OWASP Limerick Day 2013 - Revision history

Marian Ventuneac at 19:15, 3 November 2013

2013-11-03T19:15:37Z

Marian Ventuneac at 16:59, 3 November 2013

2013-11-03T16:59:37Z

Marian Ventuneac at 16:58, 3 November 2013

2013-11-03T16:58:10Z

Marian Ventuneac at 16:53, 3 November 2013

2013-11-03T16:53:17Z

Marian Ventuneac at 16:51, 3 November 2013

2013-11-03T16:51:07Z

Marian Ventuneac at 16:22, 3 November 2013

2013-11-03T16:22:16Z

Marian Ventuneac at 11:49, 29 October 2013

2013-10-29T11:49:34Z

Marian Ventuneac at 09:15, 29 October 2013

2013-10-29T09:15:44Z

Marian Ventuneac at 19:19, 28 October 2013

2013-10-28T19:19:33Z

Marian Ventuneac at 19:00, 28 October 2013

2013-10-28T19:00:24Z

@@ Line 126: / Line 126: @@
 | colspan="2" style="text-align: center;background: grey; color: white" | ''OWASP Limerick Chapter Raffle - Sponsored InfoSec Books and Gadgets''
 |-
-| 16:05 - 16:50 || [http://www.linkedin.com/in/mventuneac Marian Ventuneac]<br> Security Architect at Genworth Financial|| ''' Social Enterprise Software: Risks & Countermeasures'''   []<br><br>Social enterprise is reshaping the way employees communicate, work and collaborate for increased productivity. With all such benefits for the business, it could be easy to overlook the security risks. From exposure of confidential data and files, to the classic Cross-Site Scripting and Insecure Direct Object Reference issues, the lack of proper security controls could lead to serious data breaches. Unfortunately, social enterprise solutions are not immune to such risks.<br>
+| 16:05 - 16:50 || [http://www.linkedin.com/in/mventuneac Marian Ventuneac]<br> Security Architect at Genworth Financial|| ''' Social Enterprise Software: Risks & Countermeasures'''   [http://www.ventuneac.net/research-publications/MarianVentuneac_OWASPIreland-Limerick-Day_20131031_SocialEnterpriseSoftware.pdf Link]<br><br>Social enterprise is reshaping the way employees communicate, work and collaborate for increased productivity. With all such benefits for the business, it could be easy to overlook the security risks. From exposure of confidential data and files, to the classic Cross-Site Scripting and Insecure Direct Object Reference issues, the lack of proper security controls could lead to serious data breaches. Unfortunately, social enterprise solutions are not immune to such risks.<br>
 Marian will present various security risks identified for representative social enterprise solutions (from Salesforce, Blogtronix, Tibco , Yammer and Jive), while also providing recommendations on effective risks mitigation for adoption of social enterprise solutions.
 |-

@@ Line 96: / Line 96: @@
 | colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''
 |-
-| 09:00 - 09:20 || OWASP Limerick Organization || Welcome & OWASP Update
+| 09:00 - 09:20 || OWASP Limerick Organization || Welcome & OWASP Update    [https://www.owasp.org/images/8/84/OWASPIreland-Limerick-Day_20131031_Agenda.pdf Link]
 |-
 | 09:20 - 10:10 || [http://www.linkedin.com/in/gjoyce Gerard Joyce]<br>Director of Enterprise Risk Management at LinkResQ || ''' Managing Risks: An ISO 31000 Approach '''    [https://www.owasp.org/images/4/48/OWASPIreland-Limerick-Day_20131031_ManagingRisks-GerardJoyce.PDF Link]<br><br>In November 2009 ISO published the definitive guide to best practice in the management of risks: the ISO 31000 risk management standard.<br>

