAFiqOgks Video: Relays] [https://www.youtube.com/watch?v=s7vb_mjJn2M Video: TorBrowser] [https://www.youtube.com/watch?v=UhWhlm0SB-U Video: Questions and Answers]
* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2015 ==
'''2015-10-20 - Security Tapas'''

While preparing for OWASP Gothenburg Day we realised we need something that is quite the opposite of a giant all-day event with international speakers. We need a small and cosy down-to-earth session with local speakers. Like a hackathon but with some kind of agenda. Small demonstrations, primers on a subject or technology, a lightning talk or even a small hands on workshop. To make room for a lot of people we keep them short, aiming for 15-20 minutes for presentations with some additional room for workshops.
OWASP will open up the floor, while you, our community, sets the agenda and take place on stage.
Thanks to our sponsor ÅF we'll have a cool venue on the 16th floor and something to eat and drink.
Pls, send us a short title, your suggested time slot size in minutes and whether this is a workshop or not (defined by the fact that participants will require to bring some kind of equipment and will be expected to perform some kind of activity) to mattias.jidhage@owasp.org OR let us know through the ticket registration form.
You are of course very welcome to attend even if you don't have something to present.

'''Going dark - Mattias Jidhage'''

'''Mac Hack Backup Attack - Jonas Magazinius'''

'''Livepatching the linux kernel - Mikael Falkvidd'''

'''An introduction to QubesOS - Fredrik Strömberg'''

'''Hands on with wifi security - Anders Rosdahl'''

'''OWASP Security Shepherd - Viktor Hedberg'''

'''Introduction to Android app security review - Mikael Wecksten'''

'''TrustZone, TEE and mobile security - Peter Gullberg'''

''' 2015-04-15 - D-FENS'''

Let's talk defense.
Offense might be a bit more fun (admit it - there is a small evil mini-me inside all of us that wants nothing but wielding the mighty power of the hack that ruled them all) but let's face it, there are only so many wrongdoing organisations with world domination aspirations that will hire you to develop attacks on company time. For most of us that wants a paycheck within security, defence is on the menu. So, how should we effectively use our company’s sparse resources to make it harder for an attacker to breach our defenses and when that inevitably happens anyway; how do we find the bad code and remove it?
The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English!

''Agenda''

17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint and a Community update

18:15 Defender economics

19:00 Short break

19:05 Search and destroy

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Andreas Lindh - Defender Economics'''

There are a lot of preconceptions about defense, the most prevalent one probably the “defenders dilemma” in which it is stated that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers and their capabilities, and how to defend against them. This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker’s limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defenders favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.

Andreas Lindh (@addelindh) is a security analyst and engineer working for I Secure Sweden in Gothenburg, Sweden. He specializes in threat & vulnerability analysis, intrusion detection and generally making his clients more secure. When he's not dissecting threats or kicking some intruder off a network somewhere, he likes to write crappy Python code and make bad puns on Twitter. Andreas has previously presented his work at, among others, Black Hat USA, Virus Bulletin and 44Con.

'''Michael Boman - Search and Destroy the unknown'''

What do you do after realizing that you have been infected by a previously unknown sample that your antimalware vendor failed to detect, or you are unsure that you have up-to-date antimalware products on all systems in your environment? Perhaps you are not able to install antimalware on some endpoints due to regulatory restrictions. So how do you go about to detect malware that hasn’t been detected by your antimalware software? Learn how you can make use of the sources of detection you already have, like your firewall logs, to detect unknown threats on your network and help you locate and extract the malicious software causing the issue. Once you got your hands on a sample you can analyze it for artifacts the malware creates. Those artifacts, called Indicators of Compromise (IOC), can be used to detect additional malware infections on your SMB or Enterprise network using tools you might already have or can easily be acquired freely from the internet.

Michael Boman (@mboman) is a senior malware analyst at the Malware Research Institute and has been presenting at several large security conferences including 44CON and DEEPSEC in the recent years about malware research, everything from finding malware samples to analyze suspected files at speed and on budget. Michael has been interested in malicious software since he got his own machine infected even though he followed all the best practices having his computer up-to-date with both patches and antimalware software. The fact that the only thing that notified him about the infection was the built-in Windows firewall asking if it was OK to open a port for a piece of executable. And the rest, as they say, is history. Malware Research Institute is an organization that promotes malware research, tools and techniques for aspiring and seasoned malware analysts. Malware Research Institute has a blog where they publish interesting resources for malware researchers over at http://blog.malwareresearch.institute.

'''2015-03-20 - Philipp and Georg's slides available'''

Tor presentation slides: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]]

'''2015-03-11 - Strengths and weaknesses of Tor, the white knight of internet anonymity '''

"For those interested in online anonymity there are lots of tools available and Tor is one of the most frequently used. How does it work, how do you use it safely, and what are the risks? Is it possible to express your opinions anonymously on the internet today or can well funded actors circumvent the anonymity that Tor provides and find your true identity? What is the current status of the anonymity provided and what is being done to prevent current and future attacks on Tor?

To answer those and other questions regarding Tor we have invited Georg Koppen and Philipp Winter from the Tor Project to join us on Thursday, March 19. Be sure to book your seat immediately.

Who's this 'Tor', anyway?
Tor is an overlay network that enables people to use the Internet anonymously. We give a brief overview of how Tor works and then focus on how Tor can be used safely. In particular, we talk about the problem of malicious exit relays, how they can be a problem for Tor users, and how the Tor Project deals with them. Next, we talk about Tor Browser, The Tor Project's Firefox fork. Tor Browser protects against a number of (deanonymization) attacks that are not prevented by Firefox or Chrome. The goal of this talk is to show how Tor can be used safely for Web surfing and to correct common misunderstandings.

'''Georg Koppen'''
Works for The Tor Project on the Tor Browser, Torbutton, and Tor's build automation. He's also the main developer behind Tor's effort to create deterministic builds.

'''Phillipp Winter'''
Works for The Tor Project on research related to malicious exit relays and censorship circumvention. He is the main developer of ScrambleSuit, a polymorphic network traffic obfuscation protocol that's used by Tor.

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsors TeliaSonera & Mullvad and a Community update

18:15 Surfing safely over the Tor network, part 1

18:55 Short break

19:00 Surfing safely over the Tor network, part 2

19:40 Coming events

19:50 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

File:Android sec.pdf

2015-10-25T12:09:26Z

Peter Magnusson: Introduction to Android Security review - Mikael Wecksten Outline Listen Look Listening in AP & Wireshark Why a AP? Any device Easy to set up Easy to use Alternatives Rooted device Saves to PCAP Other good stuff? Burp! Other standard tools for web-sec...

Introduction to Android Security review - Mikael Wecksten
Outline
Listen
Look
Listening in
AP & Wireshark
Why a AP?
Any device
Easy to set up
Easy to use
Alternatives
Rooted device
Saves to PCAP
Other good stuff?
Burp!
Other standard tools for web-sec
Looking in
Decompiling APKs
APK
Compressed folder
Everything needed
.dex file
dex Files
Dalvik
Bytecode
ART is replacing it
Still dex files
Same input bytecode
Jar Files
Compressed folder
.class files
Hardware
USB-WiFi Dongel:
Tp-link
TL-WN722N
200 kronor locally in Sweden
Of course other alternatives
As low as 100 kronor online
Questions?
Contact:
wecksten@student.chalmers.se
@wecksten

Gothenburg

2015-10-25T11:07:56Z

Peter Magnusson: 2015-10-20 Fredrik Strömberg - An introduction to QubesOS [https://youtu.be/oDR6VyzimPQ video] /* Historiska Presentationer: PDF, video med mera */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius. I styrelsen sitter Per Josefsson, Fredrik Strömberg, Anders Rosdahl, Mikael Falkvidd och Viktor Hedberg.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==
* 2015-10-20 Mattias Jidhage - [[Media:GoingGrey.pdf|Going dark (grey)]] [https://youtu.be/ercZOphipRw video]
* 2015-10-20 Jonas Magazinius - Mac Hack Backup Attack [https://youtu.be/3KQMFR7Dv3M video]
* 2015-10-20 Mikael Falkvidd - [[Media:Linux_kernel_live_patching.pdf|Livepatching the linux kernel]] [https://youtu.be/zy0R_S2raSM video]
* 2015-10-20 Fredrik Strömberg - [[Media:Qubes.pdf|An introduction to QubesOS]] [https://youtu.be/oDR6VyzimPQ video]
* 2015-10-20 Anders Rosdahl - [[Media:Hands-on with wifi security publish.pdf|Hands on with wifi security]] [https://www.youtube.com/watch?v=FkCb6VORZj4 video]
* 2015-10-20 Viktor Hedberg - OWASP Security Shepherd
* 2015-10-20 Mikael Wecksten Introduction to Android app security review
* 2015-10-20 Peter Gullberg - TrustZone, TEE and mobile security
* 2015-04-16 Adde Lindh: [[Media:DefenderEconomics.pdf|Defender Economics]]
* 2015-04-16 Michael Boman: [[Media: From_Malware_Analysis_to_Indications_of_Compromise.pdf|From Malware Analysis to Indications of Compromise]]
* 2015-03-19 Georg Koppen and Philipp Winter: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]] [https://www.youtube.com/watch?v=bmmAFiqOgks Video: Relays] [https://www.youtube.com/watch?v=s7vb_mjJn2M Video: TorBrowser] [https://www.youtube.com/watch?v=UhWhlm0SB-U Video: Questions and Answers]
* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2015 ==
'''2015-10-20 - Security Tapas'''

While preparing for OWASP Gothenburg Day we realised we need something that is quite the opposite of a giant all-day event with international speakers. We need a small and cosy down-to-earth session with local speakers. Like a hackathon but with some kind of agenda. Small demonstrations, primers on a subject or technology, a lightning talk or even a small hands on workshop. To make room for a lot of people we keep them short, aiming for 15-20 minutes for presentations with some additional room for workshops.
OWASP will open up the floor, while you, our community, sets the agenda and take place on stage.
Thanks to our sponsor ÅF we'll have a cool venue on the 16th floor and something to eat and drink.
Pls, send us a short title, your suggested time slot size in minutes and whether this is a workshop or not (defined by the fact that participants will require to bring some kind of equipment and will be expected to perform some kind of activity) to mattias.jidhage@owasp.org OR let us know through the ticket registration form.
You are of course very welcome to attend even if you don't have something to present.

'''Going dark - Mattias Jidhage'''

'''Mac Hack Backup Attack - Jonas Magazinius'''

'''Livepatching the linux kernel - Mikael Falkvidd'''

'''An introduction to QubesOS - Fredrik Strömberg'''

'''Hands on with wifi security - Anders Rosdahl'''

'''OWASP Security Shepherd - Viktor Hedberg'''

'''Introduction to Android app security review - Mikael Wecksten'''

'''TrustZone, TEE and mobile security - Peter Gullberg'''

''' 2015-04-15 - D-FENS'''

Let's talk defense.
Offense might be a bit more fun (admit it - there is a small evil mini-me inside all of us that wants nothing but wielding the mighty power of the hack that ruled them all) but let's face it, there are only so many wrongdoing organisations with world domination aspirations that will hire you to develop attacks on company time. For most of us that wants a paycheck within security, defence is on the menu. So, how should we effectively use our company’s sparse resources to make it harder for an attacker to breach our defenses and when that inevitably happens anyway; how do we find the bad code and remove it?
The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English!

''Agenda''

17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint and a Community update

18:15 Defender economics

19:00 Short break

19:05 Search and destroy

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Andreas Lindh - Defender Economics'''

There are a lot of preconceptions about defense, the most prevalent one probably the “defenders dilemma” in which it is stated that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers and their capabilities, and how to defend against them. This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker’s limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defenders favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.

Andreas Lindh (@addelindh) is a security analyst and engineer working for I Secure Sweden in Gothenburg, Sweden. He specializes in threat & vulnerability analysis, intrusion detection and generally making his clients more secure. When he's not dissecting threats or kicking some intruder off a network somewhere, he likes to write crappy Python code and make bad puns on Twitter. Andreas has previously presented his work at, among others, Black Hat USA, Virus Bulletin and 44Con.

'''Michael Boman - Search and Destroy the unknown'''

What do you do after realizing that you have been infected by a previously unknown sample that your antimalware vendor failed to detect, or you are unsure that you have up-to-date antimalware products on all systems in your environment? Perhaps you are not able to install antimalware on some endpoints due to regulatory restrictions. So how do you go about to detect malware that hasn’t been detected by your antimalware software? Learn how you can make use of the sources of detection you already have, like your firewall logs, to detect unknown threats on your network and help you locate and extract the malicious software causing the issue. Once you got your hands on a sample you can analyze it for artifacts the malware creates. Those artifacts, called Indicators of Compromise (IOC), can be used to detect additional malware infections on your SMB or Enterprise network using tools you might already have or can easily be acquired freely from the internet.

Michael Boman (@mboman) is a senior malware analyst at the Malware Research Institute and has been presenting at several large security conferences including 44CON and DEEPSEC in the recent years about malware research, everything from finding malware samples to analyze suspected files at speed and on budget. Michael has been interested in malicious software since he got his own machine infected even though he followed all the best practices having his computer up-to-date with both patches and antimalware software. The fact that the only thing that notified him about the infection was the built-in Windows firewall asking if it was OK to open a port for a piece of executable. And the rest, as they say, is history. Malware Research Institute is an organization that promotes malware research, tools and techniques for aspiring and seasoned malware analysts. Malware Research Institute has a blog where they publish interesting resources for malware researchers over at http://blog.malwareresearch.institute.

'''2015-03-20 - Philipp and Georg's slides available'''

Tor presentation slides: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]]

'''2015-03-11 - Strengths and weaknesses of Tor, the white knight of internet anonymity '''

"For those interested in online anonymity there are lots of tools available and Tor is one of the most frequently used. How does it work, how do you use it safely, and what are the risks? Is it possible to express your opinions anonymously on the internet today or can well funded actors circumvent the anonymity that Tor provides and find your true identity? What is the current status of the anonymity provided and what is being done to prevent current and future attacks on Tor?

To answer those and other questions regarding Tor we have invited Georg Koppen and Philipp Winter from the Tor Project to join us on Thursday, March 19. Be sure to book your seat immediately.

Who's this 'Tor', anyway?
Tor is an overlay network that enables people to use the Internet anonymously. We give a brief overview of how Tor works and then focus on how Tor can be used safely. In particular, we talk about the problem of malicious exit relays, how they can be a problem for Tor users, and how the Tor Project deals with them. Next, we talk about Tor Browser, The Tor Project's Firefox fork. Tor Browser protects against a number of (deanonymization) attacks that are not prevented by Firefox or Chrome. The goal of this talk is to show how Tor can be used safely for Web surfing and to correct common misunderstandings.

'''Georg Koppen'''
Works for The Tor Project on the Tor Browser, Torbutton, and Tor's build automation. He's also the main developer behind Tor's effort to create deterministic builds.

'''Phillipp Winter'''
Works for The Tor Project on research related to malicious exit relays and censorship circumvention. He is the main developer of ScrambleSuit, a polymorphic network traffic obfuscation protocol that's used by Tor.

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsors TeliaSonera & Mullvad and a Community update

18:15 Surfing safely over the Tor network, part 1

18:55 Short break

19:00 Surfing safely over the Tor network, part 2

19:40 Coming events

19:50 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

Gothenburg

2015-10-25T10:44:00Z

Peter Magnusson: 2015-10-20 Anders Rosdahl - Hands on with wifi security [https://www.youtube.com/watch?v=FkCb6VORZj4 video] /* Historiska Presentationer: PDF, video med mera */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius. I styrelsen sitter Per Josefsson, Fredrik Strömberg, Anders Rosdahl, Mikael Falkvidd och Viktor Hedberg.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==
* 2015-10-20 Mattias Jidhage - [[Media:GoingGrey.pdf|Going dark (grey)]] [https://youtu.be/ercZOphipRw video]
* 2015-10-20 Jonas Magazinius - Mac Hack Backup Attack [https://youtu.be/3KQMFR7Dv3M video]
* 2015-10-20 Mikael Falkvidd - [[Media:Linux_kernel_live_patching.pdf|Livepatching the linux kernel]] [https://youtu.be/zy0R_S2raSM video]
* 2015-10-20 Fredrik Strömberg - [[Media:Qubes.pdf|An introduction to QubesOS]]
* 2015-10-20 Anders Rosdahl - [[Media:Hands-on with wifi security publish.pdf|Hands on with wifi security]] [https://www.youtube.com/watch?v=FkCb6VORZj4 video]
* 2015-10-20 Viktor Hedberg - OWASP Security Shepherd
* 2015-10-20 Mikael Wecksten Introduction to Android app security review
* 2015-10-20 Peter Gullberg - TrustZone, TEE and mobile security
* 2015-04-16 Adde Lindh: [[Media:DefenderEconomics.pdf|Defender Economics]]
* 2015-04-16 Michael Boman: [[Media: From_Malware_Analysis_to_Indications_of_Compromise.pdf|From Malware Analysis to Indications of Compromise]]
* 2015-03-19 Georg Koppen and Philipp Winter: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]] [https://www.youtube.com/watch?v=bmmAFiqOgks Video: Relays] [https://www.youtube.com/watch?v=s7vb_mjJn2M Video: TorBrowser] [https://www.youtube.com/watch?v=UhWhlm0SB-U Video: Questions and Answers]
* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2015 ==
'''2015-10-20 - Security Tapas'''

While preparing for OWASP Gothenburg Day we realised we need something that is quite the opposite of a giant all-day event with international speakers. We need a small and cosy down-to-earth session with local speakers. Like a hackathon but with some kind of agenda. Small demonstrations, primers on a subject or technology, a lightning talk or even a small hands on workshop. To make room for a lot of people we keep them short, aiming for 15-20 minutes for presentations with some additional room for workshops.
OWASP will open up the floor, while you, our community, sets the agenda and take place on stage.
Thanks to our sponsor ÅF we'll have a cool venue on the 16th floor and something to eat and drink.
Pls, send us a short title, your suggested time slot size in minutes and whether this is a workshop or not (defined by the fact that participants will require to bring some kind of equipment and will be expected to perform some kind of activity) to mattias.jidhage@owasp.org OR let us know through the ticket registration form.
You are of course very welcome to attend even if you don't have something to present.

'''Going dark - Mattias Jidhage'''

'''Mac Hack Backup Attack - Jonas Magazinius'''

'''Livepatching the linux kernel - Mikael Falkvidd'''

'''An introduction to QubesOS - Fredrik Strömberg'''

'''Hands on with wifi security - Anders Rosdahl'''

'''OWASP Security Shepherd - Viktor Hedberg'''

'''Introduction to Android app security review - Mikael Wecksten'''

'''TrustZone, TEE and mobile security - Peter Gullberg'''

''' 2015-04-15 - D-FENS'''

Let's talk defense.
Offense might be a bit more fun (admit it - there is a small evil mini-me inside all of us that wants nothing but wielding the mighty power of the hack that ruled them all) but let's face it, there are only so many wrongdoing organisations with world domination aspirations that will hire you to develop attacks on company time. For most of us that wants a paycheck within security, defence is on the menu. So, how should we effectively use our company’s sparse resources to make it harder for an attacker to breach our defenses and when that inevitably happens anyway; how do we find the bad code and remove it?
The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English!

''Agenda''

17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint and a Community update

18:15 Defender economics

19:00 Short break

19:05 Search and destroy

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Andreas Lindh - Defender Economics'''

There are a lot of preconceptions about defense, the most prevalent one probably the “defenders dilemma” in which it is stated that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers and their capabilities, and how to defend against them. This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker’s limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defenders favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.

Andreas Lindh (@addelindh) is a security analyst and engineer working for I Secure Sweden in Gothenburg, Sweden. He specializes in threat & vulnerability analysis, intrusion detection and generally making his clients more secure. When he's not dissecting threats or kicking some intruder off a network somewhere, he likes to write crappy Python code and make bad puns on Twitter. Andreas has previously presented his work at, among others, Black Hat USA, Virus Bulletin and 44Con.

