https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Swright75OWASP - User contributions [en]2026-05-29T14:28:00ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Scotland&diff=256647Scotland2020-01-15T21:37:56Z<p>Swright75: Added February's event details</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter OWASP Scotland Google Group]. <br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''PwC '''for hosting our upcoming February 2020 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter Google Group] to be informed of upcoming events.<br />
<br />
=== '''Tuesday, 11 February 2020''' ===<br />
'''Time''': 18:00 - 20:00 BST<br />
<br />
'''Location''': PwC, 144 Morrison Street, Edinburgh, EH3 8EX<br />
<br />
'''Tickets''': Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-2020-tickets-90016877905<br />
<br />
=== Description ===<br />
We are pleased to announce that the first OWASP Scotland Chapter meeting of 2020 will take place on Tuesday the 11th of Feb. Many thanks to PwC, who has kindly offered to host this event for us. They will also be providing pizza and refreshments on the evening.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
=== '''Security Culture and Behaviour - security is still often seen as a technology problem''' ===<br />
'''Speaker''': Louise MacDougall<br />
<br />
This presentation will focus on the culture and behaviours surrounding cyber security and explore the 'People layer' of defence. Louise will discuss how organisations should be approaching cyber security leadership and how they can drive the right security behaviours within their staff. Particular focus will be on the role of senior leadership and behavioural models that can be applied to cyber security.<br />
<br />
=== TBD ===<br />
'''Speaker''': TBD<br />
<br />
TBD<br />
<br />
== Past Events ==<br />
<br />
=== '''Thursday, 21 November 2019''' ===<br />
'''Time''': 18:00 - 20:00 BST<br />
<br />
'''Location''': Deloitte Offices, Saltire Court, 20 Castle Terrace, Edinburgh, EH1 2DB<br />
<br />
Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-november-tickets-78186324401<br />
<br />
=== Description ===<br />
The final OWASP Scotland Chapter meeting of 2019 will take place on Thursday the 21st of November. Many thanks to Deloitte, who has kindly offered to host this event for us. They will also be providing pizza and refreshments on the evening.<br />
<br />
We have two great talks lined up for the OWASP Scotland community with Rob McElvanney on "Red Teaming: Simply the BEST" and Colin Cassidy giving us an insight into the "Adventures in the wacky world of control systems".<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
=== Red Teaming: Simply the BEST ===<br />
'''Speaker''': Rob McElvanney, Deloitte<br />
<br />
Using examples of real world attacks, Associate Director Rob McElvanney will discuss lessons learned from recent Red Team exercises, particularly within the CBEST and GBEST frameworks. This session will illustrate some of the methods used by advanced actors to achieve access, allowing them a foothold for lateral movement and privilege escalation. The session will also explore how organisations can improve their chances of defending against such adversaries.<br />
<br />
=== Adventures in the wacky world of control systems ===<br />
'''Speaker''': Colin Cassidy<br />
<br />
This talk is a grab bag of different ICS topics to give people a flavours of the challenges being faced. The focus will be primarily on the energy industry, but other ICS and critical infrastructure faces similar issues. We will briefly discuss control system changes over time, what caused those changes, what improvements (or not) that they brought. We will cover some real life findings and thoughts from the field, this will include some odd findings, commonly seen issues, and how mistakes can cause surprisingly kinetic problems!<br />
<br />
More positively there are solutions and improvements, but a one-size-fits-all solution does not tend to work, even when dealing with very similar sites.<br />
<br />
Bio: Colin Cassidy (@parttimesecguy) used to be a software engineer at GE for 15 years working on their Distribution Management System (DMS). He is currently atoning for all his software development sin as a senior security consultant with IOActive. Colin has performed a number of security audits for ICS operators including one of the UKs largest Distribution Network Operators, several windfarms, container ships, shipping terminals, and AMI/smart meter infrastructure. Colin has also presented and Blackhat and Defcon on vulnerabilities found in Industrial Ethernet Switches. In his spare time, he searches for spare time.<br />
<br />
=== Thursday, 12 September 2019 ===<br />
'''Time''': 18:00 – 20:00 BST<br />
<br />
'''Location''': Ernst & Young, 144 Morrison Street, Edinburgh, EH3 8EX<br />
<br />
'''Tickets''': Tickets are available on EventBrite (https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-september-tickets-66503743487)<br />
<br />
==== Weaknesses in Software Supply Chains ====<br />
'''Speaker''': Sean Wright<br />
<br />
Software development today is a far cry from software development from yesteryear. Gone are the days of developing something from the ground up. Software development now involves “stitching together” numerous libraries and frameworks together to develop the desired system/application. We are now dependent on 3rd party vendors and providers now, more than ever before. This has greatly help to aid the generation of rapid development. However, this helped to introduce a new, and often overlooked problem, weakness introduced by these libraries. Why would an attacker spend significant effort and time trying to break through the front door of an organisation, when they can instead open a backdoor for themselves?<br />
<br />
The purpose of this talk is to raise awareness for the potential problem, with some recommendations of tools and approaches which could help. Discussing past examples where backdoors have been placed into libraries, as well as discussing some of the difficulties to keeping libraries up to date.<br />
<br />
==== EY Global Information Security Survey Results ====<br />
'''Speaker''': Shriparna Ghosh<br />
<br />
EY runs a Global Information Security Survey (GISS) every year. Responses were collected from over 60 countries representing all industry sectors with more than 1400 participants.<br />
<br />
After a year in which organisations have been rocked by a series of large-scale cybersecurity breaches and ongoing recriminations over state-sponsored interventions, EY’s Global Information Security Survey shows which areas were the key areas of focus or areas of investment for various sectors. It also outlines the top trends in the cyber world from a global perspective.<br />
<br />
=== Thursday, 9 May 2019 ===<br />
'''Time''': 18:00 – 20:00 BST<br />
<br />
'''Location''': PwC, 144 Morrison Street, Edinburgh, EH3 8EX<br />
<br />
'''Tickets''': Tickets are available on EventBrite (https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-59785884189)<br />
<br />
==== Deception, Confusion, Mistrust: Attacks and Defences ====<br />
'''Speaker''': Matt Wixey<br />
<br />
This talk will cover 2 topics. The first focuses on Remote Online Social Engineering (ROSE), an emerging long-term attack vector deployed by threat actors to build trust and rapport with targeted users in order to gain access to business networks. I'll provide an outline of attackers' methodologies, why they would want to deploy them, some case studies, and countermeasures. The second is a light-hearted look at ways in which defenders can confuse, deceive, or frustrate attackers on a compromised honeypot or other host, with an emphasis on practical implementation. I'll examine some historic ways in which this has been done, along with some case studies, and then present some new methods I've come up with, with a few demos.<br />
<br />
'''Bio'''<br />
<br />
Matt leads technical research for the PwC Cyber Security practice in the UK, and is a PhD candidate at University College London. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security.<br />
<br />
==== Why Security-as-a-Feature Will Never Happen ====<br />
'''Speaker''': Lawrence Munro<br />
<br />
In a fairly dystopian view of our Cyber future, this talk discusses the reasons why we still haven't been able to include security as a design feature in applications.This talk goes into detail around the issues with human nature, education, financial requirements and laziness that contribute to the generally grim state of 'cyber' security.<br />
<br />
As a security community (especially in Penetration testing), we’re very quick to throw mud and laugh at developers who’re not writing secure code. We also like to tell ourselves about new security issues and keep our learning within the community (as that's where we seek / receive the most praise). We should turn our view externally and reflect on information that we make available and how who we lobby to make positive changes. We simply don't teach people security early enough and position it as an essential design feature when people learn their trade. The general premise of the topic is that as an industry we know that one of the key challenges is that security needs to be 'baked in' at the design level. However, when we are taught the rudiments of Information Technology, security is not inherent or considered. The fundamental lack of security rubrics in education during key learning milestones means that security will always be an afterthought, or the domain of the specialist. If we're not addressing security at this level and providing the masses with a proper education, we'll never win the battle, let alone the war. In my opinion, the fault resides with those providing information to those seeking to learn. Specifically: Universities, Colleges, vendors, commercial providers, your friend Dave from school, authors and anyone who showed their friends how to customise their page on MySpace.com in the early 2000's. In order to validate my assertions, I have audited the occurrence of secure coding learning (at to respective top 25 UK / US universities) in undergraduate software engineering degrees (by module). I have also performed a similar evaluation on commercial offerings and looked at some of the most popular introductory books. I use this secondary data along with my own views to demonstrate the current failures of the industry and propose approaches to remedy this issue.<br />
<br />
'''Bio'''<br />
<br />
Lawrence Munro is the Worldwide VP of SpiderLabs, a Post-Graduate Student at Oxford University and Director for B-Sides London. My research (and presentation topics) are varied, but often include: red teaming, education in InfoSec and weird side-projects. Lawrence has previously presented his thoughts and research at: Black Hat USA 2018, DEFCON 2017, 44CON 2018, RootCon 2017, B-Sides (Various), ToorCon San Diego 2015.<br />
<br />
=== Thursday, 21 February 2019 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One (Level 4), 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
We have two great speakers kicking off 2019 for us.<br />
<br />
Tickets available here: [https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-tickets-55989107929 https://owasp-scotland-november.eventbrite.co.uk]<br />
<br />
Many thanks to FanDuel for hosting this event.<br />
<br />
==== Seeing what is not there: searching in Windows paths ====<br />
''Speaker'': Margus Lind, Context IS<br />
<br />
Windows – designed to make training materials self-improve.<br />
<br />
During a recent Windows breakout and privilege escalation training session we stumbled upon several new instances of exploits. While the underlying principles are well known, it is shocking to see such weaknesses exploitable out of the box, even on the latest Windows 10 RS5.<br />
<br />
Firstly, the presentation will give a brief overview of the way Windows searches for required commands and DLLs. This will be followed by some practical examples of how it can be exploited to escalate privileges and bypass UAC.<br />
<br />
Overall, we’ll see that while Windows makes an ever improving attempt at security features, the spaghetti bowl of legacy features and behaviours remains rather entertaining...<br />
<br />
==== A view of the threat landscape ====<br />
''Speaker'': Don Smith, Secureworks<br />
<br />
Using examples of real world attacks, Senior Director Don Smith will discuss lessons learned from recent incidents involving determined and persistent adversaries. This session will illustrate the methods used by advanced actors to avoid detection and consolidate their access in compromised environments. The session will also explore how security teams can improve their chances of defending against such adversaries, pragmatic advice with the odd reality check. <br />
<br />
=== Thursday, 15 November 2018 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=255702Scotland2019-10-24T19:55:53Z<p>Swright75: /* Acknowledgements */</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter OWASP Scotland Google Group]. <br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''Delloite''' for hosting our upcoming November 2019 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter Google Group] to be informed of upcoming events.<br />
<br />
=== '''Thursday, 21 November 2019''' ===<br />
'''Time''': 18:00 - 20:00 BST<br />
<br />
'''Location''': Deloitte Offices, Saltire Court, 20 Castle Terrace, Edinburgh, EH1 2DB<br />
<br />
Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-november-tickets-78186324401<br />
<br />
=== Description ===<br />
The final OWASP Scotland Chapter meeting of 2019 will take place on Thursday the 21st of November. Many thanks to Deloitte, who has kindly offered to host this event for us. They will also be providing pizza and refreshments on the evening.<br />
<br />
We have two great talks lined up for the OWASP Scotland community with Rob McElvanney on "Red Teaming: Simply the BEST" and Colin Cassidy giving us an insight into the "Adventures in the wacky world of control systems".<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
=== Red Teaming: Simply the BEST ===<br />
'''Speaker''': Rob McElvanney, Deloitte<br />
<br />
Using examples of real world attacks, Associate Director Rob McElvanney will discuss lessons learned from recent Red Team exercises, particularly within the CBEST and GBEST frameworks. This session will illustrate some of the methods used by advanced actors to achieve access, allowing them a foothold for lateral movement and privilege escalation. The session will also explore how organisations can improve their chances of defending against such adversaries.<br />
<br />
=== Adventures in the wacky world of control systems ===<br />
'''Speaker''': Colin Cassidy<br />
<br />
This talk is a grab bag of different ICS topics to give people a flavours of the challenges being faced. The focus will be primarily on the energy industry, but other ICS and critical infrastructure faces similar issues. We will briefly discuss control system changes over time, what caused those changes, what improvements (or not) that they brought. We will cover some real life findings and thoughts from the field, this will include some odd findings, commonly seen issues, and how mistakes can cause surprisingly kinetic problems!<br />
<br />
More positively there are solutions and improvements, but a one-size-fits-all solution does not tend to work, even when dealing with very similar sites.<br />
<br />
Bio: Colin Cassidy (@parttimesecguy) used to be a software engineer at GE for 15 years working on their Distribution Management System (DMS). He is currently atoning for all his software development sin as a senior security consultant with IOActive. Colin has performed a number of security audits for ICS operators including one of the UKs largest Distribution Network Operators, several windfarms, container ships, shipping terminals, and AMI/smart meter infrastructure. Colin has also presented and Blackhat and Defcon on vulnerabilities found in Industrial Ethernet Switches. In his spare time, he searches for spare time.<br />
