
Difference between revisions of "Bristol"

Line 14: Line 14:
  
  
'''Date''': Thursday, 17th March 2016, 19:00
 
  
'''Location''': Cray - Broad Quay House, Broad Quay, Bristol BS1 4DJ, Bristol
 
  
'''Registration''':  http://www.meetup.com/OWASP-Bristol/events/228380487/
 
  
'''Event sponsors''': Cray Supercomputers
+
'''Date''': Friday, 20th May 2016, 18:00
  
'''Agenda''':
+
'''Location''': KMPG
  
* 7:00pm - Social
+
'''Registration''': http://www.meetup.com/OWASP-Bristol/events/229465685/
* 7:25pm - OWASP updates / Speakers intro 
 
* 7:30pm - Presentation 1: Dinis Cruz -  "New Era of Software with modern Application Security"
 
* 8:15pm - Presentation 2:  Scott Alexander-­Bown - "Android app security on a shoestring budget"
 
  
'''Presentation 1''': New Era of Software with modern Application Security
+
'''Event sponsors''': KPMG
  
'''Abstract''': This presentation will start with an overview of the current state of Application Insecurity (with practical examples). This will make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, Test Automation, Static Analysis, cleaver Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, and ELK. These practices will not only make applications/software more secure/resilient, but it allow them to be developed in a much more efficient, cheaper and productive way.
+
'''Workshop''': Secure Application Design and Cyber-Attack Simulation & Testing Using Risk Centric Threat Modelling
  
'''Bio''': Dinis is focused on creating Application Security teams and providing Application Security assurance across the SDL (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by Applications developed internally, outsourced or purchased. He is also an active Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform.
+
'''Event Summary'''
  
 +
The presentation will cover the fundamentals and the practice of using threat modelling to review the design of web and mobile applications and identify design flaws that lead to security weaknesses. Learn how to mitigate threats with the design of security controls and countermeasures and security test cases that can be derived from use and abuse cases and attack vectors to identify vulnerabilities in web and mobile applications. The overall workshop consists of two sessions of one hour each: the first session will provide attendees with an understanding of the fundamentals of threats, attacks vulnerabilities and impact on the data assets. The second session will provide example on how to conduct threat modelling including analysis of the threats affecting a specific application software, the modelling of the attack vectors, the derivation of specific security requirements for the design of the web application during the SDLC and the derivation of test cases to simulate the behaviour of either a web or mobile application under specific types of attacks.
  
 +
'''Part I: Threat Modelling Fundamentals'''
  
'''Presentation 2''': Android app security on a shoestring budget
+
The course will introduce the audience to basic threat and risk terminology, explain the relationships between information security threats, attacks, vulnerabilities, assets and impact on these from technical and business impacts perspectives. We will cover different methodologies to analyze threats to and for the modeling of attacks and data, methods for analyze the application design to identify the design flaws, methods for deriving test cases using use and abuse cases and methods for assigning severity to the risk of the issues being identified.
  
'''Abstract''': Even with all the time & budget in the world you can't make a completely bulletproof app, so how do you stand a chance with a real world app? Real world apps have limited budget, are short on time and the task priorities are often decided by the security oblivious client/project managers.
+
'''Part II: Threat Modelling Process Walkthrough'''
  
So what can we developers do to increase our app’s security and help protect our professional reputation? Where should we focus our app security effort? Isn’t security really difficult? and what gives us the biggest bang for our buck?
+
A new threat modelling process for simulating attacks and analyse threats will be introduced and will be shown how can be used by security architects to identify design flaws, by pen testers to conduct specific types of tests and by  information security managers to manage the risk of targeted cyber-attacks against web and mobile applications. A process walkthrough will cover with examples the various activities that need to be followed to conduct threat modelling during the SDLC such as to derive security requirements for the secure design of applications, data flow diagrams to analyse security controls in the application architecture, threat analysis to analyse specific types of threats to the application assets and attack modelling to derive attack vectors that along with use and abuse cases can be used to derive test cases for simulating real attacks against web and mobile applications. For information risk managers, we will show how threat modelling is a critical assessment that can help to identify countermeasures to mitigate the risk of sophisticated cyber-threats such as malware threats, data compromise threats and denial of service attack threats.
  
We will answer these questions and show that improving your security need not be technically challenging or time consuming. Also I’ll illustrate that it doesn’t necessarily need buy-in from stakeholders.
+
'''Bio: '''
 +
Dr. Marco Morana volunteers for the OWASP organization as project leader of the application security guide for CISOs and is current member OWASP London chapter.  
  
We’ll be using commercially viable open source libraries to level up your app’s network verification, tamper protection, device integrity checks and more! while keeping in mind a shoestring budget!
+
In his current professional role, Dr. Morana works as Senior VicePresident at large Financial Institution (FI) in London, UK where he is responsible for the architecture, risk analysis, and threat modelling program. Dr. Morana also leads strategic initiatives to identity new countermeasures for mitigating the risks of sophisticated cyber-threats targeting web and mobile applications.
  
Many of the presented security protection techniques can be applied to iOS apps too, however the focus and examples will be Android.  
+
In his distinguished 15+ years of career in application security, Dr. Morana held roles in different companies as security consultant, application security architect, professional trainer and program manager. As cyber-security technologist, Dr. Morana most important contributions to cyber-security is the invention of the first secure email plug-in using SMIME protocol that was patented for NASA in 1996.  
  
'''Bio''':  Scott is a Lead Android Developer and co-author of the Android Security Cookbook. Founder of SWmobile, a mobile developer focused meetup.com group with 650+ members.​ ​Creator of several open source Android security libraries.​ ​Enjoys​ ​spending time​ ​with his young family, running, Mexican food, Belgium beer and reading.
+
Dr. Morana has been the advisor of the EU funded project on cyber-crime roadmap research CyberROAD and provide lectures yearly at the PhD Summer School on Computer Security & Privacy at University of Cagliari Italy.
  
 +
Dr. Morana has been an active contributor to the OWASP organization since 2005 volunteering for the following projects: application security guide for CISOs , OWASP security testing guide , the OWASP Source Code Review Project and OWASP Security Analysis of Core J2EE Design Patterns Project and most recently the OWASP cyber-security startup accelerator initiative
  
'''Date''': Friday, 20th May 2016, 18:00
+
His work on application and software security has been widely published on In-secure magazine,Secure Enterprise, ISSA Journal as well as DHS Software Security Assurance and the most recent work is Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis Book published by Wiley in 2015.
  
'''Location''': KMPG
 
  
'''Registration''': 
 
  
'''Event sponsors''': KPMG
 
  
 
= Past Events  =
 
= Past Events  =
  
 
'''2016'''
 
'''2016'''
 +
* [[2016-03-17-Bristol]]
 
* [[2016-01-21-Bristol]]
 
* [[2016-01-21-Bristol]]
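Review bot: the added line '''Location''': KMPG looks like a typo for KPMG, which the added '''Event sponsors''': KPMG line in the same hunk spells correctly; suggest changing it to '''Location''': KPMG. Also, the added '''Bio: ''' label puts the colon inside the bold markup, unlike every other label in this hunk ('''Date''':, '''Location''':, '''Abstract''':); for consistency write '''Bio''': with the colon outside.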
  

Revision as of 23:18, 5 May 2016

OWASP Bristol, UK

Welcome to the Bristol, UK chapter homepage. Details of the chapter leaders are on the Bristol_Chapter_Leaders page.


Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now.


Please contact the Bristol Chapter Leaders if you have further questions.

Chapter Sponsors

The following are the list of OWASP Corporate Members who have generously aligned themselves with the Bristol chapter, therefore contributing funds to our chapter:

Meeting Sponsors

The following is the list of organisations who have generously provided us with space for Bristol chapter meetings:

Chapter Meetings

Date: Friday, 20th May 2016, 18:00

Location: KPMG

Registration: http://www.meetup.com/OWASP-Bristol/events/229465685/

Event sponsors: KPMG

Workshop: Secure Application Design and Cyber-Attack Simulation & Testing Using Risk Centric Threat Modelling

Event Summary

The presentation will cover the fundamentals and the practice of using threat modelling to review the design of web and mobile applications and identify design flaws that lead to security weaknesses. Learn how to mitigate threats with the design of security controls and countermeasures, and with security test cases derived from use and abuse cases and attack vectors to identify vulnerabilities in web and mobile applications. The overall workshop consists of two sessions of one hour each: the first session will give attendees an understanding of the fundamentals of threats, attacks, vulnerabilities and their impact on data assets. The second session will give examples of how to conduct threat modelling, including analysis of the threats affecting a specific application, the modelling of the attack vectors, the derivation of specific security requirements for the design of the web application during the SDLC, and the derivation of test cases to simulate the behaviour of either a web or mobile application under specific types of attacks.

Part I: Threat Modelling Fundamentals

The course will introduce the audience to basic threat and risk terminology and explain the relationships between information security threats, attacks, vulnerabilities and assets, and their impact from technical and business perspectives. We will cover different methodologies for analysing threats and for modelling attacks and data, methods for analysing the application design to identify design flaws, methods for deriving test cases using use and abuse cases, and methods for assigning severity to the risk of the issues identified.

Part II: Threat Modelling Process Walkthrough

A new threat modelling process for simulating attacks and analysing threats will be introduced, and it will be shown how it can be used by security architects to identify design flaws, by pen testers to conduct specific types of tests, and by information security managers to manage the risk of targeted cyber-attacks against web and mobile applications. A process walkthrough will cover, with examples, the activities that need to be followed to conduct threat modelling during the SDLC: deriving security requirements for the secure design of applications, using data flow diagrams to analyse security controls in the application architecture, performing threat analysis of specific types of threats to the application assets, and attack modelling to derive attack vectors that, along with use and abuse cases, can be used to derive test cases for simulating real attacks against web and mobile applications. For information risk managers, we will show how threat modelling is a critical assessment that can help to identify countermeasures to mitigate the risk of sophisticated cyber-threats such as malware, data compromise and denial of service attacks.

Bio: Dr. Marco Morana volunteers for the OWASP organization as project leader of the application security guide for CISOs and is currently a member of the OWASP London chapter.

In his current professional role, Dr. Morana works as Senior Vice President at a large Financial Institution (FI) in London, UK, where he is responsible for the architecture, risk analysis and threat modelling program. Dr. Morana also leads strategic initiatives to identify new countermeasures for mitigating the risks of sophisticated cyber-threats targeting web and mobile applications.

In his distinguished 15+ year career in application security, Dr. Morana has held roles in different companies as security consultant, application security architect, professional trainer and program manager. As a cyber-security technologist, Dr. Morana's most important contribution to cyber-security is the invention of the first secure email plug-in using the S/MIME protocol, which was patented for NASA in 1996.

Dr. Morana has been the advisor of the EU-funded cyber-crime roadmap research project CyberROAD and lectures yearly at the PhD Summer School on Computer Security & Privacy at the University of Cagliari, Italy.

Dr. Morana has been an active contributor to the OWASP organization since 2005, volunteering for the following projects: the application security guide for CISOs, the OWASP security testing guide, the OWASP Source Code Review Project, the OWASP Security Analysis of Core J2EE Design Patterns Project and, most recently, the OWASP cyber-security startup accelerator initiative.

His work on application and software security has been widely published in In-secure Magazine, Secure Enterprise and the ISSA Journal, as well as by DHS Software Security Assurance; his most recent work is the book Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis, published by Wiley in 2015.



We are looking for organizations to sponsor the Bristol chapter.

You can sponsor the chapter for one year at the following levels:

  • £2000 Platinum
  • £1000 Gold
  • £500 Silver


If you are interested in sponsoring the chapter then please get in touch with one of the Bristol Chapter Leaders.

Call for Presentations

OWASP Bristol (UK) Chapter Call for Presentations

As a speaker, please review the OWASP speaker agreement.

Stay in contact:

Meetup | Join the list | Follow us on Twitter