'''Michael Boman - Search and Destroy the unknown'''

What do you do after realizing that you have been infected by a previously unknown sample that your antimalware vendor failed to detect, or you are unsure that you have up-to-date antimalware products on all systems in your environment? Perhaps you are not able to install antimalware on some endpoints due to regulatory restrictions. So how do you go about to detect malware that hasn’t been detected by your antimalware software? Learn how you can make use of the sources of detection you already have, like your firewall logs, to detect unknown threats on your network and help you locate and extract the malicious software causing the issue. Once you got your hands on a sample you can analyze it for artifacts the malware creates. Those artifacts, called Indicators of Compromise (IOC), can be used to detect additional malware infections on your SMB or Enterprise network using tools you might already have or can easily be acquired freely from the internet.

Michael Boman (@mboman) is a senior malware analyst at the Malware Research Institute and has been presenting at several large security conferences including 44CON and DEEPSEC in the recent years about malware research, everything from finding malware samples to analyze suspected files at speed and on budget. Michael has been interested in malicious software since he got his own machine infected even though he followed all the best practices having his computer up-to-date with both patches and antimalware software. The fact that the only thing that notified him about the infection was the built-in Windows firewall asking if it was OK to open a port for a piece of executable. And the rest, as they say, is history. Malware Research Institute is an organization that promotes malware research, tools and techniques for aspiring and seasoned malware analysts. Malware Research Institute has a blog where they publish interesting resources for malware researchers over at http://blog.malwareresearch.institute.

'''2015-03-20 - Philipp and Georg's slides available'''

Tor presentation slides: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]]

'''2015-03-11 - Strengths and weaknesses of Tor, the white knight of internet anonymity '''

"For those interested in online anonymity there are lots of tools available and Tor is one of the most frequently used. How does it work, how do you use it safely, and what are the risks? Is it possible to express your opinions anonymously on the internet today or can well funded actors circumvent the anonymity that Tor provides and find your true identity? What is the current status of the anonymity provided and what is being done to prevent current and future attacks on Tor?

To answer those and other questions regarding Tor we have invited Georg Koppen and Philipp Winter from the Tor Project to join us on Thursday, March 19. Be sure to book your seat immediately.

Who's this 'Tor', anyway?
Tor is an overlay network that enables people to use the Internet anonymously. We give a brief overview of how Tor works and then focus on how Tor can be used safely. In particular, we talk about the problem of malicious exit relays, how they can be a problem for Tor users, and how the Tor Project deals with them. Next, we talk about Tor Browser, The Tor Project's Firefox fork. Tor Browser protects against a number of (deanonymization) attacks that are not prevented by Firefox or Chrome. The goal of this talk is to show how Tor can be used safely for Web surfing and to correct common misunderstandings.

'''Georg Koppen'''
Works for The Tor Project on the Tor Browser, Torbutton, and Tor's build automation. He's also the main developer behind Tor's effort to create deterministic builds.

'''Phillipp Winter'''
Works for The Tor Project on research related to malicious exit relays and censorship circumvention. He is the main developer of ScrambleSuit, a polymorphic network traffic obfuscation protocol that's used by Tor.

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsors TeliaSonera & Mullvad and a Community update

18:15 Surfing safely over the Tor network, part 1

18:55 Short break

19:00 Surfing safely over the Tor network, part 2

19:40 Coming events

19:50 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

Gothenburg

2015-10-24T10:15:34Z

Peter Magnusson: 2015-10-20 Fredrik Strömberg - An introduction to QubesOS /* Historiska Presentationer: PDF, video med mera */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius. I styrelsen sitter Per Josefsson, Fredrik Strömberg, Anders Rosdahl, Mikael Falkvidd och Viktor Hedberg.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==
* 2015-10-20 Mattias Jidhage - [[Media:GoingGrey.pdf|Going dark (grey)]] [https://youtu.be/ercZOphipRw video]
* 2015-10-20 Jonas Magazinius - Mac Hack Backup Attack [https://youtu.be/3KQMFR7Dv3M video]
* 2015-10-20 Mikael Falkvidd - [[Media:Linux_kernel_live_patching.pdf|Livepatching the linux kernel]] [https://youtu.be/zy0R_S2raSM video]
* 2015-10-20 Fredrik Strömberg - [[Media:Qubes.pdf|An introduction to QubesOS]]
* 2015-10-20 Anders Rosdahl - [[Media:Hands-on with wifi security publish.pdf|Hands on with wifi security]]
* 2015-10-20 Viktor Hedberg - OWASP Security Shepherd
* 2015-10-20 Mikael Wecksten Introduction to Android app security review
* 2015-10-20 Peter Gullberg - TrustZone, TEE and mobile security
* 2015-04-16 Adde Lindh: [[Media:DefenderEconomics.pdf|Defender Economics]]
* 2015-04-16 Michael Boman: [[Media: From_Malware_Analysis_to_Indications_of_Compromise.pdf|From Malware Analysis to Indications of Compromise]]
* 2015-03-19 Georg Koppen and Philipp Winter: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]] [https://www.youtube.com/watch?v=bmmAFiqOgks Video: Relays] [https://www.youtube.com/watch?v=s7vb_mjJn2M Video: TorBrowser] [https://www.youtube.com/watch?v=UhWhlm0SB-U Video: Questions and Answers]
* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2015 ==
'''2015-10-20 - Security Tapas'''

While preparing for OWASP Gothenburg Day we realised we need something that is quite the opposite of a giant all-day event with international speakers. We need a small and cosy down-to-earth session with local speakers. Like a hackathon but with some kind of agenda. Small demonstrations, primers on a subject or technology, a lightning talk or even a small hands on workshop. To make room for a lot of people we keep them short, aiming for 15-20 minutes for presentations with some additional room for workshops.
OWASP will open up the floor, while you, our community, sets the agenda and take place on stage.
Thanks to our sponsor ÅF we'll have a cool venue on the 16th floor and something to eat and drink.
Pls, send us a short title, your suggested time slot size in minutes and whether this is a workshop or not (defined by the fact that participants will require to bring some kind of equipment and will be expected to perform some kind of activity) to mattias.jidhage@owasp.org OR let us know through the ticket registration form.
You are of course very welcome to attend even if you don't have something to present.

'''Going dark - Mattias Jidhage'''

'''Mac Hack Backup Attack - Jonas Magazinius'''

'''Livepatching the linux kernel - Mikael Falkvidd'''

'''An introduction to QubesOS - Fredrik Strömberg'''

'''Hands on with wifi security - Anders Rosdahl'''

'''OWASP Security Shepherd - Viktor Hedberg'''

'''Introduction to Android app security review - Mikael Wecksten'''

'''TrustZone, TEE and mobile security - Peter Gullberg'''

''' 2015-04-15 - D-FENS'''

Let's talk defense.
Offense might be a bit more fun (admit it - there is a small evil mini-me inside all of us that wants nothing but wielding the mighty power of the hack that ruled them all) but let's face it, there are only so many wrongdoing organisations with world domination aspirations that will hire you to develop attacks on company time. For most of us that wants a paycheck within security, defence is on the menu. So, how should we effectively use our company’s sparse resources to make it harder for an attacker to breach our defenses and when that inevitably happens anyway; how do we find the bad code and remove it?
The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English!

''Agenda''

17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint and a Community update

18:15 Defender economics

19:00 Short break

19:05 Search and destroy

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Andreas Lindh - Defender Economics'''

There are a lot of preconceptions about defense, the most prevalent one probably the “defenders dilemma” in which it is stated that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers and their capabilities, and how to defend against them. This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker’s limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defenders favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.

Andreas Lindh (@addelindh) is a security analyst and engineer working for I Secure Sweden in Gothenburg, Sweden. He specializes in threat & vulnerability analysis, intrusion detection and generally making his clients more secure. When he's not dissecting threats or kicking some intruder off a network somewhere, he likes to write crappy Python code and make bad puns on Twitter. Andreas has previously presented his work at, among others, Black Hat USA, Virus Bulletin and 44Con.

'''Michael Boman - Search and Destroy the unknown'''

What do you do after realizing that you have been infected by a previously unknown sample that your antimalware vendor failed to detect, or you are unsure that you have up-to-date antimalware products on all systems in your environment? Perhaps you are not able to install antimalware on some endpoints due to regulatory restrictions. So how do you go about to detect malware that hasn’t been detected by your antimalware software? Learn how you can make use of the sources of detection you already have, like your firewall logs, to detect unknown threats on your network and help you locate and extract the malicious software causing the issue. Once you got your hands on a sample you can analyze it for artifacts the malware creates. Those artifacts, called Indicators of Compromise (IOC), can be used to detect additional malware infections on your SMB or Enterprise network using tools you might already have or can easily be acquired freely from the internet.

Michael Boman (@mboman) is a senior malware analyst at the Malware Research Institute and has been presenting at several large security conferences including 44CON and DEEPSEC in the recent years about malware research, everything from finding malware samples to analyze suspected files at speed and on budget. Michael has been interested in malicious software since he got his own machine infected even though he followed all the best practices having his computer up-to-date with both patches and antimalware software. The fact that the only thing that notified him about the infection was the built-in Windows firewall asking if it was OK to open a port for a piece of executable. And the rest, as they say, is history. Malware Research Institute is an organization that promotes malware research, tools and techniques for aspiring and seasoned malware analysts. Malware Research Institute has a blog where they publish interesting resources for malware researchers over at http://blog.malwareresearch.institute.

'''2015-03-20 - Philipp and Georg's slides available'''

Tor presentation slides: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]]

'''2015-03-11 - Strengths and weaknesses of Tor, the white knight of internet anonymity '''

"For those interested in online anonymity there are lots of tools available and Tor is one of the most frequently used. How does it work, how do you use it safely, and what are the risks? Is it possible to express your opinions anonymously on the internet today or can well funded actors circumvent the anonymity that Tor provides and find your true identity? What is the current status of the anonymity provided and what is being done to prevent current and future attacks on Tor?

To answer those and other questions regarding Tor we have invited Georg Koppen and Philipp Winter from the Tor Project to join us on Thursday, March 19. Be sure to book your seat immediately.

Who's this 'Tor', anyway?
Tor is an overlay network that enables people to use the Internet anonymously. We give a brief overview of how Tor works and then focus on how Tor can be used safely. In particular, we talk about the problem of malicious exit relays, how they can be a problem for Tor users, and how the Tor Project deals with them. Next, we talk about Tor Browser, The Tor Project's Firefox fork. Tor Browser protects against a number of (deanonymization) attacks that are not prevented by Firefox or Chrome. The goal of this talk is to show how Tor can be used safely for Web surfing and to correct common misunderstandings.

'''Georg Koppen'''
Works for The Tor Project on the Tor Browser, Torbutton, and Tor's build automation. He's also the main developer behind Tor's effort to create deterministic builds.

'''Phillipp Winter'''
Works for The Tor Project on research related to malicious exit relays and censorship circumvention. He is the main developer of ScrambleSuit, a polymorphic network traffic obfuscation protocol that's used by Tor.

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsors TeliaSonera & Mullvad and a Community update

18:15 Surfing safely over the Tor network, part 1

18:55 Short break

19:00 Surfing safely over the Tor network, part 2

19:40 Coming events

19:50 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

File:Qubes.pdf

2015-10-24T10:14:27Z

Peter Magnusson: Fredrik Strömberg - An introduction to QubesOS Security by Correctness Security by Isolation Security by Obscurity ●Development started in 2010 ●Made by Joanna Rutkowska et al ●Low-level security ●Blue Pill ●Xen security ●Intel TXT & Int...

Fredrik Strömberg - An introduction to QubesOS

Security by Correctness
Security by Isolation
Security by Obscurity

●Development started in 2010
●Made by Joanna Rutkowska et al ●Low-level security ●Blue Pill ●Xen security ●Intel TXT & Intel SMM

Windows, OSX, Linux
One attack can own everything

Separate your digital life into security domains

●sys-vpn ●router ●red ●personal ●email ●work-web
●chat ●mullvad-dev ●printer ●server-admin ●sys-backup ●vault ●proj-*
●Disposables

Thank you!

Gothenburg

2015-10-23T22:47:21Z

Peter Magnusson: jidhage video /* Historiska Presentationer: PDF, video med mera */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius. I styrelsen sitter Per Josefsson, Fredrik Strömberg, Anders Rosdahl, Mikael Falkvidd och Viktor Hedberg.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==
* 2015-10-20 Mattias Jidhage - [[Media:GoingGrey.pdf|Going dark (grey)]] [https://youtu.be/ercZOphipRw video]
* 2015-10-20 Jonas Magazinius - Mac Hack Backup Attack [https://youtu.be/3KQMFR7Dv3M video]
* 2015-10-20 Mikael Falkvidd - [[Media:Linux_kernel_live_patching.pdf|Livepatching the linux kernel]] [https://youtu.be/zy0R_S2raSM video]
* 2015-10-20 Fredrik Strömberg - An introduction to QubesOS
* 2015-10-20 Anders Rosdahl - [[Media:Hands-on with wifi security publish.pdf|Hands on with wifi security]]
* 2015-10-20 Viktor Hedberg - OWASP Security Shepherd
* 2015-10-20 Mikael Wecksten Introduction to Android app security review
* 2015-10-20 Peter Gullberg - TrustZone, TEE and mobile security
* 2015-04-16 Adde Lindh: [[Media:DefenderEconomics.pdf|Defender Economics]]
* 2015-04-16 Michael Boman: [[Media: From_Malware_Analysis_to_Indications_of_Compromise.pdf|From Malware Analysis to Indications of Compromise]]
* 2015-03-19 Georg Koppen and Philipp Winter: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]] [https://www.youtube.com/watch?v=bmmAFiqOgks Video: Relays] [https://www.youtube.com/watch?v=s7vb_mjJn2M Video: TorBrowser] [https://www.youtube.com/watch?v=UhWhlm0SB-U Video: Questions and Answers]
* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2015 ==
'''2015-10-20 - Security Tapas'''

While preparing for OWASP Gothenburg Day we realised we need something that is quite the opposite of a giant all-day event with international speakers. We need a small and cosy down-to-earth session with local speakers. Like a hackathon but with some kind of agenda. Small demonstrations, primers on a subject or technology, a lightning talk or even a small hands on workshop. To make room for a lot of people we keep them short, aiming for 15-20 minutes for presentations with some additional room for workshops.
OWASP will open up the floor, while you, our community, sets the agenda and take place on stage.
Thanks to our sponsor ÅF we'll have a cool venue on the 16th floor and something to eat and drink.
Pls, send us a short title, your suggested time slot size in minutes and whether this is a workshop or not (defined by the fact that participants will require to bring some kind of equipment and will be expected to perform some kind of activity) to mattias.jidhage@owasp.org OR let us know through the ticket registration form.
You are of course very welcome to attend even if you don't have something to present.

'''Going dark - Mattias Jidhage'''

'''Mac Hack Backup Attack - Jonas Magazinius'''

'''Livepatching the linux kernel - Mikael Falkvidd'''

'''An introduction to QubesOS - Fredrik Strömberg'''

'''Hands on with wifi security - Anders Rosdahl'''

'''OWASP Security Shepherd - Viktor Hedberg'''

'''Introduction to Android app security review - Mikael Wecksten'''

'''TrustZone, TEE and mobile security - Peter Gullberg'''

''' 2015-04-15 - D-FENS'''

Let's talk defense.
Offense might be a bit more fun (admit it - there is a small evil mini-me inside all of us that wants nothing but wielding the mighty power of the hack that ruled them all) but let's face it, there are only so many wrongdoing organisations with world domination aspirations that will hire you to develop attacks on company time. For most of us that wants a paycheck within security, defence is on the menu. So, how should we effectively use our company’s sparse resources to make it harder for an attacker to breach our defenses and when that inevitably happens anyway; how do we find the bad code and remove it?
The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English!

''Agenda''

17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint and a Community update

18:15 Defender economics

19:00 Short break

19:05 Search and destroy

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Andreas Lindh - Defender Economics'''

There are a lot of preconceptions about defense, the most prevalent one probably the “defenders dilemma” in which it is stated that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers and their capabilities, and how to defend against them. This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker’s limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defenders favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.

Andreas Lindh (@addelindh) is a security analyst and engineer working for I Secure Sweden in Gothenburg, Sweden. He specializes in threat & vulnerability analysis, intrusion detection and generally making his clients more secure. When he's not dissecting threats or kicking some intruder off a network somewhere, he likes to write crappy Python code and make bad puns on Twitter. Andreas has previously presented his work at, among others, Black Hat USA, Virus Bulletin and 44Con.

'''Michael Boman - Search and Destroy the unknown'''

What do you do after realizing that you have been infected by a previously unknown sample that your antimalware vendor failed to detect, or you are unsure that you have up-to-date antimalware products on all systems in your environment? Perhaps you are not able to install antimalware on some endpoints due to regulatory restrictions. So how do you go about to detect malware that hasn’t been detected by your antimalware software? Learn how you can make use of the sources of detection you already have, like your firewall logs, to detect unknown threats on your network and help you locate and extract the malicious software causing the issue. Once you got your hands on a sample you can analyze it for artifacts the malware creates. Those artifacts, called Indicators of Compromise (IOC), can be used to detect additional malware infections on your SMB or Enterprise network using tools you might already have or can easily be acquired freely from the internet.

Michael Boman (@mboman) is a senior malware analyst at the Malware Research Institute and has been presenting at several large security conferences including 44CON and DEEPSEC in the recent years about malware research, everything from finding malware samples to analyze suspected files at speed and on budget. Michael has been interested in malicious software since he got his own machine infected even though he followed all the best practices having his computer up-to-date with both patches and antimalware software. The fact that the only thing that notified him about the infection was the built-in Windows firewall asking if it was OK to open a port for a piece of executable. And the rest, as they say, is history. Malware Research Institute is an organization that promotes malware research, tools and techniques for aspiring and seasoned malware analysts. Malware Research Institute has a blog where they publish interesting resources for malware researchers over at http://blog.malwareresearch.institute.

'''2015-03-20 - Philipp and Georg's slides available'''

Tor presentation slides: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]]

'''2015-03-11 - Strengths and weaknesses of Tor, the white knight of internet anonymity '''

"For those interested in online anonymity there are lots of tools available and Tor is one of the most frequently used. How does it work, how do you use it safely, and what are the risks? Is it possible to express your opinions anonymously on the internet today or can well funded actors circumvent the anonymity that Tor provides and find your true identity? What is the current status of the anonymity provided and what is being done to prevent current and future attacks on Tor?

To answer those and other questions regarding Tor we have invited Georg Koppen and Philipp Winter from the Tor Project to join us on Thursday, March 19. Be sure to book your seat immediately.

Who's this 'Tor', anyway?
Tor is an overlay network that enables people to use the Internet anonymously. We give a brief overview of how Tor works and then focus on how Tor can be used safely. In particular, we talk about the problem of malicious exit relays, how they can be a problem for Tor users, and how the Tor Project deals with them. Next, we talk about Tor Browser, The Tor Project's Firefox fork. Tor Browser protects against a number of (deanonymization) attacks that are not prevented by Firefox or Chrome. The goal of this talk is to show how Tor can be used safely for Web surfing and to correct common misunderstandings.

'''Georg Koppen'''
Works for The Tor Project on the Tor Browser, Torbutton, and Tor's build automation. He's also the main developer behind Tor's effort to create deterministic builds.

'''Phillipp Winter'''
Works for The Tor Project on research related to malicious exit relays and censorship circumvention. He is the main developer of ScrambleSuit, a polymorphic network traffic obfuscation protocol that's used by Tor.