<br />
== Past Events ==<br />
<br />
=== Thursday, 12 September 2019 ===<br />
'''Time''': 18:00 – 20:00 BST<br />
<br />
'''Location''': Ernst & Young, 144 Morrison Street, Edinburgh, EH3 8EX<br />
<br />
'''Tickets''': Tickets are available on EventBrite (https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-september-tickets-66503743487)<br />
<br />
==== Weaknesses in Software Supply Chains ====<br />
'''Speaker''': Sean Wright<br />
<br />
Software development today is a far cry from software development from yesteryear. Gone are the days of developing something from the ground up. Software development now involves “stitching together” numerous libraries and frameworks together to develop the desired system/application. We are now dependent on 3rd party vendors and providers now, more than ever before. This has greatly help to aid the generation of rapid development. However, this helped to introduce a new, and often overlooked problem, weakness introduced by these libraries. Why would an attacker spend significant effort and time trying to break through the front door of an organisation, when they can instead open a backdoor for themselves?<br />
<br />
The purpose of this talk is to raise awareness for the potential problem, with some recommendations of tools and approaches which could help. Discussing past examples where backdoors have been placed into libraries, as well as discussing some of the difficulties to keeping libraries up to date.<br />
<br />
==== EY Global Information Security Survey Results ====<br />
'''Speaker''': Shriparna Ghosh<br />
<br />
EY runs a Global Information Security Survey (GISS) every year. Responses were collected from over 60 countries representing all industry sectors with more than 1400 participants.<br />
<br />
After a year in which organisations have been rocked by a series of large-scale cybersecurity breaches and ongoing recriminations over state-sponsored interventions, EY’s Global Information Security Survey shows which areas were the key areas of focus or areas of investment for various sectors. It also outlines the top trends in the cyber world from a global perspective.<br />
<br />
=== Thursday, 9 May 2019 ===<br />
'''Time''': 18:00 – 20:00 BST<br />
<br />
'''Location''': PwC, 144 Morrison Street, Edinburgh, EH3 8EX<br />
<br />
'''Tickets''': Tickets are available on EventBrite (https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-59785884189)<br />
<br />
==== Deception, Confusion, Mistrust: Attacks and Defences ====<br />
'''Speaker''': Matt Wixey<br />
<br />
This talk will cover 2 topics. The first focuses on Remote Online Social Engineering (ROSE), an emerging long-term attack vector deployed by threat actors to build trust and rapport with targeted users in order to gain access to business networks. I'll provide an outline of attackers' methodologies, why they would want to deploy them, some case studies, and countermeasures. The second is a light-hearted look at ways in which defenders can confuse, deceive, or frustrate attackers on a compromised honeypot or other host, with an emphasis on practical implementation. I'll examine some historic ways in which this has been done, along with some case studies, and then present some new methods I've come up with, with a few demos.<br />
<br />
'''Bio'''<br />
<br />
Matt leads technical research for the PwC Cyber Security practice in the UK, and is a PhD candidate at University College London. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security.<br />
<br />
==== Why Security-as-a-Feature Will Never Happen ====<br />
'''Speaker''': Lawrence Munro<br />
<br />
In a fairly dystopian view of our Cyber future, this talk discusses the reasons why we still haven't been able to include security as a design feature in applications.This talk goes into detail around the issues with human nature, education, financial requirements and laziness that contribute to the generally grim state of 'cyber' security.<br />
<br />
As a security community (especially in Penetration testing), we’re very quick to throw mud and laugh at developers who’re not writing secure code. We also like to tell ourselves about new security issues and keep our learning within the community (as that's where we seek / receive the most praise). We should turn our view externally and reflect on information that we make available and how who we lobby to make positive changes. We simply don't teach people security early enough and position it as an essential design feature when people learn their trade. The general premise of the topic is that as an industry we know that one of the key challenges is that security needs to be 'baked in' at the design level. However, when we are taught the rudiments of Information Technology, security is not inherent or considered. The fundamental lack of security rubrics in education during key learning milestones means that security will always be an afterthought, or the domain of the specialist. If we're not addressing security at this level and providing the masses with a proper education, we'll never win the battle, let alone the war. In my opinion, the fault resides with those providing information to those seeking to learn. Specifically: Universities, Colleges, vendors, commercial providers, your friend Dave from school, authors and anyone who showed their friends how to customise their page on MySpace.com in the early 2000's. In order to validate my assertions, I have audited the occurrence of secure coding learning (at to respective top 25 UK / US universities) in undergraduate software engineering degrees (by module). I have also performed a similar evaluation on commercial offerings and looked at some of the most popular introductory books. I use this secondary data along with my own views to demonstrate the current failures of the industry and propose approaches to remedy this issue.<br />
<br />
'''Bio'''<br />
<br />
Lawrence Munro is the Worldwide VP of SpiderLabs, a Post-Graduate Student at Oxford University and Director for B-Sides London. My research (and presentation topics) are varied, but often include: red teaming, education in InfoSec and weird side-projects. Lawrence has previously presented his thoughts and research at: Black Hat USA 2018, DEFCON 2017, 44CON 2018, RootCon 2017, B-Sides (Various), ToorCon San Diego 2015.<br />
<br />
=== Thursday, 21 February 2019 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One (Level 4), 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
We have two great speakers kicking off 2019 for us.<br />
<br />
Tickets available here: [https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-tickets-55989107929 https://owasp-scotland-november.eventbrite.co.uk]<br />
<br />
Many thanks to FanDuel for hosting this event.<br />
<br />
==== Seeing what is not there: searching in Windows paths ====<br />
''Speaker'': Margus Lind, Context IS<br />
<br />
Windows – designed to make training materials self-improve.<br />
<br />
During a recent Windows breakout and privilege escalation training session we stumbled upon several new instances of exploits. While the underlying principles are well known, it is shocking to see such weaknesses exploitable out of the box, even on the latest Windows 10 RS5.<br />
<br />
Firstly, the presentation will give a brief overview of the way Windows searches for required commands and DLLs. This will be followed by some practical examples of how it can be exploited to escalate privileges and bypass UAC.<br />
<br />
Overall, we’ll see that while Windows makes an ever improving attempt at security features, the spaghetti bowl of legacy features and behaviours remains rather entertaining...<br />
<br />
==== A view of the threat landscape ====<br />
''Speaker'': Don Smith, Secureworks<br />
<br />
Using examples of real world attacks, Senior Director Don Smith will discuss lessons learned from recent incidents involving determined and persistent adversaries. This session will illustrate the methods used by advanced actors to avoid detection and consolidate their access in compromised environments. The session will also explore how security teams can improve their chances of defending against such adversaries, pragmatic advice with the odd reality check. <br />
<br />
=== Thursday, 15 November 2018 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=255701Scotland2019-10-24T19:51:28Z<p>Swright75: November event added</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter OWASP Scotland Google Group]. <br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''Ernst & Young''' for hosting our upcoming September 2019 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter Google Group] to be informed of upcoming events.<br />
<br />
=== '''Thursday, 21 November 2019''' ===<br />
'''Time''': 18:00 - 20:00 BST<br />
<br />
'''Location''': Deloitte Offices, Saltire Court, 20 Castle Terrace, Edinburgh, EH1 2DB<br />
<br />
Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-november-tickets-78186324401<br />
<br />
=== Description ===<br />
The final OWASP Scotland Chapter meeting of 2019 will take place on Thursday the 21st of November. Many thanks to Deloitte, who has kindly offered to host this event for us. They will also be providing pizza and refreshments on the evening.<br />
<br />
We have two great talks lined up for the OWASP Scotland community with Rob McElvanney on "Red Teaming: Simply the BEST" and Colin Cassidy giving us an insight into the "Adventures in the wacky world of control systems".<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
=== Red Teaming: Simply the BEST ===<br />
'''Speaker''': Rob McElvanney, Deloitte<br />
<br />
Using examples of real world attacks, Associate Director Rob McElvanney will discuss lessons learned from recent Red Team exercises, particularly within the CBEST and GBEST frameworks. This session will illustrate some of the methods used by advanced actors to achieve access, allowing them a foothold for lateral movement and privilege escalation. The session will also explore how organisations can improve their chances of defending against such adversaries.<br />
<br />
=== Adventures in the wacky world of control systems ===<br />
'''Speaker''': Colin Cassidy<br />
<br />
This talk is a grab bag of different ICS topics to give people a flavours of the challenges being faced. The focus will be primarily on the energy industry, but other ICS and critical infrastructure faces similar issues. We will briefly discuss control system changes over time, what caused those changes, what improvements (or not) that they brought. We will cover some real life findings and thoughts from the field, this will include some odd findings, commonly seen issues, and how mistakes can cause surprisingly kinetic problems!<br />
<br />
More positively there are solutions and improvements, but a one-size-fits-all solution does not tend to work, even when dealing with very similar sites.<br />
<br />
Bio: Colin Cassidy (@parttimesecguy) used to be a software engineer at GE for 15 years working on their Distribution Management System (DMS). He is currently atoning for all his software development sin as a senior security consultant with IOActive. Colin has performed a number of security audits for ICS operators including one of the UKs largest Distribution Network Operators, several windfarms, container ships, shipping terminals, and AMI/smart meter infrastructure. Colin has also presented and Blackhat and Defcon on vulnerabilities found in Industrial Ethernet Switches. In his spare time, he searches for spare time.<br />
<br />
== Past Events ==<br />
<br />
=== Thursday, 12 September 2019 ===<br />
'''Time''': 18:00 – 20:00 BST<br />
<br />
'''Location''': Ernst & Young, 144 Morrison Street, Edinburgh, EH3 8EX<br />
<br />
'''Tickets''': Tickets are available on EventBrite (https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-september-tickets-66503743487)<br />
<br />
==== Weaknesses in Software Supply Chains ====<br />
'''Speaker''': Sean Wright<br />
<br />
Software development today is a far cry from software development from yesteryear. Gone are the days of developing something from the ground up. Software development now involves “stitching together” numerous libraries and frameworks together to develop the desired system/application. We are now dependent on 3rd party vendors and providers now, more than ever before. This has greatly help to aid the generation of rapid development. However, this helped to introduce a new, and often overlooked problem, weakness introduced by these libraries. Why would an attacker spend significant effort and time trying to break through the front door of an organisation, when they can instead open a backdoor for themselves?<br />
<br />
The purpose of this talk is to raise awareness for the potential problem, with some recommendations of tools and approaches which could help. Discussing past examples where backdoors have been placed into libraries, as well as discussing some of the difficulties to keeping libraries up to date.<br />
<br />
==== EY Global Information Security Survey Results ====<br />
'''Speaker''': Shriparna Ghosh<br />
<br />
EY runs a Global Information Security Survey (GISS) every year. Responses were collected from over 60 countries representing all industry sectors with more than 1400 participants.<br />
<br />
After a year in which organisations have been rocked by a series of large-scale cybersecurity breaches and ongoing recriminations over state-sponsored interventions, EY’s Global Information Security Survey shows which areas were the key areas of focus or areas of investment for various sectors. It also outlines the top trends in the cyber world from a global perspective.<br />
<br />
=== Thursday, 9 May 2019 ===<br />
'''Time''': 18:00 – 20:00 BST<br />
<br />
'''Location''': PwC, 144 Morrison Street, Edinburgh, EH3 8EX<br />
<br />
'''Tickets''': Tickets are available on EventBrite (https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-59785884189)<br />
<br />
==== Deception, Confusion, Mistrust: Attacks and Defences ====<br />
'''Speaker''': Matt Wixey<br />
<br />
This talk will cover 2 topics. The first focuses on Remote Online Social Engineering (ROSE), an emerging long-term attack vector deployed by threat actors to build trust and rapport with targeted users in order to gain access to business networks. I'll provide an outline of attackers' methodologies, why they would want to deploy them, some case studies, and countermeasures. The second is a light-hearted look at ways in which defenders can confuse, deceive, or frustrate attackers on a compromised honeypot or other host, with an emphasis on practical implementation. I'll examine some historic ways in which this has been done, along with some case studies, and then present some new methods I've come up with, with a few demos.<br />
<br />
'''Bio'''<br />
<br />
Matt leads technical research for the PwC Cyber Security practice in the UK, and is a PhD candidate at University College London. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security.<br />
<br />
==== Why Security-as-a-Feature Will Never Happen ====<br />
'''Speaker''': Lawrence Munro<br />
<br />
In a fairly dystopian view of our Cyber future, this talk discusses the reasons why we still haven't been able to include security as a design feature in applications.This talk goes into detail around the issues with human nature, education, financial requirements and laziness that contribute to the generally grim state of 'cyber' security.<br />
<br />
