This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Dublin"

From OWASP
(Removed PDF slides)
m (Dawnaitken moved page Ireland-Dublin to Dublin)
 
(18 intermediate revisions by 3 users not shown)
{{Chapter Template|chaptername=Ireland|extra= [[File:Owasp_logo_ireland_small.jpg]]| mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-ireland}} become a [http://www.owasp.org/index.php/Membership#Categories_of_Membership_.26_Supporters Member or Annual Chapter Sponsor(s)]. <br>
 
  
'''Becoming a chapter sponsor means that you get your organisation mentioned in meeting promotion (including on this page), recognition at the beginning of the meeting and promotional material at the meeting. <br>
+
[[File:Owasp_logo_ireland_small.jpg]]
We currently have the following sponsorship options available: <br>
 
€250 for an individual meeting sponsorship<br>
 
€1500 for annual chapter sponsorship<br>
 
Contact any of the board members below for more information. <br>'''
 
  
== OWASP Ireland Board  ==
+
{{Chapter Template|chaptername=Dublin|extra=The chapter leaders are [mailto:[email protected] Denise Murtagh Dunne], [mailto:[email protected] Brendan Gormley] and [mailto:[email protected] Tony Clarke]
 +
|meetupurl=https://www.meetup.com/OWASP-Dublin/|region=Europe}}
  
Should you have a question about the local chapter, would like to get more involved contact ANY of the following people below <br><br>
+
== Local News ==
  
*'''Chapter Lead''' [mailto:Owen.Pendlebury(at)owasp.org Owen Pendlebury] +353876605277<br>
+
Everyone is welcome to join us at our chapter meetings.
*'''Board Member''' [mailto:Mark.Denihan(at)owasp.org Mark Denihan]<br>
 
*'''Board Member''' [[User:EoinKeary|Eoin Keary]] <br>
 
*'''Board Member/ Global Board Member''' [mailto:fcerullo(at)owasp.org Fabio Cerullo] <br>
 
  
 
+
[[Category:OWASP Chapter]]
 
 
 
 
 
 
<br>'''OWASP Ireland'''<br>40 Block E, Smithfield Market Smithfield <br> Dublin 7, Ireland <br>Tel: +353876605277 <br><br>
 
 
 
== OWASP Dublin Chapter 2015 ==
 
=== OWASP July Event===
 
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
 
|-
 
| align="center" height="30" style="background:#CCCCEE;" colspan="2"      | '''
 
OWASP Dublin Chapter Event – Eoin Keary - Security Boot camp'''
 
|-
 
|-
 
|-
 
| style="width:20%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''When'''
 
| style="width:80%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''Where'''
 
|-
 
|-
 
| valign="middle" bgcolor="#EEEEEE" align="center" | ''' Thursday 16th July<br><br>''' Registration: 13:00 <br>Talks Start: 13:00 <br> Event finishes at 17:30
 
| valign="middle" bgcolor="#EEEEEE" align="left" | '''Venue Location: Morgan McKinley Dublin office <br>
 
Venue Address: Morgan McKinley, Connaught House, No.1 Burlington Road, Dublin 4 (off the canal, across from the Mespil Hotel. On the second floor.)'''<br>
 
Venue Map: [https://www.google.ie/maps/place/Connaught+House/@53.332691,-6.2473347,17z/data=!3m1!4b1!4m2!3m1!1s0x48670ebdacbb7d5f:0x5c32fa5458ed31b9 Google Maps] <br>
 
''(Registration Members. [https://myowasp.force.com/login Members register here])''
 
''(Registration Non-Members. [https://myowasp.force.com/MN4__PublicEventRegistration?id=a2oU0000000TZAOIA4 Non-Members register here])''
 
|-
 
|-
 
| valign="center" bgcolor="#CCCCEE" align="center" colspan="2"            | '''DESCRIPTION'''
 
|-
 
| valign="left" height="80" bgcolor="#EEEEEE" align="left" colspan="2" | Thanks to Morgan McKinley for sponsoring the event<br><br>
 
 
 
'''Security Boot Camp'''<BR>
 
'''Eoin Keary – CTO BCC Risk Advisory  '''<BR>
 
 
 
Eoin was on the international board of OWASP, the Open Web Application Security Project, from 2009 to 2015. During his time in OWASP he led the OWASP Testing and Security Code Review Guides and also contributed to OWASP SAMM, the OWASP CISO Guide and the OWASP Cheat Sheet Series.
 
 
 
Eoin is a well-known technical leader in industry in the area of software security and penetration testing, and has led global security engagements for some of the world's largest financial services and consumer products companies. He is the CTO and founder of BCC Risk Advisory, which delivers professional security services, and of edgescan.com, a managed, cloud-based SaaS web vulnerability service.
 
 
 
'''Abstract:''' <BR>
 
 
 
All - Please join us for a free security boot camp.....
 
 
 
OWASP is hosting a special FREE security boot camp for all OWASP members and local developers.
 
The training is recommended for developers who want to learn more about securing their code.
 
Presented by Eoin Keary, this intensive boot camp focuses on the most common web application security problems, including aspects of both the OWASP Top Ten and the MITRE Top 25.
 
The course will introduce and demonstrate application security techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code and understand fixes.
 
<br><br><br><br><br>
 
 
 
 
 
<BR>
 
Any questions please contact me on '''owen.pendlebury(at)owasp.org'''
 
<BR>
 
--
 
Owen Pendlebury<BR>
 
OWASP Ireland-Dublin Chapter Lead<BR>
 
 
 
 
 
|-
 
|}
 
=== OWASP June Event===
 
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
 
|-
 
| align="center" height="30" style="background:#CCCCEE;" colspan="2"      | '''
 
OWASP Dublin Chapter Event – Jason Flood (IBM) & Paul Mooney (Free Lance)'''
 
|-
 
|-
 
|-
 
| style="width:20%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''When'''
 
| style="width:80%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''Where'''
 
|-
 
|-
 
| valign="middle" bgcolor="#EEEEEE" align="center" | ''' Tuesday 16th June<br><br>''' Registration: 18:30 <br>Talks Start: 19:00 <br> Event finishes at 21:00
 
| valign="middle" bgcolor="#EEEEEE" align="left" | '''Venue Location Hilton Dublin<br>
 
Venue Address: Charlemount Place, Dublin 2 '''<br>
 
Venue Map: [https://www.google.ie/maps/place/Hilton+Dublin/@53.330893,-6.259998,15z/data=!4m2!3m1!1s0x0:0x5b92598f4735994e?sa=X&ved=0CIQBEPwSMAtqFQoTCMyG-cibhcYCFQaWLAodAFAAeg Google Maps] <br>
 
''(Registration. [https://www.eventbrite.com/e/owasp-june-event-hilton-dublin-jason-flood-paul-mooney-tickets-17318536208 register here])''
 
|-
 
|-
 
| valign="center" bgcolor="#CCCCEE" align="center" colspan="2"            | '''DESCRIPTION'''
 
|-
 
| valign="left" height="80" bgcolor="#EEEEEE" align="left" colspan="2" | Thanks to Morgan McKinley for sponsoring the event<br><br>
 
 
 
'''Understanding cyber gaps in the human'''<BR>
 
'''Jason Flood – Ethical Hacker IBM  '''<BR>
 
 
 
'''Abstract:''' <BR>
 
 
 
A Capture the Flag tournament, also known as a CTF, is a framework often found at conferences such as IRISS, OWASP, Blackhat and many more. For the last number of years, as part of my PhD research, I have been creating CTF frameworks that operate at local, national and international levels (some of you may have played them or at least seen them) and looking at the results.
 
 
 
These CTF events were built using a variety of architectures, network topologies and programming languages. The challenges they presented also varied both in complexity of exploit and potential organisational damage if exploited.
 
 
 
Today we see attack know-how and attacker tools being freely traded on the internet, enabling hackers and exposing organisations to an even greater communal risk. Arguably it can be said that every organisation, no matter the size, needs a business plan. If that business has an online footprint, then a part of that plan needs to focus on its own cyber risk profile.
 
 
 
Join us to explore how CTF applied methodologies can be used as part of business decisions around resource management, defensive technology solutions, defect management and other aspects of business activities that are associated with operating in a hostile environment such as the internet.
 
<br><br><br><br><br>
 
 
 
''' The Encrypted Token Pattern CSRF Defence'''<BR>
 
 
 
'''Paul Mooney – Freelance, Ryanair Labs, insidethecpu.com'''<BR>
 
 
 
I’m the creator of the Encrypted Token Pattern and ARMOR, its .NET implementation.
 
I specialise in taking apart problems, designing solutions, and providing those solutions as downloadable software frameworks, available under the MIT License.
 
I’m a Software Architect, happiest when designing solutions to problems from a conceptual point-of-view, while getting my hands dirty assembling the nuts and bolts. For that reason, I try to avoid titles; if I had to brand myself, I’m a Technology Consultant.
 
I’m most accomplished in C# in terms of language, however I’m also very proficient in JavaScript, Java, and Google Go.
 
I’m a software-development mentor, and enjoy guiding teams of engineers toward effective technology-driven solutions to real-world problems.
 
 
 
 
 
'''Abstract:''' <BR>
 
 
 
The Encrypted Token Pattern is a defence mechanism against Cross Site Request Forgery (CSRF) attacks, and is an alternative to its sister patterns, Synchroniser Token and Double Submit Cookie. This article discusses the merits and means of implementing this defence mechanism in web-based applications.



''Brief Description''<BR>

'''The Encrypted Token Pattern'''<BR>

The Encrypted Token Pattern leverages a single token, as opposed to dual tokens, and offers a more narrow scope of failure than alternative CSRF protection patterns. <BR>

'''Leveraging the Encrypted Token Pattern'''<BR>

The Advanced Resilient Mode of Recognition (ARMOR) is a C# implementation of the Encrypted Token Pattern, available on GitHub under the MIT license, that provides a means of protecting ASP.NET applications from CSRF attacks by leveraging the Encrypted Token Pattern. A Java equivalent of ARMOR is under construction and will be available soon. <BR>

'''ARMOR'''<BR>

ARMOR is a framework composed of interconnecting components exposed through custom web handlers. ARMOR is essentially an advanced encryption and hashing mechanism, leveraging the Rijndael encryption standard and SHA256 hashing by default.
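One way to implement the single-token design described in the abstract, added here as an illustration and not ARMOR's own code (ARMOR is C#; this is Go, and the token layout, key handling and the names TokenKeys, issueToken and validateToken are this example's own assumptions): the server encrypts (timestamp, nonce, user ID) with AES, the standardised Rijndael, and appends an HMAC-SHA256 tag, so the browser holds one opaque token that only the server can read or forge, and validation binds that token to the session user and to a time window.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// TokenKeys holds the two server-side secrets. They never reach the client;
// the client only ever sees an opaque ciphertext. (Names are this example's.)
type TokenKeys struct {
	EncKey []byte // 32 bytes: AES-256 (AES is the standardised Rijndael)
	MacKey []byte // HMAC-SHA256 key for the integrity tag
}

const tokenTTL = 30 * time.Minute

// Plaintext layout inside the token: 8-byte timestamp || 16-byte nonce || user ID.
const headerLen = 8 + 16

// issueToken encrypts (timestamp, nonce, userID) with AES-CTR under a fresh IV and
// appends HMAC-SHA256(IV || ciphertext): encrypt-then-MAC, so tampering is caught first.
func issueToken(k TokenKeys, userID string, now time.Time) (string, error) {
	plain := make([]byte, headerLen+len(userID))
	binary.BigEndian.PutUint64(plain[:8], uint64(now.Unix()))
	if _, err := rand.Read(plain[8:headerLen]); err != nil { // per-token nonce
		return "", err
	}
	copy(plain[headerLen:], userID)

	block, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return "", err
	}
	body := make([]byte, aes.BlockSize+len(plain)) // IV || ciphertext
	if _, err := rand.Read(body[:aes.BlockSize]); err != nil {
		return "", err
	}
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(body[aes.BlockSize:], plain)

	mac := hmac.New(sha256.New, k.MacKey)
	mac.Write(body)
	return base64.RawURLEncoding.EncodeToString(mac.Sum(body)), nil
}

// validateToken is the server-side check on a state-changing request: verify the tag,
// decrypt, then confirm the token is fresh and was issued to the session's user.
func validateToken(k TokenKeys, token, sessionUserID string, now time.Time) error {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return errors.New("csrf: token is not valid base64url")
	}
	if len(raw) < aes.BlockSize+headerLen+sha256.Size {
		return errors.New("csrf: token too short")
	}
	body, tag := raw[:len(raw)-sha256.Size], raw[len(raw)-sha256.Size:]
	mac := hmac.New(sha256.New, k.MacKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time comparison
		return errors.New("csrf: integrity check failed (tampered or foreign token)")
	}
	block, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return err
	}
	plain := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(plain, body[aes.BlockSize:])

	issued := time.Unix(int64(binary.BigEndian.Uint64(plain[:8])), 0)
	if issued.After(now) || now.Sub(issued) > tokenTTL {
		return errors.New("csrf: token expired")
	}
	if !bytes.Equal(plain[headerLen:], []byte(sessionUserID)) {
		return errors.New("csrf: token was issued to a different user")
	}
	return nil
}

func main() {
	// Constructed demo keys; a real deployment generates these with crypto/rand at startup.
	keys := TokenKeys{EncKey: bytes.Repeat([]byte{0x11}, 32), MacKey: bytes.Repeat([]byte{0x22}, 32)}
	now := time.Now()
	tok, err := issueToken(keys, "alice", now)
	if err != nil {
		panic(err)
	}
	fmt.Println("same user:  ", validateToken(keys, tok, "alice", now))
	fmt.Println("other user: ", validateToken(keys, tok, "mallory", now))
	fmt.Println("after TTL:  ", validateToken(keys, tok, "alice", now.Add(time.Hour)))
}
```

In a web application the token is written into a hidden form field or response header and validateToken runs on every state-changing request, with the user ID taken from the authenticated session rather than from the request.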
 
 
 
<BR>
 
Any questions please contact me on '''owen.pendlebury(at)owasp.org'''
 
<BR>
 
--
 
Owen Pendlebury<BR>
 
OWASP Ireland-Dublin Chapter Lead<BR>
 
 
 
 
 
|-
 
|}
 
=== OWASP March Event===
 
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
 
|-
 
| align="center" height="30" style="background:#CCCCEE;" colspan="2"      | '''
 
OWASP Dublin Chapter Event - Denim Group - Dan Cornell & John Dickson'''
 
|-
 
|-
 
|-
 
| style="width:20%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''When'''
 
| style="width:80%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''Where'''
 
|-
 
|-
 
| valign="middle" bgcolor="#EEEEEE" align="center" | ''' Thursday 26th March<br><br>''' Registration: 18:30 <br>Talks Start: 19:00 <br> Event finishes at 21:00
 
| valign="middle" bgcolor="#EEEEEE" align="left" | '''Venue Location: Morgan McKinley Dublin office <br>
 
Venue Address: Morgan McKinley, Connaught House, No.1 Burlington Road, Dublin 4 (off the canal, across from the Mespil Hotel. On the second floor.)'''<br>
 
Venue Map: [https://www.google.ie/maps/place/Connaught+House/@53.332691,-6.2473347,17z/data=!3m1!4b1!4m2!3m1!1s0x48670ebdacbb7d5f:0x5c32fa5458ed31b9 Google Maps] <br>
 
''(Registration. [https://www.eventbrite.com/e/owasp-dublin-chapter-event-denim-group-dan-cornell-john-dickson-tickets-16065539461 register here])''
 
|-
 
|-
 
| valign="center" bgcolor="#CCCCEE" align="center" colspan="2"            | '''DESCRIPTION'''
 
|-
 
| valign="left" height="80" bgcolor="#EEEEEE" align="left" colspan="2" | There will be networking throughout, with beer and pizza thanks to Morgan McKinley<br><br>
 
 
 
'''Managing Your Application Security Program with the ThreadFix Ecosystem'''<BR>
 
'''Dan Cornell – Denim Group - (https://www.linkedin.com/in/dancornell) '''<BR>
 
 
 
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. Cornell is an active member of the development community and a sought-after speaker on topics of web application security, speaking at international conferences including RSA Security Conference, OWASP AppSec USA and EU and Black Hat Arsenal.
 
 
 
'''Abstract:''' <BR>
 
 
 
ThreadFix is an open source application vulnerability management system that helps automate many common application security tasks and integrate security and development tools. This tutorial will walk through the capabilities of the ecosystem of ThreadFix applications, showing how ThreadFix can be used to:
* Manage a risk-ranked application portfolio
* Consolidate, normalize and de-duplicate the results of DAST, SAST, IAST and other application security testing activities, and track these results over time to produce trending and mean-time-to-fix reporting
* Convert application vulnerabilities into software defects in developer issue tracking systems
* Pre-seed DAST scanners such as OWASP ZAP with application attack surface data to allow for better scan coverage
* Instrument developer Continuous Integration (CI) systems such as Jenkins to automatically collect security test data
* Map the results of SAST and DAST scanning into developer IDEs
The presentation walks through these scenarios and demonstrates how ThreadFix, along with other open source tools, can be used to address common problems faced by teams implementing software security programs. It will also provide insight into the ThreadFix development roadmap and upcoming enhancements.<br><br><br><br><br>
 
 
 
''' AppSec Survey 2.0: Fine-Tuning an AppSec Training Program Based on Data'''<BR>
 
 
 
'''John Dickson – Denim Group''' (https://www.linkedin.com/pub/john-b-dickson-cissp/0/149/41a)<BR>
 
 
 
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years' hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSOs) of Fortune 500 companies and government organizations launch and expand their critical application security initiatives.
 
 
 
 
 
'''Abstract:''' <BR>
 
 
 
Measuring the effectiveness of any security activity is widely discussed – security leaders debate the topic with a religious fervor rivaling that of any other hot button issue. Virtually every organization has some sort of application security training effort, but data on training effectiveness remains scarce. Last year our research team delivered the first-ever survey that captured developer awareness of secure coding concepts and the impact of formal application security training on a developer’s ability to write secure code. We learned that most software developers were aware of certain application security concepts, yet when asked how to write more secure code, they fared poorly. This year’s 600-developer survey provides more quantitative data on what software developers understand about application security, both concepts and practices. It dives most deeply into awareness of defensive coding practices, which most developers largely did not grasp in the 2013 survey. It also separates respondents by roles, so we can better understand how architects, developers, and QA staff grasp key application security concepts and put them to work. It better captures how software developers learn in general, so one can tailor any security training effort to how software developers, in practice, actually learn. This information will provide data to application security managers responsible for corporate security training that should allow them to make more fact-based decisions about security training.
 
 
 
<BR>
 
Any questions please contact me on '''owen.pendlebury(at)owasp.org'''
 
<BR>
 
--
 
Owen Pendlebury<BR>
 
OWASP Ireland-Dublin Chapter Lead<BR>
 
 
 
 
 
|-
 
|}
 
 
 
== OWASP Dublin Chapter 2014 ==
 
 
 
=== OWASP December Event===
 
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
 
|-
 
| align="center" height="30" style="background:#CCCCEE;" colspan="2"      | '''Chapter Event – David Rook/ Mark Hillick - Riot Games'''
 
|-
 
|-
 
|-
 
| style="width:20%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''When'''
 
| style="width:80%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''Where'''
 
|-
 
|-
 
| valign="middle" bgcolor="#EEEEEE" align="center" | ''' Thursday 4th December<br><br>''' Registration: 18:30 <br>Talks Start: 19:00 <br> Event finishes at 21:00
 
| valign="middle" bgcolor="#EEEEEE" align="left" | '''Venue Location: Morgan McKinley Dublin office <br>
 
Venue Address: Morgan McKinley, Connaught House, No.1 Burlington Road, Dublin 4 (off the canal, across from the Mespil Hotel. On the second floor.)'''<br>
 
Venue Map: [https://www.google.ie/maps/place/Connaught+House/@53.332691,-6.2473347,17z/data=!3m1!4b1!4m2!3m1!1s0x48670ebdacbb7d5f:0x5c32fa5458ed31b9 Google Maps] <br>
 
''(Registration. [https://www.eventbrite.com/e/owasp-chapter-meeting-riot-games-tickets-14523051839 register here])''
 
|-
 
|-
 
| valign="center" bgcolor="#CCCCEE" align="center" colspan="2"            | '''DESCRIPTION'''
 
|-
 
| valign="left" height="80" bgcolor="#EEEEEE" align="left" colspan="2" | There will be networking throughout, and pizza thanks to Morgan McKinley<br><br>
 
 
 
'''Leveling up a global application security awareness program'''<BR>
 
'''David Rook - Riot Games - (http://ie.linkedin.com/pub/david-rook/3/41a/b1b) '''<BR>
 
 
 
David Rook is a Security Engineer focusing on Application Security at Riot Games in Dublin. David held various application security roles in the financial services industry from 2006 before moving into the computer games industry in early 2014. He has been a contributor to several OWASP projects including the Code Review Guide and the Cryptographic Storage Cheat Sheet. He has presented at leading information security conferences including DEF CON, BlackHat USA and RSA Europe. In addition to his work with OWASP, David created a security resource website and blog called Security Ninja.
 
 
David strives to practice what he preaches and has backed up his work experience by developing two open source security code review tools called Agnitio and the Windows Phone App Analyser.
 
 
 
'''Abstract:''' <BR>
 
 
 
The talk will focus on Riot application security awareness and knowledge sharing in a global company. I will talk about the application security awareness efforts we've implemented this year to bring application security knowledge to software engineers worldwide. These awareness efforts were designed to educate and support engineers around the world who work on high profile web properties and one of the world's most popular computer games.
 
 
 
I will explain how we've used a combination of traditional and innovative approaches to levelling up our software engineers' security knowledge.<BR><BR>
 
 
 
'''Slides''' [https://drive.google.com/file/d/0B_v8QOnVBRmxelBjWW4xQURMeWs/view?usp=sharing David Rook Slides]<br><br><br><br><br>
 
 
 
''' Security and how it affects Users and Rioters '''<BR>
 
 
 
'''Mark Hillick – Security Dude @ Riot Games'''<BR>
 
 
 
Mark is a founder of HackEire, a founding member of IrissCert, the first person in Ireland to achieve the GIAC GSE, and has been stoking a passion for security for 14 years.
 
 
Mark leads the InfoSec team for Riot Games in Europe and is Product Owner of the Security Engineering vertical. Currently he's focused on building a team, engineering cool solutions, levelling up the security program, finding the cloud, dealing with DDoS, and trying to earn Silver next year by himself.
 
 
 
'''Abstract:''' <BR>
 
 
 
 
 
 
Mark will be discussing his last 18 months at Riot and the increase in attention to security from both a player and Rioter perspective.<BR><BR><BR>
 
 
 
'''Slides''' [https://drive.google.com/file/d/0B_v8QOnVBRmxcGZrRFJycDc2UDQ/view?usp=sharing Mark Hillick Slides]
 
 
 
<BR>
 
Any questions please contact me on '''owen.pendlebury(at)owasp.org'''
 
<BR>
 
--
 
Owen Pendlebury<BR>
 
OWASP Ireland-Dublin Chapter Lead<BR>
 
 
 
 
 
|-
 
|}
 
 
 
 
 
=== OWASP August Event===
 
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
 
|-
 
| align="center" height="30" style="background:#CCCCEE;" colspan="2"      | '''Chapter Event – Mobile Security'''
 
|-
 
|-
 
|-
 
| style="width:20%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''When'''
 
| style="width:80%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''Where'''
 
|-
 
|-
 
| valign="middle" bgcolor="#EEEEEE" align="center" | ''' Saturday 30th August<br><br>''' Registration: 09:30am <br>Talks Start: 10:00am <br> Event finishes at 6:00pm
 
| valign="middle" bgcolor="#EEEEEE" align="left" | '''Venue Location: Morgan McKinley Dublin office <br>
 
Venue Address: Morgan McKinley, Connaught House, No.1 Burlington Road, Dublin 4 (off the canal, across from the Mespil Hotel. On the second floor.)'''<br>
 
Venue Map: [https://www.google.ie/maps/place/Connaught+House/@53.332691,-6.2473347,17z/data=!3m1!4b1!4m2!3m1!1s0x48670ebdacbb7d5f:0x5c32fa5458ed31b9 Google Maps] <br>
 
''(Registration. [https://www.eventbrite.com/e/owasp-mobile-security-day-30th-august-tickets-12685176705 Register here])''
 
|-
 
|-
 
| valign="center" bgcolor="#CCCCEE" align="center" colspan="2"            | '''DESCRIPTION'''
 
|-
 
| valign="left" height="80" bgcolor="#EEEEEE" align="left" colspan="2" | There will be networking throughout,and pizza thanks to BCC Risk Advisory (http://www.bccriskadvisory.com/) /edgescan (https://www.edgescan.com/)<br><br>
 
 
 
'''“Waving not Drowning” – Secure Mobile Development.'''<BR>
 
'''Eoin Keary - BCC Risk Advisory - (http://ie.linkedin.com/in/eoinkeary) '''<BR>
 
 
 
OWASP board member since 2009. Elected to the position of global Vice Chair, September 2011. A long-time member of OWASP. Based in Dublin and director of BCC Risk Advisory Ltd. Eoin Keary has been with OWASP since 2004. He is based in Ireland and runs a software security practice, bccriskadvisory.com. He is currently on the global board of the OWASP Foundation, to which he was elected in 2009. During this time Eoin assisted in founding the OWASP legal entity in Europe and has helped provide structure to OWASP's finances and strategy.<BR>
 
 
 
'''Abstract:''' <BR>
 
 
 
In this talk Eoin shall discuss aspects of securing mobile apps from a source code standpoint. He shall discuss common pitfalls associated with developing secure applications, why such issues are important, and "war stories" relating to real-world mobile app [in]security.
 
 
 
This talk is suited to anyone involved in developing, managing development or testing mobile applications for security and robustness.
 
<BR><BR>
 
 
 
''' Android rooting detection: how and why? '''<BR>
 
 
 
'''Giuliano Fasto – Espion – (http://uk.linkedin.com/in/giulianofasto) '''<BR>
 
 
 
Giuliano Fasto is a Security Consultant with more than six years of experience in the IT Security field.  He has worked as a Security Consultant and Penetration Tester for well-respected security companies in Italy, the UK and Ireland.  His academic background includes a BSc in IT Security and an MSc in Information Security and Audit. While he has a wide-ranging experience in penetration testing various systems and technologies, in recent years he has specialised in mobile application security testing, particularly on Android and iOS platforms.  He is currently the lead mobile application tester at Espion.
 
 
'''Abstract:''' <BR>
 
 
 
The presentation focuses on one of the major security aspects of Android applications: rooting detection techniques. Many apps, including Mobile Device Management (MDM) agents, implement this check in different ways. The aim of the talk is to explore the effectiveness of these checks, with practical examples, and explain the impact, in terms of security, of this control being bypassed or not implemented.
 
 
 
A short demo will show the effects of having root permissions on an application when the application thinks you don't.<BR><BR><BR>
 
 
 
''' Bazuc - A talk about new types of attacks and vulnerabilities being exploited  '''<BR>
 
 
 
'''Cathal McDaid – AdaptiveMobile - (http://ie.linkedin.com/pub/cathal-mc-daid/3/5b2/b77) '''<BR>
 
 
 
Cathal Mc Daid is Head of Data Intelligence & Analytics at AdaptiveMobile, and is responsible for a team dedicated to analysing and uncovering new threats to mobile operators and subscribers, using advanced ‘big data’ techniques. Cathal has 14 years' experience in telecoms and wireless. Currently he is also Chairman of the GSMA’s Mobile Malware Group, which coordinates the world's response to mobile malware. His academic background includes a BEng in Computer Engineering from UL and an Executive MBA from INSEAD.
 
 
 
'''Abstract:''' <BR>
 
 
 
Recent discussions and news about mobile malware primarily talk about new types of attacks and vulnerabilities being exploited. However, what do you do when a user knowingly infects his handset for monetary gain? In this presentation we will discuss a new type of mobile bad-ware that promised and delivered the user money in exchange for renting out his mobile device for unknown purposes. We discuss the app profile, tactics and impacts - on the users, on the network and on the stock market. <BR><BR>
 
 
 
 
 
 
 
''' OWASP Security Shepherd project '''<BR>
 
 
 
'''Mark Denihan & Sean Duggan – IBM (http://ie.linkedin.com/in/markdenihan , http://ie.linkedin.com/in/seankduggan )'''<BR>
 
 
 
Mark is currently working on the IBM Ethical Hacking Team, sits on the OWASP Dublin Board and is the founder of the OWASP Security Shepherd Project. He got his MSc in Information Security and Digital Forensics at ITB and a BSc in Computing at DIT. He also suffers from a love of caffeine and deep paranoia thanks to his extreme security enthusiasm.
 
 
 
Sean has a BSc in Computing from Dublin Institute of Technology and is currently working at IBM, with a passion for Android app security and development. He developed an interest in mobile application security after reading about the OWASP Mobile Top Ten Risks in 2012 and has since been keeping up to date with mobile app issues. Sean leads the development of the mobile components in the OWASP Security Shepherd project.
 
 
 
'''Abstract:''' <BR>
 
 
 
The OWASP Security Shepherd project has been designed and implemented with the aim of fostering and improving security awareness among a varied skill-set demographic.
 
 
 
Security Shepherd covers the OWASP Top Ten web app risks and has recently been injected with totally new content to cover the OWASP Top Ten Mobile risks as well. Many of these levels include insufficient mitigations and protections to these risks, such as blacklist filters, atrocious encoding schemes, barbaric security mechanisms and poor security configuration.
 
 
 
The modules have been crafted to provide a challenge not only for a security novice, but for security professionals as well. We're going to speak about the platform itself and what it offers someone wishing to teach or learn about mobile and web application security, such as the project’s anti-plagiarism mechanisms or its flexible approach to presenting its users with lessons and resources.<BR><BR><BR>
 
 
 
 
 
''' CTF'''<BR>
 
 
 
CTF using the above OWASP Security Shepherd project. <BR>
 
<BR>
 
''Please bring a laptop with Zed Attack Proxy/ Burp installed''
 
 
 
 
 
 
 
'''Format for the day will be '''<BR>
 
 
 
9:30-10:00 -- Registration/ Networking<BR>

10:00-11:00 -- Speaker 1 (50-55 min talk)<BR>

11:00-12:00 -- Speaker 2 (50-55 min talk)<BR>

12:00-1:00 -- Speaker 3 (50-55 min talk)<BR>

1:00-1:50 -- Lunch<BR>

2:00-6:00 -- Mobile Shepherd talk leading into CTF. '''Please bring a laptop with Zed Attack Proxy/ Burp installed''' <BR>
 
<BR>
 
Any questions please contact me on '''owen.pendlebury(at)owasp.org'''
 
<BR>
 
--
 
Owen Pendlebury<BR>
 
OWASP Ireland-Dublin Chapter Lead<BR>
 
 
 
 
 
|-
 
|}
 
 
 
=== OWASP May Event (2)===
 
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
 
|-
 
| align="center" height="30" style="background:#CCCCEE;" colspan="2"      | '''Chapter Event - Matt Johansen Sr. Manager for the Threat Research Center at WhiteHat Security'''
 
|-
 
|-
 
|-
 
| style="width:20%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''When'''
 
| style="width:80%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''Where'''
 
|-
 
|-
 
| valign="middle" bgcolor="#EEEEEE" align="center" | ''' Thursday 22nd May<br><br>''' Registration: 18:30 <br>Talk: 19:00
 
| valign="middle" bgcolor="#EEEEEE" align="left" | '''Venue Location: Morgan McKinley Dublin office <br>
 
Venue Address: Morgan McKinley, Connaught House, No.1 Burlington Road, Dublin 4 (off the canal, across from the Mespil Hotel. On the second floor.)'''<br>
 
Venue Map: [https://www.google.ie/maps/place/Connaught+House/@53.332691,-6.2473347,17z/data=!3m1!4b1!4m2!3m1!1s0x48670ebdacbb7d5f:0x5c32fa5458ed31b9 Google Maps] <br>
 
''(Registration. [https://www.eventbrite.ie/e/owasp-chapter-meeting-may-tickets-11644682559 Register here])''
 
|-
 
|-
 
| valign="center" bgcolor="#CCCCEE" align="center" colspan="2"            | '''DESCRIPTION'''
 
|-
 
| valign="left" height="80" bgcolor="#EEEEEE" align="left" colspan="2" | There will be networking afterwards, with beer and pizza thanks to WhiteHat Security - https://www.whitehatsec.com/ <br>
 
 
 
'''"Top 10 Web Hacks of 2013"'''
 
 
 
'''Matt Johansen Sr. Manager for the Threat Research Center at WhiteHat Security'''
 
 
 
Matt Johansen is a Sr. Manager for the Threat Research Center at WhiteHat Security where he manages a team of Application Security Specialists, Engineers and Supervisors to prevent website security attacks and protect companies' and their customers' data. Before this he was an Application Security Engineer where he oversaw and assessed more than 35,000 web applications that WhiteHat has under contract for many Fortune 500 companies across a range of technologies.
 
 
He was previously a security consultant for VerSprite, where he was responsible for performing network and web application penetration tests. Mr. Johansen is also an instructor of Web Application Security at Adelphi University, where he received his Bachelor of Science in Computer Science, and San Jose State University. He has also been utilized by the SANS Institute as an industry expert for certification review.
 
 
List of past talks including videos/slides - http://mattjay.github.io/talks/ (BlackHat, DEFCON, RSA, SXSW, many BSides, etc.)
 
 
 
Abstract:
 
 
 
Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack. Now in its eighth year, the Top 10 Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work.
 
 
In this talk, we will do a technical deep dive and take you through the Top 10 Web Hacks of 2013 as picked by an expert panel of judges.
 
 
This year’s winners are:
 
 
 
1 - Mario Heiderich – Mutation XSS<br>
 
2 - Angelo Prado, Neal Harris, Yoel Gluck – BREACH<br>
 
3 - Pixel Perfect Timing Attacks with HTML5<br>
 
4 - Lucky 13 Attack<br>
 
5 - Weaknesses in RC4<br>
 
6 - Timur Yunusov and Alexey Osipov – XML Out of Band Data Retrieval<br>
 
7 - Million Browser Botnet<br>
 
8 - Large Scale Detection of DOM based XSS<br>
 
9 - Tor Hidden-Service Passive De-Cloaking<br>
 
10 - HTML5 Hard Disk Filler™ API<br>
 
 
 
[[File:Top10WebHacksOf2013FINAL.pptx|200px|thumb|left|Matt Johansen Sr. Manager for the Threat Research Center at WhiteHat Security]]
 
 
 
|-
 
|}
 
 
 
=== OWASP May Event (1)===
 
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
 
|-
 
| align="center" height="30" style="background:#CCCCEE;" colspan="2"      | '''Chapter Event - Eoin Keary of BCC Risk Advisory and Matej Saksida of Realex'''
 
|-
 
|-
 
|-
 
| style="width:20%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''When'''
 
| style="width:80%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''Where'''
 
|-
 
|-
 
| valign="middle" bgcolor="#EEEEEE" align="center" | ''' Thursday 1st May<br><br>''' Registration: 18:30 <br>Talk: 19:00
 
| valign="middle" bgcolor="#EEEEEE" align="left" | '''Venue Location: TCube<br>
 
Venue Address: 32 - 34 Castle Street, Dublin 2, Ireland'''<br>
 
Venue Map: [https://maps.google.ie/maps?q=32+-+34+Castle+Street,+Dublin+2,+Ireland&hl=en&ll=53.343391,-6.269084&spn=0.004977,0.013679&sll=53.343392,-6.269086&sspn=0.009954,0.027359&hnear=34+Castle+St,+Dublin+2,+County+Dublin&t=m&z=17 Google Maps] <br>
 
''(Registration. [https://www.eventbrite.ie/e/owasp-chapter-meeting-may-tickets-11354041243 Register here])''
 
|-
 
|-
 
| valign="center" bgcolor="#CCCCEE" align="center" colspan="2"            | '''DESCRIPTION'''
 
|-
 
| valign="left" height="80" bgcolor="#EEEEEE" align="left" colspan="2" | There will be networking afterwards, with beer and pizza thanks to BCC Risk Advisory (http://www.bccriskadvisory.com/) <br>
 
 
 
'''Talk 1: *"Top 10 defensive Java developer controls"*'''
 
 
 
'''Eoin Keary - BCC Risk Advisory - (http://ie.linkedin.com/in/eoinkeary)'''
 
 
 
OWASP board member since 2009. Elected to the position of global Vice Chair in September 2011. A long-time member of OWASP. Based in Dublin and director of BCC Risk Advisory Ltd.

Eoin Keary has been with OWASP since 2004. He is based in Ireland and runs a software security practice, bccriskadvisory.com. He is currently on the global board of the OWASP Foundation, to which he was elected in 2009. During this time Eoin assisted in founding the OWASP legal entity in Europe and has helped provide structure to OWASP's finances and strategy.
 
 
 
Abstract:
 
 
 
In this talk Eoin shall go through a list of developer controls that help prevent common security vulnerabilities such as those covered in the OWASP Top 10 2013. From input validation to contextual output encoding to crypto-secure storage, Eoin shall call out what developers can do to help mitigate such issues. Many of the mitigations are simple and use established APIs, so that developers need not be security experts and can just use core components to help improve their security posture.
 
 
 
 
 
 
 
 
 
 
'''Talk 2: *"Social Engineering - The Art of Human Hacking".*'''
 
 
 
'''Matej Saksida - Realex Payments - (http://ie.linkedin.com/pub/matej-saksida-cism/20/412/176)'''
 
 
 
Abstract:
 
 
 
Nowadays, if you want to hack a corporation or damage a personal "enemy" fast, social engineering techniques work every time, and more often than not they work the first time. In this talk Matej shall go through what social engineering is, the types of social engineering and the related threats.

Matej shall call out a practical example of how Facebook can be used to ruin someone's life and what countermeasures can be used against social engineering attacks.
 
 
 
 
 
 
 
|-
 
|}
 
 
 
=== OWASP March Event ===
 
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
 
|-
 
| align="center" height="30" style="background:#CCCCEE;" colspan="2"      | '''Chapter Event - Rahim Jina of BCC Risk Advisory and Stephen Scott of Espion'''
 
|-
 
|-
 
|-
 
| style="width:20%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''When'''
 
| style="width:80%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''Where'''
 
|-
 
|-
 
| valign="middle" bgcolor="#EEEEEE" align="center" | ''' Thursday 13th March<br><br>''' Registration: 18:30 <br>Talk: 19:00
 
| valign="middle" bgcolor="#EEEEEE" align="left" | '''Venue Location: TCube<br>
 
Venue Address: 32 - 34 Castle Street, Dublin 2, Ireland'''<br>
 
Venue Map: [https://maps.google.ie/maps?q=32+-+34+Castle+Street,+Dublin+2,+Ireland&hl=en&ll=53.343391,-6.269084&spn=0.004977,0.013679&sll=53.343392,-6.269086&sspn=0.009954,0.027359&hnear=34+Castle+St,+Dublin+2,+County+Dublin&t=m&z=17 Google Maps] <br>
 
''(Registration. [https://www.eventbrite.ie/e/owasp-chapter-meeting-tickets-10802455435 Register here])''
 
|-
 
|-
 
| valign="center" bgcolor="#CCCCEE" align="center" colspan="2"            | '''DESCRIPTION'''
 
|-
 
| valign="left" height="80" bgcolor="#EEEEEE" align="left" colspan="2" | There will be networking afterwards, with beer and pizza thanks to Espion (http://www.espiongroup.com/)
 
 
 
Talk 1: Building a shield of security - Vulnerability Management by the numbers and dumb robots!
 
 
 
Rahim Jina - BCC Risk Advisory
 
 
 
Rahim has been an active member of OWASP since 2008, has contributed to many projects such as the OWASP Security Code Review Guide and is an ex-board member of the Irish Chapter. Previously Rahim was a senior security consultant at a “big 4” professional services firm and, more recently, the head of security for Fonality Inc, a VoIP service provider based in Los Angeles. Rahim is currently a director for BCC Risk Advisory (bccriskadvisory.com), based in Dublin, Ireland. He is also responsible for the security architecture of the edgescan.com vulnerability management solution.
 
 
 
Abstract:
 
 
 
This presentation discusses how builders, breakers and defenders should look at vulnerability management when attempting to keep hackers at bay. We discuss the most common vulnerabilities which are not detected by security tools or automation but are nevertheless common and can be used to commit real fraud resulting in financial loss. We will see that Web Application Firewalls are ineffective against such attacks and why the only practical solution is to apply a layered approach across all aspects of the SDLC.
 
 
 
 
 
 
Talk 2: "PCI's Changing Environment - What You Need to Know & Why You Need To Know It".
 
 
 
Stephen Scott - Senior Consultant and PCI QSA in Espion's Information Government practice
 
 
 
Stephen Scott, Consultancy Team Lead in Espion, is an experienced information security, risk and compliance consultant whose experience spans many different areas including PCI DSS, information security, risk management, group internal audit, IT service management and regulatory compliance. Stephen has extensive experience with information security, internal control testing, compliance programmes, information risk management, and process improvement. Stephen has worked across a wide range of industry verticals, including financial, industrial and insurance.
 
 
 
Abstract:
 
 
 
PCI DSS – The Payment Card Industry Data Security Standard sets common requirements for securing payment card information (credit, debit, some gift cards), and lays out a range of controls relating to auditing, scanning and assessment.
 
 
 
This presentation discusses the ever evolving PCI environment, specifically focusing on the changes in the recent release of version 3 of the PCI DSS standard.  Stephen will start off by giving a brief background to PCI, including motivators for merchant and service providers to adhere to the standard.  In addition to this, the presentation will highlight what security considerations are relevant to application and information security practitioners.
 
 
 
 
 
 
 
 
 
|-
 
|}
 
 
 
 
 
== OWASP Ireland 2013 Agenda ==
 
 
 
=== OWASP July Event ===
 
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
 
|-
 
| align="center" height="30" style="background:#CCCCEE;" colspan="2"      | '''Chapter Event - Jeremiah Grossman - Another Year in Web Security'''
 
|-
 
|-
 
|-
 
| style="width:20%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''When'''
 
| style="width:80%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''Where'''
 
|-
 
|-
 
| valign="middle" bgcolor="#EEEEEE" align="center" | ''' Thursday 4th July<br><br>''' Registration: 17:30 <br>Talk: 18:00
 
| valign="middle" bgcolor="#EEEEEE" align="left" | '''Venue Location: TCube<br>
 
Venue Address: 32 - 34 Castle Street, Dublin 2, Ireland'''<br>
 
Venue Map: [https://maps.google.ie/maps?q=32+-+34+Castle+Street,+Dublin+2,+Ireland&hl=en&ll=53.343391,-6.269084&spn=0.004977,0.013679&sll=53.343392,-6.269086&sspn=0.009954,0.027359&hnear=34+Castle+St,+Dublin+2,+County+Dublin&t=m&z=17 Google Maps] <br>
 
''(Registration. [http://www.eventbrite.com/event/7127672059 Register here])''
 
|-
 
|-
 
| valign="center" bgcolor="#CCCCEE" align="center" colspan="2"            | '''DESCRIPTION'''
 
|-
 
| valign="left" height="80" bgcolor="#EEEEEE" align="left" colspan="2" | Jeremiah Grossman of WhiteHat Security will be in Dublin and will be talking at our next chapter event. His talk "Another Year In Web Security: What did 2012 teach us about survival in the coming years?" promises a great insight into the future of web security.
 
 
 
Jeremiah Grossman, founder and CTO of WhiteHat Security, is a world-renowned expert in web application security and a founding member of the Web Application Security Consortium (WASC). At WhiteHat, Mr. Grossman is responsible for web application security R&D and industry evangelism. He is a frequent speaker at industry events including the BlackHat Briefings, ISACA's Networks Security Conference, NASA, ISSA and Defcon.
 
 
 
A trusted media resource, Mr. Grossman has been featured in USA Today, the Washington Post, Information Week, NBC Nightly News, and many others. Mr. Grossman is also a featured expert and frequent contributor on TechTarget's SearchAppSecurity.com.
 
|-
 
|}
 
 
 
=== OWASP June Event ===
 
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
 
|-
 
| align="center" height="30" style="background:#CCCCEE;" colspan="2"      | '''CONFERENCE AND TRAINING'''
 
|-
 
| align="center" style="background:#EEEEEE;" colspan="2"                  |
 
== '''OWASP Europe Tour - Dublin 2013''' ==
 
'''Tuesday 25th June''' ''(Training. [https://www.owasp.org/index.php/EUTour2013#Training Info about the training session])'' <br>'''Wednesday 26th June''' ''(Conference. [https://www.owasp.org/index.php/EUTour2013#Dublin Info and registration link for the conference])''
 
|-
 
| valign="center" bgcolor="#CCCCEE" align="center" colspan="2"            | '''DESCRIPTION'''
 
|-
 
| valign="left" height="80" bgcolor="#EEEEEE" align="left" colspan="2" | '''OWASP Europe TOUR,''' is an event across the European region that promotes  awareness about application security, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
 
 
 
*Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document & Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle.
 
 
 
* This event aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them.
 
|-
 
|}
 
 
 
=== OWASP May Event ===
 
 
 
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
 
|-
 
| align="center" height="30" style="background:#CCCCEE;" colspan="2"      | '''TRAINING & TALKS'''
 
|-
 
| align="center" style="background:#EEEEEE;" colspan="2"                  |
 
== '''OWASP Dublin - Realex Payments Application Security Workshop''' ==
 
'''Thursday 30th May'''<br> ''('''Training'''. 1:30pm - 5:00pm)'' <br>''('''Talks'''. 6:00pm - 8:00pm)''<br>[http://www.eventbrite.com/event/6665658163/eorg Click here for more information]
 
|-
 
| valign="center" bgcolor="#CCCCEE" align="center" colspan="2"            | '''DESCRIPTION'''
 
|-
 
| valign="left" height="80" bgcolor="#EEEEEE" align="left" colspan="2" | '''Training'''
 
 
 
Eoin Keary will be delivering free application security training between 2pm and 5pm on the 30th May. Eoin was the founder of OWASP Ireland and is currently the global vice chair for OWASP (amongst many other things!  https://www.owasp.org/index.php/Eoin_Keary). He has delivered application security training to many developers and security professionals around the world and recently delivered a training course to over 400 people at the RSA Conference.
 
 
 
The training will focus on secure application development and why we can't hack ourselves secure. It will cover why penetration testing on its own does not work, approaches to improvement including "knowing what you don't know", and how to measure change.
 
 
 
It will be technical training covering XSS eradication, client side security and browser DOM curiosities.
 
 
 
'''Talks'''
 
 
 
The talks will be starting at 6pm in our office and OWASP have arranged two very interesting talks! Diarmaid McManus https://twitter.com/elephant_rb from Realex Payments will be expanding his award winning SecurityBSides London Rookie Track talk https://www.securityninja.co.uk/application-security/securitybsides-london-esp-security-plugin/ to include more details about static analysis approaches and his research and development work on ESP: Security Plugin https://github.com/diarmaid-mcmanus/ESPSecurityPlugin.
 
 
 
Hugh Pearse https://twitter.com/hughpearse will be talking about Low Level Exploits and this looks like it will be a great talk:
 
 
 
“In 2010 Mr Haroon Meer from thinkst.com presented a timeline of memory corruption vulnerabilities and their mitigation techniques dating from 1985 to 2010. In his 35 page publication he referenced almost 150 events in low level information security history. The scope of the presentation "Low Level Exploits" is to explain in detail some of the most significant attacks from Haroon Meer's research. The attacks covered in this presentation include buffer overflows on the stack, heap overflows, integer overflows, format strings, null pointers and ROP chains. This brings us to exploits in the present day, where researchers are looking for the successor of the buffer overflow attack, the next big exploit.”
 
|-
 
|}
 
 
 
 
 
 
 
== OWASP Ireland 2011 Agenda ==
 
 
 
=== [[Ireland/Training/OWASP projects and resources you can use TODAY]] ===
 
 
 
[[Image:Owasp logo Ireland Training 11 March 2010.gif]]
 
 
 
*'''Overview & Goal'''
 
**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document & Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle.
 
**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them.
 
**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered.
 
**If you are interested in participating in the hands on portion of the course, please bring a laptop.
 
*'''Dates'''
 
**11 March 2011
 
*'''Course Main Content and Registration'''
 
**[[Ireland/Training/OWASP projects and resources you can use TODAY|Click here]]
 
 
 
== OWASP Ireland 2010  ==
 
 
 
[[Image:Dublin2010.gif]]
 
 
 
Click [[OWASP IRELAND 2010]] for more information <br><br>
 
 
 
== OWASP Ireland 2010 Agenda  ==
 
 
 
<br>
 
 
 
==== AUG 2010  ====
 
== OWASP August Event ==
 
 
 
'''When:''' 11/8/2010 6:00pm - 8:00pm <br>
 
 
 
'''Where:''' Ernst &amp; Young, Harcourt Street, Dublin 2, Opposite the Odeon Pub, Dublin, Ireland
 
 
 
'''Sponsors:''' [[Image:Ey logo.gif]]
 
<br>
 
'''Title:''' OWASP ESAPI Swingset: Introduction & Demo by Cathal Courtney
 
<br>
 
'''Abstract:''' The ESAPI Swingset is a web application which demonstrates common security vulnerabilities and asks users to secure the application against these vulnerabilities using the ESAPI library. The application is intended for Java developers. The goal of the application is to teach developers about the functionality of the ESAPI library and give users a practical understanding of how it can be used to protect web applications against common security vulnerabilities. During the talk, Cathal will demonstrate how to install and use ESAPI Swingset in your organization. A copy of the latest version will also be provided to the attendees.
 
<br>
 
'''Presenter:''' Cathal is an experienced developer working at AIB and is currently the ESAPI Swingset project leader. More information about this project can be found here: [http://www.owasp.org/index.php/ESAPI_Swingset Esapi SwingSet]
 
<br>
 
'''Download Presentation:''' Not available
 
<br><br>
 
'''Title:''' Security Implications for Web Applications based on SOA by John Marmelstein
 
<br>
 
'''Abstract:''' The main point of SOA (in this context) is combining systems and applications to make new applications, or a big 'overall' application. This higher inter-operability does (by default) lower security. For a start, a request originating from a web user might end up at several back end systems, which do not know who or what the request came from.
 
<br>
 
Each back end system might have no access to the customer data, have a different security model, and serve several front ends. Each of the above systems could be under different ownership, so the owners have different concerns and priorities. The basic solutions at a technical level include single sign-on, or security as a service. These can be costly, give limited coverage and have a performance hit, but are pretty much the only way to do it. The other thing to do (probably in tandem) is strict management and delegation of authority.
 
<br>
 
'''Presenter:''' John has about 13 years in IT, most of it in distributed systems and 'middleware' integration software, including BEA (now owned by Oracle). He has worked mainly on Enterprise Java and more recently on Microsoft BizTalk, across various industries including financials, public services, and a fish farm.
 
<br>
 
'''Download Presentation:'''
 
 
 
 
 
== APPSEC IRELAND INFORMAL MEET-UP  ==
 
 
 
This is an informal gathering to meet others in information security and have a pint&nbsp;;) All are welcome <br>
 
 
 
'''When:''' TBD <br>
 
 
 
'''Where:''' TBD <br>
 
 
 
'''Sponsors:''' In case you want to sponsor this event, please contact [mailto:fcerullo(at)owasp.org Fabio Cerullo]. <br>
 
 
 
==== SEP 2010  ====
 
 
 
== APPSEC IRELAND 2010  ==
 
 
 
Due to popular demand we are hosting the 2nd OWASP IRELAND event, '''OWASP Ireland 2010'''. <br>Continuing last year's highly successful conference, with more than 150 attendees from across the globe, OWASP is happy to repeat this positive experience. <br>Delegates from numerous industry verticals attended the 2009 event, from government to finance to telecoms. Share your thoughts at this open event with some of the most experienced individuals in the information security industry.
 
 
 
[http://www.owasp.org/index.php/OWASP_IRELAND_2010 [[Image:Dublin2010.gif]]]<br>[[OWASP_IRELAND_2010]]<br>
 
 
 
'''When:''' '''September 17th 2010'''<br>
 
 
 
'''Where:''' Trinity College Dublin, The Hamilton Building <br>
 
 
 
'''Sponsors:''' In case you want to sponsor this event, please contact [[Eoin Keary|Eoin Keary]]. <br>
 
 
 
'''Subscribe to the OWASP Ireland [https://lists.owasp.org/mailman/listinfo/owasp-ireland mail list] for the up-to-date information.'''
 
 
 
<br>
 
 
 
==== OCT 2010  ====
 
 
 
== APPSEC IRELAND INFORMAL MEET-UP  ==
 
 
 
This is an informal gathering to meet others in information security and have a pint&nbsp;;) All are welcome <br>
 
 
 
'''When:''' TBD <br>
 
 
 
'''Where:''' TBD <br>
 
 
 
'''Sponsors:''' In case you want to sponsor this event, please contact [mailto:fcerullo(at)owasp.org Fabio Cerullo]. <br>
 
 
 
==== NOV 2010  ====
 
 
 
== APPSEC IRELAND INFORMAL MEET-UP  ==
 
 
 
This is an informal gathering to meet others in information security and have a pint&nbsp;;) All are welcome <br>
 
 
 
'''When:''' TBD <br>
 
 
 
'''Where:''' TBD <br>
 
 
 
'''Sponsors:''' In case you want to sponsor this event, please contact [mailto:fcerullo(at)owasp.org Fabio Cerullo]. <br>
 
 
 
==== DEC 2010  ====
 
 
 
== APPSEC IRELAND INFORMAL MEET-UP  ==
 
 
 
This is an informal gathering to meet others in information security and have a pint&nbsp;;) All are welcome <br>
 
 
 
'''When:''' TBD <br>
 
 
 
'''Where:''' TBD <br>
 
 
 
'''Sponsors:''' In case you want to sponsor this event, please contact [mailto:fcerullo(at)owasp.org Fabio Cerullo]. <br>
 
 
 
<br>
 
 
 
==== 2010 Chapter Plan  ====
 
 
 
'''Special Project:'''Educational Outreach<br>Summary: Drive education awareness of OWASP among Irish Universities and Third Level Institutions. <br>Plan: &lt;insert plan&gt; <br>Next Milestone: Update the plan<br>Participants: Fabio Cerullo <br><br>
 
 
 
'''Special Project:'''Industry Outreach<br>Summary: Raise awareness of OWASP among Irish industry.<br>Plan: &lt;insert plan&gt; <br>Next Milestone: Update the plan<br>Participants: Eoin Keary<br><br>
 
 
 
'''Special Project:'''Membership Drive <br>Summary: Increase local chapter members individuals and corporate supporters <br>Plan: &lt;insert&gt; <br>Next Milestone: Update the plan<br>Project Participants: Rahim Jina<br><br>
 
 
 
'''Special Project:'''Hands-On Training<br>Summary: Provide 1-day, 3-day and 5-day hands-on classroom / online training classes<br>Next Milestone: Organize Training Offerings<br>Project Participants: Fabio Cerullo<br><br>
 
 
 
<br>The Call For Presentations for 2010 is now open - please contact fcerullo(@)owasp.org / +353877817468 if you would like to speak or can host a meeting. <br><br>*Note: meeting hosts are provided with annual chapter sponsorship and free seats in training classes. The OWASP Foundation Ireland chapter focuses on implementation of efforts defined by the [http://www.owasp.org/index.php/Global_Committee_Pages Global Committee] as well as new concepts and ideas defined locally. Below is a list of ACTIVE projects assigned to individual active members and teams within the local chapter. If you would like to help out on ANY of these efforts, contact them directly to get involved.
 
 
 
==== FEB 2010  ====
 
 
 
== OWASP Ireland Event - What is the O2 Platform?  ==
 
 
 
'''When:''' 19/2/2010 3:00pm - 5:00pm <br>
 
 
 
'''Where:''' Ernst &amp; Young, Harcourt Street, Dublin 2, Opposite the Odeon Pub, Dublin, Ireland
 
 
 
'''Sponsors:''' [[Image:Ey logo.gif]]<br>
 
 
 
'''Title:''' OWASP O2 Platform - Open Platform for automating application security knowledge and workflows <br>'''Abstract:''' In this talk Dinis Cruz will show the OWASP O2 Platform, an open source toolkit specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews. The OWASP O2 Platform (http://www.owasp.org/index.php/OWASP_O2_Platform) consumes results from the scanning engines from Ounce Labs, Microsoft's CAT.NET tool, FindBugs, CodeCrawler and AppScan DE, and also provides limited support for Fortify and OWASP WebScarab dumps. In the past, there has been a very healthy skepticism about the usability of source code analysis engines for finding commonly found vulnerabilities in real world applications. This presentation will show that with some creative and powerful tools, it IS possible to use O2 to discover those issues. This presentation will also show O2's advanced support for Struts and Spring MVC.
 
 
 
'''Presenter:''' Dinis Cruz is a Security Consultant based in London (UK) and specialized in ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development. For the past years Dinis has focused on the field of static source code analysis; from May 2007 to Dec 2009 he worked as an independent consultant for Ounce Labs (bought by IBM in July 2009), where during active security engagements using Ounce's technology he developed the open source codebase which is now the foundation of the OWASP O2 Platform. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the security consultants and the final developers. Dinis is also an active trainer on .NET security, having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and security related conferences. At OWASP, Dinis is the leader of the [[OWASP O2 Platform]] project, member of the OWASP [[Global Projects Committee]], chair of the [[OWASP Connections Committee]] and member of the [[About The Open Web Application Security Project#Global_Board_Members|OWASP Board]].
 
 
 
'''Download Presentation:''' http://www.o2-ounceopen.com/files-binaries-source-and-demo/old-documents-and-presentations/OWASP_O2_Platform_-_AppSec_Ireland_Sep_2009.pdf
 
 
 
== IISF/OWASP – February Chapter Meeting  ==
 
 
 
'''When:''' 25/2/2010 2:00pm - 4:00pm <br>
 
 
 
'''Where:''' Georgian Suite, Buswells Hotel, Molesworth St., Dublin 2
 
 
 
'''Title:''' An overview of Web Application Security threats and technologies. Practical advice and techniques for improving Application Security, presented by OWASP.
 
 
 
2:00 - Introduction by IISF Chairman
 
 
 
2:05 - Presentation: “Practical advice for improving Application Security” - Introduction to OWASP and OWASP Top Ten - Demonstration video of typical web based attacks with high level explanation - Live SQL injection demo using WebGoat &amp; WebScarab - Live Cross Site Scripting demo using WebGoat &amp; WebScarab
 
 
 
'''Download Presentation:''' [[Image:IISF 250210 part1.ppt]]
 
 
 
3:00 - Coffee
 
 
 
3:20 – Presentation continues - Application Security: "The problems we are faced with" - The Application Security Verification Standard - SDLC &amp; Security Assurance Maturity Model - Code Review versus traditional Runtime Testing. - Q&amp;A
 
 
 
'''Download Presentation:''' [[Image:IISF 250210 part2.pptx]]
 
 
 
4:00 - Close of Meeting
 
 
 
4:05 - Traditional networking in Buswells Bar
 
 
 
<br>
 
 
 
==== MAR 2010  ====
 
 
 
== APPSEC IRELAND INFORMAL MEET-UP - 26/3/2010  ==
 
 
 
This is an informal gathering to meet others in information security and have a pint&nbsp;;) All are welcome <br>
 
 
 
'''When:''' TBD <br>
 
 
 
'''Where:''' TBD <br>
 
 
 
'''Sponsors:''' In case you want to sponsor this event, please contact [mailto:fcerullo(at)owasp.org Fabio Cerullo]. <br>
 
 
 
==== APR 2010  ====
 
 
 
== OWASP Live CD - An open environment for Web Application Security  ==
 
 
 
'''When:''' 16/4/2010 2:30pm - 5:00pm <br>
 
 
 
'''Where:''' Ernst &amp; Young, Harcourt Street, Dublin 2, Opposite the Odeon Pub, Dublin, Ireland
 
 
 
'''Sponsors:''' [[Image:Ey logo.gif]]<br>
 
 
 
'''Title:''' OWASP Live CD - An open environment for Web Application Security <br>'''Abstract:''' This CD collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This presentation aims to provide a showcase for the great OWASP tools and documentation materials available on the CD, tips and tricks, and also some introductory material regarding code review and penetration testing. <br>Training is aimed at introductory / intermediate level in terms of pen testing, code review and tools.
 
 
 
'''Presenters:'''
 
 
 
'''Rahim Jina''' <br>Rahim Jina currently works as a senior consultant for Ernst &amp; Young's Risk Advisory Services in Dublin. He has worked there for nearly four years, primarily delivering penetration testing services to clients globally, focusing on web applications and secure code review. He has been involved with OWASP for the past two years, including the Summer of Code 2008 as lead reviewer for the Code Review Guide 2009. He has also made contributions to the SAMM project (OpenSAMM). He holds an MSc in Security and Forensic Computing from DCU and a degree in computer science from Trinity College. <br>'''Eoin Keary''' <br>Eoin is a long-time member of OWASP and has contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and runs the Ernst &amp; Young application security team across Europe. His OWASP contributions to date include the OWASP Code Review Guide, OWASP Testing Guide, OWASP SAMM, and OWASP ASVS. He is a member of the OWASP Global Industry Committee, chair of the OWASP Conferences Committee and member of the OWASP Global Board. Eoin founded the OWASP Ireland chapter back in 2004 and currently serves as Vice President of the OWASP Ireland Board.
 
 
 
'''Pictures from the event:'''
 
<center>
 
{| class="FCK__ShowTableBorders"
 
|-
 
|
 
[http://www.owasp.org/images/d/db/P1040923_1024.JPG [[Image:|P1040923_small.jpg]]]<br>[http://www.owasp.org/images/d/db/P1040923_1024.JPG zoom]
 
 
 
|
 
[http://www.owasp.org/images/f/f3/P1040927_1024.JPG [[Image:|P1040927_small.jpg]]]<br>[http://www.owasp.org/images/f/f3/P1040927_1024.JPG zoom]
 
 
 
|
 
[http://www.owasp.org/images/6/64/P1040929_1024.JPG [[Image:|P1040929_small.jpg]]]<br>[http://www.owasp.org/images/6/64/P1040929_1024.JPG zoom]
 
 
 
|}
 
</center>
 
'''Download Presentation:''' [http://www.owasp.org/images/e/ee/OWASP_Live_CD.pptx [[Image:|Download.png]]]
 
 
 
== APPSEC IRELAND INFORMAL MEET-UP  ==
 
 
 
This is an informal gathering to meet others in information security and have a pint&nbsp;;) All are welcome <br>
 
 
 
'''Where:''' Odeon Pub <br>
 
 
 
'''When:''' After OWASP Live CD training <br>
 
 
 
'''Sponsors:''' In case you want to sponsor this event, please contact [mailto:fcerullo(at)owasp.org Fabio Cerullo]. <br>
 
 
 
==== MAY 2010  ====
 
 
 
== OWASP Event: Trials &amp; Tribulations of WAF Implementation  ==
 
 
 
'''When:''' 20/5/2010 6:30pm - 7:30pm <br>
 
 
 
'''Where:''' Ernst &amp; Young, Harcourt Street, Dublin 2, Opposite the Odeon Pub, Dublin, Ireland
 
 
 
'''Sponsors:''' [[Image:Ey logo.gif]]<br>
 
 
 
'''Title:''' Trials &amp; Tribulations of WAF Implementation<br>'''Abstract:''' A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.<br>Mark will be presenting on his experience in implementing a Web Application Firewall solution through all phases from research to implementation.
 
 
 
'''Presenters:'''
 
 
 
'''Mark Hillick - Application Networking Team, Citrix Systems''' <br>Mark Hillick has 10 years' experience in Internet, networking, systems administration and security engineering.
 
 
 
Mark graduated from Queen's University, where he studied Mathematics.
 
 
 
From Queen's, Mark joined AIB's Internet Infrastructure team, where he was responsible for designing, building and securing the Internet service in and out of AIB. He is a prominent member of the IT security community in Ireland and has presented at several local security forums such as IISF and OWASP. Mark is one of the founding members of IRISS CERT, where he is also a Volunteer Incident Handler. He helped organise IRISSCon 2009, where he also designed and built HackEire 2009, the first Ethical Hacking 'Capture The Flag' contest in Ireland.<br>
 
 
 
'''Pictures from the event:'''
 
 
 
{| class="FCK__ShowTableBorders"
 
|-
 
|
 
[[Image:20052010017.jpg|thumb|A caption from Mark's talk]]
 
 
 
|}
 
 
 
<br>
 
 
 
'''Download Presentation:''' [http://docs.google.com/fileview?id=0B3vrVYEosFeEZDMyZjIzYTktMzNkZC00ZjBlLWFiYTgtNThjZGE4YTE1NmFj [[Image:Download.png]]]
 
 
 
== APPSEC IRELAND INFORMAL MEET-UP  ==
 
 
 
This is an informal gathering to meet others in information security and have a pint&nbsp;;) All are welcome. <br>
 
 
 
'''Where:''' Odeon Pub <br>
 
 
 
'''When:''' After WAF presentation <br>
 
 
 
'''Sponsors:''' In case you want to sponsor this event, please contact [mailto:fcerullo(at)owasp.org Fabio Cerullo]. <br>
 
 
 
<br>
 
 
 
==== JUN 2010  ====
 
 
 
== OWASP Event: Define Security Requirements - A practical approach  ==
 
 
 
'''When:''' 20/5/2010 6:30pm - 7:30pm <br>
 
 
 
'''Where:''' Ernst &amp; Young, Harcourt Street, Dublin 2, Opposite the Odeon Pub, Dublin, Ireland
 
 
 
'''Sponsors:''' [[Image:Ey logo.gif]]<br>
 
 
 
'''Title:''' Define Security Requirements - A practical approach<br>'''Abstract:''' The Data Protection Act states that "appropriate security measures" must be taken to protect personal data. How do you specify the appropriate security measures for a website which processes personal data? It is an important step in a development project, but is often neglected. In this talk, Alexis will describe his own experiences of assessing web applications, and will also look in more detail at what the Data Protection Commissioner says. He will then take a fictional website and look at a practical approach to specifying the security requirements that the fictional application should meet. This will use the kind of risk-based techniques outlined by OWASP or the Microsoft Secure Development Lifecycle (SDL). Issues discussed will include encryption, authentication, access control, audit, etc. The result will be a list of security requirements that can be carried into the design and development phases. Attendees should be able to apply the ideas to their own development projects.
 
 
 
'''Presenters:'''
 
 
 
'''Alexis Fitzgerald - Rits Information Security Group''' <br>For the last six years Alexis has worked for Rits Information Security Group, where he performs application penetration testing assignments and advises clients on application security issues. Before that, he spent many years as a developer (mainly in the financial sector), and he continues to be involved in development. Alexis holds an MSc in Information Security from the University of London, Royal Holloway.<br>
 
 
 
'''Pictures from the event:'''
 
 
 
{| class="FCK__ShowTableBorders"
 
|-
 
|
 
|}
 
 
 
<br>
 
 
 
'''Download Presentation:''' [[Image:OWASP Ireland June10.pdf]]
 
 
 
== APPSEC IRELAND INFORMAL MEET-UP  ==
 
 
 
This is an informal gathering to meet others in information security and have a pint&nbsp;;) All are welcome. <br>
 
 
 
'''When:''' After Alexis' presentation <br>
 
 
 
'''Where:''' Odeon Pub <br>
 
 
 
'''Sponsors:''' In case you want to sponsor this event, please contact [mailto:fcerullo(at)owasp.org Fabio Cerullo]. <br>
 
 
 
==== JUL 2010  ====
 
 
 
== APPSEC IRELAND INFORMAL MEET-UP  ==
 
 
 
This is an informal gathering to meet others in information security and have a pint&nbsp;;) All are welcome. <br>
 
 
 
'''When:''' TBD <br>
 
 
 
'''Where:''' TBD <br>
 
 
 
'''Sponsors:''' In case you want to sponsor this event, please contact [mailto:fcerullo(at)owasp.org Fabio Cerullo]. <br>
 
__NOTOC__ <headertabs />
 
 
 
[[Category:Ireland]]
 

Latest revision as of 16:42, 20 June 2019