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsors TeliaSonera & Mullvad and a Community update

18:15 Surfing safely over the Tor network, part 1

18:55 Short break

19:00 Surfing safely over the Tor network, part 2

19:40 Coming events

19:50 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

Gothenburg

2015-10-23T21:06:29Z

Peter Magnusson: 2015-10-20 Mattias Jidhage - Going dark (grey) /* Historiska Presentationer: PDF, video med mera */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius. I styrelsen sitter Per Josefsson, Fredrik Strömberg, Anders Rosdahl, Mikael Falkvidd och Viktor Hedberg.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==
* 2015-10-20 Mattias Jidhage - [[Media:GoingGrey.pdf|Going dark (grey)]]
* 2015-10-20 Jonas Magazinius - Mac Hack Backup Attack [https://youtu.be/3KQMFR7Dv3M video]
* 2015-10-20 Mikael Falkvidd - [[Media:Linux_kernel_live_patching.pdf|Livepatching the linux kernel]] [https://youtu.be/zy0R_S2raSM video]
* 2015-10-20 Fredrik Strömberg - An introduction to QubesOS
* 2015-10-20 Anders Rosdahl - [[Media:Hands-on with wifi security publish.pdf|Hands on with wifi security]]
* 2015-10-20 Viktor Hedberg - OWASP Security Shepherd
* 2015-10-20 Mikael Wecksten Introduction to Android app security review
* 2015-10-20 Peter Gullberg - TrustZone, TEE and mobile security
* 2015-04-16 Adde Lindh: [[Media:DefenderEconomics.pdf|Defender Economics]]
* 2015-04-16 Michael Boman: [[Media: From_Malware_Analysis_to_Indications_of_Compromise.pdf|From Malware Analysis to Indications of Compromise]]
* 2015-03-19 Georg Koppen and Philipp Winter: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]] [https://www.youtube.com/watch?v=bmmAFiqOgks Video: Relays] [https://www.youtube.com/watch?v=s7vb_mjJn2M Video: TorBrowser] [https://www.youtube.com/watch?v=UhWhlm0SB-U Video: Questions and Answers]
* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2015 ==
'''2015-10-20 - Security Tapas'''

While preparing for OWASP Gothenburg Day we realised we need something that is quite the opposite of a giant all-day event with international speakers. We need a small and cosy down-to-earth session with local speakers. Like a hackathon but with some kind of agenda. Small demonstrations, primers on a subject or technology, a lightning talk or even a small hands on workshop. To make room for a lot of people we keep them short, aiming for 15-20 minutes for presentations with some additional room for workshops.
OWASP will open up the floor, while you, our community, sets the agenda and take place on stage.
Thanks to our sponsor ÅF we'll have a cool venue on the 16th floor and something to eat and drink.
Pls, send us a short title, your suggested time slot size in minutes and whether this is a workshop or not (defined by the fact that participants will require to bring some kind of equipment and will be expected to perform some kind of activity) to mattias.jidhage@owasp.org OR let us know through the ticket registration form.
You are of course very welcome to attend even if you don't have something to present.

'''Going dark - Mattias Jidhage'''

'''Mac Hack Backup Attack - Jonas Magazinius'''

'''Livepatching the linux kernel - Mikael Falkvidd'''

'''An introduction to QubesOS - Fredrik Strömberg'''

'''Hands on with wifi security - Anders Rosdahl'''

'''OWASP Security Shepherd - Viktor Hedberg'''

'''Introduction to Android app security review - Mikael Wecksten'''

'''TrustZone, TEE and mobile security - Peter Gullberg'''

''' 2015-04-15 - D-FENS'''

Let's talk defense.
Offense might be a bit more fun (admit it - there is a small evil mini-me inside all of us that wants nothing but wielding the mighty power of the hack that ruled them all) but let's face it, there are only so many wrongdoing organisations with world domination aspirations that will hire you to develop attacks on company time. For most of us that wants a paycheck within security, defence is on the menu. So, how should we effectively use our company’s sparse resources to make it harder for an attacker to breach our defenses and when that inevitably happens anyway; how do we find the bad code and remove it?
The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English!

''Agenda''

17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint and a Community update

18:15 Defender economics

19:00 Short break

19:05 Search and destroy

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Andreas Lindh - Defender Economics'''

There are a lot of preconceptions about defense, the most prevalent one probably the “defenders dilemma” in which it is stated that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers and their capabilities, and how to defend against them. This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker’s limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defenders favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.

Andreas Lindh (@addelindh) is a security analyst and engineer working for I Secure Sweden in Gothenburg, Sweden. He specializes in threat & vulnerability analysis, intrusion detection and generally making his clients more secure. When he's not dissecting threats or kicking some intruder off a network somewhere, he likes to write crappy Python code and make bad puns on Twitter. Andreas has previously presented his work at, among others, Black Hat USA, Virus Bulletin and 44Con.

'''Michael Boman - Search and Destroy the unknown'''

What do you do after realizing that you have been infected by a previously unknown sample that your antimalware vendor failed to detect, or you are unsure that you have up-to-date antimalware products on all systems in your environment? Perhaps you are not able to install antimalware on some endpoints due to regulatory restrictions. So how do you go about to detect malware that hasn’t been detected by your antimalware software? Learn how you can make use of the sources of detection you already have, like your firewall logs, to detect unknown threats on your network and help you locate and extract the malicious software causing the issue. Once you got your hands on a sample you can analyze it for artifacts the malware creates. Those artifacts, called Indicators of Compromise (IOC), can be used to detect additional malware infections on your SMB or Enterprise network using tools you might already have or can easily be acquired freely from the internet.

Michael Boman (@mboman) is a senior malware analyst at the Malware Research Institute and has been presenting at several large security conferences including 44CON and DEEPSEC in the recent years about malware research, everything from finding malware samples to analyze suspected files at speed and on budget. Michael has been interested in malicious software since he got his own machine infected even though he followed all the best practices having his computer up-to-date with both patches and antimalware software. The fact that the only thing that notified him about the infection was the built-in Windows firewall asking if it was OK to open a port for a piece of executable. And the rest, as they say, is history. Malware Research Institute is an organization that promotes malware research, tools and techniques for aspiring and seasoned malware analysts. Malware Research Institute has a blog where they publish interesting resources for malware researchers over at http://blog.malwareresearch.institute.

'''2015-03-20 - Philipp and Georg's slides available'''

Tor presentation slides: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]]

'''2015-03-11 - Strengths and weaknesses of Tor, the white knight of internet anonymity '''

"For those interested in online anonymity there are lots of tools available and Tor is one of the most frequently used. How does it work, how do you use it safely, and what are the risks? Is it possible to express your opinions anonymously on the internet today or can well funded actors circumvent the anonymity that Tor provides and find your true identity? What is the current status of the anonymity provided and what is being done to prevent current and future attacks on Tor?

To answer those and other questions regarding Tor we have invited Georg Koppen and Philipp Winter from the Tor Project to join us on Thursday, March 19. Be sure to book your seat immediately.

Who's this 'Tor', anyway?
Tor is an overlay network that enables people to use the Internet anonymously. We give a brief overview of how Tor works and then focus on how Tor can be used safely. In particular, we talk about the problem of malicious exit relays, how they can be a problem for Tor users, and how the Tor Project deals with them. Next, we talk about Tor Browser, The Tor Project's Firefox fork. Tor Browser protects against a number of (deanonymization) attacks that are not prevented by Firefox or Chrome. The goal of this talk is to show how Tor can be used safely for Web surfing and to correct common misunderstandings.

'''Georg Koppen'''
Works for The Tor Project on the Tor Browser, Torbutton, and Tor's build automation. He's also the main developer behind Tor's effort to create deterministic builds.

'''Phillipp Winter'''
Works for The Tor Project on research related to malicious exit relays and censorship circumvention. He is the main developer of ScrambleSuit, a polymorphic network traffic obfuscation protocol that's used by Tor.

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsors TeliaSonera & Mullvad and a Community update

18:15 Surfing safely over the Tor network, part 1

18:55 Short break

19:00 Surfing safely over the Tor network, part 2

19:40 Coming events

19:50 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

File:GoingGrey.pdf

2015-10-23T21:04:32Z

Peter Magnusson: Going Dark (Grey) How to be pre1y anonymous online Prior art • @thegrugq – OPSEC for freedom fighters • this.lightVersion(“hands-on”) • Focus on Gothenburg, Sweden, today – on my way here – TIL: never redecorate the house, arrange...

Going Dark (Grey)
How to be pre1y anonymous online
Prior art
• @thegrugq
– OPSEC for freedom fighters
• this.lightVersion(“hands-on”)
• Focus on Gothenburg, Sweden, today
– on my way here
– TIL: never redecorate the house, arrange two OWASP
meetups, be presenter on one of them and give another
presenta?on for a customer and start a new assignment on
the same week
Why?
• The plumbing is boring and hard to get right
– pracOce makes perfect
– you never know when you are going to need it
• 45 yo, father of 2, living in the suburbs, driving
a Volvo…
– not much 1337
• Responsible disclosure
– currently seams to be responsible only one way
Some of the commandments
• Never operate from your house
• Keep personal life and freedom fighOng
separated
– don’t contaminate
• STFU FAIL
Architecture
teh
Internetz
SITE
BASE
MOBILE
ME
Challenges
• TOR and/or VPN?
• Hardware?
• How to buy stuff?
Tor
• Provides anonymity
• Anonymity protects you
– Data leaving Tor through exit node is not
protected.
– CorrelaOon of entry and exit?
– Not foolproof, but pre1y ok unless you have
naOon states as adversaries
VPN
• Provides privacy
• Privacy protects your data
– Tunnel endpoint IP can be detected
– VPN provider can have logs
– Traffic correlaOon?
Tor and/or VPN
• “TOR -> VPN – OK”
– Anonymous person within the Tor cloud connect to a VPNexit
on the internet.
• Or directly to your persistence-plaiorm
• Looks like HTTPS locally?
• “VPN -> TOR – GOTO JAIL”
– An IP connected to a person and/or geolocaOon connects
to the Tor cloud. CommunicaOons from Tor to Internet/
target/plaiorm are monitored.
• Can you VPN to Tor? Through your own server?
• Running Tor through a VPN tunnel?
Tor and/or VPN
• Prepaid mobile broadband
– Not from home, not connected to me
– Can of course be tracked to a locaOon
• VPN
– An extra step to keep ISP eyes away
Hardware
• Mobile broadband
– Prepaid starter kit
• Amazon plaiorm
– Probably monitored, but will not leave trace on your..
• Mobile unit
– Buy a laptop or use your old one
• Personal Onion Router To Avoid Leo
– Fail close and a fun project – Raspberry 2?
Money
• Purchase VPN over TOR with bitcoins
– Anonymous but, can be traced
• don’t mix wallets
• use mixers
• Light
– Prepaid credit cards
• Tied to physical locaOon
• CCTV
• Purchases are monitored
Case study for lazy and moderately
evil ha><><0rz
• Walk into 7Eleven or Pressbyrån
– Buy a prepaid credit card
– Buy a mobile broadband modem
• ISP starter pack, from 199:-
• Kjell&Co 399:-
– Use cash and your favorite hoodie
• Use credit card to order a VPN
– and create an amazon account
• Email, cell phone no
• Done
Oh, and you need at least one persona and a couple of hacker nicks as well

Gothenburg

2015-10-21T22:02:38Z

Peter Magnusson: Anders Rosdahl - Hands on with wifi security /* Historiska Presentationer: PDF, video med mera */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius. I styrelsen sitter Per Josefsson, Fredrik Strömberg, Anders Rosdahl, Mikael Falkvidd och Viktor Hedberg.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==
* 2015-10-20 Mattias Jidhage - Going dark
* 2015-10-20 Jonas Magazinius - Mac Hack Backup Attack [https://youtu.be/3KQMFR7Dv3M video]
* 2015-10-20 Mikael Falkvidd - [[Media:Linux_kernel_live_patching.pdf|Livepatching the linux kernel]] [https://youtu.be/zy0R_S2raSM video]
* 2015-10-20 Fredrik Strömberg - An introduction to QubesOS
* 2015-10-20 Anders Rosdahl - [[Media:Hands-on with wifi security publish.pdf|Hands on with wifi security]]
* 2015-10-20 Viktor Hedberg - OWASP Security Shepherd
* 2015-10-20 Mikael Wecksten Introduction to Android app security review
* 2015-10-20 Peter Gullberg - TrustZone, TEE and mobile security
* 2015-04-16 Adde Lindh: [[Media:DefenderEconomics.pdf|Defender Economics]]
* 2015-04-16 Michael Boman: [[Media: From_Malware_Analysis_to_Indications_of_Compromise.pdf|From Malware Analysis to Indications of Compromise]]
* 2015-03-19 Georg Koppen and Philipp Winter: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]] [https://www.youtube.com/watch?v=bmmAFiqOgks Video: Relays] [https://www.youtube.com/watch?v=s7vb_mjJn2M Video: TorBrowser] [https://www.youtube.com/watch?v=UhWhlm0SB-U Video: Questions and Answers]
* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2015 ==
'''2015-10-20 - Security Tapas'''

While preparing for OWASP Gothenburg Day we realised we need something that is quite the opposite of a giant all-day event with international speakers. We need a small and cosy down-to-earth session with local speakers. Like a hackathon but with some kind of agenda. Small demonstrations, primers on a subject or technology, a lightning talk or even a small hands on workshop. To make room for a lot of people we keep them short, aiming for 15-20 minutes for presentations with some additional room for workshops.
OWASP will open up the floor, while you, our community, sets the agenda and take place on stage.
Thanks to our sponsor ÅF we'll have a cool venue on the 16th floor and something to eat and drink.
Pls, send us a short title, your suggested time slot size in minutes and whether this is a workshop or not (defined by the fact that participants will require to bring some kind of equipment and will be expected to perform some kind of activity) to mattias.jidhage@owasp.org OR let us know through the ticket registration form.
You are of course very welcome to attend even if you don't have something to present.

'''Going dark - Mattias Jidhage'''

'''Mac Hack Backup Attack - Jonas Magazinius'''

'''Livepatching the linux kernel - Mikael Falkvidd'''

'''An introduction to QubesOS - Fredrik Strömberg'''

'''Hands on with wifi security - Anders Rosdahl'''

'''OWASP Security Shepherd - Viktor Hedberg'''

'''Introduction to Android app security review - Mikael Wecksten'''

'''TrustZone, TEE and mobile security - Peter Gullberg'''

''' 2015-04-15 - D-FENS'''

Let's talk defense.
Offense might be a bit more fun (admit it - there is a small evil mini-me inside all of us that wants nothing but wielding the mighty power of the hack that ruled them all) but let's face it, there are only so many wrongdoing organisations with world domination aspirations that will hire you to develop attacks on company time. For most of us that wants a paycheck within security, defence is on the menu. So, how should we effectively use our company’s sparse resources to make it harder for an attacker to breach our defenses and when that inevitably happens anyway; how do we find the bad code and remove it?
The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English!

''Agenda''

17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint and a Community update

18:15 Defender economics

19:00 Short break

19:05 Search and destroy

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Andreas Lindh - Defender Economics'''

There are a lot of preconceptions about defense, the most prevalent one probably the “defenders dilemma” in which it is stated that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers and their capabilities, and how to defend against them. This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker’s limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defenders favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.

Andreas Lindh (@addelindh) is a security analyst and engineer working for I Secure Sweden in Gothenburg, Sweden. He specializes in threat & vulnerability analysis, intrusion detection and generally making his clients more secure. When he's not dissecting threats or kicking some intruder off a network somewhere, he likes to write crappy Python code and make bad puns on Twitter. Andreas has previously presented his work at, among others, Black Hat USA, Virus Bulletin and 44Con.

'''Michael Boman - Search and Destroy the unknown'''

What do you do after realizing that you have been infected by a previously unknown sample that your antimalware vendor failed to detect, or you are unsure that you have up-to-date antimalware products on all systems in your environment? Perhaps you are not able to install antimalware on some endpoints due to regulatory restrictions. So how do you go about to detect malware that hasn’t been detected by your antimalware software? Learn how you can make use of the sources of detection you already have, like your firewall logs, to detect unknown threats on your network and help you locate and extract the malicious software causing the issue. Once you got your hands on a sample you can analyze it for artifacts the malware creates. Those artifacts, called Indicators of Compromise (IOC), can be used to detect additional malware infections on your SMB or Enterprise network using tools you might already have or can easily be acquired freely from the internet.

Michael Boman (@mboman) is a senior malware analyst at the Malware Research Institute and has been presenting at several large security conferences including 44CON and DEEPSEC in the recent years about malware research, everything from finding malware samples to analyze suspected files at speed and on budget. Michael has been interested in malicious software since he got his own machine infected even though he followed all the best practices having his computer up-to-date with both patches and antimalware software. The fact that the only thing that notified him about the infection was the built-in Windows firewall asking if it was OK to open a port for a piece of executable. And the rest, as they say, is history. Malware Research Institute is an organization that promotes malware research, tools and techniques for aspiring and seasoned malware analysts. Malware Research Institute has a blog where they publish interesting resources for malware researchers over at http://blog.malwareresearch.institute.

'''2015-03-20 - Philipp and Georg's slides available'''

Tor presentation slides: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]]

'''2015-03-11 - Strengths and weaknesses of Tor, the white knight of internet anonymity '''

"For those interested in online anonymity there are lots of tools available and Tor is one of the most frequently used. How does it work, how do you use it safely, and what are the risks? Is it possible to express your opinions anonymously on the internet today or can well funded actors circumvent the anonymity that Tor provides and find your true identity? What is the current status of the anonymity provided and what is being done to prevent current and future attacks on Tor?

To answer those and other questions regarding Tor we have invited Georg Koppen and Philipp Winter from the Tor Project to join us on Thursday, March 19. Be sure to book your seat immediately.

Who's this 'Tor', anyway?
Tor is an overlay network that enables people to use the Internet anonymously. We give a brief overview of how Tor works and then focus on how Tor can be used safely. In particular, we talk about the problem of malicious exit relays, how they can be a problem for Tor users, and how the Tor Project deals with them. Next, we talk about Tor Browser, The Tor Project's Firefox fork. Tor Browser protects against a number of (deanonymization) attacks that are not prevented by Firefox or Chrome. The goal of this talk is to show how Tor can be used safely for Web surfing and to correct common misunderstandings.

'''Georg Koppen'''
Works for The Tor Project on the Tor Browser, Torbutton, and Tor's build automation. He's also the main developer behind Tor's effort to create deterministic builds.

'''Phillipp Winter'''
Works for The Tor Project on research related to malicious exit relays and censorship circumvention. He is the main developer of ScrambleSuit, a polymorphic network traffic obfuscation protocol that's used by Tor.

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsors TeliaSonera & Mullvad and a Community update

18:15 Surfing safely over the Tor network, part 1

18:55 Short break

19:00 Surfing safely over the Tor network, part 2

19:40 Coming events

19:50 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

File:Hands-on with wifi security publish.pdf

2015-10-21T22:00:36Z

Peter Magnusson: Hands-on with wifi security OWASP Göteborg Security Tapas 2015-10-20 Anders Rosdahl #whoami Avarage security enthusiast No bleeding edge research, no wall of fames, no cve's Actually, this is me... @rosdahl Agenda Wifi overview Authentication and enc...

Hands-on with wifi security
OWASP Göteborg Security Tapas
2015-10-20
Anders Rosdahl
#whoami
Avarage security enthusiast
No bleeding edge research, no wall of fames, no cve's
Actually, this is me...
@rosdahl
Agenda
Wifi overview
Authentication and encryption
Attacks
Defence
Demo / lab
Wifi overview
Access points continuously
send beacons to announce
themselves
Clients continously probe for
access points
Authentication
Association
Bands, channels and frequencies
802.11 Release year Frequency
(GHz)
Max data
transfer rate
(Mbit/s)
Bandwidth
(MHz)
a 1999 5 / (3.7) 54 20
b 1999 2.4 11 22
g 2003 2.4 54 20
n 2009 2.4 / 5
72/150
(per MIMO
stream)
20/40
ac 2013 5
96/200/433/866
(per MIMO
stream)
20/40/80/160
there’s more...
Wireless Modes
Each wireless device/inteface can be in one of the followingmodes. Definitions
vary.
Station – also referred to as Client mode or Managed mode
Master – also referred to as Access Point or Infrastructuremode
Ad hoc – for mesh wifi networks
Monitor – also referred to as RFMON (Radio Frequency MONitor). Used
to silently listen to wifi traffic. An interface in this mode can capture
traffic without connecting to any network.
Not all combination of wifi cards/drivers/OS support all modes..
Authentication and encryption
• Based on the RC4 stream cipher, which is effectively broken
WEP
• WPA – intermediate solution while waiting for WPA2, which would fix all
that was broken with WEP. Designed by crytographers.
• PSK or asymmetric key pairs/certificates
• TKIP-RC4 (WPA) / CCMP-AES (WPA2)
WPA/WPA2
• Provides WPA/WPA2 password to client requiring only a PIN code
• Two modes:
• Push-Button-Connect
• 4/8 digit PIN code
WPS
Attacks
WPA/WPA2
1. Deauthenticate connected client(s) with traffic injection
2. Capture re-authenticationhandshake
3. Offline word-list or rule-based brute force attack on recorded handshake
WPS
Brute force WPS PIN. In 2012 several deficienciesin WPS were disclosed. E.g. onlymax 11k
vs 10M tries is needed since AP acks/nacks first 4 digits.
WPS backoff/timeout timeout preventsbruteforcing. Was not ubiquitous 2012.
WEP
RC4 ...
Offline brute force attack similarto WPA above
Defence – hot security tips for hotspots
Use long and strong WPA2
passwords!
Disable WPS on yourrouter
Don’t use WEP – obviously...
Use VPN when connected to
public access points – anyone can
listen
Be careful about auto-connect
features of devicesto avoid
connecting to rouge access
points
Demo/lab
Alfa cards for loan!

