Difference between revisions of "EUTour2013 Cambridge Agenda"
(Edit summary: Added Descriptions)
Revision as of 22:06, 3 May 2013
OWASP EUROPE TOUR 2013 - Tour Home Page

CONFERENCE AND TRAINING

OWASP Europe Tour - Cambridge 2013, Monday 13th May (Conference)

DESCRIPTION
The OWASP Europe Tour is an event across the European region that promotes awareness about application security, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
OWASP MEMBERSHIP

During the OWASP Europe Tour you can become a member and support our mission.
CONFERENCE (Monday 13th May)

Date: Monday 13th May
Venue Location: Anglia Ruskin University (Cambridge) - Lord Ashcroft Building - Room LAB002
Venue Address: East Road, Cambridge, CB1 1PT

Price and registration

This event is FREE. Registration link to the Europe Tour: [TBD REGISTER HERE!]
Conference Details (Time | Title | Speaker | Description)

11:00 (0 mins) - Registration

11:45 (0 mins) - Introduction & Welcome
Speaker: Adrian Winckles - OWASP Cambridge Chapter Leader & Senior Lecturer
Description: Introduction to OWASP & Anglia Ruskin University. Schedule for the Day.

12:00 (45 mins) - Real Costs of Cybercrime
Speaker: Ross Anderson (Cambridge University)
Description: Following a systematic study of the costs of cybercrime, carried out in response to a request from the UK Ministry of Defence following scepticism that previous studies had hyped the problem, for each of the main categories of cybercrime we set out what is and is not known of the direct costs, indirect costs and defence costs, both to the UK and to the world as a whole. We distinguish carefully between traditional crimes that are now 'cyber' because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes, such as the provision of botnets, which facilitate other crimes rather than being used to extract money from victims directly.

12:45 (45 mins) - Three Legged Cybercrime Investigation and its Implications
Speaker: DI Stewart Garrick (Metropolitan Police ECrime Unit)
Description: DI Stewart Garrick has over 27 years' experience in the Metropolitan Police Service, 22 years as a detective and 10 years as a Detective Inspector. His career has been spent primarily on major crime units engaged on both proactive and reactive investigations, including 5 years investigating murders, 3 years on the Homicide Task Force (a proactive unit targeting those who would commit murder) and 5 years managing covert operations against organised crime. In March 2011 he joined Scotland Yard's Police Central eCrime Unit. He has witnessed the PCeU's growth from 40 officers to over 100 and has managed several high-profile investigations. He has recently taken charge of the unit's cadre of police and civilian forensic examiners, who are integrated into the unit's dynamic investigative model. He has this year completed an MSc in Countering Organised Crime and Terrorism at UCL, with a dissertation examining the emergence of radicalising settings based on Situational Action Theory.

13:30 (45 mins) - OWASP Mobile Top 10
Speaker: Justin Clarke - London OWASP Chapter Leader
Description: The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
As part of the overall Mobile Project, the Top 10 Mobile Risks are:
M1: Insecure Data Storage
M2: Weak Server Side Controls
M3: Insufficient Transport Layer Protection
M4: Client Side Injection
M5: Poor Authorization and Authentication
M6: Improper Session Handling
M7: Security Decisions Via Untrusted Inputs
M8: Side Channel Data Leakage
M9: Broken Cryptography
M10: Sensitive Information Disclosure

14:15 (45 mins) - Refreshments & Networking (LAB107)

15:00 (45 mins) - Everything We Know is Wrong
Speaker: Eoin Kelly - OWASP Global Committee
Description: The premise behind this talk is to challenge both the technical controls we recommend to developers and also our actual approach to testing. This talk is sure to challenge the status quo of web security today.
"Insanity is doing the same thing over and over and expecting different results." - Albert Einstein
We continue to rely on a "pentest" to secure our applications. Why do we think it is acceptable to perform a time-limited test of an application to help ensure security when a determined attacker may spend 10-100 times longer attempting to find a suitable vulnerability? Our testing methodologies are inconsistent and rely on the individual and the tools they use. Currently we treat vulnerabilities like XSS and SQLi as different issues, but the root cause is the same: it's all code injection theory! Why do we do this and make security bugs over-complex? Why are we still happy with "testing security out" rather than the superior "building security in"?

15:45 (45 mins) - Tricolour Alphanumercial Spaghetti
Speaker: Colin Watson - OWASP Project Leader
Description: Do you know your "A, B, Cs" from your "1, 2, 3s"?
Is "red" much worse than "orange", and why is "yellow" used instead of "green"?
Just what is a "critical" vulnerability? Is "critical" the same as "very high"?
How do PCI DSS "level 4 and 5" security scanning vulnerabilities relate to application weaknesses?
Does a "tick" mean you passed? Are you using CWE and CVSS? Is a "medium" network vulnerability as dangerous as a "medium" application vulnerability? Can CWSS help?
What is FIPS PUB 199? Does risk ranking equate to prioritisation? What is "one" vulnerability?
Are you drowning in a mess of unrelated classifications, terminology and abbreviations? If you are a security verifier and want to know more about ranking your findings more meaningfully, or receive test reports and want to better understand the results, or are just new to ranking weaknesses/vulnerabilities and want an overview, come along to this presentation. It will also explain why the unranked, information-only ("grey" or "blue"?) findings might contain some of the best-value information.

16:30 (45 mins) - Secure Coding, some simple steps help.
Speaker: Steven van der Baan - OWASP Cambridge
Description: Secure coding is often perceived as difficult and complex. While it is true that 'good security' should be embedded into the design, there are a couple of steps a developer can take which lead to a more secure application. In this presentation we will go back to the basics of secure application development and demonstrate the principles which help you build security into your application.