This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Bangalore"

From OWASP
Jump to: navigation, search
(Stay Tuned)
(Next Meeting)
Line 7: Line 7:
  
 
== '''Next Meeting'''  ==
 
== '''Next Meeting'''  ==
The next OWASP meeting along with null/G4H/SecurityXploded is scheduled for 14th December 2013.  
+
The next OWASP meeting along with null/G4H/SecurityXploded is scheduled for 18th January 2014.  
  
 
=== '''Venue''' ===
 
=== '''Venue''' ===
Line 25: Line 25:
 
|-
 
|-
 
| 09:30
 
| 09:30
| 10:05
+
| 10:10
| Web Application Security for Beginners: Cross Site Scripting
+
| Web Application Security for Beginners: DOM Based XSS
| Prasanna K / Jayesh Singh
+
| Jayesh Singh
| This is a multipart series on Web Application Security. This session will cover DOM based XSS, the identification and concept behind it. The session will also cover filter bypasses and different XSS payloads in that context.
+
| This is a multipart series on Web Application Security. This session will cover part 2 of the DOM based XSS subsection, the identification and concepts behind it. The session will also cover filter bypasses and different XSS payloads in that context.
 
| [https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 OWASP Cross Site Scripting]
 
| [https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 OWASP Cross Site Scripting]
 
|-
 
|-
| 10:05
+
| 10:10
| 10:15
+
| 10:20
 
| Introductions
 
| Introductions
 
|
 
|
Line 38: Line 38:
 
|
 
|
 
|-
 
|-
| 10:15
+
| 10:20
 
| 10:50
 
| 10:50
| Overview of ISO 27001
+
| Automated Source code review using Fortify
 
| Rupam Bhattacharya
 
| Rupam Bhattacharya
| The session will include a brief introduction to standards and ISO 27001. Moving on to ISO 27001 domains, it's relevance to management, company and it's benefits. After this, the talk will cover ISO guidelines for asset management, asset classification, User registration, password management, clear work environment, operating system, application controls and network security and other domains of ISO 27001. The talk will end with changes in 2013 version from the 2005 version and Q&A.
+
| This talk+demo will cover the automated source code review tool called Fortify . The demo will show on how to configure Fortify, select rules based on pre-determined conditions and scan the code for different vulnerabilities.
 
|  
 
|  
 
|-
 
|-
 
| 10:50
 
| 10:50
| 11:25
+
| 11:20
| XSS - From injection to root
+
| Struts Validation Framework Part 2
| Abeer Banerjee
+
| Satish
| This talk + demo will represent an end to end PoC for XSS and will cover cookie theft, session hijack and gaining a shell.
+
| This session is the second part of the talk on Validation frameworks. These frameworks are used to secure information from entering business model in an MVC architecture. “Struts Validation framework” is a set of predefined plugin codes which have proven best practices in Data validation. We will take a look at the working of the framework and understand how malicious data is treated.
| [https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 OWASP Cross Site Scripting]
+
| [http://struts.apache.org/release/2.3.x/docs/validation.html Struts Validation Framework]
 
|-
 
|-
| 11:25
+
| 11:20
| 11:45
+
| 11:40
 
| Networking Session and Break
 
| Networking Session and Break
 
| Everyone
 
| Everyone
Line 59: Line 59:
 
|  
 
|  
 
|-
 
|-
| 11:45
+
| 11:40
 
| 12:20
 
| 12:20
| Struts Validation Framework
+
| Security Onion
| Satish
+
| Nishanth Kumar
| This session will describe what Validation Frameworks are. These are used to secure information from entering business model in an MVC architecture. “Struts Validation framework” is a set of predefined plugin codes which have proven best practices in Data validation. We will also answer the question of why such frameworks are used?
+
| Security Onion is an full Linux distribution with packet capture, network-based and host-based intrusion detection intrusion detection systems (NIDS and HIDS, respectively) and other powerful analysis tools. The talk will cover the following aspects of this OS:
 +
# Introduction of Security Onion
 +
# Tools included in the OS and usage of these tools for exploitation.
 +
# How to do Analysis of Packets using tools
 
|  
 
|  
# '''Basic understanding of MVC Architecture'''
 
## [http://en.wikipedia.org/wiki/Multitier_architecture#Three-tier_architecture Three Tier Architecture]
 
## [http://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller Model, View and Controller]
 
# '''Basic understanding Struts framework'''
 
## [http://struts.apache.org/ Apache Struts Page]
 
# '''Basic understanding for Struts-Validation Framework'''
 
## [http://struts.apache.org/release/2.3.x/docs/validation.html Struts Validation Framework]
 
 
|-
 
|-
 
| 12:20
 
| 12:20
| 12:40
+
| 12:50
| Feedback and Topic Discussion for Jan 2014 meet
+
| Web Application Security: The pitfalls and the brickwalls, a developer perspective
 +
| Vamsi Krishna
 +
| This is a multi-part series on common developer mistakes that result in major security vulnerabilities. This month we will see how unsanitized data causes SQL injection due to poor programming practices. We will also take a look at Insecure Direct Object references where a developer does not anticipate a permission model for objects resulting in unauthorized access to data.
 +
|
 +
|-
 +
| 12:50
 +
| 13:10
 +
| Feedback and Topic discussion for next month meet
 
|  
 
|  
 
|
 
|
|
 
|-
 
| 12:40
 
| 14:00
 
| Dissecting the APT malware functionalities
 
| Monappa
 
| This talking is going to be the continuation of Part 1 (Reversing & Decrypting Communications of HeartBeat RAT), In part 1, the speaker covered how malware decrypts strings in memory, demonstrated how it collected system information and encrypted the collected information before sending it to the C2 server. The speaker also showed how to determine the encryption alogirthm and showed how to decrypt the intial C2 communication. 
 