Gothenburg

2015-10-21T21:58:01Z

Peter Magnusson: Mikael Falkvidd - Livepatching the linux kernel /* Historiska Presentationer: PDF, video med mera */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius. I styrelsen sitter Per Josefsson, Fredrik Strömberg, Anders Rosdahl, Mikael Falkvidd och Viktor Hedberg.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==
* 2015-10-20 Mattias Jidhage - Going dark
* 2015-10-20 Jonas Magazinius - Mac Hack Backup Attack [https://youtu.be/3KQMFR7Dv3M video]
* 2015-10-20 Mikael Falkvidd - [[Media:Linux_kernel_live_patching.pdf|Livepatching the linux kernel]] [https://youtu.be/zy0R_S2raSM video]
* 2015-10-20 Fredrik Strömberg - An introduction to QubesOS
* 2015-10-20 Anders Rosdahl - Hands on with wifi security
* 2015-10-20 Viktor Hedberg - OWASP Security Shepherd
* 2015-10-20 Mikael Wecksten Introduction to Android app security review
* 2015-10-20 Peter Gullberg - TrustZone, TEE and mobile security
* 2015-04-16 Adde Lindh: [[Media:DefenderEconomics.pdf|Defender Economics]]
* 2015-04-16 Michael Boman: [[Media: From_Malware_Analysis_to_Indications_of_Compromise.pdf|From Malware Analysis to Indications of Compromise]]
* 2015-03-19 Georg Koppen and Philipp Winter: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]] [https://www.youtube.com/watch?v=bmmAFiqOgks Video: Relays] [https://www.youtube.com/watch?v=s7vb_mjJn2M Video: TorBrowser] [https://www.youtube.com/watch?v=UhWhlm0SB-U Video: Questions and Answers]
* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2015 ==
'''2015-10-20 - Security Tapas'''

While preparing for OWASP Gothenburg Day we realised we need something that is quite the opposite of a giant all-day event with international speakers. We need a small and cosy down-to-earth session with local speakers. Like a hackathon but with some kind of agenda. Small demonstrations, primers on a subject or technology, a lightning talk or even a small hands on workshop. To make room for a lot of people we keep them short, aiming for 15-20 minutes for presentations with some additional room for workshops.
OWASP will open up the floor, while you, our community, sets the agenda and take place on stage.
Thanks to our sponsor ÅF we'll have a cool venue on the 16th floor and something to eat and drink.
Pls, send us a short title, your suggested time slot size in minutes and whether this is a workshop or not (defined by the fact that participants will require to bring some kind of equipment and will be expected to perform some kind of activity) to mattias.jidhage@owasp.org OR let us know through the ticket registration form.
You are of course very welcome to attend even if you don't have something to present.

'''Going dark - Mattias Jidhage'''

'''Mac Hack Backup Attack - Jonas Magazinius'''

'''Livepatching the linux kernel - Mikael Falkvidd'''

'''An introduction to QubesOS - Fredrik Strömberg'''

'''Hands on with wifi security - Anders Rosdahl'''

'''OWASP Security Shepherd - Viktor Hedberg'''

'''Introduction to Android app security review - Mikael Wecksten'''

'''TrustZone, TEE and mobile security - Peter Gullberg'''

''' 2015-04-15 - D-FENS'''

Let's talk defense.
Offense might be a bit more fun (admit it - there is a small evil mini-me inside all of us that wants nothing but wielding the mighty power of the hack that ruled them all) but let's face it, there are only so many wrongdoing organisations with world domination aspirations that will hire you to develop attacks on company time. For most of us that wants a paycheck within security, defence is on the menu. So, how should we effectively use our company’s sparse resources to make it harder for an attacker to breach our defenses and when that inevitably happens anyway; how do we find the bad code and remove it?
The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English!

''Agenda''

17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint and a Community update

18:15 Defender economics

19:00 Short break

19:05 Search and destroy

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Andreas Lindh - Defender Economics'''

There are a lot of preconceptions about defense, the most prevalent one probably the “defenders dilemma” in which it is stated that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers and their capabilities, and how to defend against them. This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker’s limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defenders favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.

Andreas Lindh (@addelindh) is a security analyst and engineer working for I Secure Sweden in Gothenburg, Sweden. He specializes in threat & vulnerability analysis, intrusion detection and generally making his clients more secure. When he's not dissecting threats or kicking some intruder off a network somewhere, he likes to write crappy Python code and make bad puns on Twitter. Andreas has previously presented his work at, among others, Black Hat USA, Virus Bulletin and 44Con.

'''Michael Boman - Search and Destroy the unknown'''

What do you do after realizing that you have been infected by a previously unknown sample that your antimalware vendor failed to detect, or you are unsure that you have up-to-date antimalware products on all systems in your environment? Perhaps you are not able to install antimalware on some endpoints due to regulatory restrictions. So how do you go about to detect malware that hasn’t been detected by your antimalware software? Learn how you can make use of the sources of detection you already have, like your firewall logs, to detect unknown threats on your network and help you locate and extract the malicious software causing the issue. Once you got your hands on a sample you can analyze it for artifacts the malware creates. Those artifacts, called Indicators of Compromise (IOC), can be used to detect additional malware infections on your SMB or Enterprise network using tools you might already have or can easily be acquired freely from the internet.

Michael Boman (@mboman) is a senior malware analyst at the Malware Research Institute and has been presenting at several large security conferences including 44CON and DEEPSEC in the recent years about malware research, everything from finding malware samples to analyze suspected files at speed and on budget. Michael has been interested in malicious software since he got his own machine infected even though he followed all the best practices having his computer up-to-date with both patches and antimalware software. The fact that the only thing that notified him about the infection was the built-in Windows firewall asking if it was OK to open a port for a piece of executable. And the rest, as they say, is history. Malware Research Institute is an organization that promotes malware research, tools and techniques for aspiring and seasoned malware analysts. Malware Research Institute has a blog where they publish interesting resources for malware researchers over at http://blog.malwareresearch.institute.

'''2015-03-20 - Philipp and Georg's slides available'''

Tor presentation slides: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]]

'''2015-03-11 - Strengths and weaknesses of Tor, the white knight of internet anonymity '''

"For those interested in online anonymity there are lots of tools available and Tor is one of the most frequently used. How does it work, how do you use it safely, and what are the risks? Is it possible to express your opinions anonymously on the internet today or can well funded actors circumvent the anonymity that Tor provides and find your true identity? What is the current status of the anonymity provided and what is being done to prevent current and future attacks on Tor?

To answer those and other questions regarding Tor we have invited Georg Koppen and Philipp Winter from the Tor Project to join us on Thursday, March 19. Be sure to book your seat immediately.

Who's this 'Tor', anyway?
Tor is an overlay network that enables people to use the Internet anonymously. We give a brief overview of how Tor works and then focus on how Tor can be used safely. In particular, we talk about the problem of malicious exit relays, how they can be a problem for Tor users, and how the Tor Project deals with them. Next, we talk about Tor Browser, The Tor Project's Firefox fork. Tor Browser protects against a number of (deanonymization) attacks that are not prevented by Firefox or Chrome. The goal of this talk is to show how Tor can be used safely for Web surfing and to correct common misunderstandings.

'''Georg Koppen'''
Works for The Tor Project on the Tor Browser, Torbutton, and Tor's build automation. He's also the main developer behind Tor's effort to create deterministic builds.

'''Phillipp Winter'''
Works for The Tor Project on research related to malicious exit relays and censorship circumvention. He is the main developer of ScrambleSuit, a polymorphic network traffic obfuscation protocol that's used by Tor.

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsors TeliaSonera & Mullvad and a Community update

18:15 Surfing safely over the Tor network, part 1

18:55 Short break

19:00 Surfing safely over the Tor network, part 2

19:40 Coming events

19:50 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

File:Linux kernel live patching.pdf

2015-10-21T21:55:31Z

Peter Magnusson: Linux kernel live patching OWASP Security Tapas 2015-10-20 Mikael Falkvidd (@mfalkvidd) Why live patches? ● Apply fixes for severe security problems quickly and without planning downtime - SUSE’s goal is CVSS 6 and above ● Stability fixes ● lar...

Linux kernel live patching
OWASP Security Tapas 2015-10-20
Mikael Falkvidd (@mfalkvidd)
Why live patches?
● Apply fixes for severe security problems quickly and without planning
downtime - SUSE’s goal is CVSS 6 and above
● Stability fixes
● large in-memory databases - saving and re-reading data from disk can take
hours
● virtualization hosts - patch hosts without affecting guests
● computing clusters - some calculations are hard to stop and resume
● large datacenters - rebooting thousands or tens of thousands of machines
in a controlled way without affecting business can be hard
kpatch
● From Red Hat, released publically summer of 2014
● 10-40 milliseconds freeze
● All-or-nothing
● No performance impact after patching
kGraft
● From SUSE, released publically in November 2014
● No freeze
● Divides processes into different universes (with/without patch)
● Some performance impact after patching
Demo 1 - patch an exploit without rebooting
Demo 2 - create our own patch
--- orig/fs/proc/meminfo.c 2015-09-28 22:27:23.720627176 +0200
+++ fs/proc/meminfo.c 2015-09-28 22:28:28.565031970 +0200
@@ -89,6 +89,7 @@
* Tagged format, for easy grepping and expansion.
*/
seq_printf(m,
+ "kpatch fungerar!\n"
"MemTotal: %8lu kB\n"
"MemFree: %8lu kB\n"
"MemAvailable: %8lu kB\n"

Gothenburg

2015-10-21T21:53:33Z

Peter Magnusson: 2015-10-20 Mikael Falkvidd - Livepatching the linux kernel [https://youtu.be/zy0R_S2raSM video] /* Historiska Presentationer: PDF, video med mera */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius. I styrelsen sitter Per Josefsson, Fredrik Strömberg, Anders Rosdahl, Mikael Falkvidd och Viktor Hedberg.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==
* 2015-10-20 Mattias Jidhage - Going dark
* 2015-10-20 Jonas Magazinius - Mac Hack Backup Attack [https://youtu.be/3KQMFR7Dv3M video]
* 2015-10-20 Mikael Falkvidd - Livepatching the linux kernel [https://youtu.be/zy0R_S2raSM video]
* 2015-10-20 Fredrik Strömberg - An introduction to QubesOS
* 2015-10-20 Anders Rosdahl - Hands on with wifi security
* 2015-10-20 Viktor Hedberg - OWASP Security Shepherd
* 2015-10-20 Mikael Wecksten Introduction to Android app security review
* 2015-10-20 Peter Gullberg - TrustZone, TEE and mobile security
* 2015-04-16 Adde Lindh: [[Media:DefenderEconomics.pdf|Defender Economics]]
* 2015-04-16 Michael Boman: [[Media: From_Malware_Analysis_to_Indications_of_Compromise.pdf|From Malware Analysis to Indications of Compromise]]
* 2015-03-19 Georg Koppen and Philipp Winter: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]] [https://www.youtube.com/watch?v=bmmAFiqOgks Video: Relays] [https://www.youtube.com/watch?v=s7vb_mjJn2M Video: TorBrowser] [https://www.youtube.com/watch?v=UhWhlm0SB-U Video: Questions and Answers]
* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2015 ==
'''2015-10-20 - Security Tapas'''

While preparing for OWASP Gothenburg Day we realised we need something that is quite the opposite of a giant all-day event with international speakers. We need a small and cosy down-to-earth session with local speakers. Like a hackathon but with some kind of agenda. Small demonstrations, primers on a subject or technology, a lightning talk or even a small hands on workshop. To make room for a lot of people we keep them short, aiming for 15-20 minutes for presentations with some additional room for workshops.
OWASP will open up the floor, while you, our community, sets the agenda and take place on stage.
Thanks to our sponsor ÅF we'll have a cool venue on the 16th floor and something to eat and drink.
Pls, send us a short title, your suggested time slot size in minutes and whether this is a workshop or not (defined by the fact that participants will require to bring some kind of equipment and will be expected to perform some kind of activity) to mattias.jidhage@owasp.org OR let us know through the ticket registration form.
You are of course very welcome to attend even if you don't have something to present.

'''Going dark - Mattias Jidhage'''

'''Mac Hack Backup Attack - Jonas Magazinius'''

'''Livepatching the linux kernel - Mikael Falkvidd'''

'''An introduction to QubesOS - Fredrik Strömberg'''

'''Hands on with wifi security - Anders Rosdahl'''

'''OWASP Security Shepherd - Viktor Hedberg'''

'''Introduction to Android app security review - Mikael Wecksten'''

'''TrustZone, TEE and mobile security - Peter Gullberg'''

''' 2015-04-15 - D-FENS'''

Let's talk defense.
Offense might be a bit more fun (admit it - there is a small evil mini-me inside all of us that wants nothing but wielding the mighty power of the hack that ruled them all) but let's face it, there are only so many wrongdoing organisations with world domination aspirations that will hire you to develop attacks on company time. For most of us that wants a paycheck within security, defence is on the menu. So, how should we effectively use our company’s sparse resources to make it harder for an attacker to breach our defenses and when that inevitably happens anyway; how do we find the bad code and remove it?
The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English!

''Agenda''

17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint and a Community update

18:15 Defender economics

19:00 Short break

19:05 Search and destroy

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Andreas Lindh - Defender Economics'''

There are a lot of preconceptions about defense, the most prevalent one probably the “defenders dilemma” in which it is stated that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers and their capabilities, and how to defend against them. This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker’s limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defenders favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.

Andreas Lindh (@addelindh) is a security analyst and engineer working for I Secure Sweden in Gothenburg, Sweden. He specializes in threat & vulnerability analysis, intrusion detection and generally making his clients more secure. When he's not dissecting threats or kicking some intruder off a network somewhere, he likes to write crappy Python code and make bad puns on Twitter. Andreas has previously presented his work at, among others, Black Hat USA, Virus Bulletin and 44Con.

'''Michael Boman - Search and Destroy the unknown'''

What do you do after realizing that you have been infected by a previously unknown sample that your antimalware vendor failed to detect, or you are unsure that you have up-to-date antimalware products on all systems in your environment? Perhaps you are not able to install antimalware on some endpoints due to regulatory restrictions. So how do you go about to detect malware that hasn’t been detected by your antimalware software? Learn how you can make use of the sources of detection you already have, like your firewall logs, to detect unknown threats on your network and help you locate and extract the malicious software causing the issue. Once you got your hands on a sample you can analyze it for artifacts the malware creates. Those artifacts, called Indicators of Compromise (IOC), can be used to detect additional malware infections on your SMB or Enterprise network using tools you might already have or can easily be acquired freely from the internet.

Michael Boman (@mboman) is a senior malware analyst at the Malware Research Institute and has been presenting at several large security conferences including 44CON and DEEPSEC in the recent years about malware research, everything from finding malware samples to analyze suspected files at speed and on budget. Michael has been interested in malicious software since he got his own machine infected even though he followed all the best practices having his computer up-to-date with both patches and antimalware software. The fact that the only thing that notified him about the infection was the built-in Windows firewall asking if it was OK to open a port for a piece of executable. And the rest, as they say, is history. Malware Research Institute is an organization that promotes malware research, tools and techniques for aspiring and seasoned malware analysts. Malware Research Institute has a blog where they publish interesting resources for malware researchers over at http://blog.malwareresearch.institute.

'''2015-03-20 - Philipp and Georg's slides available'''

Tor presentation slides: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]]

'''2015-03-11 - Strengths and weaknesses of Tor, the white knight of internet anonymity '''

"For those interested in online anonymity there are lots of tools available and Tor is one of the most frequently used. How does it work, how do you use it safely, and what are the risks? Is it possible to express your opinions anonymously on the internet today or can well funded actors circumvent the anonymity that Tor provides and find your true identity? What is the current status of the anonymity provided and what is being done to prevent current and future attacks on Tor?

To answer those and other questions regarding Tor we have invited Georg Koppen and Philipp Winter from the Tor Project to join us on Thursday, March 19. Be sure to book your seat immediately.

Who's this 'Tor', anyway?
Tor is an overlay network that enables people to use the Internet anonymously. We give a brief overview of how Tor works and then focus on how Tor can be used safely. In particular, we talk about the problem of malicious exit relays, how they can be a problem for Tor users, and how the Tor Project deals with them. Next, we talk about Tor Browser, The Tor Project's Firefox fork. Tor Browser protects against a number of (deanonymization) attacks that are not prevented by Firefox or Chrome. The goal of this talk is to show how Tor can be used safely for Web surfing and to correct common misunderstandings.

'''Georg Koppen'''
Works for The Tor Project on the Tor Browser, Torbutton, and Tor's build automation. He's also the main developer behind Tor's effort to create deterministic builds.

'''Phillipp Winter'''
Works for The Tor Project on research related to malicious exit relays and censorship circumvention. He is the main developer of ScrambleSuit, a polymorphic network traffic obfuscation protocol that's used by Tor.

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsors TeliaSonera & Mullvad and a Community update

18:15 Surfing safely over the Tor network, part 1

18:55 Short break

19:00 Surfing safely over the Tor network, part 2

19:40 Coming events

19:50 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

Gothenburg

2015-10-21T20:26:49Z

Peter Magnusson: 2015-10-20 Jonas Magazinius - Mac Hack Backup Attack [https://youtu.be/3KQMFR7Dv3M video] /* Historiska Presentationer: PDF, video med mera */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius. I styrelsen sitter Per Josefsson, Fredrik Strömberg, Anders Rosdahl, Mikael Falkvidd och Viktor Hedberg.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==
* 2015-10-20 Mattias Jidhage - Going dark
* 2015-10-20 Jonas Magazinius - Mac Hack Backup Attack [https://youtu.be/3KQMFR7Dv3M video]
* 2015-10-20 Mikael Falkvidd - Livepatching the linux kernel
* 2015-10-20 Fredrik Strömberg - An introduction to QubesOS
* 2015-10-20 Anders Rosdahl - Hands on with wifi security
* 2015-10-20 Viktor Hedberg - OWASP Security Shepherd
* 2015-10-20 Mikael Wecksten Introduction to Android app security review
* 2015-10-20 Peter Gullberg - TrustZone, TEE and mobile security
* 2015-04-16 Adde Lindh: [[Media:DefenderEconomics.pdf|Defender Economics]]
* 2015-04-16 Michael Boman: [[Media: From_Malware_Analysis_to_Indications_of_Compromise.pdf|From Malware Analysis to Indications of Compromise]]
* 2015-03-19 Georg Koppen and Philipp Winter: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]] [https://www.youtube.com/watch?v=bmmAFiqOgks Video: Relays] [https://www.youtube.com/watch?v=s7vb_mjJn2M Video: TorBrowser] [https://www.youtube.com/watch?v=UhWhlm0SB-U Video: Questions and Answers]
* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2015 ==
'''2015-10-20 - Security Tapas'''

While preparing for OWASP Gothenburg Day we realised we need something that is quite the opposite of a giant all-day event with international speakers. We need a small and cosy down-to-earth session with local speakers. Like a hackathon but with some kind of agenda. Small demonstrations, primers on a subject or technology, a lightning talk or even a small hands on workshop. To make room for a lot of people we keep them short, aiming for 15-20 minutes for presentations with some additional room for workshops.
OWASP will open up the floor, while you, our community, sets the agenda and take place on stage.
Thanks to our sponsor ÅF we'll have a cool venue on the 16th floor and something to eat and drink.
Pls, send us a short title, your suggested time slot size in minutes and whether this is a workshop or not (defined by the fact that participants will require to bring some kind of equipment and will be expected to perform some kind of activity) to mattias.jidhage@owasp.org OR let us know through the ticket registration form.
You are of course very welcome to attend even if you don't have something to present.