As a security community (especially in Penetration testing), we’re very quick to throw mud and laugh at developers who’re not writing secure code. We also like to tell ourselves about new security issues and keep our learning within the community (as that's where we seek / receive the most praise). We should turn our view externally and reflect on information that we make available and how who we lobby to make positive changes. We simply don't teach people security early enough and position it as an essential design feature when people learn their trade. The general premise of the topic is that as an industry we know that one of the key challenges is that security needs to be 'baked in' at the design level. However, when we are taught the rudiments of Information Technology, security is not inherent or considered. The fundamental lack of security rubrics in education during key learning milestones means that security will always be an afterthought, or the domain of the specialist. If we're not addressing security at this level and providing the masses with a proper education, we'll never win the battle, let alone the war. In my opinion, the fault resides with those providing information to those seeking to learn. Specifically: Universities, Colleges, vendors, commercial providers, your friend Dave from school, authors and anyone who showed their friends how to customise their page on MySpace.com in the early 2000's. In order to validate my assertions, I have audited the occurrence of secure coding learning (at to respective top 25 UK / US universities) in undergraduate software engineering degrees (by module). I have also performed a similar evaluation on commercial offerings and looked at some of the most popular introductory books. I use this secondary data along with my own views to demonstrate the current failures of the industry and propose approaches to remedy this issue.<br />
<br />
'''Bio'''<br />
<br />
Lawrence Munro is the Worldwide VP of SpiderLabs, a Post-Graduate Student at Oxford University and Director for B-Sides London. My research (and presentation topics) are varied, but often include: red teaming, education in InfoSec and weird side-projects. Lawrence has previously presented his thoughts and research at: Black Hat USA 2018, DEFCON 2017, 44CON 2018, RootCon 2017, B-Sides (Various), ToorCon San Diego 2015.<br />
<br />
=== Thursday, 21 February 2019 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One (Level 4), 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
We have two great speakers kicking off 2019 for us.<br />
<br />
Tickets available here: [https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-tickets-55989107929 https://owasp-scotland-november.eventbrite.co.uk]<br />
<br />
Many thanks to FanDuel for hosting this event.<br />
<br />
==== Seeing what is not there: searching in Windows paths ====<br />
''Speaker'': Margus Lind, Context IS<br />
<br />
Windows – designed to make training materials self-improve.<br />
<br />
During a recent Windows breakout and privilege escalation training session we stumbled upon several new instances of exploits. While the underlying principles are well known, it is shocking to see such weaknesses exploitable out of the box, even on the latest Windows 10 RS5.<br />
<br />
Firstly, the presentation will give a brief overview of the way Windows searches for required commands and DLLs. This will be followed by some practical examples of how it can be exploited to escalate privileges and bypass UAC.<br />
<br />
Overall, we’ll see that while Windows makes an ever improving attempt at security features, the spaghetti bowl of legacy features and behaviours remains rather entertaining...<br />
<br />
==== A view of the threat landscape ====<br />
''Speaker'': Don Smith, Secureworks<br />
<br />
Using examples of real world attacks, Senior Director Don Smith will discuss lessons learned from recent incidents involving determined and persistent adversaries. This session will illustrate the methods used by advanced actors to avoid detection and consolidate their access in compromised environments. The session will also explore how security teams can improve their chances of defending against such adversaries, pragmatic advice with the odd reality check. <br />
<br />
=== Thursday, 15 November 2018 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=254815Scotland2019-09-19T16:45:29Z<p>Swright75: /* Past Events */</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter OWASP Scotland Google Group]. <br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''Ernst & Young''' for hosting our upcoming September 2019 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter Google Group] to be informed of upcoming events.<br />
<br />
== Past Events ==<br />
<br />
=== Thursday, 12 September 2019 ===<br />
'''Time''': 18:00 – 20:00 BST<br />
<br />
'''Location''': Ernst & Young, 144 Morrison Street, Edinburgh, EH3 8EX<br />
<br />
'''Tickets''': Tickets are available on EventBrite (https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-september-tickets-66503743487)<br />
<br />
==== Weaknesses in Software Supply Chains ====<br />
'''Speaker''': Sean Wright<br />
<br />
Software development today is a far cry from software development from yesteryear. Gone are the days of developing something from the ground up. Software development now involves “stitching together” numerous libraries and frameworks together to develop the desired system/application. We are now dependent on 3rd party vendors and providers now, more than ever before. This has greatly help to aid the generation of rapid development. However, this helped to introduce a new, and often overlooked problem, weakness introduced by these libraries. Why would an attacker spend significant effort and time trying to break through the front door of an organisation, when they can instead open a backdoor for themselves?<br />
<br />
The purpose of this talk is to raise awareness for the potential problem, with some recommendations of tools and approaches which could help. Discussing past examples where backdoors have been placed into libraries, as well as discussing some of the difficulties to keeping libraries up to date.<br />
<br />
==== EY Global Information Security Survey Results ====<br />
'''Speaker''': Shriparna Ghosh<br />
<br />
EY runs a Global Information Security Survey (GISS) every year. Responses were collected from over 60 countries representing all industry sectors with more than 1400 participants.<br />
<br />
After a year in which organisations have been rocked by a series of large-scale cybersecurity breaches and ongoing recriminations over state-sponsored interventions, EY’s Global Information Security Survey shows which areas were the key areas of focus or areas of investment for various sectors. It also outlines the top trends in the cyber world from a global perspective.<br />
<br />
=== Thursday, 9 May 2019 ===<br />
'''Time''': 18:00 – 20:00 BST<br />
<br />
'''Location''': PwC, 144 Morrison Street, Edinburgh, EH3 8EX<br />
<br />
'''Tickets''': Tickets are available on EventBrite (https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-59785884189)<br />
<br />
==== Deception, Confusion, Mistrust: Attacks and Defences ====<br />
'''Speaker''': Matt Wixey<br />
<br />
This talk will cover 2 topics. The first focuses on Remote Online Social Engineering (ROSE), an emerging long-term attack vector deployed by threat actors to build trust and rapport with targeted users in order to gain access to business networks. I'll provide an outline of attackers' methodologies, why they would want to deploy them, some case studies, and countermeasures. The second is a light-hearted look at ways in which defenders can confuse, deceive, or frustrate attackers on a compromised honeypot or other host, with an emphasis on practical implementation. I'll examine some historic ways in which this has been done, along with some case studies, and then present some new methods I've come up with, with a few demos.<br />
<br />
'''Bio'''<br />
<br />
Matt leads technical research for the PwC Cyber Security practice in the UK, and is a PhD candidate at University College London. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security.<br />
<br />
==== Why Security-as-a-Feature Will Never Happen ====<br />
'''Speaker''': Lawrence Munro<br />
<br />
In a fairly dystopian view of our Cyber future, this talk discusses the reasons why we still haven't been able to include security as a design feature in applications.This talk goes into detail around the issues with human nature, education, financial requirements and laziness that contribute to the generally grim state of 'cyber' security.<br />
<br />
As a security community (especially in Penetration testing), we’re very quick to throw mud and laugh at developers who’re not writing secure code. We also like to tell ourselves about new security issues and keep our learning within the community (as that's where we seek / receive the most praise). We should turn our view externally and reflect on information that we make available and how who we lobby to make positive changes. We simply don't teach people security early enough and position it as an essential design feature when people learn their trade. The general premise of the topic is that as an industry we know that one of the key challenges is that security needs to be 'baked in' at the design level. However, when we are taught the rudiments of Information Technology, security is not inherent or considered. The fundamental lack of security rubrics in education during key learning milestones means that security will always be an afterthought, or the domain of the specialist. If we're not addressing security at this level and providing the masses with a proper education, we'll never win the battle, let alone the war. In my opinion, the fault resides with those providing information to those seeking to learn. Specifically: Universities, Colleges, vendors, commercial providers, your friend Dave from school, authors and anyone who showed their friends how to customise their page on MySpace.com in the early 2000's. In order to validate my assertions, I have audited the occurrence of secure coding learning (at to respective top 25 UK / US universities) in undergraduate software engineering degrees (by module). I have also performed a similar evaluation on commercial offerings and looked at some of the most popular introductory books. I use this secondary data along with my own views to demonstrate the current failures of the industry and propose approaches to remedy this issue.<br />
<br />
'''Bio'''<br />
<br />
Lawrence Munro is the Worldwide VP of SpiderLabs, a Post-Graduate Student at Oxford University and Director for B-Sides London. My research (and presentation topics) are varied, but often include: red teaming, education in InfoSec and weird side-projects. Lawrence has previously presented his thoughts and research at: Black Hat USA 2018, DEFCON 2017, 44CON 2018, RootCon 2017, B-Sides (Various), ToorCon San Diego 2015.<br />
<br />
=== Thursday, 21 February 2019 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One (Level 4), 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
We have two great speakers kicking off 2019 for us.<br />
<br />
Tickets available here: [https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-tickets-55989107929 https://owasp-scotland-november.eventbrite.co.uk]<br />
<br />
Many thanks to FanDuel for hosting this event.<br />
<br />
==== Seeing what is not there: searching in Windows paths ====<br />
''Speaker'': Margus Lind, Context IS<br />
<br />
Windows – designed to make training materials self-improve.<br />
<br />
During a recent Windows breakout and privilege escalation training session we stumbled upon several new instances of exploits. While the underlying principles are well known, it is shocking to see such weaknesses exploitable out of the box, even on the latest Windows 10 RS5.<br />
<br />
Firstly, the presentation will give a brief overview of the way Windows searches for required commands and DLLs. This will be followed by some practical examples of how it can be exploited to escalate privileges and bypass UAC.<br />
<br />
Overall, we’ll see that while Windows makes an ever improving attempt at security features, the spaghetti bowl of legacy features and behaviours remains rather entertaining...<br />
<br />
==== A view of the threat landscape ====<br />
''Speaker'': Don Smith, Secureworks<br />
<br />
Using examples of real world attacks, Senior Director Don Smith will discuss lessons learned from recent incidents involving determined and persistent adversaries. This session will illustrate the methods used by advanced actors to avoid detection and consolidate their access in compromised environments. The session will also explore how security teams can improve their chances of defending against such adversaries, pragmatic advice with the odd reality check. <br />
<br />
=== Thursday, 15 November 2018 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=254343Scotland2019-08-29T18:32:25Z<p>Swright75: Added details about second speaker.</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter OWASP Scotland Google Group]. <br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''Ernst & Young''' for hosting our upcoming September 2019 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter Google Group] to be informed of upcoming events.<br />
<br />
=== Thursday, 12 September 2019 ===<br />
'''Time''': 18:00 – 20:00 BST<br />
<br />
'''Location''': Ernst & Young, 144 Morrison Street, Edinburgh, EH3 8EX<br />
<br />
'''Tickets''': Tickets are available on EventBrite (https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-september-tickets-66503743487)<br />
<br />
==== Weaknesses in Software Supply Chains ====<br />
'''Speaker''': Sean Wright<br />
<br />
Software development today is a far cry from software development from yesteryear. Gone are the days of developing something from the ground up. Software development now involves “stitching together” numerous libraries and frameworks together to develop the desired system/application. We are now dependent on 3rd party vendors and providers now, more than ever before. This has greatly help to aid the generation of rapid development. However, this helped to introduce a new, and often overlooked problem, weakness introduced by these libraries. Why would an attacker spend significant effort and time trying to break through the front door of an organisation, when they can instead open a backdoor for themselves?<br />
<br />
The purpose of this talk is to raise awareness for the potential problem, with some recommendations of tools and approaches which could help. Discussing past examples where backdoors have been placed into libraries, as well as discussing some of the difficulties to keeping libraries up to date.<br />
<br />
==== EY Global Information Security Survey Results ====<br />
'''Speaker''': Shriparna Ghosh<br />
<br />
EY runs a Global Information Security Survey (GISS) every year. Responses were collected from over 60 countries representing all industry sectors with more than 1400 participants.<br />
<br />
After a year in which organisations have been rocked by a series of large-scale cybersecurity breaches and ongoing recriminations over state-sponsored interventions, EY’s Global Information Security Survey shows which areas were the key areas of focus or areas of investment for various sectors. It also outlines the top trends in the cyber world from a global perspective.<br />
<br />
== Past Events ==<br />
<br />
=== Thursday, 9 May 2019 ===<br />
'''Time''': 18:00 – 20:00 BST<br />
<br />
'''Location''': PwC, 144 Morrison Street, Edinburgh, EH3 8EX<br />
<br />
'''Tickets''': Tickets are available on EventBrite (https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-59785884189)<br />
<br />
==== Deception, Confusion, Mistrust: Attacks and Defences ====<br />
'''Speaker''': Matt Wixey<br />
<br />