In part 2, the speaker will show how to determine various functionalities supported by HeartBeat RAT and will also cover various commands supported by the HeartBeat RAT and will also be showing how to decrypt the various communications between infected machine and the command and control server.
 
| [http://securityxploded.com/security-training-advanced-malware-analysis.php Security Training-Advanced Malware Analysis]
 
 
|}
 
|}
  

Revision as of 08:36, 12 January 2014

OWASP Bangalore

Welcome to the Bangalore chapter homepage. The chapter leaders are Prashant Kv and Akash Mahajan


Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Btn donate SM.gif to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now BlueIcon.JPG


Chapter News

  • null and OWASP are doing a JavaScript Security Hands-on Workshop on 21st December 2013 [1]
  • To view pictures from OWASP Bangalore's 2011 Meetings: click here.

Next Meeting

The next OWASP meeting along with null/G4H/SecurityXploded is scheduled for 18th January 2014.

Venue

ThoughtWorks, Ground Floor, ACR Mansion, 147/f, 8th Main Road, 3rd Block, Koramangala, Bangalore - 560034 Google Map Link

Schedule

Start Time End Time Title Speakers Description References
09:30 10:10 Web Application Security for Beginners: DOM Based XSS Jayesh Singh This is a multipart series on Web Application Security. This session will cover part 2 of the DOM based XSS subsection, the identification and concepts behind it. The session will also cover filter bypasses and different XSS payloads in that context. OWASP Cross Site Scripting
10:10 10:20 Introductions Introduction for new comers and start of the meet for everyone.
10:20 10:50 Automated Source code review using Fortify Rupam Bhattacharya This talk+demo will cover the automated source code review tool called Fortify . The demo will show on how to configure Fortify, select rules based on pre-determined conditions and scan the code for different vulnerabilities.
10:50 11:20 Struts Validation Framework Part 2 Satish This session is the second part of the talk on Validation frameworks. These frameworks are used to secure information from entering business model in an MVC architecture. “Struts Validation framework” is a set of predefined plugin codes which have proven best practices in Data validation. We will take a look at the working of the framework and understand how malicious data is treated. Struts Validation Framework
11:20 11:40 Networking Session and Break Everyone The idea of the networking session is for everyone to get up, go around the room and say hi to various attendees and the experts.
11:40 12:20 Security Onion Nishanth Kumar Security Onion is an full Linux distribution with packet capture, network-based and host-based intrusion detection intrusion detection systems (NIDS and HIDS, respectively) and other powerful analysis tools. The talk will cover the following aspects of this OS:
  1. Introduction of Security Onion
  2. Tools included in the OS and usage of these tools for exploitation.
  3. How to do Analysis of Packets using tools
12:20 12:50 Web Application Security: The pitfalls and the brickwalls, a developer perspective Vamsi Krishna This is a multi-part series on common developer mistakes that result in major security vulnerabilities. This month we will see how unsanitized data causes SQL injection due to poor programming practices. We will also take a look at Insecure Direct Object references where a developer does not anticipate a permission model for objects resulting in unauthorized access to data.
12:50 13:10 Feedback and Topic discussion for next month meet

Previous Meeting Venue and Dates

No Date Venue Time
26 14th December 2013 ThoughtWorks Office (http://goo.gl/bokSL) 9:30 AM
25 1st November 2012 KPMG Office 7 PM
24 16th May 2012 Kieon (http://g.co/maps/dahhv) 10 AM
23 19th May 2012 Kieon (http://g.co/maps/dahhv) 10 AM
22 21th April 2012 Kieon (http://g.co/maps/dahhv) 10 AM
21 10th March 2012 Kieon (http://g.co/maps/dahhv) 10 AM
20 04th February 2012 Kieon (http://g.co/maps/dahhv) 10 AM
19 07th January 2012 Kieon 10 AM
18 3rd October 2009 Praxeva India 10 AM
17 19th September 2009 Praxeva India 10 AM
16 5th September 2009 Praxeva India 10 AM
15 12 July 2009 Cubbon Park 10.30 AM
14 07 June 2009 ICH, Church Street 09.00 AM
13 11 April 2009 ThoughtWorks Bangalore, (DevCamp2) 10.00 AM
12 07 March 2009 Yahoo, Embassy Golf Links Business Park 11.00 AM
11 02 February 2009 India Coffee House, MG Road 9.00 AM
10 11 January 2009 India Coffee House, MG Road 9.00 AM
9 14 December 2008 India Coffee House, MG Road 9.00 AM
8 16 November 2008 India Coffee House, MG Road 9.00 AM
7 13 September 2008 IIM Bangalore (Part of BarCamp Bangalore-7)
6 09 August 2008 Microland Office 3.00 PM
5 12 July 2008 RSA Office (Part of Secure Camp) 9.30 AM
4 29 June 2008 India Coffee House, MG Road 9.30AM
3 28 June 2007 (Part of Barcamp Bangalore-4)
2 2006

1 2006

Meeting Summaries

Summaries from Past Meetings

Stay Tuned

Subscribe to Mailing list - https://lists.owasp.org/mailman/listinfo/owasp-bangalore

Twitter Update - https://twitter.com/owaspbangalore