'''Going dark - Mattias Jidhage'''

'''Mac Hack Backup Attack - Jonas Magazinius'''

'''Livepatching the linux kernel - Mikael Falkvidd'''

'''An introduction to QubesOS - Fredrik Strömberg'''

'''Hands on with wifi security - Anders Rosdahl'''

'''OWASP Security Shepherd - Viktor Hedberg'''

'''Introduction to Android app security review - Mikael Wecksten'''

'''TrustZone, TEE and mobile security - Peter Gullberg'''

''' 2015-04-15 - D-FENS'''

Let's talk defense.
Offense might be a bit more fun (admit it - there is a small evil mini-me inside all of us that wants nothing but wielding the mighty power of the hack that ruled them all) but let's face it, there are only so many wrongdoing organisations with world domination aspirations that will hire you to develop attacks on company time. For most of us that wants a paycheck within security, defence is on the menu. So, how should we effectively use our company’s sparse resources to make it harder for an attacker to breach our defenses and when that inevitably happens anyway; how do we find the bad code and remove it?
The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English!

''Agenda''

17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint and a Community update

18:15 Defender economics

19:00 Short break

19:05 Search and destroy

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Andreas Lindh - Defender Economics'''

There are a lot of preconceptions about defense, the most prevalent one probably the “defenders dilemma” in which it is stated that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers and their capabilities, and how to defend against them. This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker’s limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defenders favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.

Andreas Lindh (@addelindh) is a security analyst and engineer working for I Secure Sweden in Gothenburg, Sweden. He specializes in threat & vulnerability analysis, intrusion detection and generally making his clients more secure. When he's not dissecting threats or kicking some intruder off a network somewhere, he likes to write crappy Python code and make bad puns on Twitter. Andreas has previously presented his work at, among others, Black Hat USA, Virus Bulletin and 44Con.

'''Michael Boman - Search and Destroy the unknown'''

What do you do after realizing that you have been infected by a previously unknown sample that your antimalware vendor failed to detect, or you are unsure that you have up-to-date antimalware products on all systems in your environment? Perhaps you are not able to install antimalware on some endpoints due to regulatory restrictions. So how do you go about to detect malware that hasn’t been detected by your antimalware software? Learn how you can make use of the sources of detection you already have, like your firewall logs, to detect unknown threats on your network and help you locate and extract the malicious software causing the issue. Once you got your hands on a sample you can analyze it for artifacts the malware creates. Those artifacts, called Indicators of Compromise (IOC), can be used to detect additional malware infections on your SMB or Enterprise network using tools you might already have or can easily be acquired freely from the internet.

Michael Boman (@mboman) is a senior malware analyst at the Malware Research Institute and has been presenting at several large security conferences including 44CON and DEEPSEC in the recent years about malware research, everything from finding malware samples to analyze suspected files at speed and on budget. Michael has been interested in malicious software since he got his own machine infected even though he followed all the best practices having his computer up-to-date with both patches and antimalware software. The fact that the only thing that notified him about the infection was the built-in Windows firewall asking if it was OK to open a port for a piece of executable. And the rest, as they say, is history. Malware Research Institute is an organization that promotes malware research, tools and techniques for aspiring and seasoned malware analysts. Malware Research Institute has a blog where they publish interesting resources for malware researchers over at http://blog.malwareresearch.institute.

'''2015-03-20 - Philipp and Georg's slides available'''

Tor presentation slides: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]]

'''2015-03-11 - Strengths and weaknesses of Tor, the white knight of internet anonymity '''

"For those interested in online anonymity there are lots of tools available and Tor is one of the most frequently used. How does it work, how do you use it safely, and what are the risks? Is it possible to express your opinions anonymously on the internet today or can well funded actors circumvent the anonymity that Tor provides and find your true identity? What is the current status of the anonymity provided and what is being done to prevent current and future attacks on Tor?

To answer those and other questions regarding Tor we have invited Georg Koppen and Philipp Winter from the Tor Project to join us on Thursday, March 19. Be sure to book your seat immediately.

Who's this 'Tor', anyway?
Tor is an overlay network that enables people to use the Internet anonymously. We give a brief overview of how Tor works and then focus on how Tor can be used safely. In particular, we talk about the problem of malicious exit relays, how they can be a problem for Tor users, and how the Tor Project deals with them. Next, we talk about Tor Browser, The Tor Project's Firefox fork. Tor Browser protects against a number of (deanonymization) attacks that are not prevented by Firefox or Chrome. The goal of this talk is to show how Tor can be used safely for Web surfing and to correct common misunderstandings.

'''Georg Koppen'''
Works for The Tor Project on the Tor Browser, Torbutton, and Tor's build automation. He's also the main developer behind Tor's effort to create deterministic builds.

'''Phillipp Winter'''
Works for The Tor Project on research related to malicious exit relays and censorship circumvention. He is the main developer of ScrambleSuit, a polymorphic network traffic obfuscation protocol that's used by Tor.

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsors TeliaSonera & Mullvad and a Community update

18:15 Surfing safely over the Tor network, part 1

18:55 Short break

19:00 Surfing safely over the Tor network, part 2

19:40 Coming events

19:50 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

Gothenburg

2015-10-21T18:38:22Z

Peter Magnusson: /* Historiska Presentationer: PDF, video med mera */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius. I styrelsen sitter Per Josefsson, Fredrik Strömberg, Anders Rosdahl, Mikael Falkvidd och Viktor Hedberg.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==
* 2015-10-20 Mattias Jidhage - Going dark
* 2015-10-20 Jonas Magazinius - Mac Hack Backup Attack
* 2015-10-20 Mikael Falkvidd - Livepatching the linux kernel
* 2015-10-20 Fredrik Strömberg - An introduction to QubesOS
* 2015-10-20 Anders Rosdahl - Hands on with wifi security
* 2015-10-20 Viktor Hedberg - OWASP Security Shepherd
* 2015-10-20 Mikael Wecksten Introduction to Android app security review
* 2015-10-20 Peter Gullberg - TrustZone, TEE and mobile security
* 2015-04-16 Adde Lindh: [[Media:DefenderEconomics.pdf|Defender Economics]]
* 2015-04-16 Michael Boman: [[Media: From_Malware_Analysis_to_Indications_of_Compromise.pdf|From Malware Analysis to Indications of Compromise]]
* 2015-03-19 Georg Koppen and Philipp Winter: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]] [https://www.youtube.com/watch?v=bmmAFiqOgks Video: Relays] [https://www.youtube.com/watch?v=s7vb_mjJn2M Video: TorBrowser] [https://www.youtube.com/watch?v=UhWhlm0SB-U Video: Questions and Answers]
* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2015 ==
'''2015-10-20 - Security Tapas'''

While preparing for OWASP Gothenburg Day we realised we need something that is quite the opposite of a giant all-day event with international speakers. We need a small and cosy down-to-earth session with local speakers. Like a hackathon but with some kind of agenda. Small demonstrations, primers on a subject or technology, a lightning talk or even a small hands on workshop. To make room for a lot of people we keep them short, aiming for 15-20 minutes for presentations with some additional room for workshops.
OWASP will open up the floor, while you, our community, sets the agenda and take place on stage.
Thanks to our sponsor ÅF we'll have a cool venue on the 16th floor and something to eat and drink.
Pls, send us a short title, your suggested time slot size in minutes and whether this is a workshop or not (defined by the fact that participants will require to bring some kind of equipment and will be expected to perform some kind of activity) to mattias.jidhage@owasp.org OR let us know through the ticket registration form.
You are of course very welcome to attend even if you don't have something to present.

'''Going dark - Mattias Jidhage'''

'''Mac Hack Backup Attack - Jonas Magazinius'''

'''Livepatching the linux kernel - Mikael Falkvidd'''

'''An introduction to QubesOS - Fredrik Strömberg'''

'''Hands on with wifi security - Anders Rosdahl'''

'''OWASP Security Shepherd - Viktor Hedberg'''

'''Introduction to Android app security review - Mikael Wecksten'''

'''TrustZone, TEE and mobile security - Peter Gullberg'''

''' 2015-04-15 - D-FENS'''

Let's talk defense.
Offense might be a bit more fun (admit it - there is a small evil mini-me inside all of us that wants nothing but wielding the mighty power of the hack that ruled them all) but let's face it, there are only so many wrongdoing organisations with world domination aspirations that will hire you to develop attacks on company time. For most of us that wants a paycheck within security, defence is on the menu. So, how should we effectively use our company’s sparse resources to make it harder for an attacker to breach our defenses and when that inevitably happens anyway; how do we find the bad code and remove it?
The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English!

''Agenda''

17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint and a Community update

18:15 Defender economics

19:00 Short break

19:05 Search and destroy

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Andreas Lindh - Defender Economics'''

There are a lot of preconceptions about defense, the most prevalent one probably the “defenders dilemma” in which it is stated that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers and their capabilities, and how to defend against them. This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker’s limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defenders favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.

Andreas Lindh (@addelindh) is a security analyst and engineer working for I Secure Sweden in Gothenburg, Sweden. He specializes in threat & vulnerability analysis, intrusion detection and generally making his clients more secure. When he's not dissecting threats or kicking some intruder off a network somewhere, he likes to write crappy Python code and make bad puns on Twitter. Andreas has previously presented his work at, among others, Black Hat USA, Virus Bulletin and 44Con.

'''Michael Boman - Search and Destroy the unknown'''

What do you do after realizing that you have been infected by a previously unknown sample that your antimalware vendor failed to detect, or you are unsure that you have up-to-date antimalware products on all systems in your environment? Perhaps you are not able to install antimalware on some endpoints due to regulatory restrictions. So how do you go about to detect malware that hasn’t been detected by your antimalware software? Learn how you can make use of the sources of detection you already have, like your firewall logs, to detect unknown threats on your network and help you locate and extract the malicious software causing the issue. Once you got your hands on a sample you can analyze it for artifacts the malware creates. Those artifacts, called Indicators of Compromise (IOC), can be used to detect additional malware infections on your SMB or Enterprise network using tools you might already have or can easily be acquired freely from the internet.

Michael Boman (@mboman) is a senior malware analyst at the Malware Research Institute and has been presenting at several large security conferences including 44CON and DEEPSEC in the recent years about malware research, everything from finding malware samples to analyze suspected files at speed and on budget. Michael has been interested in malicious software since he got his own machine infected even though he followed all the best practices having his computer up-to-date with both patches and antimalware software. The fact that the only thing that notified him about the infection was the built-in Windows firewall asking if it was OK to open a port for a piece of executable. And the rest, as they say, is history. Malware Research Institute is an organization that promotes malware research, tools and techniques for aspiring and seasoned malware analysts. Malware Research Institute has a blog where they publish interesting resources for malware researchers over at http://blog.malwareresearch.institute.

'''2015-03-20 - Philipp and Georg's slides available'''

Tor presentation slides: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]]

'''2015-03-11 - Strengths and weaknesses of Tor, the white knight of internet anonymity '''

"For those interested in online anonymity there are lots of tools available and Tor is one of the most frequently used. How does it work, how do you use it safely, and what are the risks? Is it possible to express your opinions anonymously on the internet today or can well funded actors circumvent the anonymity that Tor provides and find your true identity? What is the current status of the anonymity provided and what is being done to prevent current and future attacks on Tor?

To answer those and other questions regarding Tor we have invited Georg Koppen and Philipp Winter from the Tor Project to join us on Thursday, March 19. Be sure to book your seat immediately.

Who's this 'Tor', anyway?
Tor is an overlay network that enables people to use the Internet anonymously. We give a brief overview of how Tor works and then focus on how Tor can be used safely. In particular, we talk about the problem of malicious exit relays, how they can be a problem for Tor users, and how the Tor Project deals with them. Next, we talk about Tor Browser, The Tor Project's Firefox fork. Tor Browser protects against a number of (deanonymization) attacks that are not prevented by Firefox or Chrome. The goal of this talk is to show how Tor can be used safely for Web surfing and to correct common misunderstandings.

'''Georg Koppen'''
Works for The Tor Project on the Tor Browser, Torbutton, and Tor's build automation. He's also the main developer behind Tor's effort to create deterministic builds.

'''Phillipp Winter'''
Works for The Tor Project on research related to malicious exit relays and censorship circumvention. He is the main developer of ScrambleSuit, a polymorphic network traffic obfuscation protocol that's used by Tor.

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsors TeliaSonera & Mullvad and a Community update

18:15 Surfing safely over the Tor network, part 1

18:55 Short break

19:00 Surfing safely over the Tor network, part 2

19:40 Coming events

19:50 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

Gothenburg

2015-10-21T18:33:27Z

Peter Magnusson: 2015-10-20 - Security Tapas /* OWASP Göteborg 2015 */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius. I styrelsen sitter Per Josefsson, Fredrik Strömberg, Anders Rosdahl, Mikael Falkvidd och Viktor Hedberg.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==

* 2015-04-16 Adde Lindh: [[Media:DefenderEconomics.pdf|Defender Economics]]
* 2015-04-16 Michael Boman: [[Media: From_Malware_Analysis_to_Indications_of_Compromise.pdf|From Malware Analysis to Indications of Compromise]]
* 2015-03-19 Georg Koppen and Philipp Winter: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]] [https://www.youtube.com/watch?v=bmmAFiqOgks Video: Relays] [https://www.youtube.com/watch?v=s7vb_mjJn2M Video: TorBrowser] [https://www.youtube.com/watch?v=UhWhlm0SB-U Video: Questions and Answers]
* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2015 ==
'''2015-10-20 - Security Tapas'''

While preparing for OWASP Gothenburg Day we realised we need something that is quite the opposite of a giant all-day event with international speakers. We need a small and cosy down-to-earth session with local speakers. Like a hackathon but with some kind of agenda. Small demonstrations, primers on a subject or technology, a lightning talk or even a small hands on workshop. To make room for a lot of people we keep them short, aiming for 15-20 minutes for presentations with some additional room for workshops.
OWASP will open up the floor, while you, our community, sets the agenda and take place on stage.
Thanks to our sponsor ÅF we'll have a cool venue on the 16th floor and something to eat and drink.
Pls, send us a short title, your suggested time slot size in minutes and whether this is a workshop or not (defined by the fact that participants will require to bring some kind of equipment and will be expected to perform some kind of activity) to mattias.jidhage@owasp.org OR let us know through the ticket registration form.
You are of course very welcome to attend even if you don't have something to present.

'''Going dark - Mattias Jidhage'''

'''Mac Hack Backup Attack - Jonas Magazinius'''

'''Livepatching the linux kernel - Mikael Falkvidd'''

'''An introduction to QubesOS - Fredrik Strömberg'''

'''Hands on with wifi security - Anders Rosdahl'''

'''OWASP Security Shepherd - Viktor Hedberg'''

'''Introduction to Android app security review - Mikael Wecksten'''

'''TrustZone, TEE and mobile security - Peter Gullberg'''

''' 2015-04-15 - D-FENS'''

Let's talk defense.
Offense might be a bit more fun (admit it - there is a small evil mini-me inside all of us that wants nothing but wielding the mighty power of the hack that ruled them all) but let's face it, there are only so many wrongdoing organisations with world domination aspirations that will hire you to develop attacks on company time. For most of us that wants a paycheck within security, defence is on the menu. So, how should we effectively use our company’s sparse resources to make it harder for an attacker to breach our defenses and when that inevitably happens anyway; how do we find the bad code and remove it?
The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English!

''Agenda''

17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint and a Community update

18:15 Defender economics

19:00 Short break

19:05 Search and destroy

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Andreas Lindh - Defender Economics'''

There are a lot of preconceptions about defense, the most prevalent one probably the “defenders dilemma” in which it is stated that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers and their capabilities, and how to defend against them. This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker’s limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defenders favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.

Andreas Lindh (@addelindh) is a security analyst and engineer working for I Secure Sweden in Gothenburg, Sweden. He specializes in threat & vulnerability analysis, intrusion detection and generally making his clients more secure. When he's not dissecting threats or kicking some intruder off a network somewhere, he likes to write crappy Python code and make bad puns on Twitter. Andreas has previously presented his work at, among others, Black Hat USA, Virus Bulletin and 44Con.

'''Michael Boman - Search and Destroy the unknown'''

What do you do after realizing that you have been infected by a previously unknown sample that your antimalware vendor failed to detect, or you are unsure that you have up-to-date antimalware products on all systems in your environment? Perhaps you are not able to install antimalware on some endpoints due to regulatory restrictions. So how do you go about to detect malware that hasn’t been detected by your antimalware software? Learn how you can make use of the sources of detection you already have, like your firewall logs, to detect unknown threats on your network and help you locate and extract the malicious software causing the issue. Once you got your hands on a sample you can analyze it for artifacts the malware creates. Those artifacts, called Indicators of Compromise (IOC), can be used to detect additional malware infections on your SMB or Enterprise network using tools you might already have or can easily be acquired freely from the internet.

Michael Boman (@mboman) is a senior malware analyst at the Malware Research Institute and has been presenting at several large security conferences including 44CON and DEEPSEC in the recent years about malware research, everything from finding malware samples to analyze suspected files at speed and on budget. Michael has been interested in malicious software since he got his own machine infected even though he followed all the best practices having his computer up-to-date with both patches and antimalware software. The fact that the only thing that notified him about the infection was the built-in Windows firewall asking if it was OK to open a port for a piece of executable. And the rest, as they say, is history. Malware Research Institute is an organization that promotes malware research, tools and techniques for aspiring and seasoned malware analysts. Malware Research Institute has a blog where they publish interesting resources for malware researchers over at http://blog.malwareresearch.institute.

'''2015-03-20 - Philipp and Georg's slides available'''

Tor presentation slides: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]]

'''2015-03-11 - Strengths and weaknesses of Tor, the white knight of internet anonymity '''

"For those interested in online anonymity there are lots of tools available and Tor is one of the most frequently used. How does it work, how do you use it safely, and what are the risks? Is it possible to express your opinions anonymously on the internet today or can well funded actors circumvent the anonymity that Tor provides and find your true identity? What is the current status of the anonymity provided and what is being done to prevent current and future attacks on Tor?

To answer those and other questions regarding Tor we have invited Georg Koppen and Philipp Winter from the Tor Project to join us on Thursday, March 19. Be sure to book your seat immediately.

Who's this 'Tor', anyway?
Tor is an overlay network that enables people to use the Internet anonymously. We give a brief overview of how Tor works and then focus on how Tor can be used safely. In particular, we talk about the problem of malicious exit relays, how they can be a problem for Tor users, and how the Tor Project deals with them. Next, we talk about Tor Browser, The Tor Project's Firefox fork. Tor Browser protects against a number of (deanonymization) attacks that are not prevented by Firefox or Chrome. The goal of this talk is to show how Tor can be used safely for Web surfing and to correct common misunderstandings.

'''Georg Koppen'''
Works for The Tor Project on the Tor Browser, Torbutton, and Tor's build automation. He's also the main developer behind Tor's effort to create deterministic builds.

'''Phillipp Winter'''
Works for The Tor Project on research related to malicious exit relays and censorship circumvention. He is the main developer of ScrambleSuit, a polymorphic network traffic obfuscation protocol that's used by Tor.

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsors TeliaSonera & Mullvad and a Community update

18:15 Surfing safely over the Tor network, part 1

18:55 Short break

19:00 Surfing safely over the Tor network, part 2

19:40 Coming events

19:50 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

Gothenburg

2015-03-20T21:47:22Z

Peter Magnusson: Historiska Presentationer: PDF, video med mera. Georg Koppen and Philipp Winter: Surfing safely over the Tor anonymity network. PDF, video 1, video 2, video 3.

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==

* 2015-03-19 Georg Koppen and Philipp Winter: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]] [https://www.youtube.com/watch?v=bmmAFiqOgks Video: Relays] [https://www.youtube.com/watch?v=s7vb_mjJn2M Video: TorBrowser] [https://www.youtube.com/watch?v=UhWhlm0SB-U Video: Questions and Answers]
* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2015 ==

'''2015-03-20 - Philipp and Georg's slides available'''

Tor presentation slides: [[Media:Winter_Koppen_Tor_OWASP_20150319.pdf|Surfing safely over the Tor anonymity network]]

'''2015-03-11 - Strengths and weaknesses of Tor, the white knight of internet anonymity '''

"For those interested in online anonymity there are lots of tools available and Tor is one of the most frequently used. How does it work, how do you use it safely, and what are the risks? Is it possible to express your opinions anonymously on the internet today or can well funded actors circumvent the anonymity that Tor provides and find your true identity? What is the current status of the anonymity provided and what is being done to prevent current and future attacks on Tor?