@@ Line 126: / Line 126: @@
 | colspan="2" style="text-align: center;background: grey; color: white" | ''OWASP Limerick Chapter Raffle - Sponsored InfoSec Books and Gadgets''
 |-
-| 16:05 - 16:50 || [http://www.linkedin.com/in/mventuneac Marian Ventuneac]<br> Security Architect at Genworth Financial|| ''' Social Enterprise Software: Risks & Countermeasures'''    Link: []<br><br>Social enterprise is reshaping the way employees communicate, work and collaborate for increased productivity. With all such benefits for the business, it could be easy to overlook the security risks. From exposure of confidential data and files, to the classic Cross-Site Scripting and Insecure Direct Object Reference issues, the lack of proper security controls could lead to serious data breaches. Unfortunately, social enterprise solutions are not immune to such risks.<br>
+| 16:05 - 16:50 || [http://www.linkedin.com/in/mventuneac Marian Ventuneac]<br> Security Architect at Genworth Financial|| ''' Social Enterprise Software: Risks & Countermeasures'''   []<br><br>Social enterprise is reshaping the way employees communicate, work and collaborate for increased productivity. With all such benefits for the business, it could be easy to overlook the security risks. From exposure of confidential data and files, to the classic Cross-Site Scripting and Insecure Direct Object Reference issues, the lack of proper security controls could lead to serious data breaches. Unfortunately, social enterprise solutions are not immune to such risks.<br>
 Marian will present various security risks identified for representative social enterprise solutions (from Salesforce, Blogtronix, Tibco , Yammer and Jive), while also providing recommendations on effective risks mitigation for adoption of social enterprise solutions.
 |-

@@ Line 98: / Line 98: @@
 | 09:00 - 09:20 || OWASP Limerick Organization || Welcome & OWASP Update
 |-
-| 09:20 - 10:10 || [http://www.linkedin.com/in/gjoyce Gerard Joyce]<br>Director of Enterprise Risk Management at LinkResQ || ''' Managing Risks: An ISO 31000 Approach '''    [https://www.owasp.org/index.php/File:OWASPIreland-Limerick-Day_20131031_ManagingRisks-GerardJoyce.PDF Link]<br><br>In November 2009 ISO published the definitive guide to best practice in the management of risks: the ISO 31000 risk management standard.<br>
+| 09:20 - 10:10 || [http://www.linkedin.com/in/gjoyce Gerard Joyce]<br>Director of Enterprise Risk Management at LinkResQ || ''' Managing Risks: An ISO 31000 Approach '''    [https://www.owasp.org/images/4/48/OWASPIreland-Limerick-Day_20131031_ManagingRisks-GerardJoyce.PDF Link]<br><br>In November 2009 ISO published the definitive guide to best practice in the management of risks: the ISO 31000 risk management standard.<br>
 ISO 31000 can be applied to any business and any activity. In this presentation Gerard Joyce will demonstrate how it can be applied in software development.
 |-
-| 10:10 - 11:00 || [http://www.linkedin.com/pub/oana-cornea/55/430/b10 Oana Cornea]<br>Security Analyst at Electronic Arts|| ''' iOS Penetration Testing Cheat Sheet '''   [https://www.owasp.org/index.php/File:OWASPIreland-Limerick-Day_20131031_iOSCheatSheet-OanaCornea.pdf Link]<br><br>This presentation will highlight the main iOS applications attack vectors, techniques and tools to perform a pentest and mechanisms that can be implemented to reduce application vulnerabilities. These will be presented in connection with the OWASP Top Ten Mobile Risks and will provide practical guidance on how to improve the security of mobile applications.