This talk will cover 2 topics. The first focuses on Remote Online Social Engineering (ROSE), an emerging long-term attack vector deployed by threat actors to build trust and rapport with targeted users in order to gain access to business networks. I'll provide an outline of attackers' methodologies, why they would want to deploy them, some case studies, and countermeasures. The second is a light-hearted look at ways in which defenders can confuse, deceive, or frustrate attackers on a compromised honeypot or other host, with an emphasis on practical implementation. I'll examine some historic ways in which this has been done, along with some case studies, and then present some new methods I've come up with, with a few demos.<br />
<br />
'''Bio'''<br />
<br />
Matt leads technical research for the PwC Cyber Security practice in the UK, and is a PhD candidate at University College London. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security.<br />
<br />
==== Why Security-as-a-Feature Will Never Happen ====<br />
'''Speaker''': Lawrence Munro<br />
<br />
In a fairly dystopian view of our Cyber future, this talk discusses the reasons why we still haven't been able to include security as a design feature in applications.This talk goes into detail around the issues with human nature, education, financial requirements and laziness that contribute to the generally grim state of 'cyber' security.<br />
<br />
As a security community (especially in Penetration testing), we’re very quick to throw mud and laugh at developers who’re not writing secure code. We also like to tell ourselves about new security issues and keep our learning within the community (as that's where we seek / receive the most praise). We should turn our view externally and reflect on information that we make available and how who we lobby to make positive changes. We simply don't teach people security early enough and position it as an essential design feature when people learn their trade. The general premise of the topic is that as an industry we know that one of the key challenges is that security needs to be 'baked in' at the design level. However, when we are taught the rudiments of Information Technology, security is not inherent or considered. The fundamental lack of security rubrics in education during key learning milestones means that security will always be an afterthought, or the domain of the specialist. If we're not addressing security at this level and providing the masses with a proper education, we'll never win the battle, let alone the war. In my opinion, the fault resides with those providing information to those seeking to learn. Specifically: Universities, Colleges, vendors, commercial providers, your friend Dave from school, authors and anyone who showed their friends how to customise their page on MySpace.com in the early 2000's. In order to validate my assertions, I have audited the occurrence of secure coding learning (at to respective top 25 UK / US universities) in undergraduate software engineering degrees (by module). I have also performed a similar evaluation on commercial offerings and looked at some of the most popular introductory books. I use this secondary data along with my own views to demonstrate the current failures of the industry and propose approaches to remedy this issue.<br />
<br />
'''Bio'''<br />
<br />
Lawrence Munro is the Worldwide VP of SpiderLabs, a Post-Graduate Student at Oxford University and Director for B-Sides London. My research (and presentation topics) are varied, but often include: red teaming, education in InfoSec and weird side-projects. Lawrence has previously presented his thoughts and research at: Black Hat USA 2018, DEFCON 2017, 44CON 2018, RootCon 2017, B-Sides (Various), ToorCon San Diego 2015.<br />
<br />
=== Thursday, 21 February 2019 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One (Level 4), 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
We have two great speakers kicking off 2019 for us.<br />
<br />
Tickets available here: [https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-tickets-55989107929 https://owasp-scotland-november.eventbrite.co.uk]<br />
<br />
Many thanks to FanDuel for hosting this event.<br />
<br />
==== Seeing what is not there: searching in Windows paths ====<br />
''Speaker'': Margus Lind, Context IS<br />
<br />
Windows – designed to make training materials self-improve.<br />
<br />
During a recent Windows breakout and privilege escalation training session we stumbled upon several new instances of exploits. While the underlying principles are well known, it is shocking to see such weaknesses exploitable out of the box, even on the latest Windows 10 RS5.<br />
<br />
Firstly, the presentation will give a brief overview of the way Windows searches for required commands and DLLs. This will be followed by some practical examples of how it can be exploited to escalate privileges and bypass UAC.<br />
<br />
Overall, we’ll see that while Windows makes an ever improving attempt at security features, the spaghetti bowl of legacy features and behaviours remains rather entertaining...<br />
<br />
==== A view of the threat landscape ====<br />
''Speaker'': Don Smith, Secureworks<br />
<br />
Using examples of real world attacks, Senior Director Don Smith will discuss lessons learned from recent incidents involving determined and persistent adversaries. This session will illustrate the methods used by advanced actors to avoid detection and consolidate their access in compromised environments. The session will also explore how security teams can improve their chances of defending against such adversaries, pragmatic advice with the odd reality check. <br />
<br />
=== Thursday, 15 November 2018 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=253295Scotland2019-07-26T10:34:31Z<p>Swright75: /* Acknowledgements */</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter OWASP Scotland Google Group]. <br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''Ernst & Young''' for hosting our upcoming September 2019 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter Google Group] to be informed of upcoming events.<br />
<br />
=== Thursday, 12 September 2019 ===<br />
'''Time''': 18:00 – 20:00 BST<br />
<br />
'''Location''': Ernst & Young, 144 Morrison Street, Edinburgh, EH3 8EX<br />
<br />
'''Tickets''': Tickets are available on EventBrite (https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-september-tickets-66503743487)<br />
<br />
==== Weaknesses in Software Supply Chains ====<br />
'''Speaker''': Sean Wright<br />
<br />
Software development today is a far cry from software development from yesteryear. Gone are the days of developing something from the ground up. Software development now involves “stitching together” numerous libraries and frameworks together to develop the desired system/application. We are now dependent on 3rd party vendors and providers now, more than ever before. This has greatly help to aid the generation of rapid development. However, this helped to introduce a new, and often overlooked problem, weakness introduced by these libraries. Why would an attacker spend significant effort and time trying to break through the front door of an organisation, when they can instead open a backdoor for themselves?<br />
<br />
The purpose of this talk is to raise awareness for the potential problem, with some recommendations of tools and approaches which could help. Discussing past examples where backdoors have been placed into libraries, as well as discussing some of the difficulties to keeping libraries up to date.<br />
<br />
==== TBD ====<br />
'''Speaker''': TBD<br />
<br />
TBD.<br />
<br />
== Past Events ==<br />
<br />
=== Thursday, 9 May 2019 ===<br />
'''Time''': 18:00 – 20:00 BST<br />
<br />
'''Location''': PwC, 144 Morrison Street, Edinburgh, EH3 8EX<br />
<br />
'''Tickets''': Tickets are available on EventBrite (https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-59785884189)<br />
<br />
==== Deception, Confusion, Mistrust: Attacks and Defences ====<br />
'''Speaker''': Matt Wixey<br />
<br />
This talk will cover 2 topics. The first focuses on Remote Online Social Engineering (ROSE), an emerging long-term attack vector deployed by threat actors to build trust and rapport with targeted users in order to gain access to business networks. I'll provide an outline of attackers' methodologies, why they would want to deploy them, some case studies, and countermeasures. The second is a light-hearted look at ways in which defenders can confuse, deceive, or frustrate attackers on a compromised honeypot or other host, with an emphasis on practical implementation. I'll examine some historic ways in which this has been done, along with some case studies, and then present some new methods I've come up with, with a few demos.<br />
<br />
'''Bio'''<br />
<br />
Matt leads technical research for the PwC Cyber Security practice in the UK, and is a PhD candidate at University College London. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security.<br />
<br />
==== Why Security-as-a-Feature Will Never Happen ====<br />
'''Speaker''': Lawrence Munro<br />
<br />
In a fairly dystopian view of our Cyber future, this talk discusses the reasons why we still haven't been able to include security as a design feature in applications.This talk goes into detail around the issues with human nature, education, financial requirements and laziness that contribute to the generally grim state of 'cyber' security.<br />
<br />
As a security community (especially in Penetration testing), we’re very quick to throw mud and laugh at developers who’re not writing secure code. We also like to tell ourselves about new security issues and keep our learning within the community (as that's where we seek / receive the most praise). We should turn our view externally and reflect on information that we make available and how who we lobby to make positive changes. We simply don't teach people security early enough and position it as an essential design feature when people learn their trade. The general premise of the topic is that as an industry we know that one of the key challenges is that security needs to be 'baked in' at the design level. However, when we are taught the rudiments of Information Technology, security is not inherent or considered. The fundamental lack of security rubrics in education during key learning milestones means that security will always be an afterthought, or the domain of the specialist. If we're not addressing security at this level and providing the masses with a proper education, we'll never win the battle, let alone the war. In my opinion, the fault resides with those providing information to those seeking to learn. Specifically: Universities, Colleges, vendors, commercial providers, your friend Dave from school, authors and anyone who showed their friends how to customise their page on MySpace.com in the early 2000's. In order to validate my assertions, I have audited the occurrence of secure coding learning (at to respective top 25 UK / US universities) in undergraduate software engineering degrees (by module). I have also performed a similar evaluation on commercial offerings and looked at some of the most popular introductory books. I use this secondary data along with my own views to demonstrate the current failures of the industry and propose approaches to remedy this issue.<br />
<br />
'''Bio'''<br />
<br />
Lawrence Munro is the Worldwide VP of SpiderLabs, a Post-Graduate Student at Oxford University and Director for B-Sides London. My research (and presentation topics) are varied, but often include: red teaming, education in InfoSec and weird side-projects. Lawrence has previously presented his thoughts and research at: Black Hat USA 2018, DEFCON 2017, 44CON 2018, RootCon 2017, B-Sides (Various), ToorCon San Diego 2015.<br />
<br />
=== Thursday, 21 February 2019 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One (Level 4), 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
We have two great speakers kicking off 2019 for us.<br />
<br />
Tickets available here: [https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-tickets-55989107929 https://owasp-scotland-november.eventbrite.co.uk]<br />
<br />
Many thanks to FanDuel for hosting this event.<br />
<br />
==== Seeing what is not there: searching in Windows paths ====<br />
''Speaker'': Margus Lind, Context IS<br />
<br />
Windows – designed to make training materials self-improve.<br />
<br />
During a recent Windows breakout and privilege escalation training session we stumbled upon several new instances of exploits. While the underlying principles are well known, it is shocking to see such weaknesses exploitable out of the box, even on the latest Windows 10 RS5.<br />
<br />
Firstly, the presentation will give a brief overview of the way Windows searches for required commands and DLLs. This will be followed by some practical examples of how it can be exploited to escalate privileges and bypass UAC.<br />
<br />
Overall, we’ll see that while Windows makes an ever improving attempt at security features, the spaghetti bowl of legacy features and behaviours remains rather entertaining...<br />
<br />
==== A view of the threat landscape ====<br />
''Speaker'': Don Smith, Secureworks<br />
<br />
Using examples of real world attacks, Senior Director Don Smith will discuss lessons learned from recent incidents involving determined and persistent adversaries. This session will illustrate the methods used by advanced actors to avoid detection and consolidate their access in compromised environments. The session will also explore how security teams can improve their chances of defending against such adversaries, pragmatic advice with the odd reality check. <br />
<br />
=== Thursday, 15 November 2018 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=253294Scotland2019-07-26T10:17:05Z<p>Swright75: Added September event.</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter OWASP Scotland Google Group]. <br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''FanDuel''' for hosting our upcoming February 2019 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter Google Group] to be informed of upcoming events.<br />
<br />
=== Thursday, 12 September 2019 ===<br />
'''Time''': 18:00 – 20:00 BST<br />
<br />
'''Location''': Ernst & Young, 144 Morrison Street, Edinburgh, EH3 8EX<br />
<br />
'''Tickets''': Tickets are available on EventBrite (https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-september-tickets-66503743487)<br />
<br />
==== Weaknesses in Software Supply Chains ====<br />
'''Speaker''': Sean Wright<br />
<br />
Software development today is a far cry from software development from yesteryear. Gone are the days of developing something from the ground up. Software development now involves “stitching together” numerous libraries and frameworks together to develop the desired system/application. We are now dependent on 3rd party vendors and providers now, more than ever before. This has greatly help to aid the generation of rapid development. However, this helped to introduce a new, and often overlooked problem, weakness introduced by these libraries. Why would an attacker spend significant effort and time trying to break through the front door of an organisation, when they can instead open a backdoor for themselves?<br />
<br />
The purpose of this talk is to raise awareness for the potential problem, with some recommendations of tools and approaches which could help. Discussing past examples where backdoors have been placed into libraries, as well as discussing some of the difficulties to keeping libraries up to date.<br />
<br />
==== TBD ====<br />
'''Speaker''': TBD<br />
<br />
TBD.<br />
<br />
== Past Events ==<br />
<br />
=== Thursday, 9 May 2019 ===<br />
'''Time''': 18:00 – 20:00 BST<br />
<br />
'''Location''': PwC, 144 Morrison Street, Edinburgh, EH3 8EX<br />
<br />
'''Tickets''': Tickets are available on EventBrite (https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-59785884189)<br />