To answer those and other questions regarding Tor we have invited Georg Koppen and Philipp Winter from the Tor Project to join us on Thursday, March 19. Be sure to book your seat immediately.

Who's this 'Tor', anyway?
Tor is an overlay network that enables people to use the Internet anonymously. We give a brief overview of how Tor works and then focus on how Tor can be used safely. In particular, we talk about the problem of malicious exit relays, how they can be a problem for Tor users, and how the Tor Project deals with them. Next, we talk about Tor Browser, The Tor Project's Firefox fork. Tor Browser protects against a number of (deanonymization) attacks that are not prevented by Firefox or Chrome. The goal of this talk is to show how Tor can be used safely for Web surfing and to correct common misunderstandings.

'''Georg Koppen'''
Works for The Tor Project on the Tor Browser, Torbutton, and Tor's build automation. He's also the main developer behind Tor's effort to create deterministic builds.

'''Phillipp Winter'''
Works for The Tor Project on research related to malicious exit relays and censorship circumvention. He is the main developer of ScrambleSuit, a polymorphic network traffic obfuscation protocol that's used by Tor.

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsors TeliaSonera & Mullvad and a Community update

18:15 Surfing safely over the Tor network, part 1

18:55 Short break

19:00 Surfing safely over the Tor network, part 2

19:40 Coming events

19:50 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

Gothenburg

2014-12-09T22:31:51Z

Peter Magnusson: /* Historiska Presentationer: PDF, video med mera */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==

* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]] - [https://www.youtube.com/watch?v=C7kjwqUTh3A video]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

Gothenburg

2014-12-09T18:49:02Z

Peter Magnusson: Internetdagarna-Its.all.about.the.cookie.odp

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==

* 2014-12-04 Jonas Magazinius [[Media:Internetdagarna-Its.all.about.the.cookie.odp | Internetdagarna-Its.all.about.the.cookie]]
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

File:Internetdagarna-Its.all.about.the.cookie.odp

2014-12-09T18:47:43Z

Peter Magnusson:

Gothenburg

2014-12-09T18:42:39Z

Peter Magnusson: added Media:Modems, ISPs & the media.pptx

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==

* 2014-12-04 Jonas Magazinius
* 2014-12-04 Johan Rydberg Möller [[Media:Modems, ISPs & the media.pptx | Modems, ISPs & the media]] - [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

File:Modems, ISPs & the media.pptx

2014-12-09T18:39:53Z

Peter Magnusson:

Modems, ISPs & the media
How the Comhem vulnerability could have been handled, and what happened instead
---
Who am I?
•@johanRmoller
• Penetration Tester @ Omegapoint
• Podcaster @ Säkerhetspodcasten
• Annoyer of ISPs
--
This talk is about
• How I hacked my own modem
• How Comhem handled my bug report
• How I worked with the media to force Comhem
into handling it better
• How they still failed
• And finally – How it should have been done
--
Lets go back a while
All the way back to August, 2013
--
I live in a ComHem house
Which means I get one of these:
--
Its my gateway to the internet
I decided to see if I could hack myself. There where two obvious
ways to go about it.
--
Pros & Cons
Firmware Analysis
Pros
• Can find stuff not obvious on the
web interface
• Could possibly reprogram the
modem
• Could find cooler vulnerabilities
Cons
• Could brick my modem
• Lots of work
• Not my area of expertise
--
Web Interface hacking
Pros
Easy and quick
Could find really stupid
vulnerabilities
Little to no risk of damaging the
modem
Cons
I wouldn’t be learning anything new
Soldering is cool!
Won’t find hidden stuff
--
The web interface
--
Fiddling around with burp
--
Finding CSRF Vuln
--
Impact of the CSRF vuln
Changing DNS
• Harvest account details
• Spread malware
• Steal Credit Card and bank details
Port Forwarding
• Expose internal network to internet
Turning on remote admin
• Changing all modem settings
• Stealing stored passwords (wifi passwords stored in cleartext)
• Downgrade security
DOS
• Brick the modem
--
Hardware hacking
--
Analyzing firmware
--
Sending the bug report
--
ComHem Responds
--
A year goes by
--
What is responsible disclosure?
--
Comhem Responds
--
Comhem responds again
• “The DNS problem only exists in Stockholm” -Comhem
--
Comhem locks down DNS
• Limiting their modems to only using Comhems DNS. This still
doesn’t solve the following problems:
Port Forwarding
• Expose internal network to internet
Turning on remote admin
• Changing all modem settings
• Stealing stored passwords (wifi passwords stored in cleartext)
• Downgrade security
DOS
• Brick the modem
Etc…
--
Minister proposes Law Change and PTS investigates
--
Comhem solves the problem
• On the 14th of November a firmware update finally arrives, solving the problem.
• At this point, the media attention has died down
• Noone cares that the issue is resolved
• The damage to Comhem is already done, and can’t be reversed at this point
--
What did we learn
• How should they have done it?
• Can we help our clients and companies handle these issues?
•What is it like to deal with the media
• Knowing what you want to say and being able to back it up

Gothenburg

2014-12-09T18:35:12Z

Peter Magnusson: added Category:OWASP_Video

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==

* 2014-12-04 Jonas Magazinius
* 2014-12-04 Johan Rydberg Möller [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]] [[Category:OWASP_Video]]

Gothenburg

2014-12-09T18:32:07Z

Peter Magnusson: /* Historiska Presentationer: PDF, video med mera */

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==

* 2014-12-04 Jonas Magazinius
* 2014-12-04 Johan Rydberg Möller [https://www.youtube.com/watch?v=vrJ_U8HFJEc video]
* 2014-04-24 Dagfinn Övstrud [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]
* 2014-04-24 Jan Wellergård [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]
* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schionning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

== OWASP Göteborg 2014 ==

'''2014-11-13 - Hacking unleashed'''

There seems to be loads of networking equipment out there being in a quite sad state from a security perspective. Yet people rely on them for everyday business and home networking. We're talking, of course, about routers and dongles. OWASP Göteborg will therefore dedicate this event to inform about the insecurity of such devices. We have invited security experts Adde Lindh and Johan Rydberg Möller to guide you through the evening.

2014-12-04 is the evening you all have been waiting for the entire autumn. Welcome to an evening that you'll never forget.

The event is sponsored by Omegapoint, so we wish to thank them in advance for food, drinks and the venue!
The event will be held in English except where noted

Link to [https://www.eventbrite.com/e/hacking-unleashed-tickets-14191957527 eventbrite]

Agenda
17:30 Event starts with a light snack and drink.

18:00 A word from our sponsor Omegapoint. Community update

18:15 Johan Rydberg Möller - Modems, ISPs and the Media - How the Comhem vulnerability could have been handled, and what happened instead [Talk held in Swedish. Slides in English]

19:00 Short break

19:05 Adde Lindh / ISecure Sweden AB - Attacking mobile broadband modules like a criminal would [BlackHat talk] '''CANCELLED'''

19:50 Coming events

20:00 Beer, snacks and some serious security live chat

Approx. 21:00 Event ends

Speaker bios and abstracts

'''Johan Rydberg Möller'''

On the 31st of October this year Dagens Nyheter published an article which prompted Post- och Telestyrelsen to begin an investigation of the internet provider Comhem with suspicions of breaches against the electronic communications law. What prompted DN to publish the article was the disclosure of a serious vulnerability in the Netgear modems that Comhem supply their customers whith, a vulnerability that had gone unpatched for over fourteen months since Comhem was first made aware of the issue. I was the one who first brought Comhems attention to the vulnerability and I worked with DNs reporter in an effort to shed light on the problem, after my correspondence with Comhem did not yield any results. In this talk I will discuss and demonstrate the vulnerability, talk briefly about responsible disclure and share my experience working with the media in order to
force change through public opinion, when nothing else works.

Johan Rydberg Möller is a security specialist at Omegapoint, focused mainly on web security and penetration testing. He is a founder of the security podcast Säkerhetspodcasten and occassionally appears in the news discussing security issues

'''Adde Lindh'''

While there has certainly been some interesting research into the security of mobile broadband modems, or "dongles," in the past, it has almost exclusively focused on novel attacks such as buffer overflows over text message, attacks on the device's file system, and other advanced approaches. The level of skill and effort required to execute such an attack reduces the potential number of attackers, but there are easier ways to monetize from attacking these devices too.

This talk will focus on some more likely scenarios; web-based attacks that are not that hard to pull off but that will allow the attacker to cash in without too much effort. The speaker will demonstrate how to profit, steal sensitive information, and establish a persistent hold on the devices, and also how a seemingly modest attack could be used as part of a more advanced attack chain. There will also be an analysis of why it is easy being an Internet criminal, and how it will continue to be so unless drastic changes are made to how we approach and implement new consumer technology.

Oh, and there will be demos.

Andreas Lindh is a security analyst and engineer working for ISecure Sweden. In his day job, he does a wide variety of defensive security work such as threat analysis, incident detection and response, and database security for a number of large clients in the private and public sector. In his spare time, he does web application and browser security research, mainly focused on consumer security. He also likes long walks on the Internet and romantic evenings in front of a Python IDE.

'''2014-05-20 - Jans och Dagfinns slides tillgängliga'''

Jans slides: [[Media:Privacy_by_Design_v5.pptx‎|Privacy by Design]]

Dagfinns slides: [[Media:OWASP_Dagfinn_final.pdf|Privacy by Design @ Västtrafik]]

'''2014-04-03 - Privacy by design'''

OWASP Göteborg gör en djupdykning i området privacy den 24e april. Internet och sociala nätverk har bidragit till en ökat intresse för privacy. Företag som måste eller vill skydda sina användares data måste fatta privacybeslut redan under designfasen av utvecklingsarbetet. Vi tittar på vad Pricacy by Design innebär och tittar också på ett konkret exempel på hur PoD-ideerna kan tillämpas. För att guida oss genom kvällen har vi bjudit in Jan Wellergård från TeliaSonera och Dagfinn Övstrud från Kentor. Sponsor är TeliaSonera och GIVETVIS kommer det bli helt awesome!

Länk till [https://www.eventbrite.com/e/privacy-by-design-tickets-11189308523 eventbrite]

''Eventet kommer hållas på engelska''

Agenda

17:30 Kvällen inleds med macka och dricka

18:00 Community update + vår sponsor [http://www.teliasonera.com/sv/ TeliaSonera] säger ett par väl valda ord. Tack för sponset!

18:15 [Jan Wellergård/TeliaSonera] - Privacy by design

19:00 Bensträckare

19:05 [Dagfinn Övstrud/Kentor] Privacy by design hos Västtrafik

20:00 Öl, snacks och livechat om säkerhet

ca 21:00 Eventet avslutas

Abstract och talarbio

'''Jan Wellergård'''

What is privacy by design and is it really a new requirement? Privacy matters and protecting personal data is a legal obligation since late 90s. However, one needs a structured way to achieve compliance. It needs to be addressed already in Design.

Jan Wellergård is the Personal Data Representative (sv. Personuppgiftsombud) for TeliaSonera’s Swedish entities. He is monitoring TeliaSonera’s compliance and supporting the business in privacy matters. Jan is also the Security Director for Group Technology – IT Support systems working with information security management

'''Dagfinn Övstrud'''

This talk will introduce and discuss selected relevant systems from the vast systems flora at Västtrafik, on how they deal with handling and protecting privacy data. It will also cover some general infrastructure design principles, and challenges faced in general and as a company in the public sector.

Dagfinn is an infrastructure architect with a special interest in the areas of security, availability and performance. Mostly Microsoft-related, but nobody's perfect. He worked in Västtrafik's IT department from 2008 to 2014, when he joined Kentor AB as a consultant. He has a life too, and in addition to regular mainstream hobbies and interests he has recently picked up his guitar and is in the process of writing and recording his very own independent solo album in the genre of melodic death metal \m/ !

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]]

Gothenburg

2014-03-15T23:59:15Z

Peter Magnusson:

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius.

Vi lägger upp presentationer på youtube-kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i [http://lists.owasp.org/mailman/listinfo/owasp-sweden OWASP Sweden-mailinglistan]). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

__TOC__

== Historiska Presentationer: PDF, video med mera ==

* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schoning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 OWASP Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 OWASP Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 OWASP - Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

''' 2014-02-19 - Klas och Pers slides tillgängliga

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

''' 2014-01-29 - Autentisering, hur svårt kan det va?

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

== OWASP Göteborg 2013 ==

''' 2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

''' 2013-11-03 - SSL för alla

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

== OWASP Göteborg 2012 ==

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

== OWASP Göteborg 2011 ==

'''2011-11-04 - Ett par små uppdateringar

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]]

Gothenburg

2014-02-24T22:03:41Z

Peter Magnusson: Promo för owaspgbg kanalen

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius.

Va? Inte medlem? [http://lists.owasp.org/mailman/listinfo/owasp-sweden Klicka här för att gå med i mailinglistan.]

Vi lägger upp presentationer på youtube kanalen [http://www.youtube.com/user/owaspgbg owaspgbg].

== Deltagande ==

OWASP Foundation is a professional association of global members and is and open to anyone interested in learning more about application security. Local chapters are run independently and governed by the following [[Chapter Leader Handbook]]. As a [http://www.owasp.org/index.php/About_OWASP 501(c)(3)] non-profit professional association your support and sponsorship of a meeting venue and/or refreshments is tax-deductible. Financial contributions should be made online using the online chapter donation button. To be a '''SPEAKER''' at ANY OWASP Chapter in the world simply review the [http://www.owasp.org/index.php/Speaker_Agreement speaker agreement] and then contact the local chapter leader with details of what [http://www.owasp.org/index.php/Category:OWASP_Project OWASP PROJECT], independent research or related software security topic you would like to present on.

<paypal>Gothenburg</paypal>

'''<center>[http://lists.owasp.org/mailman/listinfo/owasp-sweden Klicka här för att gå med i din lokalavdelnings mailinglista]</center>'''



Anmäl Er gärna till vår mailinglista. '''Notera''' dock att när du anmäler dig kommer du att anmäla dig till OWASP ''Sweden''-listan och inte ''Gothenburg''-listan. Detta beror på att Göteborgs och Sverige-kapitlen tillsammans har bestämt oss för att endast använda en lista.

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i OWASP Sweden-mailinglistan). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

== Historiska Presentationer: PDF, video med mera ==

* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schoning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 OWASP Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 OWASP Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 OWASP - Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

===2014-02-19 - Klas och Pers slides tillgängliga===

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

===2014-01-29 - Autentisering, hur svårt kan det va?===

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

===2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga===

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

===2013-11-03 - SSL för alla===

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

===2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga===

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

===2013-09-12 - Så där ja, nu kör vi igång år tre===

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

===2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich===

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

===2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga===

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

===2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari===

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

===2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november===

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

===2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012===

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

===2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga===

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

===2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security===

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

===2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga===

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

===2012-03-25 - Jim Manico's slides tillgängliga===

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

===2012-03-03 - Nästa officiella event spikat till torsdag den 26e april===

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

===2012-03-03 - Jim "@manicode" Manico till Sverige===

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

===2012-02-27 - Snabbt påkommen säkpub===

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

===2012-02-25 - Missa inte dev:mobile===

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

===2012-02-06 - Öppningsceremoni för Software Center===

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

===2012-01-17 - Communityhack===

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

===2012-01-17 - Så där ja!===

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

===2012-01-16 - Vårens aktiviteter===

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

===2011-11-04 - Ett par små uppdateringar===

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

===2011-10-18 - Meeting outline for November 3rd===

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

===2011-10-14 - OWASP Göteborg den 3e november - uppdatering===

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

===2011-09-17 - OWASP Göteborg den 3e november===

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

===2011-09-17 - Ännu ett wow!===

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

===Nästa träff + wow!===

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

===Presentationsmaterial===

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

===OWASP Gothenburg web site goes Swedish + surprise!===

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

===OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective===

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

===July 4th, 2011 - OWASP-Gothenburg opens!===

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]]

Gothenburg

2014-02-24T21:52:51Z

Peter Magnusson: Listan komplett nu kanske?

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius.

Va? Inte medlem? [http://lists.owasp.org/mailman/listinfo/owasp-sweden Klicka här för att gå med i mailinglistan.]

== Deltagande ==

OWASP Foundation is a professional association of global members and is and open to anyone interested in learning more about application security. Local chapters are run independently and governed by the following [[Chapter Leader Handbook]]. As a [http://www.owasp.org/index.php/About_OWASP 501(c)(3)] non-profit professional association your support and sponsorship of a meeting venue and/or refreshments is tax-deductible. Financial contributions should be made online using the online chapter donation button. To be a '''SPEAKER''' at ANY OWASP Chapter in the world simply review the [http://www.owasp.org/index.php/Speaker_Agreement speaker agreement] and then contact the local chapter leader with details of what [http://www.owasp.org/index.php/Category:OWASP_Project OWASP PROJECT], independent research or related software security topic you would like to present on.

<paypal>Gothenburg</paypal>

'''<center>[http://lists.owasp.org/mailman/listinfo/owasp-sweden Klicka här för att gå med i din lokalavdelnings mailinglista]</center>'''



Anmäl Er gärna till vår mailinglista. '''Notera''' dock att när du anmäler dig kommer du att anmäla dig till OWASP ''Sweden''-listan och inte ''Gothenburg''-listan. Detta beror på att Göteborgs och Sverige-kapitlen tillsammans har bestämt oss för att endast använda en lista.

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i OWASP Sweden-mailinglistan). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

== Historiska Presentationer: PDF, video med mera ==

* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schoning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 OWASP Fredrik Sjöström [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]] [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 OWASP Robin Blokker [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]] [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 OWASP - Michael Boman [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]] [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1 - GoodFet]] [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]
* 2012-07-04 Ulf Larson [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]
* 2012-04-26 Erlend Oftedal [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]
* 2012-04-26 Combitech [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]
* 2012-03-03 Jim @Manicode Manico [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]
* 2011-11-03 Martin Holst Swende [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]
* 2011-11-03 Stefano Di Paola [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]
* 2011-08-25 Per Josefsson [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]
* 2011-08-25 Jonas Magazinius [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

== Lokala nyheter ==

===2014-02-19 - Klas och Pers slides tillgängliga===

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

===2014-01-29 - Autentisering, hur svårt kan det va?===

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

===2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga===

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

===2013-11-03 - SSL för alla===

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

===2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga===

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

===2013-09-12 - Så där ja, nu kör vi igång år tre===

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

===2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich===

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

===2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga===

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

===2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari===

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

===2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november===

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

===2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012===

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

===2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga===

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

===2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security===

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

===2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga===

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

===2012-03-25 - Jim Manico's slides tillgängliga===

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

===2012-03-03 - Nästa officiella event spikat till torsdag den 26e april===

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

===2012-03-03 - Jim "@manicode" Manico till Sverige===

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

===2012-02-27 - Snabbt påkommen säkpub===

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

===2012-02-25 - Missa inte dev:mobile===

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

===2012-02-06 - Öppningsceremoni för Software Center===

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

===2012-01-17 - Communityhack===

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

===2012-01-17 - Så där ja!===

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

===2012-01-16 - Vårens aktiviteter===

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

===2011-11-04 - Ett par små uppdateringar===

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

===2011-10-18 - Meeting outline for November 3rd===

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

===2011-10-14 - OWASP Göteborg den 3e november - uppdatering===

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

===2011-09-17 - OWASP Göteborg den 3e november===

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

===2011-09-17 - Ännu ett wow!===

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

===Nästa träff + wow!===

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

===Presentationsmaterial===

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

===OWASP Gothenburg web site goes Swedish + surprise!===

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

===OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective===

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

===July 4th, 2011 - OWASP-Gothenburg opens!===

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]]

Gothenburg

2014-02-24T21:44:19Z

Peter Magnusson: Wiithout structure there is no hope

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius.

Va? Inte medlem? [http://lists.owasp.org/mailman/listinfo/owasp-sweden Klicka här för att gå med i mailinglistan.]