+| 10:10 - 11:00 || [http://www.linkedin.com/pub/oana-cornea/55/430/b10 Oana Cornea]<br>Security Analyst at Electronic Arts|| ''' iOS Penetration Testing Cheat Sheet '''   [https://www.owasp.org/images/d/d0/OWASPIreland-Limerick-Day_20131031_iOSCheatSheet-OanaCornea.pdf Link]<br><br>This presentation will highlight the main iOS applications attack vectors, techniques and tools to perform a pentest and mechanisms that can be implemented to reduce application vulnerabilities. These will be presented in connection with the OWASP Top Ten Mobile Risks and will provide practical guidance on how to improve the security of mobile applications.
 |-
 | 11:00 - 11:20
 | colspan="2" style="text-align: center;background: grey; color: white" | ''Tea/Coffee Break''
 |-
-| 11:20 - 12:10 || [http://ie.linkedin.com/pub/patrick-fitzgerald/4/911/529 Patrick Fitzgerald]<br>Security Consultant at Ward Solutions|| ''' Introduction to Metasploit '''   [https://www.owasp.org/index.php/File:OWASPIreland-Limerick-Day_20131031_Metasploit-PatrickFitzgerald.pdf Link]<br><br>Patrick will introduce Metasploit and demonstrate what the framework is capable of out-of-the-box.  The goal is to show both how useful the tool is for security professionals and how dangerous it can be in the wrong hands.
+| 11:20 - 12:10 || [http://ie.linkedin.com/pub/patrick-fitzgerald/4/911/529 Patrick Fitzgerald]<br>Security Consultant at Ward Solutions|| ''' Introduction to Metasploit '''   [https://www.owasp.org/images/7/73/OWASPIreland-Limerick-Day_20131031_Metasploit-PatrickFitzgerald.pdf Link]<br><br>Patrick will introduce Metasploit and demonstrate what the framework is capable of out-of-the-box.  The goal is to show both how useful the tool is for security professionals and how dangerous it can be in the wrong hands.
 |-
 | 12:10 - 13:00 || [http://www.linkedin.com/pub/simon-bennetts/13/57a/3b Simon Bennetts]<br>Security Automation Engineer at Mozilla || ''' OWASP ZAP - whats even newer '''    [http://www.slideshare.net/psiinon/owasp-2013-limerick Link]<br><br>The Zed Attack Proxy is one of the most popular OWASP projects, and has an enthusiastic developer community which encourages participation.<br>
@@ Line 116: / Line 116: @@
 | colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch Break''
 |-
-| 14:00 - 14:50 || [http://eg.linkedin.com/pub/ahmed-neil/38/590/73 Ahmed Neil]<br>Database Administrator at Mansoura University|| ''' Digital Forensics: What, Why and How'''   [https://www.owasp.org/index.php/File:OWASPIreland-Limerick-Day_20131031_DigitalForensics-AhmedNeil.pdf Link]<br><br>
+| 14:00 - 14:50 || [http://eg.linkedin.com/pub/ahmed-neil/38/590/73 Ahmed Neil]<br>Database Administrator at Mansoura University|| ''' Digital Forensics: What, Why and How'''   [https://www.owasp.org/images/7/71/OWASPIreland-Limerick-Day_20131031_DigitalForensics-AhmedNeil.pdf Link]<br><br>
 |-
 | 14:50 - 15:40 || [http://www.linkedin.com/in/mark4security Mark Goodwin]<br>Security Engineer at Mozilla || ''' An Introduction to Firefox OS Security '''    []<br><br>A look at Firefox OS, Mozilla's new mobile operating system, the proposed Open Web Applications standard and what these new technologies mean for application security specialists.