<br />
==== Deception, Confusion, Mistrust: Attacks and Defences ====<br />
'''Speaker''': Matt Wixey<br />
<br />
This talk will cover 2 topics. The first focuses on Remote Online Social Engineering (ROSE), an emerging long-term attack vector deployed by threat actors to build trust and rapport with targeted users in order to gain access to business networks. I'll provide an outline of attackers' methodologies, why they would want to deploy them, some case studies, and countermeasures. The second is a light-hearted look at ways in which defenders can confuse, deceive, or frustrate attackers on a compromised honeypot or other host, with an emphasis on practical implementation. I'll examine some historic ways in which this has been done, along with some case studies, and then present some new methods I've come up with, with a few demos.<br />
<br />
'''Bio'''<br />
<br />
Matt leads technical research for the PwC Cyber Security practice in the UK, and is a PhD candidate at University College London. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security.<br />
<br />
==== Why Security-as-a-Feature Will Never Happen ====<br />
'''Speaker''': Lawrence Munro<br />
<br />
In a fairly dystopian view of our Cyber future, this talk discusses the reasons why we still haven't been able to include security as a design feature in applications.This talk goes into detail around the issues with human nature, education, financial requirements and laziness that contribute to the generally grim state of 'cyber' security.<br />
<br />
As a security community (especially in Penetration testing), we’re very quick to throw mud and laugh at developers who’re not writing secure code. We also like to tell ourselves about new security issues and keep our learning within the community (as that's where we seek / receive the most praise). We should turn our view externally and reflect on information that we make available and how who we lobby to make positive changes. We simply don't teach people security early enough and position it as an essential design feature when people learn their trade. The general premise of the topic is that as an industry we know that one of the key challenges is that security needs to be 'baked in' at the design level. However, when we are taught the rudiments of Information Technology, security is not inherent or considered. The fundamental lack of security rubrics in education during key learning milestones means that security will always be an afterthought, or the domain of the specialist. If we're not addressing security at this level and providing the masses with a proper education, we'll never win the battle, let alone the war. In my opinion, the fault resides with those providing information to those seeking to learn. Specifically: Universities, Colleges, vendors, commercial providers, your friend Dave from school, authors and anyone who showed their friends how to customise their page on MySpace.com in the early 2000's. In order to validate my assertions, I have audited the occurrence of secure coding learning (at to respective top 25 UK / US universities) in undergraduate software engineering degrees (by module). I have also performed a similar evaluation on commercial offerings and looked at some of the most popular introductory books. I use this secondary data along with my own views to demonstrate the current failures of the industry and propose approaches to remedy this issue.<br />
<br />
'''Bio'''<br />
<br />
Lawrence Munro is the Worldwide VP of SpiderLabs, a Post-Graduate Student at Oxford University and Director for B-Sides London. My research (and presentation topics) are varied, but often include: red teaming, education in InfoSec and weird side-projects. Lawrence has previously presented his thoughts and research at: Black Hat USA 2018, DEFCON 2017, 44CON 2018, RootCon 2017, B-Sides (Various), ToorCon San Diego 2015.<br />
<br />
=== Thursday, 21 February 2019 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One (Level 4), 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
We have two great speakers kicking off 2019 for us.<br />
<br />
Tickets available here: [https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-tickets-55989107929 https://owasp-scotland-november.eventbrite.co.uk]<br />
<br />
Many thanks to FanDuel for hosting this event.<br />
<br />
==== Seeing what is not there: searching in Windows paths ====<br />
''Speaker'': Margus Lind, Context IS<br />
<br />
Windows – designed to make training materials self-improve.<br />
<br />
During a recent Windows breakout and privilege escalation training session we stumbled upon several new instances of exploits. While the underlying principles are well known, it is shocking to see such weaknesses exploitable out of the box, even on the latest Windows 10 RS5.<br />
<br />
Firstly, the presentation will give a brief overview of the way Windows searches for required commands and DLLs. This will be followed by some practical examples of how it can be exploited to escalate privileges and bypass UAC.<br />
<br />
Overall, we’ll see that while Windows makes an ever improving attempt at security features, the spaghetti bowl of legacy features and behaviours remains rather entertaining...<br />
<br />
==== A view of the threat landscape ====<br />
''Speaker'': Don Smith, Secureworks<br />
<br />
Using examples of real world attacks, Senior Director Don Smith will discuss lessons learned from recent incidents involving determined and persistent adversaries. This session will illustrate the methods used by advanced actors to avoid detection and consolidate their access in compromised environments. The session will also explore how security teams can improve their chances of defending against such adversaries, pragmatic advice with the odd reality check. <br />
<br />
=== Thursday, 15 November 2018 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=250640Scotland2019-04-25T10:18:47Z<p>Swright75: Added ticket details.</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter OWASP Scotland Google Group]. <br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''FanDuel''' for hosting our upcoming February 2019 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter Google Group] to be informed of upcoming events.<br />
<br />
=== Thursday, 9 May 2019 ===<br />
'''Time''': 18:00 – 20:00 BST<br />
<br />
'''Location''': PwC, 144 Morrison Street, Edinburgh, EH3 8EX<br />
<br />
'''Tickets''': Tickets are available on EventBrite (https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-59785884189)<br />
<br />
==== Deception, Confusion, Mistrust: Attacks and Defences ====<br />
'''Speaker''': Matt Wixey<br />
<br />
This talk will cover 2 topics. The first focuses on Remote Online Social Engineering (ROSE), an emerging long-term attack vector deployed by threat actors to build trust and rapport with targeted users in order to gain access to business networks. I'll provide an outline of attackers' methodologies, why they would want to deploy them, some case studies, and countermeasures. The second is a light-hearted look at ways in which defenders can confuse, deceive, or frustrate attackers on a compromised honeypot or other host, with an emphasis on practical implementation. I'll examine some historic ways in which this has been done, along with some case studies, and then present some new methods I've come up with, with a few demos.<br />
<br />
'''Bio'''<br />
<br />
Matt leads technical research for the PwC Cyber Security practice in the UK, and is a PhD candidate at University College London. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security.<br />
<br />
==== Why Security-as-a-Feature Will Never Happen ====<br />
'''Speaker''': Lawrence Munro<br />
<br />
In a fairly dystopian view of our Cyber future, this talk discusses the reasons why we still haven't been able to include security as a design feature in applications.This talk goes into detail around the issues with human nature, education, financial requirements and laziness that contribute to the generally grim state of 'cyber' security.<br />
<br />
As a security community (especially in Penetration testing), we’re very quick to throw mud and laugh at developers who’re not writing secure code. We also like to tell ourselves about new security issues and keep our learning within the community (as that's where we seek / receive the most praise). We should turn our view externally and reflect on information that we make available and how who we lobby to make positive changes. We simply don't teach people security early enough and position it as an essential design feature when people learn their trade. The general premise of the topic is that as an industry we know that one of the key challenges is that security needs to be 'baked in' at the design level. However, when we are taught the rudiments of Information Technology, security is not inherent or considered. The fundamental lack of security rubrics in education during key learning milestones means that security will always be an afterthought, or the domain of the specialist. If we're not addressing security at this level and providing the masses with a proper education, we'll never win the battle, let alone the war. In my opinion, the fault resides with those providing information to those seeking to learn. Specifically: Universities, Colleges, vendors, commercial providers, your friend Dave from school, authors and anyone who showed their friends how to customise their page on MySpace.com in the early 2000's. In order to validate my assertions, I have audited the occurrence of secure coding learning (at to respective top 25 UK / US universities) in undergraduate software engineering degrees (by module). I have also performed a similar evaluation on commercial offerings and looked at some of the most popular introductory books. I use this secondary data along with my own views to demonstrate the current failures of the industry and propose approaches to remedy this issue.<br />
<br />
'''Bio'''<br />
<br />
Lawrence Munro is the Worldwide VP of SpiderLabs, a Post-Graduate Student at Oxford University and Director for B-Sides London. My research (and presentation topics) are varied, but often include: red teaming, education in InfoSec and weird side-projects. Lawrence has previously presented his thoughts and research at: Black Hat USA 2018, DEFCON 2017, 44CON 2018, RootCon 2017, B-Sides (Various), ToorCon San Diego 2015.<br />
<br />
== Past Events ==<br />
<br />
=== Thursday, 21 February 2019 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One (Level 4), 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
We have two great speakers kicking off 2019 for us.<br />
<br />
Tickets available here: [https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-tickets-55989107929 https://owasp-scotland-november.eventbrite.co.uk]<br />
<br />
Many thanks to FanDuel for hosting this event.<br />
<br />
==== Seeing what is not there: searching in Windows paths ====<br />
''Speaker'': Margus Lind, Context IS<br />
<br />
Windows – designed to make training materials self-improve.<br />
<br />
During a recent Windows breakout and privilege escalation training session we stumbled upon several new instances of exploits. While the underlying principles are well known, it is shocking to see such weaknesses exploitable out of the box, even on the latest Windows 10 RS5.<br />
<br />
Firstly, the presentation will give a brief overview of the way Windows searches for required commands and DLLs. This will be followed by some practical examples of how it can be exploited to escalate privileges and bypass UAC.<br />
<br />
Overall, we’ll see that while Windows makes an ever improving attempt at security features, the spaghetti bowl of legacy features and behaviours remains rather entertaining...<br />
<br />
==== A view of the threat landscape ====<br />
''Speaker'': Don Smith, Secureworks<br />
<br />
Using examples of real world attacks, Senior Director Don Smith will discuss lessons learned from recent incidents involving determined and persistent adversaries. This session will illustrate the methods used by advanced actors to avoid detection and consolidate their access in compromised environments. The session will also explore how security teams can improve their chances of defending against such adversaries, pragmatic advice with the odd reality check. <br />
<br />
=== Thursday, 15 November 2018 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=249581Scotland2019-04-02T21:09:47Z<p>Swright75: Added May event</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter OWASP Scotland Google Group]. <br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''FanDuel''' for hosting our upcoming February 2019 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter Google Group] to be informed of upcoming events.<br />
<br />
=== Thursday, 9 May 2019 ===<br />
'''Time''': 18:00 – 20:00 BST<br />
<br />
'''Location''': PwC, 144 Morrison Street, Edinburgh, EH3 8EX<br />
<br />
==== Deception, Confusion, Mistrust: Attacks and Defences ====<br />
'''Speaker''': Matt Wixey<br />
<br />
This talk will cover 2 topics. The first focuses on Remote Online Social Engineering (ROSE), an emerging long-term attack vector deployed by threat actors to build trust and rapport with targeted users in order to gain access to business networks. I'll provide an outline of attackers' methodologies, why they would want to deploy them, some case studies, and countermeasures. The second is a light-hearted look at ways in which defenders can confuse, deceive, or frustrate attackers on a compromised honeypot or other host, with an emphasis on practical implementation. I'll examine some historic ways in which this has been done, along with some case studies, and then present some new methods I've come up with, with a few demos.<br />
<br />
'''Bio'''<br />
<br />
Matt leads technical research for the PwC Cyber Security practice in the UK, and is a PhD candidate at University College London. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security.<br />
<br />
==== Why Security-as-a-Feature Will Never Happen ====<br />
'''Speaker''': Lawrence Munro<br />
<br />
In a fairly dystopian view of our Cyber future, this talk discusses the reasons why we still haven't been able to include security as a design feature in applications.This talk goes into detail around the issues with human nature, education, financial requirements and laziness that contribute to the generally grim state of 'cyber' security.<br />
<br />
As a security community (especially in Penetration testing), we’re very quick to throw mud and laugh at developers who’re not writing secure code. We also like to tell ourselves about new security issues and keep our learning within the community (as that's where we seek / receive the most praise). We should turn our view externally and reflect on information that we make available and how who we lobby to make positive changes. We simply don't teach people security early enough and position it as an essential design feature when people learn their trade. The general premise of the topic is that as an industry we know that one of the key challenges is that security needs to be 'baked in' at the design level. However, when we are taught the rudiments of Information Technology, security is not inherent or considered. The fundamental lack of security rubrics in education during key learning milestones means that security will always be an afterthought, or the domain of the specialist. If we're not addressing security at this level and providing the masses with a proper education, we'll never win the battle, let alone the war. In my opinion, the fault resides with those providing information to those seeking to learn. Specifically: Universities, Colleges, vendors, commercial providers, your friend Dave from school, authors and anyone who showed their friends how to customise their page on MySpace.com in the early 2000's. In order to validate my assertions, I have audited the occurrence of secure coding learning (at to respective top 25 UK / US universities) in undergraduate software engineering degrees (by module). I have also performed a similar evaluation on commercial offerings and looked at some of the most popular introductory books. I use this secondary data along with my own views to demonstrate the current failures of the industry and propose approaches to remedy this issue.<br />