== Deltagande ==

OWASP Foundation is a professional association of global members and is and open to anyone interested in learning more about application security. Local chapters are run independently and governed by the following [[Chapter Leader Handbook]]. As a [http://www.owasp.org/index.php/About_OWASP 501(c)(3)] non-profit professional association your support and sponsorship of a meeting venue and/or refreshments is tax-deductible. Financial contributions should be made online using the online chapter donation button. To be a '''SPEAKER''' at ANY OWASP Chapter in the world simply review the [http://www.owasp.org/index.php/Speaker_Agreement speaker agreement] and then contact the local chapter leader with details of what [http://www.owasp.org/index.php/Category:OWASP_Project OWASP PROJECT], independent research or related software security topic you would like to present on.

<paypal>Gothenburg</paypal>

'''<center>[http://lists.owasp.org/mailman/listinfo/owasp-sweden Klicka här för att gå med i din lokalavdelnings mailinglista]</center>'''



Anmäl Er gärna till vår mailinglista. '''Notera''' dock att när du anmäler dig kommer du att anmäla dig till OWASP ''Sweden''-listan och inte ''Gothenburg''-listan. Detta beror på att Göteborgs och Sverige-kapitlen tillsammans har bestämt oss för att endast använda en lista.

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i OWASP Sweden-mailinglistan). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

== Historiska Presentationer: PDF, video med mera ==

* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schoning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 OWASP Fredrik Sjöström Malware [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 OWASP Robin Blokker Penetration Testing [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 OWASP - Michael Boman Malware Analysis as a Hobby [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors OWASP Hardware Hacking - GoodFet [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario
* 2012-07-04 Ulf Larson
* 2012-04-26 Erlend Oftedal
* 2012-04-26 Combitech
* 2012-03-03 Jim @Manicode Manico
* 2011-11-03 Martin Holst Swende
* 2011-11-03 Stefano Di Paola
* 2011-08-25 Pers
* 2011-08-25 Jonas

== Lokala nyheter ==

===2014-02-19 - Klas och Pers slides tillgängliga===

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

===2014-01-29 - Autentisering, hur svårt kan det va?===

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

===2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga===

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

===2013-11-03 - SSL för alla===

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

===2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga===

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

===2013-09-12 - Så där ja, nu kör vi igång år tre===

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

===2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich===

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

===2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga===

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

===2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari===

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

===2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november===

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

===2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012===

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

===2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga===

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

===2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security===

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

===2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga===

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

===2012-03-25 - Jim Manico's slides tillgängliga===

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

===2012-03-03 - Nästa officiella event spikat till torsdag den 26e april===

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

===2012-03-03 - Jim "@manicode" Manico till Sverige===

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

===2012-02-27 - Snabbt påkommen säkpub===

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

===2012-02-25 - Missa inte dev:mobile===

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

===2012-02-06 - Öppningsceremoni för Software Center===

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

===2012-01-17 - Communityhack===

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

===2012-01-17 - Så där ja!===

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

===2012-01-16 - Vårens aktiviteter===

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

===2011-11-04 - Ett par små uppdateringar===

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

===2011-10-18 - Meeting outline for November 3rd===

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

===2011-10-14 - OWASP Göteborg den 3e november - uppdatering===

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

===2011-09-17 - OWASP Göteborg den 3e november===

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

===2011-09-17 - Ännu ett wow!===

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

===Nästa träff + wow!===

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

===Presentationsmaterial===

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

===OWASP Gothenburg web site goes Swedish + surprise!===

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

===OWASP Gothenburg Meeting, August 25 2011, Welcome to Owasp Gothenburg + Owasp top ten w/ demo + Webappsec from a programming language perspective===

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

===July 4th, 2011 - OWASP-Gothenburg opens!===

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]]

Gothenburg

2014-02-24T21:23:59Z

Peter Magnusson: mer på gamla historiska presentationer

[[File:Owaspgbg_brand_logo_web.png|options|500px]]

== OWASP Göteborgs lokalavdelning ==

Välkommen till OWASP Göteborgs hemsida. Göteborgskapitlets ledare är [mailto:ulf.larson@owasp.org Ulf Larson], [mailto:mattias.jidhage@owasp.org Mattias Jidhage] och Jonas Magazinius.

Va? Inte medlem? [http://lists.owasp.org/mailman/listinfo/owasp-sweden Klicka här för att gå med i mailinglistan.]

== Historiska Presentationer ==

* 2014-02-18 Klas Lindfors [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]] - [http://www.youtube.com/watch?v=ORXDPNyXM-4 video]
* 2014-02-18 Per Thorsheim [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]] - [http://www.youtube.com/watch?v=dc-bF2CU0Xo video]
* 2013-11-30 Joachim Strömbergsson och Peter Magnusson [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]] - [http://www.youtube.com/watch?v=UR5S-OtHUYg video1] [http://www.youtube.com/watch?v=7GJ0Z6EjDVQ video2]
* 2013-10-24 Ulf Larson [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]
* 2013-10-24 Jonas Magazinus [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]
* 2013-04-29 Mario Heiderich [http://www.slideshare.net/x00mario/the-innerhtml-apocalypse The innerHTML Apocalypse]
* 2013-04-29 Mario Heiderich XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity
* 2013-01-31 Mattias Wecksten [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]
* 2013-01-31 Rickard Bodfors [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]
* 2013-01-31 Mårten Schoning [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]
* 2012-11-22 OWASP Fredrik Sjöström Malware [http://www.youtube.com/watch?v=dgwpjQXguso video]
* 2012-11-22 OWASP Robin Blokker Penetration Testing [http://www.youtube.com/watch?v=lilDGi3AgzE video]
* 2012-11-22 OWASP - Michael Boman Malware Analysis as a Hobby [http://www.youtube.com/watch?v=Dth_mJEsGTo video]
* 2012-10-08 Mathias Jidhage och Rikard Bordfors OWASP Hardware Hacking - GoodFet [http://www.youtube.com/watch?v=sPx0JWOIcus video]
* 2012-07-04 Mikko Saario
* 2012-07-04 Ulf Larson
* 2012-04-26 Erlend Oftedal
* 2012-04-26 Combitech
* 2012-03-03 Jim @Manicode Manico
* 2011-11-03 Martin Holst Swende
* 2011-11-03 Stefano Di Paola
* 2011-08-25 Pers
* 2011-08-25 Jonas

== Lokala nyheter ==

'''2014-02-19 - Klas och Pers slides tillgängliga'''

Klas slides: [[Media:Klas_otp_OWASPgbg20140219.pdf‎|One time passwords]]

Pers slides: [[Media:(Almost)_everything_about_passwords_that_OWASP_OWASPGbg_20140218_Per_Thorsheim.pdf‎|(Almost) everything about passwords that OWASP won't teach you]]

'''2014-01-29 - Autentisering, hur svårt kan det va?'''

OWASP Göteborg kör tema autentisering den 18e februari och har bjudit in Per Thorsheim, grundare av Passwords-konferensen, och Klas Lindfors från Yubico. Magnus Almgren från Data- och Informationsteknik vid Chalmers kommer tala kort om RAID2014, som i höst kommer hållas i Göteborg i Chalmers regi. Med andra ord, en mycket spännande agenda, som vanligt! Kvällens sponsor är Ajilon Consultants AB.

Länk till [https://owaspgbg-authentication.eventbrite.com eventbrite]

''Eventet kommer hållas på engelska''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.ajilonconsultants.se/ Ajilon Consultants] säger ett par väl valda ord. Tack för sponset!

18:10 [Klas Lindfors/Yubico] - OTP and U2F

19:00 Paus

19:10 [Per Thorsheim/Stricture Consulting Group, God Praksis AS] - (Almost) everything about passwords that OWASP won't teach you

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio

'''Klas Lindfors'''

One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc but they have their ups and downs. What type of OTP should you use; the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP; building your own server and protecting the secrets, or rely on a cloud service like Yubico's YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.

Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization & validation.

'''Per Thorsheim'''

OWASP has some wonderful guidelines on sending, storing and resetting passwords. However there are still challenges that cannot be addressed
through technical measures, they need to be addressed by humans, and not just developers. Through color & font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong, the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder & main organizer of the Passwords conferences (PasswordsCon.org), a conference fully dedicated to passwords & PINs. He's been working, examining, playing, dreaming and discusssing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of Linkedin in june 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training & security advisory services. Some say he's good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

'''2013-11-30 - Peters och Joachims SSL für alle slides tillgängliga'''

Slides tillgängliga här: [[Media:OWASP_SSL_20131128_preso.pdf|SSL für alle]]

'''2013-11-03 - SSL för alla'''

OWASP Göteborg presenterar stolt en helkväll om SSL/TLS och HTTPS den 28e november. Vi kommer denna gång vara i Omegapoints lokaler på Rosenlundsgatan 3 och vi startar som vanligt med mackor och mingel 17:30.

Vi har denna gång två mycket intressanta och erfarna talare, Joachim Strömbergson och Peter Magnusson. Båda med lång erfarenhet av kryptoteknik och kryptoimplementationer. Vi tar fram stora spaden och gräver fram detaljerna om SSL/TLS och HTTPS. De allra flesta kommer i daglig kontakt med begreppen genom webbrowsern och vi har säkert alla hört talas om någon av de lyckade attacker som utförts under senaste år. Dags att gå till botten med det här! Vad är SSL/TLS och HTTPS egentligen, varför har vi problem, och kan vi lita på det framöver. I så fall, varför?

Länk till [http://owaspgbg-ssl-2013.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka.

18:00 Community update + vår sponsor [http://www.omegapoint.se/ Omegapoint] säger ett par väl valda ord. Tack för sponset!

18:10 Joachim Strömbergson

19:00 Paus

19:10 Peter Magnusson

19:50 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

What is SSL/TLS and HTTPS? What security is it intended to provide? In recent years the SSL/TLS and HTTPS technology has been had numerous alerts on real world, practical crypto attacks, effectively
unravelling HTTPS security promises. What are these attacks, why do they work, and how were the attacks combatted in SSL implementations?

'''Joachim Strömbergson'''

Joachim Strömbergson is a security expert at Secworks, a consultancy
founded by Joachim. By working as an advisor and educator, providing
analysis and implementations Joachim assists his customers in finding
the right security for their products and services. SSL and TLS in
embedded systems, Internet of Things and SCADA system security are
things Joachims battles during day time. On his spare time Joachim
implements ciphers and blogs about security at secworks.se

'''Peter Magnusson'''

Peter is a speaker in the Säkerhetspodcasten security podcast
(sakerhetspodcasten.se) and has a great interest in applied cryptography
and practical cryptographic attacks. Peter works as security consultant at
Omegapoint and specialize in application security.

'''2013-10-24 - Ulfs och Jonas slides från senaste träffen tillgängliga'''

Ulfs slides tillgängliga här: [[Media:OWASP_Topp_tio_Ulf_Larson_20131010.pdf‎|OWASP topp tio 2013 with WebGoat and ZAP]]

Jonas slides tillgängliga här: [[Media:Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP-131010.pptx|Crossing origins by crossing formats]]

'''2013-09-12 - Så där ja, nu kör vi igång år tre'''

Hej Alla!

Nu kör vi igång år tre! Den tionde oktober startar vi upp med 2013-års variant av vårt första event i augusti 2011. Topp tio 2013 har funnits ute ett par månader nu och vi tänkte naturligtvis täcka upp detta. Vi kommer blanda och ge från akademisk forskning i absoluta framkant, senaste "topp tio"-listan, illustrerad med väl valda demonstrationer, samt en introduktion till OWASP och OWASP Göteborg. Vi vill särskilt välkomna de som inte varit hos oss förut, så om någon av Er erfarna säkerhetsrävar känner nån som är intresserad men inte deltagit tidigare får ni gärna tipsa dem. En grym kväll är ju faktiskt bara en registrering på en maillista bort.

Länk till [http://owaspgbg-top10-2013-eorg.eventbrite.com/ eventbrite]

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor ([http://www.starrepublic.com/ Star Republic]) säger ett par väl valda ord. Tack för sponset!

18:00 OWASP Göteborg - Community update + Det här är OWASP Göteborg

18:10 Ulf och Erik - OWASP topp tio 2013 + Demo

19:10 Paus

19:20 Jonas - Polyglot

20:00 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract

'''Ulf och Erik'''

We present the OWASP top ten list for 2013. The top ten list contains the most serious application security risks. In the top of the list we find SQL injection. Well known, but still going strong, due to the potentially disastrous consequences a successful attack may have. In the upper half of the list, we also find broken authentication and, of course, Cross-Site Scripting. Among the newcomers to the list, we find sensitive data exposure, and the use of components with known vulnerabilities. In addition to presenting the list, we also demonstrate some simple attacks.

'''Jonas'''

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. This paper focuses on the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretation of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins. The paper presents novel attack vectors that infiltrate the trusted origin by syntax injection across multiple languages and by content smuggling of malicious payload that appears formatted as benign content. The attacks lead to both cross-domain leakage and cross-site request forgery. We perform a systematic study of PDF-based injection and content smuggling attacks. We evaluate the current practice in client/server content filtering and PDF readers for polyglot-based attacks, and report on vulnerabilities in the top 100 Alexa web sites. We identify five web sites to be vulnerable to syntax injection attacks. Further, we have found two major enterprise cloud storage services to be susceptible to content smuggling attacks. Our recommendations for protective measures on server side, in browsers, and in content interpreters (in particular, PDF readers) show how to mitigate the attacks.

'''2013-04-29 - OWASP Göteborg - An evening with Mario Heiderich'''

Vi är stolta att presentera en helkväll med Mario Heiderich. Mario kommer hålla två föredrag om Cross Site Scripting: ett om mXSS och ett om hur XSS utvecklats genom historien. Kommer garanterat bli mycket, mycket intressant!

Länk till [http://owaspgbg-mario-xss-eorg.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Chalmers för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska/The event will be held in its entirety in English'''

Preliminär agenda

17:30 Kvällen inleds med macka och dricka. Vår sponsor Chalmers säger ett par väl valda ord

18:00 Community update

18:10 Mario Heiderich - The InnerHTML Apocalypse

18.45 Paus

19:00 Mario Heiderich - XSS from 1999 to 2013

19:45 Öl, snacks och livechat om säkerhet

Ca 21:00 Eventet slutar

Abstract och talarbio:

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security, script-less attacks and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario invoked the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences - both academic and industry-focused, co-authored two books, several academic papers and doesn't see a problem in his one year old son having a tablet already. There you have it.

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

'''2013-04-29 - Slides från OWASP Göteborg 2013-02-28 finns nu tillgängliga'''

Nu finns slides från vårt Februarievent tillgängliga här

Mattias slides: [[Media:Mattias_wecksten_OWASPGBG_20130228.pdf|IT-forensics and information security]]

Rikards slides: [[Media:Rikard_bodforss_OWASPGBG_20130228.pdf|Don't touch that system]]

Mortens slides: [[Media:Morten_schionning_OWASPGPG_20130228.odp|Incidents and forensics]]

'''2013-01-31 - OWASP Göteborg - IT-forensik, 28e februari'''

OWASP Göteborg drar igång våren med en spännande presentationskväll om IT-forensik i samarbete med ISACA. Vi har tre talare på schemat och vi lovar att det kommer bli en blandning ni inte kan motstå!

Länk till [http://owaspgbg-it-forensics.eventbrite.com/ eventbrite]

Vi tackar varmt vår sponsor Omegapoint för käk och för att vi får använda lokalen!

'''Eventet kommer hållas på engelska'''

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Omegapoint

18:00 Community update

18:10 [Morten Schiønning/TeliaSonera] - Incidents and Forensics

18:50 Bensträckare

18:55 [Rikard Bodforss/Omegapoint] - Don't touch that system!

19:35 Bensträckare #2

19:50 [Mattias Weckstén/Halmstad University] - Entry level it-forensic training from an academic point of view

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

Abstract och talarbio

'''Morten Schiønning'''

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

'''Rikard Bodforss'''

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén''

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

'''2012-10-29 - OWASP Göteborg - Pentest och Malware, 22e november'''

''Uppdatering 2012-12-05''

Slides finns nu tillgängliga, de finns under varje talares bio nedan.

Den 22e november kör vi vårt novemberevent. Kvällens tema är pentestning och malware, vi har tre talare på detta event och det är garanterat nåt ni inte vill missa. Så boka er plats redan nu på [http://owaspgbg-pentest-malware.eventbrite.com/ eventbrite]. Denna gång är vår sponsor TeliaSonera och vi kommer hålla eventet i deras lokaler i Gårda. Adressinformation finns i eventbrite-länken.

Prelimiär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor TeliaSonera

18:00 Community update

18:10 [Michael Boman/2Secure] - Malwareanalys som en hobby

18:50 Bensträckare

18:55 [Robin Blokker/FRA] - Penetrationstestning

19:35 Bensträckare #2

19:50 [Fredrik Sjöstrand/FRA] - Malware

20:30 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

21:30 Eventet avslutas en gång till. Nu på allvar.

Abstract och talarbio

''Michael Boman''

Som pappa till fem barn så har man varken tid eller pengar, men ändå ville jag inte lägga ner min hobby som malware-forskare. Lösningen heter automatisering, och jag tänkte förklara hur det fungerar. För tillfället så analyserar jag drygt 1 misstänkt virus/minuten, men det kan skalas upp i takt med hårdvara (så gott som linjär skalning

Michael Boman arbetar som säkerhetskonsult för 2Secure och analyserar skadlig kod som hobby. Michael har över 10 års erfarenhet av säkerhetstestning av applikationer och infrastruktur. Michael är passionerad om data-säkerhet och gör sitt bästa för att fler skall göra rätt från början. Michael driver webbsidan [http://michaelboman.org michaelboman.org] där delar där med sig sina kunskaper och erfarenheter när han kan.

Michaels slides: [[Media:Michael_Boman_Mart_OWASPGBG_20121122.pdf‎|Malware analysis as a hobby]]

''Robin Blokker''

All penetrationstestning utförs enligt "Best effort" principen med begränsade resurser. Vad är en rimlig spelplan för ett test? Vilka metoder är effektiva och vad letar man efter? Vilka gränser måste respekteras och vilka bör man som sakkunnig expert utforska eller ignorera? Hur ser man till att arbetet får maximal avkastning och att resultaten genererar verklig säkerhet i slutändan?

Robin Blokker är säkerhetsspecialist vid FRA:s enhet för nätverkssäkerhet var han arbetar med granskningar och penetrationstester av svenska myndigheters system. Robins tekniska hemmaplan är webbsäkerhet och klient-attacker. Han betraktar sig själv som en välintegrerad hemvandrare och en aktiv del av den offentliga säkerhetsgemenskapen var han övar sig i psykologisk krigsföring och
frisbeegolf.

Robins slides: [[Media:Robin_Blocker_Penetrationtesting_OWASPGBG_20121122.RobinBlokker.pdf|Penetrationstestning]]

''Fredrik Sjöstrand''

Malware har gått ifrån att vara ett simpelt busstreck till att tömma ditt bankkonto, ta alla dina inloggningsuppgifter och aktivt försvåra analys med anti-debug, anti-vm och obfuskering. Hur kan det se ut? Vad händer? Framtid?

Fredrik Sjöström arbetar som reverse engineer vid FRAs informationssäkerhetsavdelning där han arbetar med att köra kod baklänges. Fokus ligger på malware analys och att hitta metoder för detektering. De lediga stunder som inte tillbringas i en debugger tillägnas Premier League och Chelsea FC.

Fredriks slides: [[Media:Fredrik_Sjostrom_Malware_OWASPGBG_20121122.pdf‎|Malware]]

'''2012-10-08 - OWASP Göteborg - Introduction to Hardware Hacking part 1, 25:e Oktober, 2012'''

''Uppdatering 2012-10-29''

Nu finns slides tillgängliga [[Media:OWASP-Hardware-Hacking-Part1.pptx‎|OWASP Hardware Hacking Part 1]]. Dessutom finns en video från spektaklet. Den hittar ni [http://t.co/9VsMeAGW här].

''Ursprungspost 2010-10-08''

Torsdag 25e oktober slår OWASP Göteborg och Omegapoint upp sina portar för en helkväll med hårdvarusnickeri! Till vårt stora nöje blev eventet fullbokat i princip så fort biljetterna släpptes. Ni som är intresserade men som inte fick plats kan anmäla ert intresse till [mailto:mattias.jidhage@owasp.org Mattias Jidhage]. Om tillräckligt många är intresserade finns det inget som hindrar att vi kör fler omgångar.

