OWASP - User contributions [en]

Leeds UK

2010-11-21T22:34:05Z

Simon Bennetts:

{{Chapter Template|chaptername=Leeds UK|extra=

This is a new chapter and we are looking for enthusiatic new members to make this one of the best OWASP chapters. We are hoping to accumalate a good proportion of subject matter experts who will in turn be able to provide guidance and presentations for the benefit of all chapter members. So please join the mailing list and contribute.

Details of your chapter Board members can be found here [[Leeds_UK_chapter_leaders]]

The chapter email address is [mailto:owaspleeds@gmail.com owaspleeds@gmail.com]

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Leeds_UK|emailarchives=http://lists.owasp.org/pipermail/owasp-Leeds_UK}}

<paypal>Leeds_UK</paypal>

== 2011 Planned Meetings ==

March

June

September

December

== Next Meeting ==
'''Date:''' Wednesday 8th December in Manchester

'''Location:''' To be announced

'''Schedule: 18:00 for 18:15 start'''

'''18:20 - 18:30'''

OWASP Chapter introduction. OWASP values and membership. Chapter information.

''Jason Alexander - OWASP Leeds/Northern Chapter Board Member''

'''18:30 - 19:15'''

upSploit - Vulnerability Advisory Solution

''Thomas Mackenzie''

Over the past year a lot of vulnerabilities have been released out into the wild and a lot of discussion has been had on what ethical disclosure is. upSploit is an online web application / tool that can be used by researchers to release vulnerabilities as ethically as possible.

The talk consists of a number of parts including: Information on vulnerability disclosure before upSploit was around, the creation / idea of upSploit and how it has helped and is helping the community at the moment.

''Speaker Bio''

Tom studies a BSc (Hons) in Ethical Hacking for Computer Security at Northumbria University in Newcastle and worked part time for Wetherby based company RandomStorm conducting Web Penetration testing, External Penetration testing and building wireless analysis solutions. Tom found a vulnerability in WordPress back in February 2010 which helped him kickstart his career in infosec whilst still studying. Previously the Co-host of popular UK student podcast Disaster Protocol Tom now spend all the time away from that on the upSploit project making sure his team get stuff done!

'''19:15 - 20:00'''

Avoiding the CWE/SANS Top 25 Most Dangerous Programming Errors

''Jason Steer - Solution Architect at Veracode''

The CWE/SANS list of the Top 25 Most Dangerous Programming Errors is becoming the standard for developing secure applications in large enterprises. Even the State of New York and the Depository Trust & Clearing Corporation (DTCC) plan to implement procurement contracts that include language mandating application security. Whether you manage internal development activities, work with third party developers or are developing commercial-of-the-shelf (COTS) applications for enterprises, your mandate is clear- safeguard your code and avoid the CWE/SANS Top 25 Most Dangerous Programming Errors.

During this presentation, Jason will discuss:

Prevalence of attacks using vulnerabilities listed in the CWE/SANS Top 25

CWE categories illustrated with code snippets in .NET, Java, and other languages

Impact of attacks on your application and your customers

Methods to identify, track and remediate these vulnerabilities

Session attendees will leave armed with the necessary steps to ensure that they’re building secure applications.

'''20:00 - 20:45'''

OWASP Zed Attack Proxy

''Simon Bennetts - Project Lead and technical team lead at Sage UK''

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who a new to penetration testing.

In this presentation Simon will explain why it was released, who it is aimed at and where it is headed.

== Past Events ==

'''2010 Dates'''

[[15th_September_Leeds]]

[[16th_june_Leeds]]

[[17th March - Leeds]]

'''2009 Dates'''

[[14th October 2009 - Leeds]]

[[Category:United Kingdom]]

Talk:HttpOnly

2010-06-18T13:41:38Z

Simon Bennetts:

== Tomcat configuration ==

Tomcat versions from 5.5.28 and 6.0.19 support the HttpOnly cookie option.

This is configured in the conf/context.xml file:

<Context useHttpOnly="true">
...
</Context>
[[User:Simon Bennetts|Simon Bennetts]] 14:40, 18 June 2010 (UTC)

Talk:Securing tomcat

2010-06-18T13:40:58Z

Simon Bennetts:

== InvokerServlet ==
There needs to be an addendum in here about disabling the InvokerServlet. See my blog entry at [[http://yet-another-dev.blogspot.com/2009/12/this-post-is-especially-for-anyone.html yet-another-dev.blogspot.com]] for details about why this is a bad idea. --[[User:Chris Schmidt|Chris Schmidt]] 22:03, 17 December 2009 (UTC)

== File permissions ==

Hmm, what does "Make sure tomcat user has read/write access to /tmp" mean?

Tomcat creates a directory "temp", not "tmp", and read/write on a directory doesn't actually allow reading or writing. I assume the intention is "chmod 700 temp"... would love if anyone can clarify.
[[User:Douglasheld|Douglasheld]] 18:06, 3 April 2009 (UTC)

== Newer Tomcat branches ==

This page is hopelessly outdated for anyone working with the Tomcat 6 branch. We need to figure out the best way to document security measures for the different supported branches.
[[User:Ken|Ken]] 10:25, 20 March 2009 (UTC)

I've not had call to use Tomcat 6, but in a few months I plan to start experimenting with the embedded version. I don't mind expanding the article to have a section on 6 (and keep the section on 5.5), but I can't contribute anything just yet. My preference would be a single article as it will cut down on duplication. In the meantime, any differences, areas to cover, new features, etc. that others could note down will help speed things up. [[User:Dledmonds|Darren]] 09:11, 26 March 2009 (UTC)

== HttpOnly configuration ==

Tomcat versions from 5.5.28 and 6.0.19 support the HttpOnly [http://www.owasp.org/index.php/HttpOnly] cookie option.

This is configured in the conf/context.xml file:

<Context useHttpOnly="true">
...
</Context>

[[User:Simon Bennetts|Simon Bennetts]] 14:40, 18 June 2010 (UTC)

Talk:HttpOnly

2010-06-18T13:37:04Z

Simon Bennetts: Created page with '== Tomcat configuration == Tomcat versions from 5.5.28 and 6.0.19 support the HttpOnly cookie option. This is configured in the conf/context.xml file: <Context useHttpOnly="t…'

== Tomcat configuration ==

Tomcat versions from 5.5.28 and 6.0.19 support the HttpOnly cookie option.

This is configured in the conf/context.xml file:

<Context useHttpOnly="true">
...
</Context>

Talk:Securing tomcat

2010-06-18T13:36:17Z

Simon Bennetts: