Latest revision as of 15:25, 2 September 2013


OWASP EUROPE TOUR 2013


CONFERENCE AND TRAINING

OWASP Europe Tour - Rome 2013

Thursday 27th June (Conference)
Friday 28th June (Training)

DESCRIPTION
The OWASP Europe Tour is an event across the European region that promotes awareness about application security, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
  • Apart from OWASP's Top 10, most OWASP projects are not widely used and understood. In most cases this is not due to a lack of quality or usefulness of those document and tool projects, but to a lack of understanding of where they fit in an enterprise's security ecosystem or in the web application development life-cycle.
  • This event aims to change that by providing a selection of mature and enterprise-ready projects together with practical examples of how to use them.
OWASP MEMBERSHIP
During the OWASP Europe Tour you can become an OWASP member and support our mission.


CONFERENCE (Thursday 27th June)

When: Thursday 27th June (Conference), Friday 28th June (Training)
Where: Università Degli Studi Roma Tre
Venue Address: Via Vito Volterra, 62, 00182 Roma, Italy
Venue Map: Google Maps (http://maps.google.com/maps?q=Via+vito+Volterra,+62,+00182+Roma,+Italy&hl=en&ll=41.853564,12.469354&spn=0.011843,0.013733&sll=41.853836,12.472486&sspn=0.023686,0.027466&t=h&hq=Via+vito+Volterra,+62,+00182+Roma,+Italy&z=16)

Price and registration
This event is FREE.
Registration link (Conference): http://www.eventbrite.it/event/7032513437
Europe Tour Training page: https://www.owasp.org/index.php/EUTour2013_Training
Registration link (Training): http://www.regonline.com/eutour13itatrainingmobile



Conference Details

09:00 am (30 mins) - Registration

9:30 am (15 mins) - Introduction by the Academic Authorities to the event OWASP European Tour 2013 - Rome
Speaker: Università Degli Studi Roma Tre

9:45 am (45 mins) - OWASP Shepherd project
Speaker: Mark Denhian, David Ryan and Paul McCann
Description: Competing in CTF events can be difficult for some, and winning them can be strenuous. Behind the curtains, creating a fun and resilient CTF to be played in the first place is the near-impossible challenge. The Honeyn3t Ireland team have spent the better part of the last year providing CTFs. This talk will chronicle how to run a successful CTF by highlighting the common mistakes made and by utilising existing OWASP projects.
Presentation: Slides (https://www.owasp.org/images/4/4a/CTF_Magic_OWASP_EU_Tour_2013.pdf)

10:30 am (30 mins) - PCI for Developers
Speaker: Fabio Cerullo, OWASP Dublin Chapter, CEO & Founder of Cycubix
Description: The PCI-DSS and PA-DSS standards are well known to security professionals and auditors, but how are they interpreted by software development teams? Usually it is not clear whether all requirements are necessary and, most importantly, how they should be implemented. This talk aims to help developers understand the key points of these standards in a simple and fast way, and to implement them during the software development cycle.
Presentation: Slides (http://prezi.com/eqjkvu9bahop/?utm_campaign=share&utm_medium=copy)

11:00 am (30 mins) - Scripting Application Security
Speaker: Dinis Cruz, OWASP O2 Platform project leader
Description: Pentesting at the speed of scripting (using the O2 Platform). This presentation will show how the OWASP O2 Platform scripting capabilities can be used to 'codify' a pen-tester's mind and actions and perform advanced analysis, fuzzing and exploitation of both web and desktop-based applications.
Presentation: -

11:30 am (30 mins) - Client-Side Security in the modern Web
Speaker: Mauro Gentile, Software Security Consultant at Minded Security
Description: The web is evolving day by day: interactive and effective web applications are progressively adopted on the Internet thanks to innovative solutions implemented in modern web browsers. The latter offer sensational capabilities for running complex applications, since client-side scripting languages ensure flexibility and varied functionality. As the complexity of the web moves to the client side, web security needs to shift its focus to this part too; indeed, enriching browser capabilities may pave the way to new threats and attack surfaces. In this talk, we analyse how the adoption of HTML5 has impacted the Web in terms of security, and we dissect how attackers might exploit its introduction in order to carry out successful attacks. Touching on novel XSS attack vectors, clickjacking techniques, CSRF exploits and cross-domain communication approaches, we present interesting and real attack methodologies and, at the same time, report robust defenses against today's threats, such as CSP, while trying to understand the hindrances which could slacken their adoption. Finally, practical examples are provided for each discussion point, and the behaviours of the parties involved in an attack are considered in order to understand how attackers move, how victims are cheated and how developers should act.
Presentation: Slides (https://www.owasp.org/images/7/7c/Gentile_OWASP_EU_Tour_2013.pdf)

12:00 pm (30 mins) - Android Apps permissions model (in)security
Speaker: Davide Danelon, Software Security Consultant at Minded Security
Description: Android devices, as well as the applications developed for them, are growing exponentially and, as a result, the personal data that users keep on such devices is increasing. Android has made the "permissions model" a flagship feature of the operating system's security. But how secure is this model really? Can an application that does not request any permission access sensitive data and send it to a remote handler? We will focus on Android's security management and on how this model can, in part, be bypassed independently of the version in use. In the example shown, a seemingly harmless application is able to steal the data stored on a device updated to the latest currently available version of Android.
Presentation: Slides (https://www.owasp.org/images/3/3e/Danelon_OWASP_EU_Tour_2013.pdf)