<br />
'''Bio'''<br />
<br />
Lawrence Munro is the Worldwide VP of SpiderLabs, a Post-Graduate Student at Oxford University and Director for B-Sides London. My research (and presentation topics) are varied, but often include: red teaming, education in InfoSec and weird side-projects. Lawrence has previously presented his thoughts and research at: Black Hat USA 2018, DEFCON 2017, 44CON 2018, RootCon 2017, B-Sides (Various), ToorCon San Diego 2015.<br />
<br />
== Past Events ==<br />
<br />
=== Thursday, 21 February 2019 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One (Level 4), 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
We have two great speakers kicking off 2019 for us.<br />
<br />
Tickets available here: [https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-tickets-55989107929 https://owasp-scotland-november.eventbrite.co.uk]<br />
<br />
Many thanks to FanDuel for hosting this event.<br />
<br />
==== Seeing what is not there: searching in Windows paths ====<br />
''Speaker'': Margus Lind, Context IS<br />
<br />
Windows – designed to make training materials self-improve.<br />
<br />
During a recent Windows breakout and privilege escalation training session we stumbled upon several new instances of exploits. While the underlying principles are well known, it is shocking to see such weaknesses exploitable out of the box, even on the latest Windows 10 RS5.<br />
<br />
Firstly, the presentation will give a brief overview of the way Windows searches for required commands and DLLs. This will be followed by some practical examples of how it can be exploited to escalate privileges and bypass UAC.<br />
<br />
Overall, we’ll see that while Windows makes an ever improving attempt at security features, the spaghetti bowl of legacy features and behaviours remains rather entertaining...<br />
<br />
==== A view of the threat landscape ====<br />
''Speaker'': Don Smith, Secureworks<br />
<br />
Using examples of real world attacks, Senior Director Don Smith will discuss lessons learned from recent incidents involving determined and persistent adversaries. This session will illustrate the methods used by advanced actors to avoid detection and consolidate their access in compromised environments. The session will also explore how security teams can improve their chances of defending against such adversaries, pragmatic advice with the odd reality check. <br />
<br />
=== Thursday, 15 November 2018 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=248874Scotland2019-03-16T11:59:02Z<p>Swright75: /* Acknowledgements */</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter OWASP Scotland Google Group]. <br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''FanDuel''' for hosting our upcoming February 2019 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
=== Past Events ===<br />
<br />
=== Thursday, 21 February 2019 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One (Level 4), 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
We have two great speakers kicking off 2019 for us.<br />
<br />
Tickets available here: [https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-tickets-55989107929 https://owasp-scotland-november.eventbrite.co.uk]<br />
<br />
Many thanks to FanDuel for hosting this event.<br />
<br />
==== Seeing what is not there: searching in Windows paths ====<br />
''Speaker'': Margus Lind, Context IS<br />
<br />
Windows – designed to make training materials self-improve.<br />
<br />
During a recent Windows breakout and privilege escalation training session we stumbled upon several new instances of exploits. While the underlying principles are well known, it is shocking to see such weaknesses exploitable out of the box, even on the latest Windows 10 RS5.<br />
<br />
Firstly, the presentation will give a brief overview of the way Windows searches for required commands and DLLs. This will be followed by some practical examples of how it can be exploited to escalate privileges and bypass UAC.<br />
<br />
Overall, we’ll see that while Windows makes an ever improving attempt at security features, the spaghetti bowl of legacy features and behaviours remains rather entertaining...<br />
<br />
==== A view of the threat landscape ====<br />
''Speaker'': Don Smith, Secureworks<br />
<br />
Using examples of real world attacks, Senior Director Don Smith will discuss lessons learned from recent incidents involving determined and persistent adversaries. This session will illustrate the methods used by advanced actors to avoid detection and consolidate their access in compromised environments. The session will also explore how security teams can improve their chances of defending against such adversaries, pragmatic advice with the odd reality check. <br />
<br />
=== Thursday, 15 November 2018 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=248873Scotland2019-03-16T11:58:18Z<p>Swright75: Updated to use Google Groups for signup instead</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the [https://groups.google.com/a/owasp.org/forum/#!forum/scotland-chapter OWASP Scotland Google Group]. <br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''Ernst & Young''' for hosting our upcoming November 2018 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
=== Past Events ===<br />
<br />
=== Thursday, 21 February 2019 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One (Level 4), 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
We have two great speakers kicking off 2019 for us.<br />
<br />
Tickets available here: [https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-tickets-55989107929 https://owasp-scotland-november.eventbrite.co.uk]<br />
<br />
Many thanks to FanDuel for hosting this event.<br />
<br />
==== Seeing what is not there: searching in Windows paths ====<br />
''Speaker'': Margus Lind, Context IS<br />
<br />
Windows – designed to make training materials self-improve.<br />
<br />
During a recent Windows breakout and privilege escalation training session we stumbled upon several new instances of exploits. While the underlying principles are well known, it is shocking to see such weaknesses exploitable out of the box, even on the latest Windows 10 RS5.<br />
<br />
Firstly, the presentation will give a brief overview of the way Windows searches for required commands and DLLs. This will be followed by some practical examples of how it can be exploited to escalate privileges and bypass UAC.<br />
<br />
Overall, we’ll see that while Windows makes an ever improving attempt at security features, the spaghetti bowl of legacy features and behaviours remains rather entertaining...<br />
<br />
==== A view of the threat landscape ====<br />
''Speaker'': Don Smith, Secureworks<br />
<br />
Using examples of real world attacks, Senior Director Don Smith will discuss lessons learned from recent incidents involving determined and persistent adversaries. This session will illustrate the methods used by advanced actors to avoid detection and consolidate their access in compromised environments. The session will also explore how security teams can improve their chances of defending against such adversaries, pragmatic advice with the odd reality check. <br />
<br />
=== Thursday, 15 November 2018 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=248872Scotland2019-03-16T11:55:58Z<p>Swright75: Moved recent event to past events</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''Ernst & Young''' for hosting our upcoming November 2018 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
=== Past Events ===<br />
<br />
=== Thursday, 21 February 2019 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One (Level 4), 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
We have two great speakers kicking off 2019 for us.<br />
<br />
Tickets available here: [https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-tickets-55989107929 https://owasp-scotland-november.eventbrite.co.uk]<br />
<br />
Many thanks to FanDuel for hosting this event.<br />
<br />
==== Seeing what is not there: searching in Windows paths ====<br />
''Speaker'': Margus Lind, Context IS<br />
<br />
Windows – designed to make training materials self-improve.<br />
<br />
During a recent Windows breakout and privilege escalation training session we stumbled upon several new instances of exploits. While the underlying principles are well known, it is shocking to see such weaknesses exploitable out of the box, even on the latest Windows 10 RS5.<br />
<br />
Firstly, the presentation will give a brief overview of the way Windows searches for required commands and DLLs. This will be followed by some practical examples of how it can be exploited to escalate privileges and bypass UAC.<br />
<br />
Overall, we’ll see that while Windows makes an ever improving attempt at security features, the spaghetti bowl of legacy features and behaviours remains rather entertaining...<br />
<br />
==== A view of the threat landscape ====<br />
''Speaker'': Don Smith, Secureworks<br />
<br />
Using examples of real world attacks, Senior Director Don Smith will discuss lessons learned from recent incidents involving determined and persistent adversaries. This session will illustrate the methods used by advanced actors to avoid detection and consolidate their access in compromised environments. The session will also explore how security teams can improve their chances of defending against such adversaries, pragmatic advice with the odd reality check. <br />
<br />
=== Thursday, 15 November 2018 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=247635Scotland2019-02-18T13:33:53Z<p>Swright75: Updated details of Don's talk</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''Ernst & Young''' for hosting our upcoming November 2018 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
=== Thursday, 21 February 2019 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One (Level 4), 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
We have two great speakers kicking off 2019 for us.<br />
<br />
Tickets available here: [https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-tickets-55989107929 https://owasp-scotland-november.eventbrite.co.uk]<br />
<br />
Many thanks to FanDuel for hosting this event.<br />
<br />
==== Seeing what is not there: searching in Windows paths ====<br />
''Speaker'': Margus Lind, Context IS<br />
<br />
Windows – designed to make training materials self-improve.<br />
<br />
During a recent Windows breakout and privilege escalation training session we stumbled upon several new instances of exploits. While the underlying principles are well known, it is shocking to see such weaknesses exploitable out of the box, even on the latest Windows 10 RS5.<br />
<br />
Firstly, the presentation will give a brief overview of the way Windows searches for required commands and DLLs. This will be followed by some practical examples of how it can be exploited to escalate privileges and bypass UAC.<br />
<br />
Overall, we’ll see that while Windows makes an ever improving attempt at security features, the spaghetti bowl of legacy features and behaviours remains rather entertaining...<br />
<br />
==== A view of the threat landscape ====<br />
''Speaker'': Don Smith, Secureworks<br />
<br />
Using examples of real world attacks, Senior Director Don Smith will discuss lessons learned from recent incidents involving determined and persistent adversaries. This session will illustrate the methods used by advanced actors to avoid detection and consolidate their access in compromised environments. The session will also explore how security teams can improve their chances of defending against such adversaries, pragmatic advice with the odd reality check. <br />
<br />
== Past Events ==<br />
<br />
=== Thursday, 15 November 2018 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=247148Scotland2019-02-06T12:29:12Z<p>Swright75: Added February event</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''Ernst & Young''' for hosting our upcoming November 2018 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
=== Thursday, 21 February 2019 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One (Level 4), 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
We have two great speakers kicking off 2019 for us.<br />
<br />
Tickets available here: [https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-tickets-55989107929 https://owasp-scotland-november.eventbrite.co.uk]<br />
<br />
Many thanks to FanDuel for hosting this event.<br />
<br />
==== Seeing what is not there: searching in Windows paths ====<br />
''Speaker'': Margus Lind, Context IS<br />
<br />
Windows – designed to make training materials self-improve.<br />
<br />
During a recent Windows breakout and privilege escalation training session we stumbled upon several new instances of exploits. While the underlying principles are well known, it is shocking to see such weaknesses exploitable out of the box, even on the latest Windows 10 RS5.<br />
<br />
Firstly, the presentation will give a brief overview of the way Windows searches for required commands and DLLs. This will be followed by some practical examples of how it can be exploited to escalate privileges and bypass UAC.<br />
<br />
Overall, we’ll see that while Windows makes an ever improving attempt at security features, the spaghetti bowl of legacy features and behaviours remains rather entertaining...<br />
<br />
==== Talk Title TBD ====<br />
''Speaker'': Don Smith, Secureworks<br />
<br />
TBD.<br />
<br />
== Past Events ==<br />
<br />
=== Thursday, 15 November 2018 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=245179Scotland2018-11-15T22:56:33Z<p>Swright75: Moved November event to past events</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''Ernst & Young''' for hosting our upcoming November 2018 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
== Past Events ==<br />
<br />
=== Thursday, 15 November 2018 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=244735Scotland2018-10-30T18:04:55Z<p>Swright75: /* Upcoming Events */</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''Ernst & Young''' for hosting our upcoming November 2018 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
=== Thursday, 15 November 2018 ===<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
== Past Events ==<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=244734Scotland2018-10-30T18:04:04Z<p>Swright75: /* Acknowledgements */</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''Ernst & Young''' for hosting our upcoming November 2018 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
Thursday, 15 November 2018<br />
<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
== Past Events ==<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=244733Scotland2018-10-30T18:03:18Z<p>Swright75: Update the time of the November event</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''FanDuel''' for hosting our September 2018 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
Thursday, 15 November 2018<br />
<br />
'''Time''': 18:00 – 20:00<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
== Past Events ==<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=244726Scotland2018-10-30T15:37:45Z<p>Swright75: /* Upcoming Events */</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''FanDuel''' for hosting our September 2018 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
Thursday, 15 November 2018<br />
<br />