@@ Line 98: / Line 98: @@
 | 09:00 - 09:20 || OWASP Limerick Organization || Welcome & OWASP Update
 |-
-| 09:20 - 10:10 || [http://www.linkedin.com/in/gjoyce Gerard Joyce]<br>Director of Enterprise Risk Management at LinkResQ || ''' Managing Risks: An ISO 31000 Approach '''    Link: []<br><br>In November 2009 ISO published the definitive guide to best practice in the management of risks: the ISO 31000 risk management standard.<br>
+| 09:20 - 10:10 || [http://www.linkedin.com/in/gjoyce Gerard Joyce]<br>Director of Enterprise Risk Management at LinkResQ || ''' Managing Risks: An ISO 31000 Approach '''    [https://www.owasp.org/index.php/File:OWASPIreland-Limerick-Day_20131031_ManagingRisks-GerardJoyce.PDF Link]<br><br>In November 2009 ISO published the definitive guide to best practice in the management of risks: the ISO 31000 risk management standard.<br>
 ISO 31000 can be applied to any business and any activity. In this presentation Gerard Joyce will demonstrate how it can be applied in software development.
 |-
-| 10:10 - 11:00 || [http://www.linkedin.com/pub/oana-cornea/55/430/b10 Oana Cornea]<br>Security Analyst at Electronic Arts|| ''' iOS Penetration Testing Cheat Sheet '''   Link: []<br><br>This presentation will highlight the main iOS applications attack vectors, techniques and tools to perform a pentest and mechanisms that can be implemented to reduce application vulnerabilities. These will be presented in connection with the OWASP Top Ten Mobile Risks and will provide practical guidance on how to improve the security of mobile applications.
+| 10:10 - 11:00 || [http://www.linkedin.com/pub/oana-cornea/55/430/b10 Oana Cornea]<br>Security Analyst at Electronic Arts|| ''' iOS Penetration Testing Cheat Sheet '''   [https://www.owasp.org/index.php/File:OWASPIreland-Limerick-Day_20131031_iOSCheatSheet-OanaCornea.pdf Link]<br><br>This presentation will highlight the main iOS applications attack vectors, techniques and tools to perform a pentest and mechanisms that can be implemented to reduce application vulnerabilities. These will be presented in connection with the OWASP Top Ten Mobile Risks and will provide practical guidance on how to improve the security of mobile applications.
 |-
 | 11:00 - 11:20
 | colspan="2" style="text-align: center;background: grey; color: white" | ''Tea/Coffee Break''
 |-
-| 11:20 - 12:10 || [http://ie.linkedin.com/pub/patrick-fitzgerald/4/911/529 Patrick Fitzgerald]<br>Security Consultant at Ward Solutions|| ''' Introduction to Metasploit '''    Link: []<br><br>Patrick will introduce Metasploit and demonstrate what the framework is capable of out-of-the-box.  The goal is to show both how useful the tool is for security professionals and how dangerous it can be in the wrong hands.
+| 11:20 - 12:10 || [http://ie.linkedin.com/pub/patrick-fitzgerald/4/911/529 Patrick Fitzgerald]<br>Security Consultant at Ward Solutions|| ''' Introduction to Metasploit '''   [https://www.owasp.org/index.php/File:OWASPIreland-Limerick-Day_20131031_Metasploit-PatrickFitzgerald.pdf Link]<br><br>Patrick will introduce Metasploit and demonstrate what the framework is capable of out-of-the-box.  The goal is to show both how useful the tool is for security professionals and how dangerous it can be in the wrong hands.
 |-
 | 12:10 - 13:00 || [http://www.linkedin.com/pub/simon-bennetts/13/57a/3b Simon Bennetts]<br>Security Automation Engineer at Mozilla || ''' OWASP ZAP - whats even newer '''    [http://www.slideshare.net/psiinon/owasp-2013-limerick Link]<br><br>The Zed Attack Proxy is one of the most popular OWASP projects, and has an enthusiastic developer community which encourages participation.<br>
@@ Line 116: / Line 116: @@
 | colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch Break''
 |-
-| 14:00 - 14:50 || [http://eg.linkedin.com/pub/ahmed-neil/38/590/73 Ahmed Neil]<br>Database Administrator at Mansoura University|| ''' Digital Forensics: What, Why and How'''    Link: []<br><br>
+| 14:00 - 14:50 || [http://eg.linkedin.com/pub/ahmed-neil/38/590/73 Ahmed Neil]<br>Database Administrator at Mansoura University|| ''' Digital Forensics: What, Why and How'''   [https://www.owasp.org/index.php/File:OWASPIreland-Limerick-Day_20131031_DigitalForensics-AhmedNeil.pdf Link]<br><br>
 |-
-| 14:50 - 15:40 || [http://www.linkedin.com/in/mark4security Mark Goodwin]<br>Security Engineer at Mozilla || ''' An Introduction to Firefox OS Security '''    Link: []<br><br>A look at Firefox OS, Mozilla's new mobile operating system, the proposed Open Web Applications standard and what these new technologies mean for application security specialists.
+| 14:50 - 15:40 || [http://www.linkedin.com/in/mark4security Mark Goodwin]<br>Security Engineer at Mozilla || ''' An Introduction to Firefox OS Security '''    []<br><br>A look at Firefox OS, Mozilla's new mobile operating system, the proposed Open Web Applications standard and what these new technologies mean for application security specialists.
 |-
 | 15:40 - 16:00

