AppSec Europe 2014

Revision as of 10:33, 24 June 2014 by Jonathan Marcil (talk | contribs)

We are pleased to announce that the UK Cambridge chapter invites you to join the OWASP AppSec Europe 2014 global conference, June 23rd-26th.

This conference is an opportunity to hear about the latest research on a myriad of topics related to web security, as well as establish connections between developers, security experts, and business leaders who are all stakeholders in ensuring applications are as secure as possible.

What will be going on at AppSec Europe 2014

  • Cutting-edge topics presented by renowned security professionals from industry and academia.
  • Training and talks on a variety of security topics including: web security, mobile security, cloud security, vulnerability analysis, defence and much more
  • Premier gathering place for executives from Fortune Global 500 companies and technology thought leaders
  • Group sessions, panel discussions, workshops and learning opportunities for developers, business owners and security experts
  • Learn and network for four days, while taking in the historical ambiance of one of the oldest University cities in the world

Facts in a nutshell:

If you have any questions, please email the conference committee: [email protected]

Registration is now open. CLICK HERE to get your ticket.

Don't forget additional items you can select at registration:
- Select the Conference Dinner if you wish to attend
- Grab one of the hotel rooms from the OWASP block
- Sign up for Punting on the River Cam on Friday the 27th

Conference Dinner

Join the OWASP AppSec Europe speakers and your fellow attendees at the official conference dinner, to be held on the evening of Wednesday the 25th of June. The dinner is to be held in the Victorian Gothic style Great Hall at Homerton College, Cambridge University. Built in 1889, this is the largest of the great halls in Cambridge, and will provide a spectacular venue for the dinner.

Dinner will consist of a full three course meal and drinks, however space is limited. Conference dinner tickets will be allocated on a first come first served basis to conference attendees, so please make sure you indicate when asked during registration that you would like to attend the dinner. Companion tickets are also available during registration for £50 (+VAT) if you would like to bring a guest.

Punting on the River Cam

Imagine nothing finer: the typical quintessential British summertime activity, punting on the river Cam on a lovely sunny day. It’s an image often associated with Cambridge – lazy summer days, champagne picnics, men in straw boaters…

What is punting? Punting is one of Cambridge’s chief attractions. Punts are flat-bottomed boats which, because they don’t have a keel, are usually steered with a long pole (about 10 foot long). Somebody (usually the drawer of the short straw!) stands on the platform at the back and pushes the pole against the river bed in order to move the punt. The end of the pole that goes in the water has two metal prongs on it to help you get a grip – especially if you are unfortunate enough to get stuck! If you go punting in Oxford you’ll be doing it from the front, rather than the back like us sensible Cambridge people!

Where did they come from? Pleasure punts were introduced to Cambridge in Edwardian times. Before that, they were used by fisherman and reed-cutters in the Fens. The basic design was developed in Medieval times and made it a very stable craft, particularly suitable for shallow water. These craft were therefore perfect for use in the marshy Fens.

Instructions for punters:
- Wear sensible footwear
- Make sure the platform is dry to avoid a hilarious banana-skin-like slide into the water
- Get your balance
- Drop the pole straight down into the water. Let it slide through your hands until it touches the river bed
- Push
- Pick up the pole
- Repeat as often as needed
- N.B. Try not to splash your puntees, and if you ever need to decide between staying in the boat and keeping hold of the pole, remember that you can always go back for the pole.

Instructions for puntees:
- Sit in punt
- Eat
- Shout ‘helpful’ instructions to punter
- Shout ‘helpful’ instructions to other river users, e.g. “Please can you get out of the way!”
- Occasionally try to steer the craft yourself by frantically dipping your hands in the water and paddling like mad
- Don’t rock the boat

  • Those booking the punting activity for Friday 27th June as part of their registration will receive joining instructions with their registration pack at the start of the conference.

Hotel options

We have confirmed rooms at the below accommodation options for the benefit of Conference delegates.

You are encouraged to secure your accommodation via the REGISTRATION FORM to ensure that you receive the negotiated competitive rates.

Rate of 60 GBP per night (+ 20% taxes). Subject to availability.

Travelodge Cambridge Newmarket Road Hotel 180-190 Newmarket Road Cambridge, UK

Cambridge Newmarket Road Hotel is the ideal base for those looking to explore the quaint, historic university town.

The hotel has good transport links, just a short taxi ride from Cambridge Railway Station and Cambridge Airport. If you’re looking for accommodation close to Cambridge University, the hotel is just a ten minute drive away. This is a new hotel with our fresh new look and features Travelodge’s new room design complete with Dreamer Bed so you can be sure of a great night’s sleep.

Anglia Ruskin University is a British university, one of the largest in the East of England, with a total student population of around 31,500. Its campuses are located in Cambridge, Chelmsford and Peterborough. It is one of the largest providers of face-to-face part-time training in the country. It holds its own Royal Charter and is fully accredited by the British Accreditation Council.

Anglia Ruskin University is ranked as the 949th best higher educational institution globally, and the 2486th best university in the world. The primary purpose of this ranking is to promote Internet publication, including formal and informal communication, by supporting Open Access initiatives, electronic access to scientific publications and other academic material, thus increasing the visibility of universities.

The Cambridge campus (in green on the map: East Road, Cambridge CB1 1PT) is in the heart of the city and recently reached a milestone in its history with the opening of a new £35-million redevelopment. The regenerated campus opened in September 2011 and provides a wealth of new facilities for the Anglia Ruskin community, with advice and support for studies, career aspirations and personal issues. Halls of residence for first-year students are on site, as well as facilities for leisure activities and societies.

We've secured the use of the Bradmore Street entrance (just off East Road and round the corner from the main entrance) which is the main entrance for the Lord Ashcroft International Business School where the main conference activities are taking place.

Travelling to Anglia Ruskin University Cambridge Campus
This information is for guidance purposes and may be subject to change.
Please note that trains do not run overnight, so if you are arriving in the evening please check train times in advance:
If you would like to book a taxi from an airport it will be cheaper if you book in advance using one of these firms:
A1 Cabco +44 1223 313131
Panther Taxis +44 1223 715715

Arriving at London Stansted Airport

  • Taxi: A pre booked taxi from London Stansted Airport to Cambridge will cost approximately £45-£55 each way.
  • Coach: National Express operates a coach service from Stansted Airport to Cambridge (£8). Coaches leave regularly from the bays at the front of the terminal building. You will need to check the screens for the correct bay. The journey should take approximately 50 minutes. The coach station in Cambridge is a very short walk to the campus.
  • Train: Follow the signs to the main line station and buy a single ticket to Cambridge (£12). Trains go direct to Cambridge from Stansted Airport. The journey should take between 33-51 minutes. The train station in Cambridge is a 15-20 minute walk to the campus.

Arriving at London Heathrow Airport

  • Taxi: A pre booked taxi from London Heathrow to Cambridge will cost approximately £95-£115 each way.
  • Coach: National Express operates a coach service from Heathrow Airport to Cambridge (£20 single) every hour from the Central Bus Station (Terminals 1,2 & 3). Coaches leave around every half an hour from Terminal 4 & 5 and then travel on to the Central Bus Station. You can buy a ticket from the driver (credit cards not accepted). The journey should take approximately 2 hours 45 mins. You can pre-book this by visiting
  • Underground and Train: Follow signs for the Heathrow Express and buy a ticket to Cambridge. From Heathrow, take the Heathrow Express into central London to Paddington Station. Follow the signs and take the Underground (Circle line) to King’s Cross. Follow the signs to the main line station, where you catch a train to Cambridge. The journey should take approximately 2 hours 15 minutes in total and costs approximately £44. Alternatively, you could take the Underground (Piccadilly line, eastbound) all the way from Heathrow to King’s Cross. The journey should take around 2 hours in total and, depending on the time of day you travel, will cost around £27.

Arriving at London Gatwick Airport

  • Taxi: A pre booked taxi from London Gatwick to Cambridge will cost approximately £120-130 each way.
  • Coach: Follow the signs to the coach station. National Express operates a coach service from Gatwick Airport to Cambridge (£15 - £40 single) via Heathrow airport. The journey should take approximately 4 hours.
  • Underground and Train: Follow the signs for the main line station and buy a single ticket to Cambridge. Take the main line train direct to St Pancras. Follow the signs to Kings Cross mainline station (a short walk) and take a mainline train to Cambridge. The journey should take approximately 2 hours 15 minutes. Depending on the time of day it will cost around £30.80.

Arriving at London Luton Airport

  • Taxi: A pre booked taxi from London Luton to Cambridge will cost approximately £55-£70 each way.
  • Coach: National Express operates a coach service from London Luton Airport direct to Cambridge (£15.90). Coaches leave every 2 hours. The journey should take approximately 1 hour 40 minutes.
  • Train: Take the shuttle bus service connecting the airport with Luton Airport Parkway station. Buy a single ticket to Cambridge (£38) and then take the First Capital Connect train to London St Pancras. Follow the signs to the main line station at Kings Cross (a short walk) and from there, take a train to Cambridge. The journey should take approximately 2 hours 20 minutes in total.

Arriving at London City Airport

  • Taxi: A pre booked taxi from London City to Cambridge will cost approximately £80-£95 each way.
  • Underground and Train: Follow the signs for the DLR (Docklands Light Railway). Buy a single ticket to Cambridge (£25.20). Take the DLR to Bank Underground station and then the Northern line (northbound, Platform 4) to King’s Cross St. Pancras Underground station. Follow the signs to the main line station and from there take a train to Cambridge. The entire journey should take approximately 1 hour 45 minutes.

Arriving at Cambridge International Airport

  • Taxi: A pre booked taxi from Cambridge Airport to Cambridge will cost approximately £10-15 each way.
  • Shuttle Bus: The airport Lynx Shuttle Bus service operates 20 minutes after every arrival. It costs £5.50 each way. For more information visit
  • Coach/Bus: Cambridge city centre is only three miles from the airport and a Park & Ride bus provides direct travel into Cambridge. The bus stop is located just a few minutes’ walk from the terminal on Newmarket Road. Additionally, there is a frequent Stagecoach bus (number 10) that operates from the same location.

Arriving at London St Pancras
If you come into the country by rail through the Channel Tunnel from France, you will arrive at London St Pancras station. Follow the signs to King’s Cross main line station (a short walk) and from there take a train to Cambridge.

On arrival in Cambridge
Coaches from the airports arrive at Parkside, directly opposite the police station. The university is very close, only about 0.25 km on foot from Parkside: simply turn left at the traffic lights into East Road and the campus is a short way along on the right. It should take no more than 2-3 minutes to walk to the campus, even with a suitcase. Cambridge main line railway station is about 1.5 km from the campus, to the south of the city centre; walking to the campus from the railway station takes around 20 minutes, so you are advised to take a taxi from the station to the campus.

Anglia Ruskin University
East Road/Broad Street Entrance
United Kingdom

Useful maps:

  • Anglia Ruskin University local area, Cambridge and campus maps can be accessed from this page:

Useful Websites:

View the AppSec Europe 2014: "SCHEDULE"

View live event and recordings:

Overview of Available Training

The Mobile App Security Boot Camp
by Dominic Chell and Robert Miller
Duration: 2 days
The Mobile App Security Boot Camp is a 2-day training course covering both Android and iOS App security. As a new course for 2014, we provide the most comprehensive and cutting edge guide to mobile App security that is currently available, including in depth coverage of iOS 7. The course is provided as a partnership between MDSec and MWR InfoSecurity, pioneers in mobile security.
Click here to register for this training course.

The Art of Exploiting Injection Flaws
by Sumit Siddharth
Duration: 2 days
OWASP rates injection flaws as the most critical vulnerability in the OWASP Top 10 Most Critical Web Application Security Risks. This hands-on session focuses solely on injection flaws, and attendees will get an in-depth understanding of the weaknesses arising from this class of vulnerability. The topics covered in the class are:
SQL Injection
XPATH Injection
LDAP Injection
Hibernate Query Language Injection
Direct OS Code Injection
XML Entity Injection
During the two-day course, attendees will have access to a number of challenges for each flaw and will learn a variety of exploitation techniques used by attackers in the wild. Identify, extract, escalate, execute: we have it all covered. The objectives of the course are:
Understand the problem of injection flaws
Learn a variety of advanced exploitation techniques which hackers use
Learn how to fix these problems
Click here to register for this training course

WebHacking: Breaking, Building and Defence
by Jim Manico and Eoin Keary
Duration: 1 day
Writing secure code is the most effective method of securing your web applications. Writing secure code takes skill and know-how, but results in a more stable and robust application and helps protect an organisation's brand. The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defence-based code samples. As part of this course, we will explore the use of third-party security libraries and frameworks to speed up and standardise secure development. We will highlight production-quality APIs from various languages and frameworks that provide scalable security controls. This course will include secure coding information for Java, PHP and .NET programmers, but any software developer building web applications or web services will benefit. This intensive 1-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2013) and the MITRE Top 25. Several other OWASP secure coding projects will be featured. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so that students really understand how to avoid introducing such vulnerabilities in their code. Topics include:
- In-depth next-generation XSS attacks and defence, including demos
- Server-side encoding using the OWASP Java Encoder project and client-side controls such as ESAPI4JS, with code examples
- Next-generation web architectures that auto-defend against many classes of XSS
- Injection theory and defences for both client and server, with code examples
- SQL injection attacks, theory and defence, with labs covering typical SQL injection and more advanced OS/command injection attacks, with code examples
- A comprehensive section covering crypto implementation techniques, best practice and pitfalls, with code examples
- CSRF attacks and defence, including demos with code examples
- Clickjacking defence and demos
- Next-generation ABAC and capabilities-based web application access control, with clear code samples and database design
- Authentication best practice, with code examples
- Many interactive design discussions on a variety of other web application breaker, builder and defender topics
Click here to register for this training course

Defensive Programming – JavaScript & HTML5
by Tiago Teles
Duration: 1 day
Understand JavaScript and HTML5 features to secure your client-side code.
HTML5 is the fifth revision of the HTML standard. HTML5, and its integration with JavaScript, introduces new security risks that need careful consideration when writing web front-end code. Modern web-based software, including mobile web front-end applications, makes heavy use of innovative JavaScript and HTML5 browser support to deliver advanced user experiences. Front-end developers focus their efforts on creating this experience and are generally not aware of the security implications of the technologies they use. The Defensive Programming – JavaScript/HTML5 course helps web front-end developers understand the risks involved in manipulating the HTML Document Object Model (DOM) and in using advanced JavaScript and HTML5 features such as cross-domain requests and local storage. The course reinforces some important security aspects of modern browser architecture and presents the student with defensive programming techniques that can be applied immediately to prevent common vulnerabilities from being introduced. Additionally, the course provides a detailed description of typical JavaScript sources and sinks and explains how they can be used to detect problems in code.
This course is structured into modules that cover the areas of concentration for defensive programming in JavaScript and HTML5 and includes code analysis and remediation exercises. The high-level topics for this course are:
The HTML5 and JavaScript Risk Landscape
Storage of Sensitive Data
Secure Cross-domain Communications
Implementing Secure Dataflow
JSON-related Techniques
This course includes 2 labs with hands on exercises where students will learn to apply the defensive programming techniques learned in the course. Students are encouraged to bring laptops with VirtualBox installed to run the VM with the labs.
Click here to register for this training course.

Defensive Programming in PHP
by Paco Hope
Duration: 1 day
This course provides hands-on training for PHP developers on how to build secure applications. It addresses both coding and configuration. PHP is a powerful and versatile web development platform that is widely used throughout the industry. PHP applications are generally affected by the same risks that affect all web applications. There are some aspects of PHP, however, that set it apart from other web technologies. Some web security risks are unique to or are amplified by the PHP language and platform.
This course highlights the features and specifics of the platform that can potentially introduce risks including (but not limited to) unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion issues. Once PHP features and risks are understood by the student, this course builds upon this knowledge and teaches a set of defensive programming techniques that can be followed to create secure PHP applications including in the areas of file system access, session management, authentication, input validation/output encoding, cross-site request forgery, transport security, and injection attacks. Students should plan to bring a laptop, install a VirtualBox virtual machine, and write some secure PHP code during this class.
Click here to register for this training course.

TLS/SSL in Practice
by Achim Hoffmann
Duration: 1 day
SSL/TLS as used today has a growing list of problems, and it is difficult to understand their root causes, how to detect them, and finally how to avoid or fix them.
The course will be hands-on training, showing by example how to check the SSL connection established to a web server (including the negotiated ciphers) and how to analyse the certificate it presents. A large number of tools will be explained, and it will be demonstrated how they can be used to detect weaknesses in the SSL connection.
The main focus will be on SSL used in HTTPS. As a round-up there will be recommendations how to configure SSL securely.
Click here to register for this training course.
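As an added example, not part of the course or of OWASP's material, the following Python script (standard library only) performs the two checks the course description names: it reports the protocol version, cipher suite and certificate expiry negotiated on a live HTTPS connection, and assesses them against a simple policy. The policy (no SSLv3, TLS 1.0 or 1.1; no RC4, DES/3DES, export, NULL, anonymous or MD5-based suites; ephemeral key exchange required; certificate neither expired nor within 30 days of expiry) is an assumption chosen for this example, not a recommendation from the course, and the host name used in the usage stanza is only a placeholder.

```python
"""Added example (not from the course): TLS connection and certificate
checks using only the Python standard library."""
import socket
import ssl
import time

# Policy used by this example (an assumption, not the course's own).
ACCEPTABLE_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
# Substrings of an OpenSSL cipher-suite name that mark it as weak:
# RC4, single/triple DES, export grades, NULL encryption, anonymous
# (EC)DH without authentication, and MD5-based MACs.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "EXP", "NULL", "ADH", "AECDH", "MD5")
EXPIRY_WARNING_SECONDS = 30 * 86400


def inspect_server(host, port=443, timeout=5.0):
    """Open a TLS connection and return what the server negotiated.

    The default context verifies the chain and host name, so a server
    with an untrusted or mismatched certificate raises ssl.SSLError
    instead of returning data."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),        # e.g. 'TLSv1.2'
                "cipher": tls.cipher()[0],        # OpenSSL suite name
                "not_after": cert["notAfter"],    # 'Jun 23 00:00:00 2015 GMT'
                "subject": cert.get("subject", ()),
                "san": cert.get("subjectAltName", ()),
            }


def assess_connection(protocol, cipher_name, not_after, now=None):
    """Return a list of (code, message) findings for a negotiated session.

    Arguments use the formats ssl.SSLSocket.version(), .cipher()[0] and
    getpeercert()['notAfter'] produce, so inspect_server() output can be
    passed straight in. `now` (epoch seconds) is overridable for testing."""
    now = time.time() if now is None else now
    findings = []

    if protocol not in ACCEPTABLE_PROTOCOLS:
        findings.append(("obsolete-protocol",
                         f"{protocol} negotiated; require TLS 1.2 or newer"))

    upper = cipher_name.upper()
    hits = [m for m in WEAK_CIPHER_MARKERS if m in upper]
    if hits:
        findings.append(("weak-cipher",
                         f"{cipher_name} uses {', '.join(hits)}"))

    # Every TLS 1.3 suite is ephemeral; before that, only (EC)DHE suites are.
    if protocol != "TLSv1.3" and not upper.startswith(("ECDHE", "DHE")):
        findings.append(("no-forward-secrecy",
                         f"{cipher_name} has no ephemeral key exchange"))

    expires = ssl.cert_time_to_seconds(not_after)  # parses the GMT format
    if expires <= now:
        findings.append(("expired", f"certificate expired on {not_after}"))
    elif expires - now < EXPIRY_WARNING_SECONDS:
        findings.append(("expiring-soon",
                         f"certificate expires on {not_after}"))
    return findings


def check_server(host, port=443):
    """Inspect a live server and assess the result in one call."""
    result = inspect_server(host, port)
    return result, assess_connection(result["protocol"], result["cipher"],
                                     result["not_after"])


if __name__ == "__main__":
    import sys
    # Placeholder target (an assumption); pass any host name as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    info, problems = check_server(target)
    print(f"{target}: {info['protocol']} {info['cipher']} "
          f"expires {info['not_after']}")
    for code, message in problems or [("ok", "no findings")]:
        print(f"  [{code}] {message}")
```

Because `inspect_server` uses the default verifying context, it only reports on servers whose certificate chain already validates; to examine a server with a broken chain, the kind of case the course is about, build a context with `check_hostname = False` and `verify_mode = ssl.CERT_NONE` and treat the result as untrusted. The name-based cipher policy is deliberately coarse: it catches the historically weak suite families, but a full assessment also needs the server's complete offered suite list and its preference order, which a single handshake does not reveal.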

Java Web Hacking & Hardening
by Christian Schneider
Duration: 1 day
This hands-on workshop focuses on securing Java web applications against malicious attacks. During the workshop a Java web application (written specifically for this workshop) with lots of vulnerabilities is examined, exploited, and secured. We will start with common vulnerabilities found in web applications: authentication bypasses, different flavours of XSS (reflected, stored, DOM-based), (blind) SQL injection, CSRF, clickjacking, command injection, path traversal, SSRF, session attacks such as session fixation, etc., and continue to more specialised security holes (covering XML, including XXE attacks and XPath injection, as well as RESTful interfaces, JSON and WebSockets). Preventive protection techniques are also discussed, such as introducing protection tokens (e.g. OWASP’s CSRFGuard), adding several security headers (CSP and more) and considering encryption techniques.
The main intention behind this course is to learn and practice web application hardening by stepwise finding security holes and closing them. In addition to the training’s custom Java demo application it includes a digital handout (PDF) of the course material (in English) full of information for the attendees.
Click here to register for this training course.

Security of XML-based Web Services and Single Sign-On
by Christian Mainka and Juraj Somorovsky
Duration: 1 day
Web Services and Single Sign-On belong to the group of the most important Internet technologies. They are used in many fields such as automotive, healthcare, e-government, or military infrastructures. In recent years, it has been shown that these technologies allow for serious attacks. The attacks take advantage of the XML complexity and make it possible to read data from secured servers, authenticate as an arbitrary user in Single Sign-On scenarios, or decrypt confidential data.
In this training, we will give an overview of the most important XML-specific attacks. Participants will get the opportunity to carry out these attacks in a prepared virtual machine. The attacks will be first tested manually (e.g., with soapUI), in order to get a feeling for the attacks. Subsequently, we will present our penetration testing tool WS-Attacker, which will be used to execute the presented attacks automatically. For each of the attacks, countermeasures will be discussed.
Click here to register for this training course.

MDSec’s Web Application Hacker’s Handbook, Live Edition
by Marcus Pinto
Duration: 2 days
Our “Web Application Hacker’s Handbook” series is still the most in-depth and comprehensive general-purpose guide to hacking web applications currently available. In late 2011, MDSec set up the online training labs: over 200 hacking labs hosted in the cloud. In this course, we bring you the solutions, demos, and much more material and technology for you to try. So if you’re a fan of the original and want to try your hand at exploiting everything in the new Second Edition, you’re in luck. We have run courses for over 5 years at BlackHat, and we know what you want. This structured course is balanced at 120 slides with numerous opportunities to watch instructor-led demos, whilst hacking our library of over 150 lab exercises spanning .NET, J2EE and PHP, and finishing with a “Capture the Flag” contest. In our labs, no question is left unanswered (or unasked)!
Click here to register for this training course.

CISO training: Managing Web & Application Security – OWASP for senior managers
by Tobias Gondrom
Duration: 1 day
Setting up, managing and improving your global information security organisation using mature OWASP projects and tools; achieving cost-effective application security and bringing it all together at the management level; and how to use and leverage OWASP and other common best practices to improve your security programmes and organisation. The workshop will also discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation. The author has extensive experience managing his own secure development organisation, as well as advising on the improvement of a number of global secure development organisations and processes. Topics include:
OWASP Top-10 and OWASP projects – how to use within your organisation
Risk management and threat modelling methods (OWASP risk analysis, ISO-27005,…)
Benchmarking & Maturity Models
Security Strategy
Organisational Design and managing change for global information security programs
Training: OWASP Secure Coding Practices – Quick Reference Guide, Development Guide, Training tools for developers
Measuring & Verification: ASVS (Application Security Verification Standard) Project, Code Review Guide, Testing Guide
Development & Operation: Libraries and Frameworks (ESAPI (Enterprise Security API), AppSensor, …), Threat assessments using OWASP Cornucopia
All discussion and issues raised by participants at the workshop will be treated in confidence under the Chatham House Rule.
Click here to register for this training course.

Bootstrap and improve your SDLC with OpenSAMM
by Bart De Win and Sebastien Deleersnyder
Duration: 1 day
Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance can have a significant impact on the organisation. Yet trying to achieve this without a good framework will most likely lead to only marginal and unsustainable improvements.
OWASP OpenSAMM gives you a structural and measurable framework to do just that. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organisation. The goal of this one-day training, which is conceived as a mix of training and workshop, is for the participants to get a more in-depth view on and practical feeling of the OpenSAMM model.
The training is set up in three parts.
In the first part, an overview of the OpenSAMM model is presented and its similarities to and differences from other comparable models are explained.
The different domains (governance, construction, verification, deployment), their activities and relations are explained.
Furthermore, different constituent elements (e.g., metrics) are discussed and the overall usage scenarios of the model are explained.
Next, approx. half a day will be spent on doing an actual OpenSAMM evaluation of your own organisation (or one that you have worked for).
We will go through an evaluation of all the OpenSAMM domains and discuss the results as a group. This will give all participants a good indication of the organisation’s maturity with respect to software assurance.
In the same effort, we will define a target model for your organisation and identify the most important challenges in getting there. The final part of the training will be dedicated to specific questions or challenges that you are facing with respect to secure development in your organisation. In this group discussion, experience will be shared between the participants to address these questions. If you haven’t started a secure software initiative in your organisation yet, this training should provide you with the necessary foundations and ideas to do so. Be prepared for a highly effective and applicable treatment of this large domain! And should you be concerned about confidentiality, we adhere to the Chatham House Rule.
After the conference the OpenSAMM project team comes together for their first OpenSAMM summit in Cambridge.
If you want to contribute to this flagship project, stay and join us at the summit. More details on
Click here to register for this training course

The OWASP Project Summit

What is the Project Summit?
The Project Summit is a smaller version of the much larger OWASP Summits. This year’s summit aims to give our project leaders the opportunity to have attendees sit down and work on project-related activities during AppSec EU. It is an excellent opportunity to engage with active OWASP Project Leaders if you are a conference attendee, and it gives project leaders the chance to move forward on their project milestones while meeting new potential volunteers who can assist with future milestones.

Where and when is the Project Summit being held?
This year’s Project Summit will be held at Anglia Ruskin University, Cambridge, UK, from June 23-24, 2014, in tandem with the first two days of AppSec EU 2014.

What is the cost to attend the Project Summit?
We want the Project Summit to be open for the community to attend and participate. The Project Summit is designed around what the OWASP community wants and is for the benefit of all OWASP projects. If you are interested in registering for the Project Summit, contact Samantha ([email protected]). To read up on the successes of last year’s Project Summit at AppSec USA, and the project reports from participating projects, refer to the OWASP 2013 Project Summit Report.

Women in AppSec Program

The OWASP AppSec EU 2014 planning team have decided to take the lead and run the Women in AppSec Program in the European region this summer, following the success of the AppSec APAC program that took place earlier this year in Tokyo, Japan. The team are looking to send at least one woman from the European region to this year's AppSec EU conference in Cambridge, UK, taking place June 23-26. The objective of the Women in AppSec Program is to encourage women from all levels in application/information security to expand their skills in application security. This year's winner will be awarded attendance to the AppSec EU conference and at least one in-depth training session. The Women in AppSec Program was successfully launched in 2011 at AppSec USA, and will be making its European debut at this year's global conference. Submissions to the Women in AppSec Program are now open, and will close on May 26, 2014 at 5pm GMT. Applicants will need to submit the form and one letter of recommendation to be considered for the Women in AppSec Program sponsorship.

Sponsors

  • OWASP London Chapter
  • OWASP MSP (Minneapolis/St. Paul MN) Chapter
  • University of Washington, Bothell: on behalf of their MS in Cyber Security Engineering degree program

The University Challenge

The University Challenge will also be held this year at the AppSec EU Conference. A maximum of 8 teams consisting of 4 to 8 students will get the opportunity to compete and demonstrate their knowledge of software security. So if you have a team at your university and want to show that you have what it takes to win, look at this document to see how you can sign up.

Keynote Speakers

Lorenzo Cavallaro has recently joined the Information Security Group at Royal Holloway, University of London as a Lecturer (Assistant Professor) of Information Security. His research interests focus on systems security, and malware analysis and detection.

Lorenzo is Principal Investigator on “MobSec: Malware and Security in the Mobile Age”, Principal Investigator on “Mining the Network Behavior of Bots”, co-Investigator on “Cyber Security Cartographies (CySeCa)”, Academic Partner of the EPSRC-funded “Network in Internet and Mobile Malicious Software (NIMBUS)”, Associate Member of the EU FP7 NoE SysSec and member of the SysSec RedBook Task Force, and Partner of the EU FP7 CSA CyberROAD aimed at the development of a cybercrime and cyber-terrorism research roadmap. He is author and co-author of several papers and has published in well-known venues and served as PC member and reviewer of various conferences and journals.

Dr. Steven J. Murdoch is a Royal Society University Research Fellow in the Security Group of the University of Cambridge Computer Laboratory, working on developing metrics for security and privacy. His research interests include covert channels, banking security, anonymous communications, and censorship resistance.

Following his PhD studies on anonymous communications, he worked with the OpenNet Initiative, investigating Internet censorship. He then worked for the Tor Project, on improving the security and usability of the Tor anonymity system. Currently he is supported by the Royal Society on developing methods to understand complex system security. He is also working on analyzing the security of banking systems especially Chip & PIN/EMV, and is Chief Security Architect of Cronto, an online authentication technology provider and part of the Vasco group.

Wendy Seltzer is Policy Counsel to the World Wide Web Consortium (W3C), where she leads the Technology & Society Domain’s focus on privacy, security, and social web standards. As a visiting Fellow with Yale Law School’s Information Society Project, she researches openness in intellectual property, innovation, privacy, and free expression online. As a Fellow with Harvard’s Berkman Center for Internet & Society, Wendy founded and leads the Chilling Effects Clearinghouse, helping Internet users to understand their rights in response to cease-and-desist threats. She serves on the Board of Directors of The Tor Project, promoting privacy and anonymity research, education, and technology; the World Wide Web Foundation, devoted to achieving a world in which all people can use the Web to communicate, collaborate and innovate freely. She seeks to improve technology policy in support of user-driven innovation and communication.

Wendy has been a Fellow with Princeton University’s Center for Information Technology Policy and the University of Colorado’s Silicon Flatirons Center for Law, Technology, and Entrepreneurship in Boulder. She has taught Intellectual Property, Internet Law, Antitrust, Copyright, and Information Privacy at American University Washington College of Law, Northeastern Law School, and Brooklyn Law School and was a Visiting Fellow with the Oxford Internet Institute, teaching a joint course with the Said Business School, Media Strategies for a Networked World. Previously, she was a staff attorney with online civil liberties group Electronic Frontier Foundation, specializing in intellectual property and First Amendment issues, and a litigator with Kramer Levin Naftalis & Frankel.

Jacob West is chief technology officer for Enterprise Security Products (ESP) at HP. In his role, West influences the security roadmap for the ESP portfolio and leads HP Security Research (HPSR), which drives innovation with research publications, threat briefings, and actionable security intelligence delivered through HP security products.

Prior to this role, West served as chief technology officer for Fortify products and leader of Software Security Research within HP ESP. West has spent more than a decade developing, delivering, and monetizing innovative security solutions, beginning with static analysis research at the University of California, Berkeley and as an early security researcher at Fortify prior to its acquisition by HP.

A world-recognized expert on software security, West co-authored the book, “Secure Programming with Static Analysis” with colleague and Fortify founder, Brian Chess, in 2007. Today, the book remains the only comprehensive guide to how developers can use static analysis to avoid the most prevalent and dangerous vulnerabilities in code.

West is co-author of the Building Security in Maturity Model and a frequent speaker at customer and industry events, including RSA Conference, Black Hat, Defcon and OWASP. A graduate of the University of California, Berkeley, West holds dual-degrees in Computer Science and French and resides in San Francisco, California.

OWASP Board Member

Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and CEO at Thames Stanley, a boutique Global CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany.
He has over 15 years of experience leading global teams in information security, software development, application security, cryptography, electronic signatures and global standardization organizations, working for independent software vendors and large global corporations in the financial, technology and government sectors. He also holds the most senior business degree from London Business School, the Sloan Masters in Leadership and Strategy.

Over the years, he has trained and advised dozens of CISOs and senior information security leaders around the world on the management and organisation of security teams and programs. Since 2003 he has chaired working groups of the IETF, is a member of the IETF security directorate, has chaired the web security WG at the IETF since 2010, and since 2014 has been a member of the IETF Administrative Oversight Committee (IAOC). He has held a number of project and chapter leadership roles for OWASP since 2007. Currently, he is serving as a global board member of OWASP, leading the OWASP CISO Report and Survey project, and is a contributor to the OWASP CISO Guide. Tobias Gondrom also serves as a member of the NIS Platform of the European Commission, advising the European Union on Cyber Security and Risk Management. He serves on the board of the CSA Hong Kong and Macau chapter and is an ISC2 CSSLP and CISSP Instructor. Tobias has authored the Internet security standards RFC 4998, RFC 6283 and RFC 7034, co-authored the OWASP CISO Guide and the book "Secure Electronic Archiving", and is a frequent presenter at conferences and author of articles on security (e.g. AppSec, IETF, etc.).

E-mail: [email protected]

LinkedIn Tobias Gondrom

OWASP AppSec Europe 2014 Conference Team

The following are the members of the Organising Committee:

  • Jason Alexander (OWASP Leeds Chapter)
  • Simon Bennetts (OWASP Manchester Chapter)
  • Justin Clarke (OWASP London Chapter)
  • Tobias Gondrom (OWASP London Chapter)
  • Martin Law (OWASP Leeds Chapter)
  • Steven van der Baan (OWASP Cambridge Chapter)
  • Adrian Winckles, Chair (OWASP Cambridge Chapter)
  • Mike Woodhead (OWASP Leeds Chapter)

In addition, the following permanent staff from the OWASP Foundation are also helping make the conference a success:

  • Sarah Baso (Executive Director)
  • Laura Grau (Global Conference Manager)
  • Samantha Groves (Project Manager)
  • Kate Hartmann (Operations Director)
  • Kelly Santalucia (Membership and Business Liaison)
  • Alison Shrader (Accounting)
  • Matt Tesauro (IT)

We are looking for sponsors for the Global AppSec Europe 2014

This is a truly unique opportunity to increase your brand recognition as a company dedicated to the highest standards of professional technology & security not only in Europe but also internationally throughout the world while supporting the continued activities conducted by OWASP both in the UK and abroad.

  • Sponsorship benefits for organizations specializing in IT & Security:
    • Opportunity to use the latest technological trends for professional training / development
    • Strengthen your company strategy by learning the latest trends in web software security
    • Improve your business development strategy with leading information from the security industry
    • Get networking and headhunting opportunities with world-class specialists and professionals
    • Get the chance to interact with high-need discerning users to improve product development
    • Increase your image as a professional company through this unique branding opportunity
  • Sponsorship benefits for organizations utilizing the internet in their business:
    • Opportunity to increase the international brand awareness and conduct business networking
    • Strengthen your company strategy by learning the latest trends in web software security
    • Improve your service development by understanding the latest trends in security issues & risks
    • Contribute to information society as a company by developing safe and secure services
    • Get the chance to interact with high-need discerning users to improve product development
    • Opportunity to brand your company as one that focuses on the highest standards in technology

If you are interested in sponsoring Global AppSec Europe 2014, please contact Kelly Santalucia: [email protected]

To find out more about the different sponsorship opportunities please check: SPONSORSHIP OPPORTUNITIES

Gold Sponsors

  • GDS
  • HP
  • Quotium
  • Sonatype
  • WhiteHat

Silver Sponsors

  • Acunetix