'''Time''': TBC<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are in for a treat in the final OWASP Scotland chapter meeting for 2018 with presenters from the USA and Spain. We have Matt Nelson, Lee Christensen and Brian Reitz from SpecterOps as well as Simon Goldsmith from EY’s Cyber Security Hub presenting.<br />
<br />
Tickets available here: https://owasp-scotland-november.eventbrite.co.uk<br />
<br />
Many thanks to EY for hosting this event.<br />
<br />
'''Cyber Infusion: Security in Innovation for Financial Services'''<br />
<br />
''Speaker'': Simon Goldsmith, EY<br />
<br />
It's almost become a cliché to say that "digital transformation (DX) is changing the way we do things". Technology enabled transformation is changing the way we interact, how we do business and the speed at which we innovate. It´s also changing the way we need to look at security.<br />
<br />
Cyber Infusion is about ensuring security is embedded into how we innovate, rather than the more costly and practically ineffective approach of “bolting it on”. It means security has to operate less as the external “policeman” and more as a “guide” within the team to help chart a course. While there are business imperatives, digital and Open Banking inherently brings cyber risks: with greater connectivity, more data, more parties and more identities to manage, there is greater opportunity for increasingly industrialised and innovative threats to compromise systems, as well as greater regulatory attention and the potential for vulnerabilities to exist.<br />
<br />
In this discussion, we will outline the nature and issues around Cyber Infusion in financial services innovation and a case study from an Open Banking programme showing where good practice can not only ensure a compliant and secure capability, but also add value through differentiation.<br />
<br />
Bio: Simon leads the Innovation and Infusion team in EY’s EMEIA Financial Services Cyber Centre of Excellence. His team’s role is to develop new security approaches for EY’s financial services clients and integrate with EY´s digital transformation and financial crime capabilities to help other teams secure their innovation.<br />
<br />
'''Outlander: Traveling Back in Time for Windows Attack Paths'''<br />
<br />
''Speaker'': Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_) and Brian Reitz (@brian_psu), SpecterOps<br />
<br />
Microsoft Windows is built on a number of technologies that seemed like good ideas at the time.<br />
<br />
In practice these were often poorly implemented, overly ambitious, difficult to understand, and insecure by default: a great combination for pentesters.<br />
<br />
We'll examine two technologies in the Windows graveyard, COM and RPC, that are still in modern versions of Windows and provide multiple attack paths for pentesters.<br />
<br />
We'll go over our methodology for enumerating and discovering the lesser-known features of these technologies, and how the attack surface still remains largely untested in 2018.<br />
<br />
== Past Events ==<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=244285Scotland2018-10-16T15:11:09Z<p>Swright75: /* Upcoming Events */</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''FanDuel''' for hosting our September 2018 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
Thursday, 15 November 2018<br />
<br />
'''Time''': TBC<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
If you are interested in giving a talk, please reach out to [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Robert Janson].<br />
<br />
== Past Events ==<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=244284Scotland2018-10-16T15:10:37Z<p>Swright75: /* Upcoming Events */</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''FanDuel''' for hosting our September 2018 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
Thursday, 15 November 2018<br />
<br />
'''Time''': TBC<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
If you are interested in giving a talk, please reach out to [mailto:sean.wright@owasp.org Sean Wright] or Robert Janson.<br />
<br />
== Past Events ==<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=244283Scotland2018-10-16T15:09:58Z<p>Swright75: /* Upcoming Events */</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''FanDuel''' for hosting our September 2018 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
Thursday, 15 November 2018<br />
<br />
'''Time''': TBC<br />
<br />
'''Location''': Ernst & Young, 144 Morrison St, Edinburgh EH3 8EX<br />
<br />
If you are interested in giving a talk, please reach out to Sean Wright or Robert Janson.<br />
<br />
== Past Events ==<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=244122Scotland2018-10-10T16:19:32Z<p>Swright75: Moved past event to Past Events section</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''FanDuel''' for hosting our September 2018 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
== Past Events ==<br />
<br />
===Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
===Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=242811Scotland2018-08-25T09:13:49Z<p>Swright75: /* Upcoming Events */</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''FanDuel''' for hosting our September 2018 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
=== Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
== Past Events ==<br />
<br />
=== Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=242810Scotland2018-08-25T09:13:24Z<p>Swright75: /* Acknowledgements */</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''FanDuel''' for hosting our September 2018 event. As well as providing the beer and pizza!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
=== Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Fanduel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
== Past Events ==<br />
<br />
=== Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=242809Scotland2018-08-25T09:12:08Z<p>Swright75: Added details for September event.</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''Pricewaterhouse Coopers''' for hosting our March 2018 event!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
=== Thursday, 20 September 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Fanduel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP<br />
<br />
The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us. They will also be providing pizza and beer!<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite:<br />
<br />
https://owasp-scotland-chapter-meeting-september-tickets.eventbrite.co.uk<br />
<br />
'''DNS over TLS / DNS over HTTPS - The privacy magic bullet?'''<br />
<br />
Speaker: Sean Wright<br />
<br />
ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.<br />
<br />
'''Raising Organisational Security Awareness with CTFs'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.<br />
<br />
== Past Events ==<br />
<br />
=== Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=240866Scotland2018-05-22T12:47:40Z<p>Swright75: Moved recent event to past event, as well as removed old events from the Past Events section.</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''Pricewaterhouse Coopers''' for hosting our March 2018 event!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
== Past Events ==<br />
<br />
=== Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=240377Scotland2018-05-02T21:27:13Z<p>Swright75: Added ticket details</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''Pricewaterhouse Coopers''' for hosting our March 2018 event!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
=== Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
Tickets available on Eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-45703255668<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
== Past Events ==<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=240376Scotland2018-05-02T21:24:10Z<p>Swright75: Added details about May's event.</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''Pricewaterhouse Coopers''' for hosting our March 2018 event!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
=== Monday, 21 May 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': Ernst & Young,144 Morrison St, Edinburgh EH3 8EX<br />
<br />
We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21<sup>st</sup> of May. Many thanks to EY who has kindly offered to host this event for us.<br />
<br />
On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.<br />
<br />
In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Cyber Terror'''<br />
<br />
Speaker: Tal Mozes<br />
<br />
Most of us, cyber security professionals, help in the fighting of cybercrime. <br />
<br />
Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.<br />
<br />
'''Responsible Disclosure – The Good, the Bad and the Ugly'''<br />
<br />
Speaker: Rob Jansson<br />
<br />
What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).<br />
<br />
Tickets will be made available on Eventbrite. Details will be shared as soon as they become available.<br />
<br />
== Past Events ==<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=238734Scotland2018-03-19T21:51:02Z<p>Swright75: Added acknowledgements section</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Acknowledgements ==<br />
A big thank you to '''Pricewaterhouse Coopers''' for hosting our March 2018 event!<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
Stayed tuned for upcoming events.<br />
<br />
== Past Events ==<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=238733Scotland2018-03-19T21:47:08Z<p>Swright75: Fixed formatting issues</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
Stayed tuned for upcoming events.<br />
<br />
== Past Events ==<br />
<br />
=== Wednesday, 14 March 2018 ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
====Deconstructing WannaCry====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
====Driving Remediation in Large Organisations====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=238732Scotland2018-03-19T21:46:05Z<p>Swright75: Fixed formatting</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
Stayed tuned for upcoming events.<br />
<br />
== Past Events ==<br />
<br />
=== '''Wednesday, 14 March 2018''' ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== Wednesday, 4 October 2017 ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
===='''Deconstructing WannaCry'''====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
===='''Driving Remediation in Large Organisations'''====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=238731Scotland2018-03-19T21:44:24Z<p>Swright75: Updated the events section, as well as the sponsors section.</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
Stayed tuned for upcoming events.<br />
<br />
== Past Events ==<br />
'''Wednesday, 14 March 2018'''<br />
<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
=== '''Wednesday, 4 October 2017''' ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
===='''Deconstructing WannaCry'''====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
===='''Driving Remediation in Large Organisations'''====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
If you would like to sponsor the OWASP Scotland chapter, please get in contact with [mailto:sean.wright@owasp.org Sean Wright] or [mailto:rob.jansson@owasp.org Rob Jansson].<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=238317Scotland2018-03-04T15:26:15Z<p>Swright75: Corrected date</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
=== '''Wednesday, 14 March 2018''' ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
== Past Events ==<br />
<br />
=== '''Wednesday, 4 October 2017''' ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
===='''Deconstructing WannaCry'''====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
===='''Driving Remediation in Large Organisations'''====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]<br />
[[File:Sopra.jpg|200px|left|Sopra Group]]<br />
<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=237882Scotland2018-02-19T13:49:13Z<p>Swright75: Corrected day for next event</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
=== '''Wednesday, 14 March 2018''' ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Thursday 15th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
== Past Events ==<br />
<br />
=== '''Wednesday, 4 October 2017''' ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
===='''Deconstructing WannaCry'''====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
===='''Driving Remediation in Large Organisations'''====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]<br />
[[File:Sopra.jpg|200px|left|Sopra Group]]<br />
<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=237657Scotland2018-02-15T20:50:59Z<p>Swright75: Added speaker details for upcoming event.</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
=== '''Thursday, 14 March 2018''' ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Thursday 15th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
'''Website Discovery & Managing the Shadow Estate'''<br />
<br />
Speaker: James Penny<br />
<br />
There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.<br />
<br />
A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.<br />
<br />
This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.<br />
<br />
'''Analyst, Engineer or Consultant?'''<br />
<br />
Speaker:Harry McLaren<br />
<br />
A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.<br />
<br />
Tickets available on Eventbrite: https://owasp-scotland-march-2018.eventbrite.co.uk<br />
<br />
== Past Events ==<br />
<br />
=== '''Wednesday, 4 October 2017''' ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
===='''Deconstructing WannaCry'''====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
===='''Driving Remediation in Large Organisations'''====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]<br />
[[File:Sopra.jpg|200px|left|Sopra Group]]<br />
<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=237509Scotland2018-02-12T20:03:18Z<p>Swright75: Changed date of March deven</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
=== '''Thursday, 14 March 2018''' ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Thursday 15th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
== Past Events ==<br />
<br />
=== '''Wednesday, 4 October 2017''' ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event: https://owaspscotlandaugust2017.eventbrite.co.uk/<br />
===='''Deconstructing WannaCry'''====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
===='''Driving Remediation in Large Organisations'''====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event:https://owasp-scotland-chapter-meeting-may-2017-tickets.eventbrite.co.uk<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
'''Event Signup:''' https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-march-2017-tickets-32070062420<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]<br />
[[File:Sopra.jpg|200px|left|Sopra Group]]<br />
<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=237349Scotland2018-02-05T22:50:17Z<p>Swright75: Updated with the new event in March</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
=== '''Thursday, 15 March 2018''' ===<br />
'''Time''': 18:00 - 20:00<br />
<br />
'''Location''': PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX <br />
<br />
We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Thursday 15th March. Many thanks to PwC who has kindly offered to host this event for us.<br />
<br />
We are still confirming speakers so please save the date and await further information in the near future.<br />
<br />
If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.<br />
<br />
For attending this event you will be able to claim 2 CPE points.<br />
<br />
== Past Events ==<br />
<br />
=== '''Wednesday, 4 October 2017''' ===<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event: https://owaspscotlandaugust2017.eventbrite.co.uk/<br />