@@ Line 107: / Line 107: @@
 | colspan="2" style="text-align: center;background: grey; color: white" | ''Tea/Coffee Break''
 |-
-| 11:20 - 12:10 || [http://ie.linkedin.com/pub/patrick-fitzgerald/4/911/529 Patrick Fitzgerald]<br>Security Consultant at Ward Solutions|| ''' Introduction to Metasploit ''' <br><br>
+| 11:20 - 12:10 || [http://ie.linkedin.com/pub/patrick-fitzgerald/4/911/529 Patrick Fitzgerald]<br>Security Consultant at Ward Solutions|| ''' Introduction to Metasploit ''' <br><br>Patrick will introduce Metasploit and demonstrate what the framework is capable of out-of-the-box.  The goal is to show both how useful the tool is for security professionals and how dangerous it can be in the wrong hands.
 |-
 | 12:10 - 13:00 || [http://www.linkedin.com/pub/simon-bennetts/13/57a/3b Simon Bennetts]<br>Security Automation Engineer at Mozilla || ''' OWASP ZAP - whats even newer ''' <br><br>The Zed Attack Proxy is one of the most popular OWASP projects, and has an enthusiastic developer community which encourages participation.<br>

@@ Line 121: / Line 121: @@
 |-
 | 15:40 - 16:00
-| colspan="2" style="text-align: center;background: grey; color: white" | 'Tea/Coffee Break''
+| colspan="2" style="text-align: center;background: grey; color: white" | ''Tea/Coffee Break''
 |-
-| 16:00 - 16:50 || TBD || ''' Title ''' <br>''Abstract:''
+| 16:00 - 16:05
 |-
-| 16:50 - 17:30 || [http://www.linkedin.com/in/angeloprado Angelo Prado]<br>Senior Manager, Product Security at Salesforce.com<br><br>[http://www.linkedin.com/in/yoelgluck Yoel Gluck]<br>Lead Product Security Engineer at Salesforce.com|| ''' SSL, gone in 30 seconds - a BREACH beyond CRIME ''' <br>In this hands-on talk, Angelo and Yoel will introduce new targeted techniques and research that allows an attacker to reliably retrieve encrypted secrets (session identifiers, CSRF tokens, OAuth tokens, email addresses, ViewState hidden fields, etc.) from an HTTPS channel. They will demonstrate this new browser vector is real and practical by executing a PoC against a major enterprise product in under 30 seconds. They will also describe the algorithm behind the attack, how the usage of basic statistical analysis can be applied to extract data from dynamic pages, as well as practical mitigations you can implement today. They will also describe the posture of different SaaS vendors vis-à-vis this attack while also presenting the BREACH tool.
+| 16:05 - 16:50 || [http://www.linkedin.com/in/mventuneac Marian Ventuneac]<br> Security Architect at Genworth Financial|| ''' Social Enterprise Software: Risks & Countermeasures''' <br><br>Social enterprise is reshaping the way employees communicate, work and collaborate for increased productivity. Furthermore, it facilitates enhanced collaboration with  partners and customers while building and strengthening business relationships. Relying on cloud-based ecosystems, hybrid or the classic on-premise solutions, adoption of social networks in the enterprise is on the rise.
 |}

@@ Line 86: / Line 86: @@
 (for details, check the {{#switchtablink:Venue|Venue}} tab)
 <br>
@@ Line 130: / Line 116: @@
 | colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch Break''
 |-
-| 14:00 - 14:50 || [http://eg.linkedin.com/pub/ahmed-neil/38/590/73 Ahmed Neil]<br>Database Administrator at Mansoura University|| ''' Digital Forensics: What, Why and How''' <br><br>''Abstract:''
+| 14:00 - 14:50 || [http://eg.linkedin.com/pub/ahmed-neil/38/590/73 Ahmed Neil]<br>Database Administrator at Mansoura University|| ''' Digital Forensics: What, Why and How''' <br><br>
 |-
 | 14:50 - 15:40 || [http://www.linkedin.com/in/mark4security Mark Goodwin]<br>Security Engineer at Mozilla || ''' An Introduction to Firefox OS Security ''' <br><br>A look at Firefox OS, Mozilla's new mobile operating system, the proposed Open Web Applications standard and what these new technologies mean for application security specialists.