Under kvällen så kommer vi kika lite på ytmontering generellt och mer specifikt på GoodFET (som är kvällens mål). Om man nu vill bygga något elektroniskt, hur gör man då? Och det här med ytmontering - kan man verkligen göra det hemma? Och varför? Vad skall man egentligen ha en GoodFET till? Vad finns det mer för intressanta säkerhetsrelaterade hårdvaruprojekt man kan pilla med? Din GoodFET får du ta med dig hem.

'''2012-09-13 - Slides från OWASP Göteborg 2012-09-06 finns nu tillgängliga'''

Nu finns slides från vårt september-event tillgängliga. Varsågoda!

Mikko Saario - [[Media:Mikko_Saario_3_from_1_hybrid_agile_OWASP_Gbg_20120906.pdf‎|3 från 1 - hybrid environments and agile]]

Ulf Larson - [[Media:Securing_mobile_applications_OWASP_Gbg_20120906.pdf|Securing Mobile Applications]]

'''2012-07-04 - Nästa event spikat till torsdag den 6e september - tema mobile security'''

Torsdagen den 6e april slår vi upp portarna till OWASP Göteborgs första event på år två! Denna gång kommer temat vara mobilsäkerhet och vi har övertalat [https://www.linkedin.com/in/mikkosaario Mikko Saario], Senior Security Manager vid Nokia att komma och köra en 3-från-1 om mobilsäkerhet och agil säkerhet. Dessutom kommer Ulf Larson att berätta kortfattat om vad OWASP kan erbjuda mobilutvecklare. Sponsor för detta event är Adecco IT Konsult. Tusen tack till Adecco IT Konsult för detta!

Denna gång kommer eventet att hållas hos Adecco IT Konsult, Maskingatan 5, 417 64 Göteborg [https://owaspgbg-mobilesec.eventbrite.com/ Eventbrite].

Mikko kommer hålla sina presentationer på engelska och det är troligt att Ulf också gör så. Denna gång blir också demointensiv och förhoppningsvis håller sig demodjävulen på behörigt avstånd...

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Adecco IT Konsult

18:00 Community update

18:10 Securing mobile applications. What can OWASP offer, + a quick look at iGoat

18:40 Bensträckare

18:45 3-från-1 presentation från Mikko Saario (hybrid environments and security + agile development)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts'''

''Securing Mobile applications. What can OWASP offer ...''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

'''2012-06-01 - Slides från OWASP Göteborg 2012-04-26 nu tillgängliga'''

Nu finns slides från vårt april-event tillgängliga. Nu vet ni alltså vad ni skall göra under semestern. Varsågoda!

Erlend Oftedal - [http://eoftedal.github.com/CrossDomainAndBrowserSecurity/#1 Cross domain communication and browser security features]

Combitech - [[Media:OWASP_Evalg_2012-04-26.ppt‎|Security assessment of the E-valg system]]

'''2012-03-25 - Jim Manico's slides tillgängliga'''

Här kommer nu länken till Jim Manico's slides från föredraget den 22e. Håll till godo! [[Media:Manico_Developer_Top_Ten_Core_Controls_v4.1.ppt.zip | JManico - Developer Top Ten]]

'''2012-03-03 - Nästa officiella event spikat till torsdag den 26e april'''

Torsdagen den 26e april slår vi upp portarna OWASP Göteborgs sista event före sommaren. Efter detta går vi in i sommardimman och space:ar ut ett par månader innan vi återigen tar nya tag inför hösten. Sponsor för detta event är [http://www.combitech.se/ Combitech]. Tusen tack till Combitech för detta!

Temat för aprileventet är Norge! Vi får besök av Erlend Oftedal (@webtonull) som skall berätta om ''Cross domain communication and browser security features''. Rekommenderad lyssning för er som använder webbläsare. Vi har också ett team från Combitech som skall berätta om säkerhetsarbetet bakom framtagningen av E-valg, elektroniska val i Norge. Garanterat spännande lyssning det med!

Denna gång kommer eventet att hållas på ''Utbildningscenter för kollektivtrafik, Bror Nilssons gata 16, 417 55 Göteborg'' Håll ögonen öppna för Eventbrite-länk.

Preliminär agenda:

17:30 Eventet öppnar. Mackor och dricka. Ett par ord från vår sponsor Combitech

18:00 Community update

18:10 Security assessment of the E-valg system - Combitech

19:05 Bensträckare

19:15 Cross domain communication and browser security features - Erlend Oftedal (presentation och slides är på engelska)

20:10 Mingel, en öl eller två och lite snacks

Ca 21:00 Eventet avslutas

'''Abstracts:'''

''Security assessment of the E-valg system''

Norge har under hösten 2011 genomfört elektroniska val med ett nyframtaget system som kallas för E-valg. Säkerheten i ett sådant system är naturligtvis mycket viktig för att kunna genomföra fria val med lika rösträtt och där man kan hålla hemligt vad man röstar på. Ett viktigt krav är att man ska kunna avge sin röst utan att rösten kan kopplas till väljaren, man ska vara säker på att rösten har blivit registrerad på rätt kandidat och parti och endast en röst per person ska räknas. Ett annat krav är att ingen ska kunna forcera systemets säkerhet för att påverka valresultatet (integritet) eller ta reda på vad någon har röstat på (sekretess).
Säkerhetsarbetet har varit en viktig del i framtagningen av E-valg och varit del av alla faser (iterationer) av projektet. Combitech har haft rollen som oberoende säkerhetsgranskare och utfört granskning av design, kodgranskning och penetrationstester på det färdiga systemet. I princip all information om systemet är dessutom öppen för att göra det möjligt för alla som vill att granska säkerheten.
Presentationen kommer att beskriva principerna i säkerhetslösningen och hur säkerhetsgranskning och penetrationstest har utförts.

''Cross domain communication and browser security features''

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

'''2012-03-03 - Jim "@manicode" Manico till Sverige'''

Jim Manico är på nordisk turné för att bland annat berätta om hur man skyddar sig mot Cross-site scripting. Den 22e mars landar Jim i Göteborg för att 18:00 hålla en presentation i Chalmers kårhus. Det kommer finnas mackor, öl, snacks och dricka. Mer info kommer allt eftersom den blir tillgänglig. Håll också ögonen öppna för Eventbrite-länk.

''Uppdatering 2012-03-12''

Här kommer nu Jims abstract och länken till anmälan via [http://owaspgbg-manico.eventbrite.com/ Eventbrite].

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in '''English'''.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

'''2012-02-27 - Snabbt påkommen säkpub'''

Vi tänkte att vi skulle avrunda februari med en tämligen snabbt påkommen säkpub. Åtminstone någon av oss i boardet kommer finnas på [http://olrepubliken.se Ölrepubliken] under denna veckas torsdagskväll (29e februari, alltså) om någon vill titta in en stund. Tilläggas kan att det ryktas om att ett öl kallat Ctrl Alt Delete (jodå, ni läste rätt) skall finnas i lokalen under sagda torsdagskväll. Väl mött!

'''2012-02-25 - Missa inte dev:mobile'''

En utvecklarkonferens för mobilutveckling ([http://devmobile.se dev:mobile]) kommer att gå av stapeln i Göteborg den 12e juni. Säkerligen har några av er börjat fundera kring säkerhetsproblem för mobila applikationer och har ni något intressant och/eller spännande att dela med er av skulle jag rekommendera att ni skickar in ert abstract till info@devmobile.se före 16 mars. Som inspiration kan ni titta på [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] och dess relaterade sidor.

'''2012-02-06 - Öppningsceremoni för Software Center'''

Den förträfflige säkerhetsforskaren Andrei Sabelfeld bad mig att meddela den intresserade communitymedlemmen (japp, det är Du) att Software Center officiellt öppnar på tisdagen den 14e februari. Arrangören har dessutom haft den goda smaken att välja Kuggen på Lindholmen för ceremonin. Dessutom utlovas både tal och poster presentationer av intressant och aktuell forskning. Kort sagt, det finns ingen anledning att inte gå dit. Här kommer [http://www.lindholmen.se/en/node/22046 länken]. Vi ses där!

'''2012-01-17 - Communityhack'''

Nu går det bra att anmäla sig till OWASP Göteborgs communityhack som går av stapeln 18e februari på Chalmers. Mer info hittar ni på [http://communityhack-feb-2012.eventbrite.com/ Eventbrite], där ni även kan anmäla er. Vi ses där!

''Uppdatering 2012-02-12''

Adressen är Rännvägen 4. Följ [https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=r%C3%A4nnv%C3%A4gen+4,+g%C3%B6teborg,+sverige&aq=&sll=57.687406,11.979418&sspn=0.051477,0.154324&vpsrc=0&ie=UTF8&hq=&hnear=R%C3%A4nnv%C3%A4gen+4,+412+58+G%C3%B6teborg,+Sweden&ll=57.688311,11.97808&spn=0.006434,0.01929&t=m&z=16&iwloc=A denna länk] för att hitta dit.

Det kommer finnas en person på plats för att släppa in er från ca 08:45.

''Uppdatering 2012-01-30''

Det är nu klart att det serveras frukost på communityhacket.

''Uppdatering 2012-01-27''

Tusen tack [[File:Omegapoint_logo.png|100px]] som står för pizza och dricka. Vill ditt företag också synas på denna sida så kontakta någon av oss. Epostadresserna finns ovan.

Vill du skylta med ditt kommande projekt inför communityhacket redan nu? Gå in på [http://www.insto.org/communityhack/index.php/Main_Page Projektwikisidan] och lägg in era förslag. Ett par förslag har redan ramlat in!

'''2012-01-17 - Så där ja!'''

Då har vi bokat Erlend Oftedal (@webtonull) till vårt april-event. Sök på Erlend så ser ni själva vilken kanonbokning vi gjort!

I skuggan av detta har vi dessutom bekräftat lokal till vårt communityhack. Lunchrummet på 7e våningen i D&IT-huset på Chalmers. Tack Chalmers och D&IT!

'''2012-01-16 - Vårens aktiviteter'''

Väl mött!

Vi har, julen till trots, inte riktigt bara legat på sofflocket och slöat. Vi har flera aktiviteter på gång. Bland annat kommer Jim Manico(!) på Norden-turné och OWASP Göteborg kommer att arrangera en presentationskväll med Jim längre fram i mars!
Inte nog med det. Ett communityhack kommer att gå av stapeln i mitten på februari. Hacket kommer hållas på Chalmers, mycket sannolikt i D&ITs förträffliga lunchrum på 7e våningen. Inte fy skam alls!

Till allt detta kommer en ordinare presentationskväll i april och som om inte allt detta är nog går ryktet att en mycket känd och otroligt spännande säkerhetsforskare kommer befinna sig i Sverige längre fram i vår. Givetvis kommer OWASP att göra sitt yttersta för att blanda sig i detta besök och kanalisera det ut till Er!

Stay tuned!

'''2011-11-04 - Ett par små uppdateringar'''

Riktigt kul igår! Har man grymma talare, intressanta diskussioner och 55 personer i lokalen. Då är det rätt svårt att misslyckas...

Slides från gårdagens träff kommer att publiceras här så fort de blir tillgängliga.

Nästa träff är ett community hack, preliminärt schemalagt till 18-19 februari. Community-hacket skiljer sig från de presentations-orienterade kvällsträffarna. Här dyker du upp med din laptop, penna, papper och möjligen en påse ideer som du funderat över. Sen hackar vi loss så mycket vi orkar och ser vart det slutar! Tänk på att det finns inget som säger att du måste koda php, linuxmoduler eller regexpar för att få utbyte. Har du nån kul ide om ett alternativt sätt att genomföra en hotmodellering eller vill testa hur ZAP fungerar är det fritt fram.

För att genomföra denna träff skull vi behöva Er hjälp. Vi behöver en '''samarrangör''' och '''en eller flera sponsorer'''. Känner du att just ditt företag skulle vara intresserad av att ställa upp, kontakta oss. Tillförordnad general för detta event är Erik (erik.brannstrom@gmail.com).

'''2011-10-18 - Meeting outline for November 3rd'''

17:00 - 17:30 Startup mingle with food and some drinks

17:30 - 17:45 Community update

17:45 - 18:30 OWASP Hatkit (presented in English)

18:30 - 18:45 Short break

18:45 - 19:45 DOMinator (presented in English)

[19:45 - 20:30 After event mingle]

Lets have a beer or two and talk security!

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 19:30, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''Talarinformation/Presenter information'''

''Martin Holst Swende''

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Martin's slides: [[Media:Martin_Swende-Hatkit_Owasp-Gothenburg.pdf|OWASP Hatkit]]

''Stefano Di Paola''

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

Stefano's slides: [[Media:AnalyzingDOMXssWithDOMinator.pdf| DOMinator]]

'''2011-10-14 - OWASP Göteborg den 3e november - uppdatering'''

Nu är sponsor fixad och vi har någonstans att vara och mat att äta! Nu finns det alltså INGA hinder för att anmäla er. Kom ihåg, först till kvarn gäller även denna gång! Mötet kommer denna gång att hållas helt på engelska/the meeting will be held in its entirety in English och innehåller presentationer av Stefano Di Paola och Martin Holst Swende.

Mötet kommer denna gång att sponsras av Adecco IT & Engineering och hållas på Götgatan 11, 41105 Göteborg (mitt i Nordstan). Mötet startar 17:00 och slutar runt 20:00, följt av öl och mingel. För att anmäla dig till mötet ber vi dig besöka/To sign up for the event, please visit [http://owaspgbg-nov2011.eventbrite.com/ Eventbrite].

'''2011-09-17 - OWASP Göteborg den 3e november'''

Vi har spikat datum för nästa träff till den tredje november. Denna träff kommer innehålla presentationer av Stefano Di Paola och Martin Holst Swende. Vi jagar för närvarande sponsorer och har därför ingen plats bestämd än. Är Ditt företag intresserat av att sponsra en denna träff är ni välkomna att höra av er till Ulf eller Mattias!

Att vi inte har någon plats än skall dock inte få förhindra någon att anmäla sig, så det är bara att sätta igång. Anmälningsformuläret finns [http://owaspgbg-nov2011.eventbrite.com/ här].

'''2011-09-17 - Ännu ett wow!'''

Vi har det stora nöjet att presentera vår andra spikade talare för vår nästa träff! Denna person är ingen mindre än Martin Holst Swende. Martin har utvecklat verktyget OWASP Hatkit och även presenterat detta på DEFCON 19 i år. Martin har utlovat en demobaserad presentation som garanterat kommer att bli både spännande och lärorik! Därav ännu ett wow!

'''Nästa träff + wow!'''

Det ser ut som om vi har spikat första talaren till nästa träff (tack Jonas!). Denna person är ingen mindre än Stefano Di Paola, a.k.a WisecWisec, a.k.a mannen bakom DOMinator. Därav wow!

Det lutar också åt att nästa träff kommer att hållas den tredje november. Mer information kommer allt eftersom. Stay tuned och prelboka upp tredje november för OWASP-träff redan nu!

'''Presentationsmaterial'''

Presentationsmaterial kommer att länkas till från denna sida i anslutning till våra träffar.

'''OWASP Gothenburg web site goes Swedish + surprise!'''

OWASP Göteborgs webbsida (den här alltså) kommer från idag att i huvudsak vara på svenska. Vi vänder oss till största del till svensktalande och har därför valt att använda svenska som språk. Det innehåll som redan fanns på sidan (före 11 augusti 2011) kommer att fortsätta vara på engelska. Viss generell information kommer att översättas.

Överraskning! OWASP Göteborg kommer att göra en kort videoinspelning där vi skickar "en hälsning från Göteborgskapitlet". Denna hälsning, tillsammans med hälsningar från andra kapitel kommer att visas upp på OWASP AppSecUSA senare i höst. Själva överraskningen består i att vi har tänkt att spela in videosnutten under vårt möte den 25e augusti. Detta innebär också att alla som deltar på mötet också får vara med och medverka i hälsningsvideon. De ni ;-)

'''OWASP Gothenburg Meeting, August 25 2011''', '''Welcome to Owasp Gothenburg''' + '''Owasp top ten w/ demo''' + '''Webappsec from a programming language perspective'''

'''Meeting agenda'''

''17:00 - 17:30, Welcome and sandwiches''

''17:30 - 17:45, OWASP Gothenburg Local Chapter - who are we, what do we do?''

Introduction to the Gothenburg chapter, co-Leaders and Board-members, and the vision for making Gothenburg to a more interesting place for people interested in security.

<br> ''17:45 - 18:45, OWASP Top 10 - DEMO''

Per Josefsson and Ulf Larson walks through the latest version of the top list and demonstrates a few of the attacks.

OWASP Top 10 is a list of the ten most dangerous threats with respect to application security. The latest version is from 2010 and the next version is expected during 2013.

Pers slides: [[Media:Per_Josefsson_OWASP_Topp_Tio_20110825.ppt|OWASP Top Ten]]

''18:45 - 19:00, Short break''

''19:00 - 19:30, Web application security from a programming language perspective''

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Jonas slides: [[Media:Jonas_Magazinius_OWASP_Appsec_Proglang_20110825.pptx|A Language-based Perspective on Web Application Security]]

''19:30 - 20:30, Beer''

[http://www.omegapoint.se Omegapoint] are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit [http://owaspgbg-aug2011.eventbrite.com/ this] site.

<br>

'''July 4th, 2011 - OWASP-Gothenburg opens!'''

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

== Deltagande ==

OWASP Foundation is a professional association of global members and is and open to anyone interested in learning more about application security. Local chapters are run independently and governed by the following [[Chapter Leader Handbook]]. As a [http://www.owasp.org/index.php/About_OWASP 501(c)(3)] non-profit professional association your support and sponsorship of a meeting venue and/or refreshments is tax-deductible. Financial contributions should be made online using the online chapter donation button. To be a '''SPEAKER''' at ANY OWASP Chapter in the world simply review the [http://www.owasp.org/index.php/Speaker_Agreement speaker agreement] and then contact the local chapter leader with details of what [http://www.owasp.org/index.php/Category:OWASP_Project OWASP PROJECT], independent research or related software security topic you would like to present on.

<paypal>Gothenburg</paypal>

'''<center>[http://lists.owasp.org/mailman/listinfo/owasp-sweden Klicka här för att gå med i din lokalavdelnings mailinglista]</center>'''



Anmäl Er gärna till vår mailinglista. '''Notera''' dock att när du anmäler dig kommer du att anmäla dig till OWASP ''Sweden''-listan och inte ''Gothenburg''-listan. Detta beror på att Göteborgs och Sverige-kapitlen tillsammans har bestämt oss för att endast använda en lista.

Vem som helst är välkommen till våra möten (det enda som krävs för deltagande är att du har gått med i OWASP Sweden-mailinglistan). Är du intresserad av att hjälpa till eller har förslag på spännande och intressanta föredrag och/eller talare är du välkommen att kontakta oss.

== OWASP Sverige-bloggen ==

För längre nyhetsinlägg och rapporter från konferenser och annat hänvisar vi till [http://owaspsweden.blogspot.com/ OWASP Sverige-bloggen].

== OWASP Göteborgs vision ==

OWASP Göteborgs vision är att väcka intresse för och sprida kunskap om hur man bygger säkra mjukvarusystem. Den är att tillhandahålla en balanserad mix av de senaste rönen inom akademisk säkerhetsforskning (spets och framkant), etablerade säkerhetstekniker och designprinciper för direkt tillämpning (bredd och mogenhet). De viktigaste elementen i konstruktionen av säkra applikationer är design och utvecklingsmetodik. OWASP Göteborg skall därför bidra till att öka säkerhetstänkandet hos programvaruutvecklare.

OWASP Göteborg når ut till utvecklare, projektledare och säkerhetspersoner genom att erbjuda intressanta föredrag och demonstrationer kring säkerhet - både i stort och i smått. Communityhack-dagar, mingel, inhemska och utländska talare profilerar oss som en seriös aktör som erbjuder intresserade en mötesplats där de kan träffa likasinnade, utbyta idéer samt diskutera de senaste inom området.

[[Category:OWASP_Chapter]] [[Category:Sweden]] [[Category:Gothenburg]]