===='''Deconstructing WannaCry'''====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
===='''Driving Remediation in Large Organisations'''====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event:https://owasp-scotland-chapter-meeting-may-2017-tickets.eventbrite.co.uk<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
'''Event Signup:''' https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-march-2017-tickets-32070062420<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]<br />
[[File:Sopra.jpg|200px|left|Sopra Group]]<br />
<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=234762Scotland2017-10-30T16:23:20Z<p>Swright75: Updated to new Twitter name</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/OWASPScotland Twitter (@OWASPScotland)].<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
'''Wednesday, 4 October 2017'''<br />
<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
== Past Events ==<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event: https://owaspscotlandaugust2017.eventbrite.co.uk/<br />
===='''Deconstructing WannaCry'''====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
===='''Driving Remediation in Large Organisations'''====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event:https://owasp-scotland-chapter-meeting-may-2017-tickets.eventbrite.co.uk<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
'''Event Signup:''' https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-march-2017-tickets-32070062420<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]<br />
[[File:Sopra.jpg|200px|left|Sopra Group]]<br />
<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=234761Scotland2017-10-30T16:18:32Z<p>Swright75: Added Twitter link.</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).<br />
<br />
You can also now follow us on [https://twitter.com/owaspscotland Twitter (@owaspscotland)].<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
'''Wednesday, 4 October 2017'''<br />
<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
== Past Events ==<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event: https://owaspscotlandaugust2017.eventbrite.co.uk/<br />
===='''Deconstructing WannaCry'''====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
===='''Driving Remediation in Large Organisations'''====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event:https://owasp-scotland-chapter-meeting-may-2017-tickets.eventbrite.co.uk<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
'''Event Signup:''' https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-march-2017-tickets-32070062420<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]<br />
[[File:Sopra.jpg|200px|left|Sopra Group]]<br />
<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=233788Scotland2017-09-27T12:21:18Z<p>Swright75: Fixed EventBrite group</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above)<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
'''Wednesday, 4 October 2017'''<br />
<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://owasp-scotland-oct-2017.eventbrite.co.uk https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
== Past Events ==<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event: https://owaspscotlandaugust2017.eventbrite.co.uk/<br />
===='''Deconstructing WannaCry'''====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
===='''Driving Remediation in Large Organisations'''====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event:https://owasp-scotland-chapter-meeting-may-2017-tickets.eventbrite.co.uk<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
'''Event Signup:''' https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-march-2017-tickets-32070062420<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]<br />
[[File:Sopra.jpg|200px|left|Sopra Group]]<br />
<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=233785Scotland2017-09-27T07:57:38Z<p>Swright75: Added October event</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above)<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
'''Wednesday, 4 October 2017'''<br />
<br />
'''Time''': 18:00<br />
<br />
'''Location''': Secureworks, <br />
<br />
1 Tanfield, <br />
<br />
Edinburgh,<br />
<br />
EH3 5DA<br />
<br />
To attend, please register here for the event [https://www.google.com/url?q=https%3A%2F%2Fowasp-scotland-oct-2017.eventbrite.co.uk&sa=D&sntz=1&usg=AFQjCNE66ssz5k1E5qV1uqh87y8i5nhwOQ https://owasp-scotland-oct-2017.eventbrite.co.uk.] Places are limited, so please only register if you will definitely be attending.<br />
<br />
<nowiki>*</nowiki> Please note that if your name is not on the list, you will be unlikely to enter the venue.<br />
<br />
'''Revocation is broken, here's how we're fixing it'''<br />
<br />
''Speaker'': Scott Helme<br />
<br />
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.<br />
<br />
== Past Events ==<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event: https://owaspscotlandaugust2017.eventbrite.co.uk/<br />
===='''Deconstructing WannaCry'''====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
===='''Driving Remediation in Large Organisations'''====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event:https://owasp-scotland-chapter-meeting-may-2017-tickets.eventbrite.co.uk<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
'''Event Signup:''' https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-march-2017-tickets-32070062420<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]<br />
[[File:Sopra.jpg|200px|left|Sopra Group]]<br />
<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=233763Scotland2017-09-26T06:06:01Z<p>Swright75: Moved previous event to past events</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above)<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
== Past Events ==<br />
<br />
=== Thursday, 31 August 2017 ===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event: https://owaspscotlandaugust2017.eventbrite.co.uk/<br />
===='''Deconstructing WannaCry'''====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
===='''Driving Remediation in Large Organisations'''====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event:https://owasp-scotland-chapter-meeting-may-2017-tickets.eventbrite.co.uk<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
'''Event Signup:''' https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-march-2017-tickets-32070062420<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]<br />
[[File:Sopra.jpg|200px|left|Sopra Group]]<br />
<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=231781Scotland2017-07-20T14:32:22Z<p>Swright75: Added August event</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above)<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
===Thursday, 31 August 2017===<br />
Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. <br />
<br />
We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': MF2 on the 4th floor,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet,<br />
<br />
Edinburgh,<br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event: https://owaspscotlandaugust2017.eventbrite.co.uk/<br />
===='''Deconstructing WannaCry'''====<br />
''Speaker'': James Slaughter<br />
<br />
- Who, What, Where, Why and How.<br />
<br />
- Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.<br />
<br />
===='''Driving Remediation in Large Organisations'''====<br />
''Speaker:'' Andrew Scott<br />
<br />
Congratulations! Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well. But what about remediation? When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes. How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down? I’ll look at a number of the challenges here and some solutions.<br />
<br />
== Past Events ==<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event:https://owasp-scotland-chapter-meeting-may-2017-tickets.eventbrite.co.uk<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
'''Event Signup:''' https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-march-2017-tickets-32070062420<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]<br />
[[File:Sopra.jpg|200px|left|Sopra Group]]<br />
<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=229814Scotland2017-05-19T21:16:38Z<p>Swright75: Moved May event into the Past Events section.</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above)<br />
<br />
== Upcoming Events ==<br />
<br />
Signup to the chapter mailing list to be informed of upcoming events.<br />
<br />
== Past Events ==<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event:https://owasp-scotland-chapter-meeting-may-2017-tickets.eventbrite.co.uk<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
'''Event Signup:''' https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-march-2017-tickets-32070062420<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]<br />
[[File:Sopra.jpg|200px|left|Sopra Group]]<br />
<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=229612Scotland2017-05-15T00:08:58Z<p>Swright75: Added additional speaker for May event</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above)<br />
<br />
== Upcoming Events ==<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event:https://owasp-scotland-chapter-meeting-may-2017-tickets.eventbrite.co.uk<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== TLS Demystified ====<br />
''Speaker:'' Sean Wright<br />
<br />
TLS along with PKI often seems to be some sort of black magic which is supposed to make you secure. This talk will attempt to help explain the key parts of TLS breaking it down to be easy to understand. This talk will also cover common mistakes which are made when implementing TLS.<br />
<br />
== Past Events ==<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
'''Event Signup:''' https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-march-2017-tickets-32070062420<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]<br />
[[File:Sopra.jpg|200px|left|Sopra Group]]<br />
<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=229141Scotland2017-04-25T14:53:27Z<p>Swright75: Removed bold from headings</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above)<br />
<br />
== Upcoming Events ==<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event:https://owasp-scotland-chapter-meeting-may-2017-tickets.eventbrite.co.uk<br />
<br />
==== Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was. ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== Speaker no. 2 TBC ====<br />
TBC<br />
<br />
== Past Events ==<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
'''Event Signup:''' https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-march-2017-tickets-32070062420<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]<br />
[[File:Sopra.jpg|200px|left|Sopra Group]]<br />
<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=229140Scotland2017-04-25T14:26:55Z<p>Swright75: Improved layout of new event</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above)<br />
<br />
== Upcoming Events ==<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
To attend, please register here for the event:https://owasp-scotland-chapter-meeting-may-2017-tickets.eventbrite.co.uk<br />
<br />
==== '''Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was.''' ====<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
==== '''Speaker no. 2 TBC''' ====<br />
TBC<br />
<br />
== Past Events ==<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
'''Event Signup:''' https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-march-2017-tickets-32070062420<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]<br />
[[File:Sopra.jpg|200px|left|Sopra Group]]<br />
<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=229139Scotland2017-04-25T14:24:30Z<p>Swright75: Added event information for 18 May event.</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above)<br />
<br />
== Upcoming Events ==<br />
<br />
=== Thursday, 18 May 2017 ===<br />
Good news! Edinburgh University is kindly providing us with meeting space for the next OWASP Scotland chapter meeting. We have an excellent talk lined up by Boglarka on MFA and a second speaker should be confirmed in the near future. If you are attending please register so we can keep an eye on the numbers.<br />
<br />
'''Time''': 18:30<br />
<br />
'''Location''': Ground floor main lecture room,<br />
<br />
Informatics Forum,<br />
<br />
10 CrichtonStreet, <br />
<br />
Edinburgh, <br />
<br />
EH8 9AB<br />
<br />
'''Twice the pride, double the fall – why 2FA / MFA isn’t the cure we all thought it was.'''<br />
<br />
''Speaker'': Boglarka Ronto<br />
<br />
The security industry has been preaching the mantra of MFA for almost a decade. Indeed, many implementations have surfaced, some better than others, with all of these intending to add to the level of security of an existing solution (i.e. external logon interface).<br />
<br />
The trust in such services appears to be unquestioned: companies are looking for cheap, simple and easily manageable solutions and rarely consider the actual level of security associated with the product of their choice.<br />
<br />
This talk discusses ways of testing MFA solutions and includes a few case studies of broken and poor MFA implementations, including one which allowed SMS validation to be bypassed completely at an application level (no physical proximity or cloned phones required).<br />
<br />
'''Speaker no. 2 TBC'''<br />
<br />
To attend, please register here for the event:https://owasp-scotland-chapter-meeting-may-2017-tickets.eventbrite.co.uk<br />
<br />
== Past Events ==<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
'''Event Signup:''' https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-march-2017-tickets-32070062420<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]<br />
[[File:Sopra.jpg|200px|left|Sopra Group]]<br />
<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75https://wiki.owasp.org/index.php?title=Scotland&diff=228162Scotland2017-03-30T20:52:52Z<p>Swright75: Minor formating</p>
<hr />
<div>{{Chapter Template|chaptername=Scotland|extra=The chapter leaders are [mailto:sean.wright@owasp.org Sean Wright] and [mailto:rob.jansson@owasp.org Rob Jansson].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}<br />
<br />
== Local News ==<br />
<br />
Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above)<br />
<br />
== Past Events ==<br />
<br />
=== Friday, 3 March 2017 ===<br />
Virtual event kicking off the year for the Scotland chapter.<br />
<br />
'''Time:''' 12:00<br />
<br />
'''Event Signup:''' https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-march-2017-tickets-32070062420<br />
<br />
The following talks will be given:<br />
<br />
==== Penetration testing: a beginners paradise. ====<br />
Ever wondered how to go from getting a certificate in penetration testing, or some tinkering in your spare time actually doing it as a full time job? Come and get answers as Andrew Scott (Head of Security Testing for an international bank) spills the beans. How did he get into testing, what other ways in are there? How do you sell yourself to prospective employers and make sure you are ready to do what they want to pay you for, not just what you want to do.<br />
<br />
==== CSRF - Imitation is The Best Form of Flattery ====<br />
Despite appearing at number 8 in the OWASP Top 10 list (2013 version), CSRF vulnerabilities are still prevalent in a multitude of applications. What is CSRF? And why is this the case? What can be done to mitigate it? Sean Wright (Lead Security Engineer at security MSP) will give you the details to those very questions and more.<br />
<br />
== Sponsors ==<br />
<br />
The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]<br />
[[File:Sopra.jpg|200px|left|Sopra Group]]<br />
<br />
[[Category:Chapters]]<br />
[[Category:United Kingdom]]<br />
[[Category:Europe]]</div>Swright75