This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit


Revision as of 11:31, 1 December 2014 by Justin42 (talk | contribs) (Next Meeting/Event(s))

Jump to: navigation, search

OWASP London

Welcome to the London chapter homepage. The chapter leader is Justin Clarke (justin.clarke [at] since January 2009, with Tobias Gondrom (tobias.gondrom [at], and Dennis Groves (dennis.groves [at] constituting the London Chapter Board. Follow chapter news on Facebook at , Twitter at and


OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.


Btn donate SM.gif to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now BlueIcon.JPG

Chapter Sponsors

The following are the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:
GDS_LOGO_SMALL.jpg        LogoQuotium.png        NetSparker_Logo_ResizedLondon.png       

Meeting Sponsors

The following is the list of organisations who have generously provided us with space for London chapter meetings:
Hicon_hotels-128-TM-R.PNG        Skype_logo_solid.jpg       

Next Meeting/Event(s)

Thursday, December 4th 2014 (Central London)

Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Time: Thursday, 18 September 2014 from 18:30 to 20:30 (BST) (We start on time)


  • Offensive OSINT - Christian Martorella and Zigor Zumalde
    Overview of OSINT process, techniques and how attackers are using it to prepare their cyber attacks
  • Round-up - Colin Watson
    OWASP news and Christmas gift
  • OWASP Testing Guide v4 - Matteo Meucci
    The talk will present the new version 4 of the OWASP Testing Guide, the standard de facto for performing a web application penetration test on online services.


  • Christian Martorella
    Christian Martorella has been working in the field of Information Security for the last 14 years, currently working in the Product Security team at Skype, Microsoft. Before he was the Practice Lead of Threat and Vulnerability, for Verizon Business, where he lead a team of consultants delivering Security testing services in EMEA for a wide range of industries including Financial services, Telecommunications, Utilities and Government.
    He is cofounder an active member of Edge-Security team, where security tools and research is released. He presented at Blackhat Arsenal USA, Hack.Lu, What The Hack!, NoConName, FIST Conferences, OWASP Summits and OWASP meetings. Christian has contributed with open source assessment tools like OWASP WebSlayer, Wfuzz, theHarvester and Metagoofil. He likes all related to Information Gathering and offensive security.
  • Zigor Zumalde
    Bio to follow
  • Colin Watson
    Technical Director, Watson Hall.
  • Matteo Meucci
    Matteo has more than 13 years specialising in Application Security and has worked with OWASP since 2002: he founded the OWASP Italy Chapter in 2005 and has lead the OWASP Testing Guide since 2006. Matteo is invited to speak at many events all around the world talking about Web Application Security.
    Matteo has undergraduate degrees in Computer Science Engineering from the University of Bologna. He is also the CEO and a cofounder of Minded Security since 2007, where he is responsible for strategic direction and business development for the Company. Prior to founding Minded Security, Matteo had several consultancy experiences from BT Global Services, INS, Business-e and CryptoNet.


RSVP is now open at Eventbrite -

Future Events

2015 event details to come!

Past Events

Thursday, September 18th 2014 (Central London)

Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Speakers: John Smith, Joe Pelietier, Colin Watson

  • Global Application Security Survey & Benchmarking - John Smith
    This talk will discuss the results of the recent global application security survey conducted by IDG Research and Veracode. Topics covered will include how enterprise application portfolios are growing and application security budgets are changing, and how benchmarking your organisation against your peers can bring your application security posture to the next level.
  • Anatomy of a Data Breach - Joe Pelletier
    The types of data breaches and how they happen, the cost impact of data breaches, and actionable tips to reduce risk.
  • OWASP Roundup - Colin Watson
    Information on some recent project releases, conference recordings and AppSec EU 2015. (PPT)

Thursday, May 15th 2014 (Central London)

Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Speakers: Hacker Fantastic, Colin Watson

  • Heartbleed Teardown - Hacker Fantastic
    An analysis of CVE-2014-0160 ("heartbleed") covering detailed assessment of the vulnerability since it's introduction to OpenSSL on NYE 2011. The talk will also cover exploitation notes and detailed usage scenarios from an attackers perspective. We will discuss exploit development processes, traffic analysis and signature creation by IDS/IPS vendors as well as interesting things learned during exploitation. A demonstration of the vulnerability being exploited and its implications within multiple scenarios will also be performed.
  • AppSensor 2.0 - Colin Watson (PDF)
    The AppSensor Project defines the concept of application-specific real time attack detection and response. A new AppSensor Guide book has been written to document the cumulative knowledge of the project's contributors, to provide illustrative case studies, and most importantly to showcase several demonstration working implementations. In this presentation Colin Watson will summarise the concept, bring the topic up-to-date, explain alternative architectural models, discuss the newly published implementation guide, demonstrate application security dashboards, and explain the code and web services implementations that attendees will be able to use immediately in their own projects.

Thursday, March 20th 2014 (Central London)

Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Speakers: Nikos Vassakis, Rodrigo Marcos, and Yiannis Pavlosoglou

  • Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos
    Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.
  • OWASP WebSpa - Yiannis Pavlosoglou (PPTX)
    The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: A tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previous closed TCP port 22 and other services.

Thursday, January 16th 2014 (Central London)

Location: Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST

Speakers: Justin Clarke, Marco Morana and Tobias Gondrom

  • Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke
    Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application,, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).
  • 2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom
    Recognising the important role that the CISO has in managing application security processes within the organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.

Thursday, December 12th 2013 (Central London)

Location: Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA

Speakers: Ofer Maor and Colin Watson

  • IAST: Runtime Code & Data Security Analysis – Beyond SAST/DAST - Ofer Maor
    Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discusses different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...
  • OWASP Cornucopia - Colin Watson
    Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.

Thursday, October 24th 2013 (Central London)

Location: Expedia Inc (, Angel Building, 407 St John Street, London, EC1V 4EX

Speakers: Dinis Cruz and Justin Clarke

  • Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz
    This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.
  • OWASP Mobile Top 10 - Justin Clarke
    The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.

Monday, June 3rd 2013 (London EUTour2013 One Day Conference)

Location: Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY

For full details, including slides and videos of sessions, go to the main EUTour2013 Page and click through to the London event.

Thursday, November 8th 2012 (Central London)

Location: Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA

Speakers: Petko Petkov and Marco Morana

  • A Short History of The JavaScript Security Arsenal - Petko D. Petkov
    In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.
    This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.
  • The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana (PPTX)
    The aim of this 20 minute talk is how to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide. OWASP has developed a guidance to specifically to address the needs of CISOs to help them in prioritizing the risk mitigation of web application vulnerabilities might severely and negatively impact the organization and jeopardizing the business.

Thursday, May 10th 2012 (Application Security One-Day Conference - Free for OWASP Members)

Location: Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB

Time: 10:00am - 4:30pm

ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF. This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups. The theme of the day is, no surprise, application security. We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary. The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads. Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park. After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!

Thursday, March 29th 2012 (Central London)

Location: Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA

Speakers: Jim Manico and Manish Saindane

  • Top 10 Web Defences - Jim Manico (PPTX)
    We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.
  • IronWASP - Manish Saindane (PPTX)
    IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.

Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway)

Location: Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX

Speakers: Viet Pham and Tobias Gondrom

  • Implementing cryptography: good theory vs. bad practice - Viet Pham ([PDF])
Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that, many cryptographic mechanisms are mathematically proven secure, or trusted secure given some mathematical reasoning. However, to take full advantages of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner to provide a desired security goal. However, without strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where do they spread, and how bad they may turn into.
  • Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs - Tobias Gondrom ([PDF])
"In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services."

Thursday, February 2nd 2012 ,18:30-21:00

Location: Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX

Speakers: Sarah Baso, Dinis Cruz, Dennis Groves

  • Security as Pollution (lessons learned) - Dinis Cruz
    Based on David Rice's "Upon the Threshold of Opportunity" presentation at the OWASP AppSec USA 2010
  • Making Security Invisible by Becoming the Developer's Best Friends - Dinis Cruz
    Based on Dinis' presentation at OWASP AppSec Brazil 2011
  • How to get a job in AppSec by Hacking and fixing TeamMentor - Dinis Cruz and Dennis Groves
    This is for students and developers who want to get into the application security space and need to have/show real-world experience.
  • What's Happening on OWASP Today - Sarah Baso
    This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment

Thursday, September 8th 2011

Location: Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX

Speaker: Daniel Cuthbert (deck)

Title: Doing it for the Lulz: Why Lulzsec has shown us to be an ineffective industry.

Friday, June 3rd 2011

Location: Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX

  • Wordpress Security - Steve Lord (PDF)
    Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.

Thursday, April 14th 2011

Location: Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH

  • Wordpress Security - Steve Lord (PDF)
    Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.
  • Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit
    Discussion of what came out of the recent OWASP Summit, "OWASP 4.0" and what is changing in the OWASP world now and in the near future

Thursday, February 17th 2011

Location: ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA

A special meeting event, in conjunction with London Geek Nights on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.

Archived Events

For events before 2011, see Archived OWASP London Events

Other Activities

  • February 2010 - Personal Information Online COP

The Leeds UK, London and Scotland Chapters joint response to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.

  • March 2009 - Entry for Nominet Best Practice Challenge 2009

Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award (File:Nominet best practice challenge 2009 owasp entry.pdf) in the Nominet Best Practice Challenge 2009. Short-listed June 2009. Announcement due 2 July 2009.

  • 16th October 2008 - COI Browser Standards for Public Websites

The London and Scotland Chapters joint response to the Central Office of Information draft document on browser standards for public websites (version 0.13) (File:OWASP-COI-Browser-Standards.pdf).