
Difference between revisions of "Singapore"

From OWASP
(Welcome to OWASP Singapore Chapter)
(January 2020 Meetup: Current state of DevOps Security)
 
(35 intermediate revisions by the same user not shown)

Welcome to the Singapore chapter homepage. The chapter leader is [mailto:[email protected] Wong Onn Chee].

'''[https://groups.google.com/a/owasp.org/forum/#!forum/singapore-chapter/join Click here] to join the local chapter mailing list.'''

== Participation ==

= Upcoming Meetup =

=== January 2020 Meetup: Current state of DevOps Security ===

'''Date''': 13 January 2019, 7:30 pm to 9:00 pm

'''Venue''': Trend Micro office, 6 Temasek Boulevard, #16-01 to 05, Suntec Tower Four, Singapore 038986

DevOps security is tough. Come and listen to how NTUC is tackling application security through secure pipeline and environment controls for application development and deployment. Ian will cover the what and the how, and will also share some limitations of today's tools in keeping up with development changes.

'''Speaker''': Ian Loe

Ian Loe is the current SVP of cybersecurity at NTUC Enterprise Co-operative Limited and an adjunct fellow at the Singapore University of Technology & Design (SUTD). He has been active in DevOps security and application security, especially for containers and serverless applications.

Many thanks to Trend Micro for sponsoring the venue!

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

= Past Meetups =

=== 2019 ===

==== November 2019 Meetup: Basic Pentesting on Ethereum Blockchain ====

'''Date''': 14 November 2019, 7:30 pm to 9:00 pm

'''Venue''': F5 Singapore office, 5 Temasek Boulevard, #08-01/02 Suntec Tower 5, Singapore 038985

One of the double-edged swords of blockchain software, compared to a typical enterprise software stack, is that smart contracts are immutable once deployed. This talk will cover some of the basics of typical security vulnerabilities and mitigation methods on the Ethereum blockchain stack.

'''Speaker''': Dr. Chun Hui

Dr. Chun Hui (former Hyperledger research scientist at IBM and Hyperledger adjunct lecturer at NUS) is currently developing distributed software on both public and private blockchains for finance use cases at Kommerce. He has a strong interest in system infrastructure and blockchain, with a focus on design, DevOps and social-development impact.

Many thanks to F5 for sponsoring food and drinks!

Please RSVP your attendance at <nowiki>https://www.meetup.com/SGSecurityMG/</nowiki>

==== September 2019 Meetup: Introduction to CVSSv3.1 - Minor Release ====

'''Date''': 19 September 2019, 7:30 pm to 9:00 pm

'''Venue''': Akamai Singapore office, 1 Raffles Place, #17-61, One Raffles Place Tower 2, Singapore 048616

Come and listen to Christian share on the new CVSS 3.1. The Common Vulnerability Scoring System (CVSSv3.1) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative rating (such as low, medium, high or critical) to help organizations properly assess and prioritize their vulnerability management processes.

'''Speaker''': Christian Heinrich

Christian Heinrich has presented at OWASP conferences in Australia, Europe and the USA; at OWASP chapters in the Netherlands, London, and Sydney and Melbourne, Australia; and at ToorCon (USA), Shmoocon (USA), BlackHat (Asia and USA), SecTor (Canada), CONFidence (Europe), Hack In The Box (Europe), SyScan (Singapore), B-Sides (Australia), RUXCON (Australia) and AusCERT (Australia).

cmlh has a public profile on LinkedIn at http://www.linkedin.com/in/ChristianHeinrich

Many thanks to Akamai for sponsoring food and drinks!

Please RSVP your attendance at <nowiki>https://www.meetup.com/SGSecurityMG/</nowiki>

==== June 2019 Meetup: Understanding Bad Bots ====

'''Date''': 26 June 2019, 7:30 pm to 9:00 pm

'''Venue''': F5 Singapore office, Suntec City Tower Five, 5 Temasek Boulevard #08-01/02, Singapore 038985, Singapore

Bots form a significant chunk of modern-day traffic. The talk and demo will show some bot attacks, how they impact businesses and users, and the need for a layered defence mechanism.

'''Speaker''': Shahnawaz Backer

Shahnawaz Backer is a Security Specialist at F5 Networks, with a keen interest in financial malware and identity security. He has been a Consulting Engineer for over a decade and started his career as a Security Product Development Engineer. His notable work includes designing a financial malware strategy for multiple Tier 1 banks in APAC, and designing a nation-level authentication framework and identity management strategy for multiple financial and government organizations.

In his spare time he loves to code and automate.

Many thanks to F5 for sponsoring food and drinks!

Please RSVP your attendance at <nowiki>https://www.meetup.com/SGSecurityMG/</nowiki>

==== Mar 2019 Meetup: HTTP2 ====

'''Date''': 20 March 2019, 7:30 pm to 8:30 pm

'''Venue''': Akamai Singapore office, 1 Raffles Place, #17-61, One Raffles Place Tower 2, Singapore 048616, Singapore

The presentation will discuss the relatively new HTTP/2 protocol, which has recently been adopted as a standard and is now widely deployed. Most browsers and web servers support it; however, relatively little security research has been done on the new protocol. There are very few tools for security testing, and penetration testing is challenging. There will be a demo of a vulnerability being exploited over HTTP/2.

'''Speaker''': Adrien de Beaupre

Adrien de Beaupre is a Principal SANS instructor and works as an independent consultant in beautiful Ottawa, Ontario. His work experience includes course development, technical instruction, vulnerability assessment, and penetration testing. He is a member of the SANS Internet Storm Center (isc.sans.edu) and is actively involved with the information security community. He is the lead author and lead instructor of two SANS courses: SEC642 Advanced Web Application Penetration Testing, Ethical Hacking, and Exploitation Techniques, and SEC460 Enterprise Threat and Vulnerability Assessment.

Please RSVP your attendance at <nowiki>https://www.meetup.com/SGSecurityMG/</nowiki>

Many thanks to Akamai for their kind sponsorship of venue and F&B (no beer though)!

==== Mar 2019 Meetup #2: ReDTunnel: Explore Internal Networks via DNS Rebinding Tunnel ====

'''Date''': 28 March 2019, 7:30 pm to 8:30 pm

'''Venue''': F5 Singapore office, Suntec City Tower Five, 5 Temasek Boulevard #08-01/02, Singapore 038985, Singapore

Did you ever wonder how you could browse a target's internal network without deploying anything on the victim machine? Sounds like magic, right? Imagine that you could have a one-click setup that will provide you a magic tunnel from the outside world. That's when we came up with the "ReD Tunnel" idea. The design goal was to use tools that exist on the victim's device, like the browser, rather than rely on 0-days, to stay below the radar of the most advanced AV. To create this new capability, we decided to combine two concepts: JavaScript reconnaissance techniques and the DNS rebinding attack. Open your browser, wait until the victim visits your website and start browsing the internal websites in their network. Now, when red-teaming, you could really "be a guest, but feel at home".

'''Speaker''': Tomer Zait

Tomer Zait (Principal Security Researcher at F5 Networks) has worked in a range of professions in the security industry (Web Application Firewall Integrator, Penetration Tester, Application Security Engineer, Security Researcher, etc.). During this time, he developed open-source projects (most of them security tools). His projects include: x64dbgpy; PyMultitor (presented at BlackHat Arsenal ASIA/US/EU 2017); SubDomain-Analyzer; AutoBrowser; phantom-requests, and more. Tomer writes regularly for online security magazines and is a 4-time winner of the Israeli Cyber Challenge (CTF).

Please RSVP your attendance at <nowiki>https://www.meetup.com/SGSecurityMG/</nowiki>

==== Feb 2019 Meetup: How to make your software security program successful ====

'''Date''': 20 February 2019, 7:30 pm to 8:30 pm

'''Venue''': Akamai Singapore office, 1 Raffles Place, #17-61, One Raffles Place Tower 2, Singapore 048616, Singapore

What is common between mobile applications, web applications, IoT devices and OS client applications?

They are all developed from software.

As new software deployment accelerates through wider adoption of the DevOps methodology, maintaining software security is crucial to you and your organization. Is your software security program up to the challenge? If you're not getting the most out of your software security program, come and join this session, which will provide recommendations on how to improve your program for better, faster results.

'''Speaker''': Jason Khoo, CISSP, CSSLP, CISA

Jason is a Technical Account Manager at Checkmarx. He has extensive experience in application security consulting services, focusing on secure software analysis.

He works with organizations whose internal and external development teams, as well as security teams, are mostly driven by audits and compliance. He is passionate about software security and the different software testing methodologies, and will share his ideas and workflow with the audience.

Please RSVP your attendance at <nowiki>https://www.meetup.com/SGSecurityMG/</nowiki>

Many thanks to Akamai for their kind sponsorship of venue and F&B (no beer though)!

==== Jan 2019 Meetup: Security is everybody's job ====

'''Date''': 16 January 2018, 7:30 pm to 8:30 pm

'''Venue''': Akamai Singapore office, 1 Raffles Place, #17-61, One Raffles Place Tower 2, Singapore 048616, Singapore

In DevOps everyone performs security work, whether they like it or not. With a ratio of 100/10/1 for development, operations and security, it's impossible for the security team alone to get it all done. We must build security into each of "the three ways": automating and/or improving the efficiency of all security activities, speeding up feedback loops for security-related activities, and providing continuous learning opportunities in relation to security. While it may sound like the security team needs to learn to sprint, give feedback and teach at the same time, the real challenge is creating a culture that embodies the mindset that security is everybody's job.

'''Speaker''': Tanya Janca

Tanya Janca is a senior cloud security advocate for Microsoft, specializing in application and cloud security; evangelizing software security and advocating for developers and operations folks alike through public speaking, her open source project OWASP DevSlop, and various forms of teaching via workshops, blogs and community events. As an ethical hacker, OWASP Project and Chapter Leader, Women in Security and Technology (WIST) chapter leader, software developer and professional computer geek of 20+ years, she is a person who is truly fascinated by the 'science' of computer science.

Pertinent links:

https://medium.com/@shehackspurple

https://DevSlop.co

https://twitter.com/shehackspurple

Many thanks to Akamai for their kind sponsorship of venue and F&B (no beer though)!

=== 2018 ===

==== Oct 2018 Meetup: Lessons from Protecting a Major Conference: What You Do Not Know Will Haunt You ====

Date: 17 October 2018, 7:30 pm to 8:30 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

In this session, lessons drawn from protecting a major security conference will be shared (the identity of the conference will be withheld for confidentiality). These lessons can easily be adopted in most organisations at zero to low cost, so there is no excuse for infosec pros not to implement them.

Besides looking at IoCs or IoAs, a new indicator will be proposed for security monitoring, one that gives more advance notice and more cost-efficient protection.

Lastly, on a side note unrelated to the major security conference, common mistakes made during onboarding of CDNs will also be shared, along with suitable controls for the attendees. Hopefully, we will not see any exposed luncheon meat or seaweed when we onboard CDNs. ;-)

Download the presentation here: https://www.owasp.org/images/a/aa/OWASP_SG_Oct_2018_Lessions_from_Protecting_a_Major_Conference_What_You_Do_Not_Know_Will_Haunt_You.pdf

Speaker: Onn Chee

Onn Chee has been a n00b in infosec for more than 18 years.

==== Sep 2018 Meetup: The Three Ways Of Software Security; Revolutionizing AppSec Using DevOps methods ====

Date: 19 September 2018, 7:00 pm to 8:30 pm

Venue: JP Morgan Singapore office, 168 Robinson Rd, Capital Tower, Singapore 068912

Just as DevOps was a new way of thinking that forever changed software development, application security is in the midst of its own transformation. Taking a page from Gene Kim's IT best seller "The Phoenix Project", this session will provide a new definition of DevSecOps as we explore the "Three Ways of Software Security":

1. Establish a security work flow with a direct line of sight to business value

2. Ensure instant security feedback with continuous assessment and visibility

3. Encourage a security culture by reducing builder-breaker cycle time

Audience members will leave with a refreshed way of thinking about AppSec and DevOps, as well as an understanding of how to apply redefined DevSecOps within their own organizations.

<u>Speaker: Jeff Williams</u>

A pioneer in application security, Jeff Williams has over 20 years of security leadership experience. He speaks frequently on cutting-edge AppSec technologies and has helped secure code at hundreds of major enterprises. Jeff was the Co-Founder and Global Chair of the OWASP Foundation for eight years, creating the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, etc. In recent years, Jeff founded Contrast Security and Aspect Security, which deliver innovative AppSec solutions and services throughout the world. Aspect Security was acquired by E&Y in early 2018. He has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

Many thanks to JP Morgan and Thomas for agreeing to be our venue sponsor at such short notice.

You can download the presentation slides from https://www.owasp.org/images/7/76/OWASP-SG-Sep-2018-Meetup.pdf.pdf

==== Jul 2018 Meetup: IoT Security Research ====

Date: 23 July 2018, 7:30 pm to 9:00 pm

Venue: NUSS Suntec City Guild House, 3 Temasek Boulevard, #02-401/402 Suntec City Mall, Singapore 038983
Line 37: Line 216:
  
 
Many thanks to F5 for their sponsorship.
 
Many thanks to F5 for their sponsorship.
 
+
==== May 2018 Meetup: Introduction to CVSS ====
= Past Meetups =
 
 
 
=== 2018 ===
 
 
 
==== '''May 2018 Meetup: Introduction to CVSS''' ====
 
 
Date: 21 May 2018 730pm to 900pm  
 
Date: 21 May 2018 730pm to 900pm  
  
Line 59: Line 233:
 
Many thanks to Akamai again for their sponsorship.   
 
Many thanks to Akamai again for their sponsorship.   
  
==== '''Apr 2018 Meetup: DevSecOps In Practice''' ====
+
==== Apr 2018 Meetup: DevSecOps In Practice ====
 
Date: 18 April 2018 730pm to 900pm (changed from 17 April)
 
Date: 18 April 2018 730pm to 900pm (changed from 17 April)
  
Line 74: Line 248:
 
Many thanks to Akamai again for their sponsorship.   
 
Many thanks to Akamai again for their sponsorship.   
  
==== '''Jan 2018 Meetup - 2 topics''' ====
+
==== Jan 2018 Meetup: "Accuracy will set you free" - The New Era of AppSec with Interactive Application Security Testing (IAST) and Runtime Application Self Protection (RASP)" and "Hunt for Cold War-like Sleeper Malware" ====
 
Date: 25 January 2018 730 pm to 900 pm
 
Date: 25 January 2018 730 pm to 900 pm
  
Line 94: Line 268:
  
 
(All identities - organisation, security products and malware - will be anonymised due to NDA)
 
(All identities - organisation, security products and malware - will be anonymised due to NDA)
 +
 +
You can download the slides here https://www.owasp.org/images/e/e2/OWASP_SG_Jan_2018_-_Hunt_for_a_Cold_War-like_Sleeper_Malware.pdf
  
 
<u>Speaker: Onn Chee</u>
 
<u>Speaker: Onn Chee</u>
Line 104: Line 280:
 
=== 2017 ===
 
=== 2017 ===
  
==== '''August 2017 Meetup: APNIC Security Engagement in the AP Region''' ====
+
==== Aug 2017 Meetup: APNIC Security Engagement in the AP Region ====
 
Date: 16 August 2017 730 pm to 930 pm
 
Date: 16 August 2017 730 pm to 930 pm
  
Line 119: Line 295:
 
Many thanks to Akamai again for their sponsorship.   
 
Many thanks to Akamai again for their sponsorship.   
  
==== June 2017 Meetup - 2 topics ====
+
==== Jun 2017 Meetup: "Cyber Technical Surveillance & Counter Measures (TSCM) – Looking at the physical attacks on IT Infrastructure using covert data taps and transmission devices" and "Singapore Threat Brief" ====
 
Date: 14 June 2017 730 pm to 930 pm
 
Date: 14 June 2017 730 pm to 930 pm
  
Line 152: Line 328:
 
Many thanks to Akamai again for their sponsorship.   
 
Many thanks to Akamai again for their sponsorship.   
  
==== March 2017 Meetup: "Have I been pwned?" and "Your Arsenal to bypass restrictions" ====
+
==== Mar 2017 Meetup: "Have I been pwned?" and "Your Arsenal to bypass restrictions" ====
  
 
Date: 28 March 2017 730 pm to 930 pm
 
Date: 28 March 2017 730 pm to 930 pm
Line 195: Line 371:
 
=== 2016 ===
 
=== 2016 ===
  
==== '''Dec 2016 Meetup 2: Conducting Threat Modeling in Agile Development''' ====
+
==== Dec 2016 Meetup 2: Conducting Threat Modeling in Agile Development ====
 
Date: 14 Dec 2016 730 pm to 930 pm
 
Date: 14 Dec 2016 730 pm to 930 pm
  
Line 211: Line 387:
 
His complete profile is available on http://www.sumansourav.com
 
His complete profile is available on http://www.sumansourav.com
  
==== '''Dec 2016 Meetup 1: Ransomware in Web Apps''' ====
+
==== Dec 2016 Meetup: Ransomware in Web Apps ====
 
Date: 5 Dec 2016 730 pm to 930 pm
 
Date: 5 Dec 2016 730 pm to 930 pm
  
Line 223: Line 399:
 
Mark Curphey is CEO of SourceClear, the security company for software developers. He founded OWASP (http://www.owasp.org) when he ran software security at Charles Schwab and has written chapters on software security in books published by O’Reilly.
 
Mark Curphey is CEO of SourceClear, the security company for software developers. He founded OWASP (http://www.owasp.org) when he ran software security at Charles Schwab and has written chapters on software security in books published by O’Reilly.
  
==== '''Jul 2018 Meetup Data Exfiltration over DNS''' ====
+
==== Jul 2018 Meetup: Data Exfiltration over DNS ====
 
Date: 12 July 2016 7 pm to 9 pm
 
Date: 12 July 2016 7 pm to 9 pm
  
Line 238: Line 414:
 
=== 2015 ===
 
=== 2015 ===
  
==== '''Dec 2015 Meetup: Learn Web Attacks using OWASP WebGoat, A Demo''' ====
+
==== Dec 2015 Meetup: Learn Web Attacks using OWASP WebGoat, A Demo ====
 
Date: 15 Dec 2015 7:30 pm
 
Date: 15 Dec 2015 7:30 pm
  
Line 258: Line 434:
 
Viswanath S Chirravuri has over 10 years of experience in Software Security. Currently he is a senior Security Architect at a leading digital security company, GEMALTO. He actively holds industry certifications like CISSP, CEH, GWAPT, Security+, PMP and SCJP. Viswanath is accredited by CA Technologies on Identity and Access management suite of products. Over the past few years, he has been giving training's on various SAST and DAST tools to application security engineers across different industries.
 
Viswanath S Chirravuri has over 10 years of experience in Software Security. Currently he is a senior Security Architect at a leading digital security company, GEMALTO. He actively holds industry certifications like CISSP, CEH, GWAPT, Security+, PMP and SCJP. Viswanath is accredited by CA Technologies on Identity and Access management suite of products. Over the past few years, he has been giving training's on various SAST and DAST tools to application security engineers across different industries.
  
==== '''Nov 2015 Meetup: Security In The World Of CI-CD''' ====
+
==== Nov 2015 Meetup: Security In The World Of CI-CD ====
 
Date: 26 Nov 2015 730pm
 
Date: 26 Nov 2015 730pm
  
Line 279: Line 455:
 
For more information about Aniket, kindly get connected with him on linkedin: https://sg.linkedin.com/pub/aniket-kulkarni/10/653/202 , and he will be happy to interact with you for various security related discussions.
 
For more information about Aniket, kindly get connected with him on linkedin: https://sg.linkedin.com/pub/aniket-kulkarni/10/653/202 , and he will be happy to interact with you for various security related discussions.
  
==== '''Sep 2015 Meetup: OWASP Zed Attack Proxy Advanced Features - A Demo''' ====
+
==== Sep 2015 Meetup: OWASP Zed Attack Proxy Advanced Features - A Demo ====
 
Date: 29 Sep 2015 7pm
 
Date: 29 Sep 2015 7pm
  
Line 289: Line 465:
 
Viswanath S Chirravuri has over 10 years of experience in IT Security space. Currently he is a Software Security Architect for Asia region at a leading digital security company, GEMALTO. He actively holds industry certifications like CISSP, CEH, GWAPT, Security+, PMP and SCJP. Viswanath is accredited by CA Technologies on Identity and Access management suite of products. Over the past 3 years, he has been giving training's on various SAST and DAST tools to application security engineers in financial services and telecommunications industries.
 
Viswanath S Chirravuri has over 10 years of experience in IT Security space. Currently he is a Software Security Architect for Asia region at a leading digital security company, GEMALTO. He actively holds industry certifications like CISSP, CEH, GWAPT, Security+, PMP and SCJP. Viswanath is accredited by CA Technologies on Identity and Access management suite of products. Over the past 3 years, he has been giving training's on various SAST and DAST tools to application security engineers in financial services and telecommunications industries.
  
==== '''Jan 2015 Meetup: Introducing Application Security in Your Organization - Think Like a Developer''' ====
+
==== Jan 2015 Meetup: Introducing Application Security in Your Organization - Think Like a Developer ====
 
Date: 22 Jan 2015 7pm
 
Date: 22 Jan 2015 7pm
  
Line 308: Line 484:
 
=== 2014 ===
 
=== 2014 ===
  
==== '''Oct 2014 Meetup: Mobile Security''' ====
+
==== Oct 2014 Meetup: Mobile Security ====
 
Date: 21 October 2014 7pm
 
Date: 21 October 2014 7pm
  
Line 319: Line 495:
 
PS: Please take note of our new meeting place and the shortened meetup duration due to venue constraints.
 
PS: Please take note of our new meeting place and the shortened meetup duration due to venue constraints.
  
==== '''Information Security Seminar (ISS) 2014''' ====
+
==== Information Security Seminar (ISS) 2014 ====
 
Date: 26-27 August 2014
 
Date: 26-27 August 2014
  
Line 329: Line 505:
  
 
The seminar, comprising a main plenary as well as breakout tracks, is expected to draw about 500 infocomm security decision makers and practitioners from the Public and Private sectors, as well as students from institutes of higher learning. On the second day of the seminar, workshops which aim to provide an in-depth and hands-on approach to managing infocomm security challenges will be held for security professionals and students from institutes of higher learning.
 
The seminar, comprising a main plenary as well as breakout tracks, is expected to draw about 500 infocomm security decision makers and practitioners from the Public and Private sectors, as well as students from institutes of higher learning. On the second day of the seminar, workshops which aim to provide an in-depth and hands-on approach to managing infocomm security challenges will be held for security professionals and students from institutes of higher learning.
 
 
  
 
For paid OWASP members, you are entitled to two complimentary seminar passes on a first-come-first-serve basis.
 
For paid OWASP members, you are entitled to two complimentary seminar passes on a first-come-first-serve basis.
Line 339: Line 513:
 
Do sign up soon and see you at ISS 2014!
 
Do sign up soon and see you at ISS 2014!
  
==== '''Jul 2014 Meetup 2: 2 topics''' ====
+
==== Jul 2014 Meetup 2: "A technical introduction to FIDO - Is the age of of simple consumer-oriented strong-authentication finally arriving?" and "Source code review with focus on technical resolution challenges" ====
 
Date: 21 July 2014
 
Date: 21 July 2014
  
Line 358: Line 532:
 
See ya!
 
See ya!
  
==== '''Jul 2014 Meetup 1: OWASP Top 10 Proactive Controls''' ====
+
==== Jul 2014 Meetup: OWASP Top 10 Proactive Controls ====
 
Date: 4 July 2014
 
Date: 4 July 2014
  
Line 375: Line 549:
 
See ya!
 
See ya!
  
==== '''Jun 2014 Meetup: Covert Redirect Vulnerability''' ====
+
==== Jun 2014 Meetup: Covert Redirect Vulnerability ====
 
Date: 18 June 2014
 
Date: 18 June 2014
  
Line 391: Line 565:
 
See ya!
 
See ya!
  
'''Apr 2014 Meetup: OWASP Cornucopia'''
+
==== Apr 2014 Meetup: OWASP Cornucopia ====
 
 
 
Date: 23 April 2014
 
Date: 23 April 2014
  
Line 411: Line 584:
 
See ya!
 
See ya!
  
 
+
==== Mar 2014 Meetup: HTML5 Security ====
 
 
'''HTML5 Security'''
 
 
 
 
Date: 12 March 2014
 
Date: 12 March 2014
  
Line 440: Line 610:
 
=== 2013 ===
 
=== 2013 ===
  
==== '''Jul 2013 Meetup: Managing Web & Application Security with OWASP – bringing it all together''' ====
+
==== Jul 2013 Meetup: Managing Web & Application Security with OWASP – bringing it all together ====
 
Date: 18 July 2013
 
Date: 18 July 2013
  
Line 457: Line 627:
 
See ya!
 
See ya!
  
 
+
==== May 203 Meetup: Wordpress (In)Security: How hackers bypassed manual defacement monitoring ====
 
 
'''Wordpress (In)Security: How hackers bypassed manual defacement monitoring'''
 
 
 
 
Date: 30 May 2013
 
Date: 30 May 2013
  
Line 480: Line 647:
 
See ya!
 
See ya!
  
==== '''Feb 2013 Meetup: Bypassing Local Microsoft Security Policies''' ====
+
==== Feb 2013 Meetup: Bypassing Local Microsoft Security Policies ====
 
Date: 28 Feb 2013
 
Date: 28 Feb 2013
  
Line 492: Line 659:
 
Local Microsoft security policies are one of the few areas of security that are rarely researched or focused on by the security community. These policies are designed to prevent local users from accessing functionality which has been "Disabled By Your Administrator". From Local Group Policy, Software Restriction Policies, App Locker to Internet Explorer, each Microsoft technology has its own way of restricting what you can and cannot do. For local exploitation attempt these technologies can be troublesome, frustrating and restrict the true potential of your attack. This talk will cover a broad view of the current attacks against Microsoft local policies and the underlying issues affecting this form of security.
 
Local Microsoft security policies are one of the few areas of security that are rarely researched or focused on by the security community. These policies are designed to prevent local users from accessing functionality which has been "Disabled By Your Administrator". From Local Group Policy, Software Restriction Policies, App Locker to Internet Explorer, each Microsoft technology has its own way of restricting what you can and cannot do. For local exploitation attempt these technologies can be troublesome, frustrating and restrict the true potential of your attack. This talk will cover a broad view of the current attacks against Microsoft local policies and the underlying issues affecting this form of security.
  
'''Speaker Profile'''
+
Speaker Profile
  
 
Paul is the Principal Security Consultant at Security-Assessment.com Singapore. Labeled "A malicious hacker" by the media in his native New Zealand, Paul is now based in sunny Singapore where he leads the SE Asian Penetration Testing Team. Paul has been an avid security researcher and all-round advocate for security from a young age with a passion for exploitation and finding creative methods of getting shell.
 
Paul is the Principal Security Consultant at Security-Assessment.com Singapore. Labeled "A malicious hacker" by the media in his native New Zealand, Paul is now based in sunny Singapore where he leads the SE Asian Penetration Testing Team. Paul has been an avid security researcher and all-round advocate for security from a young age with a passion for exploitation and finding creative methods of getting shell.
Line 505: Line 672:
 
=== 2012 ===
 
=== 2012 ===
  
==== '''Nov 2012 Meetup 2: AISP-OWASP: Hacking Techniques''' ====
+
==== Nov 2012 Meetup 2: AISP-OWASP: Hacking Techniques ====
 
Date: 14 Nov 2012
 
Date: 14 Nov 2012
  
Line 538: Line 705:
 
See ya!
 
See ya!
  
==== '''Nov 2012 Meetup: AISP-OWASP: New web attacks & short intro on IT Impact of SG data privacy law''' ====
+
==== Nov 2012 Meetup: AISP-OWASP: New web attacks & short intro on IT Impact of SG data privacy law ====
 
Date: 7 Nov 2012
 
Date: 7 Nov 2012
  
Line 559: Line 726:
 
See ya!
 
See ya!
  
==== Oct 2012 Meetup 3: '''AISP-OWASP: WAFs - An attacker's perspective''' ====
+
==== Oct 2012 Meetup 3: AISP-OWASP: WAFs - An attacker's perspective ====
 
Date: 29 Oct 2012
 
Date: 29 Oct 2012
  
Line 579: Line 746:
 
See ya!
 
See ya!
  
==== '''Oct 2012 Meetup 2: AISP-OWASP: Dynamic Web Defense''' ====
+
==== Oct 2012 Meetup 2: AISP-OWASP: Dynamic Web Defense ====
 
Date: 22 Oct 2012
 
Date: 22 Oct 2012
  
Line 600: Line 767:
 
See ya!
 
See ya!
  
==== '''Oct 2012 Meetup: AISP-OWASP Joint Series: Learn how Taiwanese organisations defend themselves against constant Chinese cyber attacks''' ====
+
==== Oct 2012 Meetup: AISP-OWASP Joint Series: Learn how Taiwanese organisations defend themselves against constant Chinese cyber attacks ====
 
Date: 3 Oct 2012
 
Date: 3 Oct 2012
  
Line 625: Line 792:
 
See ya!
 
See ya!
  
==== '''Sep 2012 Meetup 2: AISP-OWASP Joint Series: Security Testing with OWASP ZAP''' ====
+
==== Sep 2012 Meetup 2: AISP-OWASP Joint Series: Security Testing with OWASP ZAP ====
 
Date: 18 Sep 2012
 
Date: 18 Sep 2012
  
Line 646: Line 813:
 
See ya!
 
See ya!
  
==== '''Sep 2012 Meetup: AISP-OWASP Joint Series: Use of OWASP ESAPI to Defend Against OWASP Top 10 Risks''' ====
+
==== Sep 2012 Meetup: AISP-OWASP Joint Series: Use of OWASP ESAPI to Defend Against OWASP Top 10 Risks ====
 
Date: 12 Sep 2012
 
Date: 12 Sep 2012
  
Line 668: Line 835:
  
  
HITBSecConf2012 - Malaysia: #TenYearsInTheBox

[[File:Hitb2012kul-banner-300-250.jpg]]

Please contact Onn Chee for the discount code. Do note only paid registered OWASP members are eligible for the discounts.
  
Apr 2012 Meetup: Rethinking web-application architecture for the Cloud

Date: 23 April 2012
  

Latest revision as of 06:07, 14 January 2020

Welcome to OWASP Singapore Chapter

Welcome to the Singapore chapter homepage. The chapter leader is Wong Onn Chee.

Click here to join the local chapter mailing list.

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter.

Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now

Upcoming Meetup

January 2020 Meetup: Current state of DevOps Security

Date: 13 January 2020 730pm to 900pm

Venue: Trend Micro office, 6 Temasek Boulevard #16-01 to 05 Suntec Tower Four · Singapore 038986

DevOps security is tough. Come and listen to how NTUC is tackling application security through secure pipeline and environment controls for application development and deployment. Ian will cover the what and the how, and will also share some limitations of today's tools in keeping up with development changes.

Speaker: Ian Loe

Ian Loe is the current SVP of cybersecurity at NTUC Enterprise Co-operative Limited and an adjunct fellow at the Singapore University of Technology & Design (SUTD). He has been active in DevOps security and application security, especially in containers and serverless applications.

Many thanks to Trend Micro for sponsoring the venue!

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

Past Meetups

2019

November 2019 Meetup: Basic Pentesting on Ethereum Blockchain

Date: 14 November 2019 730pm to 900pm

Venue: F5 Singapore office, 5 Temasek Boulevard, #08-01/02 Suntec Tower 5, Singapore 038985

One of the double-edged swords of blockchain software, compared to a typical enterprise software stack, is that smart contracts are immutable once deployed. This talk will cover some of the basics of typical security vulnerabilities and mitigation methods on the Ethereum blockchain stack.

Speaker: Dr. Chun Hui

Dr. Chun Hui (former Hyperledger research scientist at IBM and Hyperledger Adjunct Lecturer at NUS) is currently developing distributed software on both public and private blockchains for finance use cases at Kommerce. He has a strong interest in system infrastructure and blockchain, with a focus on design, DevOps and social-development impact.

Many thanks to F5 for sponsoring food and drinks!

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

September 2019 Meetup: Introduction to CVSSv3.1 - Minor Release

Date: 19 September 2019 730pm to 900pm

Venue: Akamai Singapore office, 1 Raffles Place, #17-61, One Raffles Place Tower 2, Singapore 048616

Come and listen to Christian share on the new CVSS 3.1. The "Common Vulnerability Scoring System" (CVSSv3.1) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

Speaker: Christian Heinrich

Christian Heinrich has presented at the OWASP Conferences in Australia, Europe and USA and OWASP Chapters in the Netherlands, London and Sydney and Melbourne, Australia, ToorCon (USA), Shmoocon (USA), BlackHat (Asia and USA), SecTor (Canada), CONFidence (Europe), Hack In The Box (Europe), SyScan (Singapore), B-Sides (Australia), RUXCON (Australia), and AusCERT (Australia).

cmlh has a Public Profile on LinkedIn at http://www.linkedin.com/in/ChristianHeinrich

Many thanks to Akamai for sponsoring food and drinks!

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

June 2019 Meetup: Understanding Bad Bots

Date: 26 June 2019 730pm to 900pm

Venue: F5 Singapore office, Suntec City Tower Five, 5 Temasek Boulevard #08-01/02, Singapore 038985, Singapore

Bots form a significant chunk of modern-day traffic. The talk and demo will show some bot attacks, how they impact businesses and users, and the need for a layered defence mechanism.

Speaker: Shahnawaz Backer

Shahnawaz Backer is a Security Specialist at F5 Networks with a keen interest in financial malware and identity security. He has been a Consulting Engineer for over a decade and started his career as a Security Product Development Engineer. His notable work includes designing a financial malware strategy for multiple Tier 1 banks in APAC, and designing a nation-level authentication framework and identity management strategy for multiple financial and government organisations.

In his spare time he loves to code and automate.

Many thanks to F5 for sponsoring food and drinks!

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

Mar 2019 Meetup: HTTP/2

Date: 20 March 2019 730pm to 830pm

Venue: Akamai Singapore office, 1 Raffles Place, #17-61, One Raffles Place Tower 2, Singapore 048616, Singapore

The presentation will discuss the relatively new HTTP/2 protocol, which has recently been standardised and widely adopted. Most browsers and web servers support it, yet relatively little security research has been done on the new protocol. There are very few tools for security testing over it, and penetration testing is challenging. There will be a demo of a vulnerability being exploited over HTTP/2.

Speaker: Adrien de Beaupre

Adrien de Beaupre is a Principal SANS instructor and works as an independent consultant in beautiful Ottawa, Ontario. His work experience includes course development, technical instruction, vulnerability assessment, and penetration testing. He is a member of the SANS Internet Storm Center (isc.sans.edu) and is actively involved with the information security community. He is the lead author and lead instructor of two SANS courses: SEC642 Advanced Web Application Penetration Testing, Ethical Hacking, and Exploitation Techniques, and SEC460 Enterprise Threat and Vulnerability Assessment.

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

Many thanks to Akamai for their kind sponsorship of venue and F&B (no beer though)!

Mar 2019 Meetup #2: ReDTunnel: Explore Internal Networks via DNS Rebinding Tunnel

Date: 28 March 2019 730pm to 830pm

Venue: F5 Singapore office, Suntec City Tower Five, 5 Temasek Boulevard #08-01/02, Singapore 038985, Singapore

Did you ever wonder how you could browse a target's internal network without deploying anything on the victim's machine? Sounds like magic, right? Imagine a one-click setup that gives you a magic tunnel in from the outside world. That's how the "ReD Tunnel" idea came about. The design goal was to use tools that already exist on the victim's device, like the browser, rather than rely on 0-days, so as to stay below the radar of even the most advanced AV. To create this new capability, we combined two concepts: JavaScript reconnaissance techniques and the DNS rebinding attack. Open your browser, wait until the victim visits your website, and start browsing the internal websites in their network. Now, when red-teaming, you can really "be a guest, but feel at home".
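The mechanics behind the abstract above, as an added example written for this page (not code from ReDTunnel or from F5): an attacker-controlled nameserver that answers the first query with its own web server and every later query, with TTL 0, with an internal address, so the browser's same-origin policy now lets the attacker's JavaScript read an internal service. The two defences shown are a resolver that drops non-routable answers for outside names (the idea behind dnsmasq's --stop-dns-rebind) and Host-header validation on the internal service. Hostnames, addresses and the resolver identifier are constructed, and nothing touches the network.

```python
"""DNS rebinding: the attacker's answer flip, and two defences that break it.

Added example for the ReDTunnel talk above. It is a self-contained simulation
written for this page, not code from ReDTunnel or from F5, and nothing here
touches the network. Hostnames, addresses and the resolver identifier are
constructed; the resolver-side filter is modelled on the idea behind dnsmasq's
--stop-dns-rebind option rather than taken from this page.
"""
import ipaddress
from collections import defaultdict

ATTACKER_PUBLIC_IP = "203.0.113.10"        # constructed, documentation range
INTERNAL_TARGET_IP = "192.168.1.1"         # what the attacker wants the browser to talk to
REBIND_NAME = "rebind.attacker.example"    # constructed attacker-controlled name
INTERNAL_SERVICE_NAME = "router.internal"  # the hostname the internal service expects

# Address ranges a resolver should never hand back for a name outside the local zones.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this network"
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]


class RebindingNameserver:
    """Authoritative server for REBIND_NAME that answers differently on the second query.

    First answer: the attacker's real web server, so the browser loads the page and
    its JavaScript. TTL 0 makes the browser re-resolve on the next request, and from
    then on the name points at the internal target while the origin the script runs
    under (scheme, host, port) never changes. Same-origin policy is satisfied, so the
    script can read the internal service's responses.
    """

    def __init__(self):
        self.queries_seen = defaultdict(int)

    def answer(self, resolver_ip: str, qname: str):
        if qname != REBIND_NAME:
            return None
        n = self.queries_seen[resolver_ip]
        self.queries_seen[resolver_ip] = n + 1
        return {"name": qname, "ip": ATTACKER_PUBLIC_IP if n == 0 else INTERNAL_TARGET_IP, "ttl": 0}


def resolver_blocks_rebind(answer: dict, local_zones=("internal",)) -> bool:
    """Defence 1 (resolver): drop non-routable answers for names outside the local zones."""
    ip = ipaddress.ip_address(answer["ip"])
    name = answer["name"].rstrip(".")
    is_local_name = any(name == z or name.endswith("." + z) for z in local_zones)
    return (not is_local_name) and any(ip in net for net in _NON_ROUTABLE)


def service_accepts(host_header: str) -> bool:
    """Defence 2 (service): validate the Host header.

    After rebinding, the browser still sends Host: rebind.attacker.example, because that
    is the origin the page came from. A service that only answers for its own name or IP
    literal turns the rebound request into a 400 before any data leaves.
    """
    return host_header.split(":")[0] in (INTERNAL_SERVICE_NAME, INTERNAL_TARGET_IP)


def simulate_attack(filter_answers: bool, check_host: bool) -> list:
    """Walk one victim through the page load and the script's follow-up fetch."""
    ns = RebindingNameserver()
    events = []
    for step in ("page-load", "js-fetch"):
        ans = ns.answer("victim-resolver", REBIND_NAME)
        if filter_answers and resolver_blocks_rebind(ans):
            events.append((step, ans["ip"], "dropped by resolver"))
            continue
        if ans["ip"] != INTERNAL_TARGET_IP:
            events.append((step, ans["ip"], "attacker page and JS delivered"))
        elif check_host and not service_accepts(REBIND_NAME):
            events.append((step, ans["ip"], "400 bad Host"))
        else:
            events.append((step, ans["ip"], "internal page read by attacker JS"))
    return events


def attacker_succeeded(events: list) -> bool:
    return any(outcome == "internal page read by attacker JS" for _, _, outcome in events)


if __name__ == "__main__":
    for filt, host in ((False, False), (True, False), (False, True)):
        ev = simulate_attack(filt, host)
        print("resolver_filter=%-5s host_check=%-5s success=%s" % (filt, host, attacker_succeeded(ev)))
        for e in ev:
            print("   ", e)
```

Either defence alone stops the read in this model; in practice you want both, because the resolver filter does nothing for a victim on a network whose resolver you do not control, and Host validation does nothing for services that answer on any name.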

Speaker: Tomer Zait

Tomer Zait (Principal Security Researcher at F5 Networks) has worked in a range of professions in the security industry (web application firewall integrator, penetration tester, application security engineer, security researcher, etc.). During this time, he has developed open-source projects (most of them security tools). His projects include x64dbgpy, PyMultitor (presented at BlackHat Arsenal Asia/US/EU 2017), SubDomain-Analyzer, AutoBrowser, phantom-requests and more. Tomer writes regularly for online security magazines and is a four-time winner of the Israeli Cyber Challenge (CTF).

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

Feb 2019 Meetup: How to make your software security program successful

Date: 20 February 2019 730pm to 830pm

Venue: Akamai Singapore office, 1 Raffles Place, #17-61, One Raffles Place Tower 2, Singapore 048616, Singapore

What is common between mobile applications, web applications, IoT devices and OS client applications?

They are all built from software.

As new software deployments accelerate through wider adoption of the DevOps methodology, maintaining software security is crucial to you and your organisation. Is your software security program up to the challenge? If you're not getting the most out of your software security program, come and join this session, which will provide recommendations on how to improve your program for better, faster results.

Speaker: Jason Khoo, CISSP, CSSLP, CISA

Jason is a Technical Account Manager at Checkmarx. He has extensive experience in application security consulting services, focusing on secure software analysis.

He works with organisations whose internal and external development teams, as well as their security teams, are mostly driven by audits and compliance. He is passionate about software security and the different software testing methodologies, and will share his ideas and workflow with the audience.

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

Many thanks to Akamai for their kind sponsorship of venue and F&B (no beer though)!

Jan 2019 Meetup: Security is everybody's job

Date: 16 January 2019 730pm to 830pm

Venue: Akamai Singapore office, 1 Raffles Place, #17-61, One Raffles Place Tower 2, Singapore 048616, Singapore

In DevOps everyone performs security work, whether they like it or not.  With a ratio of 100/10/1 for Development, Operations, and Security, it’s impossible for the security team alone to get it all done. We must build security into each of “the three ways”; automating and/or improving efficiency of all security activities, speeding up feedback loops for security related activities, and providing continuous learning opportunities in relation to security. While it may sound like the security team needs to learn to sprint, give feedback, and teach at the same time, the real challenge is creating a culture that embodies the mindset that security is everybody's job.

Speaker: Tanya Janca

Tanya Janca is a senior cloud security advocate for Microsoft, specializing in application and cloud security; evangelizing software security and advocating for developers and operations folks alike through public speaking, her open source project OWASP DevSlop, and various forms of teaching via workshops, blogs and community events. As an ethical hacker, OWASP Project and Chapter Leader, Women in Security and Technology (WIST) chapter leader, software developer and professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science.

Pertinent links:

https://medium.com/@shehackspurple

https://DevSlop.co

https://twitter.com/shehackspurple

Many thanks to Akamai for their kind sponsorship of venue and F&B (no beer though)!

2018

Oct 2018 Meetup: Lessons from Protecting a Major Conference: What You Do Not Know Will Haunt You

Date: 17 October 2018 730pm to 830pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

In this session, lessons drawn from protecting a major security conference will be shared. (The identity of the conference will be withheld for confidentiality.) These lessons can be adopted in most organisations at zero to low cost, so there is no excuse for infosec pros not to implement them.

Besides IoCs and IoAs, a new indicator will be proposed for security monitoring, one that gives more advance notice and more cost-efficient protection.

Lastly, on a side note unrelated to the major security conference, common mistakes made when onboarding CDNs will also be shared, along with suitable controls for attendees to apply. Hopefully, we will not see any exposed luncheon meat or seaweed when we onboard CDNs. ;-)

Download the presentation here https://www.owasp.org/images/a/aa/OWASP_SG_Oct_2018_Lessions_from_Protecting_a_Major_Conference_What_You_Do_Not_Know_Will_Haunt_You.pdf

Speaker: Onn Chee

Onn Chee has been a n00b in infosec for more than 18 years.

Sep 2018 Meetup: The Three Ways Of Software Security; Revolutionizing AppSec Using DevOps methods

Date: 19 September 2018 700pm to 830pm

Venue: JP Morgan Singapore office, JP Morgan, 168 Robinson Rd, Capital Tower, Singapore 068912

Just as DevOps was a new way of thinking that forever changed software development, application security is in the midst of its own transformation. Taking a page from Gene Kim's IT best-seller "The Phoenix Project", this session will provide a new definition of DevSecOps as we explore the "Three Ways of Software Security":

1. Establish security work flow with a direct line-of-sight to business value

2. Ensure instant security feedback with continuous assessment and visibility

3. Encourage a security culture by reducing builder-breaker cycle time

Audience members will leave with a refreshed way of thinking about AppSec and DevOps, as well as an understanding for how to apply redefined DevSecOps within their own organizations.

Speaker: Jeff Williams

A pioneer in application security, Jeff Williams has over 20 years of security leadership experience. He speaks frequently on cutting-edge AppSec technologies and has helped secure code at hundreds of major enterprises. Jeff was the Co-Founder and Global Chair of the OWASP Foundation for eight years, creating the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, the XSS Prevention Cheat Sheet and more. In recent years, Jeff founded Contrast Security and Aspect Security, which deliver innovative AppSec solutions and services throughout the world. Aspect Security was acquired by E&Y in early 2018. He has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

Many thanks to JP Morgan and Thomas for agreeing to be our venue sponsor at such short notice.

You can download the presentation slides from https://www.owasp.org/images/7/76/OWASP-SG-Sep-2018-Meetup.pdf.pdf

Jul 2018 Meetup: IoT Security Research

Date: 23 July 2018 730pm to 900pm

Venue: NUSS Suntec City Guild House, 3 Temasek Boulevard, #02- 401/402 Suntec City Mall, Singapore 038983

Come and learn about the findings from F5 Labs' extensive original research into mapping IoT thingbots such as Mirai, Persirai and Reaper. The research also tracks which countries appear to be attacking which other countries. Expect lots of rich discussion around IoT DDoS, the new IoT security legislation and some promising long-term protocols that may fix all of this.

F&B will be provided with thanks to F5!

Speaker: David Holmes

Based in Asia Pacific, David Holmes is the Global Security Evangelist for F5 Networks. In this role, Holmes is spokesman, researcher and evangelist for F5’s threat intelligence division, with an emphasis on cryptography, distributed denial of service attacks, and the Internet of Things. He speaks at conferences such as RSA, InfoSec and Gartner Data Center.

Holmes authors white papers on security topics such as global cryptography trends and the modern DDoS threat spectrum. He has also written for industry magazines such as SC Magazine and Network World. These days, he writes regularly about vulnerabilities, technical solutions and the security industry for SecurityWeek.com and F5 Labs.

He joined F5 Networks in 2001 as a Principal Software Engineer, where he designed many of the system and core security features. Holmes has 20 years of experience in security and product engineering.

Prior to F5, Holmes was a Vice President of Engineering at Dvorak Development (in Boulder, CO) and a Senior Software Engineer (Security) at CyberSafe, Inc.

Holmes majored in Computer Science and Engineering Physics at the University of Colorado at Boulder. For public speaking, Holmes has a Competent Communicator award from Toastmasters International and other public speaking awards.

Many thanks to F5 for their sponsorship.

May 2018 Meetup: Introduction to CVSS

Date: 21 May 2018 730pm to 900pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

The "Common Vulnerability Scoring System" (CVSSv3) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

Speaker: Christian Heinrich

Christian Heinrich has presented at the OWASP Conferences in Australia, Europe and USA and OWASP Chapters in the Netherlands, London and Sydney and Melbourne, Australia, ToorCon (USA), Shmoocon (USA), BlackHat (Asia and USA), SecTor (Canada), CONFidence (Europe), Hack In The Box (Europe), SyScan (Singapore), B-Sides (Australia), RUXCON (Australia), and AusCERT (Australia).

cmlh has a Public Profile on LinkedIn at http://www.linkedin.com/in/ChristianHeinrich

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

Apr 2018 Meetup: DevSecOps In Practice

Date: 18 April 2018 730pm to 900pm (changed from 17 April)

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

Software development is pressed for faster and faster release cycles at acceptable quality, budget and security. As movements like CI, CD and DevOps aim to cut down release cycles, it's security's job to help control the risk. The risk landscape is complex, as modern development practices consume more and more third-party code. Traditional methods do not cut it anymore: it's time for DevSecOps. This session gives an overview of how companies have implemented DevSecOps practices in their own delivery pipelines and how this can help increase developer awareness of the risks affecting them. We'll walk through an example CI/CD pipeline and explore how security has been embedded in it, how the movement is shaping up and how standards are starting to follow suit.

Speaker: Cameron Townsend

Cameron Townshend Bsc, MSysDev, MCP CP Snr, MCSD - has extensive experience building large mission critical applications. Initial project lead on NSW Biosecurity Information System. Developed the WeatherChannel.com.au website. This site won 2010 Kentico site of the year for Integration and 2011 Astra award for Most Outstanding Use of Technology. He is both a hands-on developer and a skilled communicator and leader of project teams.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

Jan 2018 Meetup: "Accuracy will set you free" - The New Era of AppSec with Interactive Application Security Testing (IAST) and Runtime Application Self Protection (RASP)" and "Hunt for Cold War-like Sleeper Malware"

Date: 25 January 2018 730 pm to 900 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

Topic A: "Accuracy will set you free" - The New Era of AppSec with Interactive Application Security Testing (IAST) and Runtime Application Self Protection (RASP)

Application attacks continue to be the #1 source of data breaches. Why, after decades of effort and billions of dollars in security investment, are they still the #1 source of data breaches?

What are the discrepancies and inadequacies in current security postures and AppSec technologies?

Limited context and visibility into the application under test or under protection produces inaccurate and erroneous results, which dramatically diminishes the effectiveness of current AppSec solutions and the productivity of dev teams. Jeff will share insights into innovative AppSec technologies such as IAST and RASP, which are delivering unprecedented accuracy and speed for both application security testing and application runtime protection.

See how these revolutionary AppSec technologies are freeing scarce and valuable technical resources to be better allocated.

Speaker: Jeff Chen

Jeff is the VP of Contrast Security APAC. He started Parasoft Asia/Pacific in 2003 and managed the Parasoft APAC operation until 2012. He has extensive experience in static analysis, unit testing, service virtualisation, test automation and SDLC processes. Prior to Parasoft, Jeff was involved in multiple cyber defence projects with Taiwan's MND, representing Northrop Grumman's Network Early Warning Systems (NEWS) among others.

Topic B: "Hunt for Cold War-like Sleeper Malware"

In a short, 30-minute presentation, Onn Chee will walk through a case study of a Cold War-like malware which masqueraded as "goodware" and was actively used by users for more than a year without any adverse impact. Learn why the organisation's enterprise-grade sandbox and EDR solutions were not able to detect the sleeper malware. Just like the Cold War sleeper agents who browsed the newspapers' classifieds every day for an activation code, the sleeper malware came alive after more than a year of use and wiped all user data on the users' endpoints. In the end, it was still the manual grunt work of investigation that identified this sleeper malware. A demo version of the malware was recreated and will be used to demonstrate its MO.

(All identities - organisation, security products and malware - will be anonymised due to NDA)

You can download the slides here https://www.owasp.org/images/e/e2/OWASP_SG_Jan_2018_-_Hunt_for_a_Cold_War-like_Sleeper_Malware.pdf

Speaker: Onn Chee

Onn Chee has been a n00b in infosec for 18 years.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

2017

Aug 2017 Meetup: APNIC Security Engagement in the AP Region

Date: 16 August 2017 730 pm to 930 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

APNIC Security Engagement in the AP region

APNIC is one of the five Regional Internet Registries, responsible for allocating and registering Internet number resources (IP addresses and AS numbers). In the last three years APNIC has been working with different stakeholders in the AP region to promote security best practices in areas like security incident handling and response. In addition to sharing his experience, Adli will also highlight some of the opportunities and challenges in the AP region.

Speaker: Adli Wahid

Adli Wahid is a Senior Internet Security Specialist at the Asia Pacific Network Information Centre (APNIC), based in Brisbane, Australia. He is responsible for APNIC's cyber security engagement and capacity-building activities in the region. Adli is also a board member of the Forum of Incident Response and Security Teams (FIRST.org). Prior to joining APNIC, he was the Head of Malaysia CERT (MyCERT) and a member of Bank of Tokyo-Mitsubishi UFJ CERT (MUFG-CERT).

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

Jun 2017 Meetup: "Cyber Technical Surveillance & Counter Measures (TSCM) – Looking at the physical attacks on IT Infrastructure using covert data taps and transmission devices" and "Singapore Threat Brief"

Date: 14 June 2017 730 pm to 930 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

Topic A: Cyber Technical Surveillance & Counter Measures (TSCM) – Looking at the physical attacks on IT Infrastructure using covert data taps and transmission devices

Traditional technical surveillance has moved from large audio and video eavesdropping devices, heavily reliant on radio frequency, to miniaturised devices that use cellular and Wi-Fi. You no longer need a static listening post nearby: the covert feeds can be accessed from anywhere in the world through cheap, readily available technology.

This talk will look at how the world of technical surveillance has changed, why it uses cellular and Wi-Fi, what a cyber TSCM is, the gaps in current IT pen tests, and how 5G will accelerate the threat.

Speaker: Jason Wells

Jason is the CEO of QCC Global (Asia), a company that specialises in Technical Surveillance and Counter Measures (TSCM) and Digital Forensics.

His 30 years of experience spans the public and private sectors and includes roles as:

- leader of the global team for Business Risk & Control Management within HSBC Financial Crime & Regulatory Compliance,

- Corporate Security & Anti-Illicit Trade Manager at British American Tobacco in the Middle East,

- UK military attaché in Damascus, Syria, and Head of the Overseas Intelligence team for the British SAS special forces.

With an honours degree in IT, a CISSP qualification and postgraduate diplomas in Security & Risk Management and Anti-Money Laundering, Jason has both extensive experience and technical expertise.

Topic B: Singapore Threat Brief

The threat environment on the Internet is a constantly evolving arms race, and the activities of adversaries vary greatly by geography, industry, and even individual websites. As a result, security managers often seek the latest attack information that is relevant to their specific country and industry in order to predict what they should look for in the present and how attacks will evolve in the future. The Singapore threat report serves to inform approaches for security professionals to improve their defensive posture.

2nd Speaker: Dawson Sewo (CISSP, ITIL, CCSK) – Senior Enterprise Security Architect, Akamai Technologies Asia-Pacific & Japan

As an Enterprise Security Architect in Akamai, Dawson focuses on network security and application security.  He has more than 16 years of IT and security experience working in telco, managed hosting and cloud security companies. He has also obtained numerous certifications around areas of network, hosting and security.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

Mar 2017 Meetup: "Have I been pwned?" and "Your Arsenal to bypass restrictions"

Date: 28 March 2017 730 pm to 930 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

Topic A: Have I been pwned?

"Have I been pwned?" allows you to search across multiple data breaches to see if your email addresses or aliases has been compromised by Duowan, Taobao, Tianya, etc. Maltego is a link analysis application of technical infrastructure and/or social media networks from disparate sources of Open Source INTelligence (OSINT). Maltego is listed on the Top 10 Security Tools for Kali Linux by Network World and Top 125 Network Security Tools by the Nmap Project.

The integration of "Have I been pwned?" with Maltego presents these breaches in an easy to understand graph format that can be enriched with other sources of data.

Speaker: Christian Heinrich

Christian Heinrich has presented at the OWASP Conferences in Australia, Europe and USA and OWASP Chapters in the Netherlands, London and Sydney and Melbourne, Australia, ToorCon (USA), Shmoocon (USA), BlackHat (Asia and USA), SecTor (Canada), CONFidence (Europe), Hack In The Box (Europe), SyScan (Singapore), B-Sides (Australia), RUXCON (Australia), and AusCERT (Australia).

cmlh has a Public Profile on LinkedIn at http://www.linkedin.com/in/ChristianHeinrich

Topic B: Your Arsenal to bypass restrictions based on IP counters

The PyMultiTor tool: many mitigation devices (firewalls, WAFs, anti-DoS) detect attacks by counting the requests that arrive from a single IP address. The tool showcases that such protection alone is not enough. It is unique in that it integrates easily into any attacking tool written in Python.
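To make the point concrete, here is an added example written for this page (not PyMultiTor code and not any vendor's WAF or anti-DoS logic): the same sliding-window failure counter keyed first on source IP, the way IP-counter devices work, and then on the target account. On a constructed login log where the attacker arrives from a fresh exit address per attempt, the per-IP rule sees one failure per source and stays silent; the per-account rule fires. Log format, thresholds and addresses are assumptions; the addresses are documentation ranges.

```python
"""Per-IP request counters versus a client that rotates its exit address.

Added example for the PyMultiTor talk above. The login log, the thresholds and
the two rules are constructed for this page; they are not PyMultiTor code and
not any vendor's WAF or anti-DoS logic. Addresses come from documentation
ranges and do not identify real hosts.
"""
from collections import defaultdict, deque

# Constructed login-audit log as (timestamp_s, source_ip, target_account, result).
# One attacker works one account from a new exit IP per attempt (what a
# Tor-rotating client looks like); one office NAT serves several real users.
ROTATING_LOG = [
    (0, "203.0.113.1", "alice", "fail"),
    (1, "203.0.113.2", "alice", "fail"),
    (2, "203.0.113.3", "alice", "fail"),
    (3, "203.0.113.4", "alice", "fail"),
    (4, "203.0.113.5", "alice", "fail"),
    (5, "203.0.113.6", "alice", "fail"),
    (6, "203.0.113.7", "alice", "ok"),       # the guess that worked
    (7, "198.51.100.7", "bob", "ok"),
    (8, "198.51.100.7", "carol", "ok"),
    (9, "198.51.100.7", "dave", "fail"),
    (10, "198.51.100.7", "dave", "ok"),
]

# The same attack from a single address, the case IP counters were designed for.
SINGLE_IP_LOG = [(t, "203.0.113.9", "alice", "fail") for t in range(6)]


def _sliding_fail_count(log, key_fn, window_s, threshold):
    """Generic counter: flag a key once it accumulates `threshold` failures in `window_s`."""
    recent = defaultdict(deque)      # key -> timestamps of failures inside the window
    flagged = set()
    for ts, src_ip, account, result in sorted(log):
        if result != "fail":
            continue
        key = key_fn(src_ip, account)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(key)
    return sorted(flagged)


def flag_ips(log, window_s=60, threshold=5):
    """The classic rule: N failures from one source IP inside the window."""
    return _sliding_fail_count(log, lambda ip, acct: ip, window_s, threshold)


def flag_accounts(log, window_s=60, threshold=5):
    """The same counter keyed on the target account, so exit rotation no longer resets it."""
    return _sliding_fail_count(log, lambda ip, acct: acct, window_s, threshold)


def sources_per_account(log):
    """Distinct source IPs seen per account: many sources for one account is the tell."""
    seen = defaultdict(set)
    for _ts, src_ip, account, _result in log:
        seen[account].add(src_ip)
    return {acct: len(ips) for acct, ips in seen.items()}


if __name__ == "__main__":
    print("single IP, per-IP rule    :", flag_ips(SINGLE_IP_LOG))
    print("rotating, per-IP rule     :", flag_ips(ROTATING_LOG))
    print("rotating, per-account rule:", flag_accounts(ROTATING_LOG))
    print("sources per account       :", sources_per_account(ROTATING_LOG))
```

Keying on the target has its own failure mode: a hard lockout on the account hands the attacker a denial-of-service against your users, so the per-account signal is better used to step up friction (captcha, proof-of-work, device fingerprinting) than to block outright.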

Speaker: Tomer Zait

Tomer Zait, from F5 Labs (part of F5 Networks), has worked in a range of professions in the security industry (WAF integrator, penetration tester, application security engineer, security researcher, etc.). During this time he has developed open-source projects (most of them security tools). Tomer is a three-time winner of the Israeli Cyber Challenge (CTF). His projects include x64dbgpy, PyMultitor, SubDomain-Analyzer, AutoBrowser and phantom-requests.


Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

Feb 2017 Meetup: Attacker’s Perspective of Active Directory

Date: 28 Feb 2017 730 pm to 930 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

This talk is a compilation of Red Team’s Tactics, Techniques and Procedures to fully compromise an Active Directory environment. The emphasis will be on post-exploitation techniques that attackers/red teamers have been abusing for years, however they were not well documented until recent years. Apart from offensive techniques, mitigation and detection methods will be covered as well.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Speaker: Sunny Neo

Sunny is a Penetration Tester with BT Security's Ethical Hacking Centre of Excellence, a global team that performs security testing for various industries. Besides his day job, he teaches ethical hacking at Temasek Polytechnic as an Adjunct Lecturer, and is one of the CREST assessors in Singapore. He is certified CCT APP, OSCE, OSCP and GXPN. He has just over a year of working experience.

2016

Dec 2016 Meetup 2: Conducting Threat Modeling in Agile Development

Date: 14 Dec 2016 730 pm to 930 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

With the increasing demand for continuous application delivery in fast-paced application development methodologies, security verification and validation activities are changing rapidly too. In the same way, traditional threat modelling has to be adapted to fit into an agile development culture. This session will focus on how we can introduce automation and repeatability into the threat modelling process and identify the threats in the application, and on how we can map the threat modelling outputs to security requirements to give the release manager or product owner better visibility of the possible business risk.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Speaker: Suman Sourav

Suman has more than a decade of experience in designing software security defence programs and is passionate about integrating security into the development life-cycle. He has worked with various financial and non-financial institutions to implement a software security life-cycle.

Suman believes in a purpose driven life, acting with integrity, honesty, and honour. Professionally he looks to add value to his skills by reaching out, learning, and building relationships with those in his community, as well as promoting those he believes in.

His complete profile is available on http://www.sumansourav.com

Dec 2016 Meetup: Ransomware in Web Apps

Date: 5 Dec 2016 730 pm to 930 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

In recent years, ransomware has become a major problem for individuals and enterprises alike. A large attack surface, low barriers to entry and good rewards make it a very attractive option for attackers. We are already seeing hackers try out new infection vectors like social media (http://www.digitaltrends.com/computing/locky-ransomware-self-downloading-image-files/) and targets like IoT and PoS systems (http://www.theverge.com/2016/11/27/13758412/hackers-san-francisco-light-rail-system-ransomware-cybersecurity-muni). In this talk, we will demonstrate and show PoC exploits on how ransomware can move up the stack from desktop apps to enterprise apps using a novel attack vector of library dependencies and package managers. Protecting and securing your software supply toolchain is going to be of paramount importance against such threats.

Food and drinks are provided, courtesy of Akamai!

Speaker: Mark Curphey

Mark Curphey is CEO of SourceClear, the security company for software developers. He founded OWASP (http://www.owasp.org) when he ran software security at Charles Schwab and has written chapters on software security in books published by O’Reilly.

Jul 2018 Meetup: Data Exfiltration over DNS

Date: 12 July 2016 7 pm to 9 pm

Venue: BridgingMinds Network, 190 Middle Road, #12-10/11 Fortune Centre, Singapore 188979

Come and join us to learn how data can be leaked via DNS. Learn how such techniques can bypass NGFWs and watch a live demo of how such an attack can occur. The speaker will also walk through actual case studies of past incidents.

Food and drinks are provided. ;-)

Speaker: Starting off as a military-based SOC operator, Yeo Deng Jie (DJ) carries with him over 10 years of network security experience working with leading companies like AlgoSec, Palo Alto Networks and Infoblox. With cyber defense always at the top of his mind, he has provided network security assessment workshops for many organizations in ASEAN and reviewed their network security posture for vulnerabilities. On a few occasions, DJ was called back by the organization when the security gaps he had highlighted were subsequently exploited by attackers. At Infoblox, DJ focuses on data leakage over DNS and defense against DNS DDoS and exploits, which are some of the least addressed security gaps in many organizations today.

2015

Dec 2015 Meetup: Learn Web Attacks using OWASP WebGoat, A Demo

Date: 15 Dec 2015 7:30 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616

A lot of us talk about various security attacks on the web, but do we actually know how they are done in real time and where the problem is in the code? This demo will showcase how attackers misuse web applications to bypass security controls. The following attacks will be covered in the demo:

1. Path Traversal attack

2. Bypassing functional access control

3. Bypassing data access control

4. AJAX security loopholes (DOM injection, XML injection, JSON injection, silent transaction attacks)

5. Cross Site Scripting (Reflected, Stored and DOM based)

6. SQL Injection (numeric and string based)

7. Malicious file uploads and their impact on back-end servers

This is purely a demo and doesn't involve any PPT. So, this is only for technical people.

Speaker: Viswanath S Chirravuri has over 10 years of experience in Software Security. Currently he is a senior Security Architect at a leading digital security company, GEMALTO. He actively holds industry certifications like CISSP, CEH, GWAPT, Security+, PMP and SCJP. Viswanath is accredited by CA Technologies on the Identity and Access Management suite of products. Over the past few years, he has been giving training on various SAST and DAST tools to application security engineers across different industries.

Nov 2015 Meetup: Security In The World Of CI-CD

Date: 26 Nov 2015 730pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616

Continuous Delivery (CD) is a set of practices and principles in software engineering aimed at building, testing, and releasing software faster and more frequently. These principles help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.

Continuous integration (CI) is the practice, in software engineering, of merging all developer working copies to a shared mainline several times a day.

In the same vein, the practice of continuous delivery further extends CI by making sure the software checked in on the mainline is always in a state that can be deployed to users and makes the actual deployment process very rapid.

So, in this rapid world of CI-CD, which focuses on a highly scalable and highly portable software landscape offering high-usage web apps, the security landscape has reached a cutting-edge point.

This talk will focus on how to position security in this fast-paced world, covering most security verticals.

Speaker: Aniket Kulkarni carries more than a decade of software security experience spanning QA, development and architecture. Currently he works as a Software Security Architect (Bigdata\Cloud\Mobile\Web) at Autodesk Singapore R&D, one of the world-class design software companies across the globe.

For more information about Aniket, connect with him on LinkedIn: https://sg.linkedin.com/pub/aniket-kulkarni/10/653/202 and he will be happy to interact with you on various security-related discussions.

Sep 2015 Meetup: OWASP Zed Attack Proxy Advanced Features - A Demo

Date: 29 Sep 2015 7pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616

OWASP Zed Attack Proxy (ZAP) is an integrated penetration testing tool for finding vulnerabilities in web applications. Over the past few years, it has significantly grown in popularity, features and contributions from engineers worldwide, as it comes straight out of the OWASP community, absolutely free of cost and, most of all, easy to use! This demo-based training session covers the basic and advanced features of ZAP, which will enable application developers to understand and automate the tool's usage, application testers to perform security tests, and security engineers to provide consultation on best practices for using the tool.

Speaker: Viswanath S Chirravuri has over 10 years of experience in the IT Security space. Currently he is a Software Security Architect for the Asia region at a leading digital security company, GEMALTO. He actively holds industry certifications like CISSP, CEH, GWAPT, Security+, PMP and SCJP. Viswanath is accredited by CA Technologies on the Identity and Access Management suite of products. Over the past 3 years, he has been giving training on various SAST and DAST tools to application security engineers in the financial services and telecommunications industries.

Jan 2015 Meetup: Introducing Application Security in Your Organization - Think Like a Developer

Date: 22 Jan 2015 7pm

Venue: SR10 (Seminar room 10), COM1 Building #02-10, 13 Computing Drive, NUS, Singapore 117417

In this session, the speaker, Sandeep Nain, from HP Australia and a former co-lead from OWASP Melbourne Chapter, will cover the following topics:

1. How to build a secure development lifecycle for development teams using modern software development methodologies

2. Challenges of enforcing a secure development lifecycle at enterprise scale

3. Reasons why most application security programmes fail and how we can collaborate with development teams for easier enterprise adoption

Come join us for our 1st 2015 meetup which comes with free pizzas and soft drinks, courtesy of HP Fortify.

PS: Please take note of our new meeting place in NUS.

2014

Oct 2014 Meetup: Mobile Security

Date: 21 October 2014 7pm

Venue: Cavenagh Room, UOB Conference Suite, Basement 1 Tower 2, One Raffles Place, Singapore 048616

In this session, our fellow OWASP member, Cecil Su, will share the current mobile security threat landscape. Coupled with this, he will also share some of the challenges in the mobile application assessment process, as well as address some of the existing methodologies and frameworks for secure coding and security testing of mobile applications.

Cecil is a 24-by-7 OWASP Evangelist. However, from Mondays to Fridays, he works with the Professional Security Services team in a pure-play local InfoComm Security firm. Extra-curricular activities include the Honeynet Project, OWASP and AISP.

PS: Please take note of our new meeting place and the shortened meetup duration due to venue constraints.

Information Security Seminar (ISS) 2014

Date: 26-27 August 2014

Venue: Marina Bay Sands Convention Centre

The Information Security Seminar is an annual event held since 2008 to provide thought leadership on infocomm security as well as to promote greater understanding of the key infocomm security issues and challenges faced by public and private sector organisations. This event is jointly organised by the Infocomm Development Authority (IDA), the Association of Information Security Professionals (AiSP) and the Cyber Security Awareness Alliance (CSAA) to amalgamate expertise, resources and communication channels in reaching out to both the public and private sector organisations.

The theme for the 2014 Seminar is “Security of Our Cyber Environment – Challenges of the Mobile Workspace”, which centres on sensitising the Public and Private sectors on the need to heighten vigilance in securing organisations’ digital information, and to build capabilities to prepare against ever evolving infocomm security threats. With the advent and adoption of new technology trends such as mobility, cloud computing and big data management, organisations need to be guarded against their inherent security risks, such as data loss, that may result due to improper infocomm security management. The seminar will discuss on the areas of security considerations and means to secure these technologies from exploits.

The seminar, comprising a main plenary as well as breakout tracks, is expected to draw about 500 infocomm security decision makers and practitioners from the Public and Private sectors, as well as students from institutes of higher learning. On the second day of the seminar, workshops which aim to provide an in-depth and hands-on approach to managing infocomm security challenges will be held for security professionals and students from institutes of higher learning.

For paid OWASP members, you are entitled to two complimentary seminar passes on a first-come-first-serve basis. Thereafter, you are entitled to a 10% discount off the list prices.

Please email me to register.

Do sign up soon and see you at ISS 2014!

Jul 2014 Meetup 2: "A technical introduction to FIDO - Is the age of simple consumer-oriented strong-authentication finally arriving?" and "Source code review with focus on technical resolution challenges"

Date: 21 July 2014

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

Come and hear from 2 great speakers in this meetup, which comes with free pizzas and soft drinks, courtesy of Checkmarx.

Our first speaker is familiar to us - Arshad Noor. He will be presenting on "A technical introduction to FIDO - Is the age of simple consumer-oriented strong-authentication finally arriving?"

The 2nd speaker is Kobi Tzruya, Director of Pre/Post Sales at Checkmarx. He will be sharing 2 case studies on source code review with a focus on technical resolution challenges.


Many thanks to Dick and Prudential for providing the venue for our chapter evening again!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 20 July 2014 730pm.

See ya!

Jul 2014 Meetup: OWASP Top 10 Proactive Controls

Date: 4 July 2014

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

You have heard of the OWASP Top 10 Web Application Risks. Now, hear about OWASP Top 10 Proactive Controls to learn about active steps you can take to avoid the common web application risks.

The speaker is Jim Manico, a member of the OWASP Global Board. He is the lead behind the excellent OWASP Cheat Sheets on top of many other OWASP projects that he is leading. He is a frequent speaker on secure software practices and is a member of the JavaOne "rockstar hall of fame". He has an 18+ year history of building software as a developer and architect.

Many thanks to Dick and Prudential for providing the venue for our chapter evenings! In such short notice too!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 4 July 2014 1230pm.

See ya!

Jun 2014 Meetup: Covert Redirect Vulnerability

Date: 18 June 2014

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

In this presentation, the speaker, Wang Jing, will share on the following:

Unvalidated Redirects and Forwards, also known as Open Redirect, is on the OWASP top 10 list in 2010 and 2013. One repercussion of the vulnerability is that it can be used for phishing attacks. According to Kaspersky, in 2012-2013, 37.3 million users around the world were subjected to phishing attacks — up 87% from 2011-2012. This presentation introduces a new kind of attack, Covert Redirect. The name is derived from and to contrast with Open Redirect. Covert Redirect could affect those who use OAuth 2.0 and OpenID to “login” websites such as Facebook, Google, Yahoo, LinkedIn, Microsoft, Paypal and many others. We will then simulate a Covert Redirect attack and provide some precautionary steps that companies can take to ensure security.

Many thanks to Dick and Prudential for providing the venue for our chapter evenings!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 17 June 2014.

See ya!

Apr 2014 Meetup: OWASP Cornucopia

Date: 23 April 2014

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

In this presentation, the speaker, Tobias Gondrom, will share on the following:

Bringing fun into threat modelling. Based on Microsoft's Escalation of Privilege (EoP) threat modelling card game, OWASP has designed this card game into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide and other sources. We will also have a few card decks to show and share.

Many thanks to Dick and Prudential for providing the venue for our chapter evenings!

Speaker Profile: Tobias Gondrom, OWASP Global Board Member

Tobias Gondrom has over 15 years of experience leading global teams in information security, software development, application security, cryptography, electronic signatures and global standardization organizations, working for independent software vendors and large global corporations in the financial, technology and government sectors. He also holds the most senior business degree from London Business School, the Sloan Masters in Leadership and Strategy.

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 22 April 2014.

See ya!

Mar 2014 Meetup: HTML5 Security

Date: 12 March 2014

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

In this presentation, the speaker, Aatif Khan, will share on the following:

HTML5 has several new components like XHR-Level2, DOM, Storage, App Cache, WebSQL etc. All these components form the underlying backbone of HTML5 applications and by nature they are very silent. This allows crafting stealth attack vectors and adds risk to the end client. Here is a list of the top 10 attack vectors. The structured layers mentioned above provide more clarity on a possible enhanced attack surface. This exposes browser components of an application to a set of possible threats which can be exploited. Listed below are the possible top 10 threats where new HTML5 features, along with emerging software development patterns, have significant impact.

Many thanks to Dick and Prudential for providing the venue for our chapter evenings!

Speaker Profile: Aatif Khan

Aatif Khan, Application Security Evangelist, has delivered highly technical security training for conferences, universities, and corporate clients like Bank of America, Verizon, Amazon, Google, Yahoo, etc. to excellent reviews. He is also one of the main founding members of HDCRB (Hack Defense Certification Review Board). Aatif consults on application security and specialises in security assessments/penetration testing, infosec training, and reverse engineering/malware analysis.

Apart from his stupendous exposure in seven years of application security consulting, he has also worked with Defense Personnel and Cyber Crime Police Officials and has delivered over 2000 hours of Information Security training to IT Security Professionals & Government Agencies. He has authored books entitled "Ethical Hacking", "Advance Penetration Testing" and "Backtrack Starter Manual", published by Packt Publications, UK.

He is popularly known for designing the most advanced course on "Advance Penetration Testing" with his Lab Book & Lab Exam, and has received stupendous feedback from top-notch security experts. You can find more about him here - facebook.com/thenapsterkhan

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 11 March 2014.

See ya!

2013

Jul 2013 Meetup: Managing Web & Application Security with OWASP – bringing it all together

Date: 18 July 2013

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

In this presentation, the speaker, Tobias Gondrom, will share on the following:

Setting up, managing and improving your global information security organisation using mature OWASP projects and tools; achieving cost-effective application security and bringing it all together at the management level. A journey through different organisational stages and how OWASP tools help organisations move forward in improving their web and application security. This talk will discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation.


Many thanks to Prudential for providing the venue for our chapter evenings!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 17 July 2013.

See ya!

May 2013 Meetup: WordPress (In)Security: How hackers bypassed manual defacement monitoring

Date: 30 May 2013

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

In this presentation, the speaker, Onn Chee, will share on the following:

Onn Chee will walk through a case of web defacement of WordPress by hackers which outwitted the manual defacement monitoring services offered by managed security services providers.

He will also share some tips on how to better secure WordPress deployments.

If you are running WordPress, come and share your experiences and security tips too.

Many thanks to Prudential for providing the venue for our chapter evenings!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 29 May 2013.

See ya!

Feb 2013 Meetup: Bypassing Local Microsoft Security Policies

Date: 28 Feb 2013

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 1st meetup of 2013!

In this presentation, the speaker, Paul Craig, will share on the following:

Local Microsoft security policies are one of the few areas of security that are rarely researched or focused on by the security community. These policies are designed to prevent local users from accessing functionality which has been "Disabled By Your Administrator". From Local Group Policy, Software Restriction Policies and AppLocker to Internet Explorer, each Microsoft technology has its own way of restricting what you can and cannot do. For local exploitation attempts, these technologies can be troublesome, frustrating and restrict the true potential of your attack. This talk will cover a broad view of the current attacks against Microsoft local policies and the underlying issues affecting this form of security.

Speaker Profile

Paul is the Principal Security Consultant at Security-Assessment.com Singapore. Labeled "A malicious hacker" by the media in his native New Zealand, Paul is now based in sunny Singapore where he leads the SE Asian Penetration Testing Team. Paul has been an avid security researcher and all-round advocate for security from a young age with a passion for exploitation and finding creative methods of getting shell.


Many thanks to Prudential for providing the venue for our chapter evenings!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 28 Feb 2013.

See ya!

2012

Nov 2012 Meetup 2: AISP-OWASP: Hacking Techniques

Date: 14 Nov 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 7th session of the joint AISP-OWASP series of chapter evenings!

In this presentation, the speaker, Ryan Baxendale, will share on these topics:

- Tips and tricks for hacking Microsoft SharePoint sites.

- Taking advantage of administrative interfaces to get shell.

- Breaking end to end encryption implemented in JavaScript.

- Weak two factor authentication and how to get around it.

- Abusing poorly designed password reset functions to get admin access.

- Bypassing a web application firewall.


Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 12 Nov 2012.

See ya!

Nov 2012 Meetup: AISP-OWASP: New web attacks & short intro on IT Impact of SG data privacy law

Date: 7 Nov 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 6th session of the joint AISP-OWASP series of chapter evenings!

In this presentation, the speaker, Onn Chee, will share some of the latest discoveries of web attacks and walk through a short 30-min introduction to the IT impact of the new Singapore Personal Data Protection Act.


Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 5 Nov 2012.

See ya!

Oct 2012 Meetup 3: AISP-OWASP: WAFs - An attacker's perspective

Date: 29 Oct 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 5th session of the joint AISP-OWASP series of chapter evenings!

In this presentation, the speaker, Bernhard, will look at the effectiveness of WAFs from the perspective of a long-time security tester.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 26 Oct 2012.

See ya!

Oct 2012 Meetup 2: AISP-OWASP: Dynamic Web Defense

Date: 22 Oct 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 4th session of the joint AISP-OWASP series of chapter evenings!

In this presentation, the speaker, Bernard, will share on the latest developments in dynamic web defense techniques used by WAFs.


Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 20 Oct 2012.

See ya!

Oct 2012 Meetup: AISP-OWASP Joint Series: Learn how Taiwanese organisations defend themselves against constant Chinese cyber attacks

Date: 3 Oct 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544


Welcome to the 3rd session of the joint AISP-OWASP series of chapter evenings!

It has long been rumored that the Chinese government has an army of trained hackers to carry out national-level attacks. Taiwan, despite being their closest neighbor in terms of language and culture, has become a convenient target and constant victim since they have opposing political stances.

As Taiwan has been moving into e-government since 2005, this phenomenon has forced the Taiwanese government to strengthen their IT security, especially application security.

In this presentation, the speaker, Kae Bin, will share some common attacks that were observed and how Taiwan reacts to the constant bombardment from their friendly neighbor.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 1 Oct 2012.

See ya!

Sep 2012 Meetup 2: AISP-OWASP Joint Series: Security Testing with OWASP ZAP

Date: 18 Sep 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544


Welcome to the 2nd session of the joint AISP-OWASP series of chapter evenings!

AISP and OWASP Singapore have lined up a series of speakers to share on interesting security topics related to web security.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to [email protected] latest by 16 Sep 2012.

See ya!

Sep 2012 Meetup: AISP-OWASP Joint Series: Use of OWASP ESAPI to Defend Against OWASP Top 10 Risks

Date: 12 Sep 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544


Welcome to the 1st session of the joint AISP-OWASP series of chapter evenings!

AISP and OWASP Singapore have lined up a series of speakers to share on interesting security topics related to web security.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to [email protected] latest by 10 Sep 2012.

See ya!


HITBSecConf2012 - Malaysia: #TenYearsInTheBox


Date: 8th - 11th October

Venue: InterContinental, Kuala Lumpur, Malaysia

Website: HITBSecConf2012 Malaysia Portal

To commemorate TEN YEARS of playing host to the brilliant minds that have helped shape the security landscape to where it is today, HITBSecConf2012 – Malaysia (#HITB2012KUL) will be welcoming back on stage over 42 of our most popular speakers from the last 10 years!

Here's your chance to meet the legends of the computer security industry, including the likes of John ‘Captain Crunch’ Draper, the founders of The Pirate Bay, Mikko Hypponen, DNS guru and president of ISC Paul Vixie, OpenBSD creator Theo de Raadt and even members of the LEGENDARY iPhone Dev Team and jailbreak DreamTeam, who will be on hand for a very very special iOS / OS X panel discussion! Featuring @MuscleNerd @pod2g @planetbeing and joined by none other than Charlie @0xcharlie Miller and Stefan @i0n1c Esser!

The event takes place on the 8th till 11th of October and as always we kick off the first two days with 8 tracks of hands on technical training sessions (8th and 9th October) followed by the 2-day triple track conference with NO KEYNOTES, NO LAB SESSIONS and NO SIGINT slots.

We’re also ramping up this year’s show by expanding on HITB favorites – including an expanded CommSec village with an updated round-the-clock 36 hour nonstop Capture The Flag competition and also an expanded 36 hour HackWEEKDAY hackathon to go with it. Registration for HackWEEKDAY is COMPLETELY FREE and we strongly encourage professional developers and students to sign up.

Do note that there will only be a maximum of 1010 seats for the conference on the 10th and 11th of October and registration is already open. OWASP members are entitled to the conference seats at SGD580 (normal price SGD640) - Discount code is limited to the first 15 sign ups on a first-come, first-serve basis.

Register Online: HITBSecConf2012 Malaysia Registration

Please contact Onn Chee for the discount code. Do note only paid registered OWASP members are eligible for the discounts.

Apr 2012 Meetup: Rethinking web-application architecture for the Cloud

Date: 23 April 2012

Unless your organization is unique, not all your data is sensitive. This raises the question: should scarce security resources be used to protect 100% of your data? The logical approach should be to build your IT infrastructure in a manner that optimizes your investments: protecting what matters while managing non-sensitive data with minimal controls.

This talk presents an architecture for building the next generation of web-applications. This architecture allows you to leverage emerging technologies such as cloud-computing, cloud-storage and enterprise key-management Infrastructure (EKMI) to derive benefits such as lower costs, faster time-to-market and immense scalability with smaller investments – while proving compliance to PCI-DSS, HIPAA/HITECH and similar data-security regulations. We call this "Regulatory Compliant Cloud Computing (RC3)". Papers describing RC3 can be found on the following websites:

IBM: http://ibm.co/rc3dw

ISSA Journal: http://bit.ly/rc3issa

InfoQ: http://bit.ly/rc3infoq

StrongAuth: http://www.strongauth.com/pdf/RC3-WebAppArch-1.2-2.pdf


Speaker's Bio

Arshad is the CTO of StrongAuth, Inc., a Silicon Valley-based company focused on encryption and key management for the last 11 years. He is the architect and lead developer of many open-source cryptographic software packages, including CSRTool, StrongKey, KeyAppliance and the CryptoEngine. He has written many papers and spoken at many conferences, most recently at OWASP AppSec 2012, on the subject of encryption and key management.

Meetup details

Monday, April 23, 2012 7:00 PM

Prudential Assurance Company Singapore (Pte) Ltd

156 Cecil Street #10-00, Far Eastern Bank Building

Singapore 069544


Please RSVP at http://security.meetup.com/77

See ya!

2011

OWASP Singapore is a Supporting Organisation for Asia Cloud Conference 2011, scheduled to be held at the Grand Hyatt Hotel Singapore on 2 Nov 2011

The Asia Cloud 2011 Conference will provide insights and key learning to understand how your organization can take advantage of cloud technologies. Leading industry practitioners will address the emerging cloud technology trends, examine best practices for successfully integrating cloud technologies into the enterprise's infrastructure, and discuss the various challenges in managing cloud performance in the enterprise.

Members Benefits!!

The above event organiser has given two complimentary delegate passes for two registered OWASP SG members (first-come, first-served basis). Priority will be given to those registered members who have not enjoyed complimentary passes before. Contact me @ [email protected] if you want one of the complimentary delegate passes.

Note: Conference seats at this event are complimentary to senior-level end users of IT solutions. The fee for other professionals to attend this event is US$995. The Organizer reserves the final right to accept or reject any registrations.



OWASP Singapore is a Supporting Organisation for IDA's Information Security Seminar 2011 from 13-14 April 2011

Members Benefits!!

The above event organiser has given two complimentary delegate passes for two registered OWASP SG members (first-come, first-served basis). Contact me @ [email protected] if you want one of the complimentary delegate passes.

For other members, you too can enjoy discounted affiliate rates when you register.

Click here to know more about Information Security Seminar 2011



OWASP Singapore is a Supporting Organisation for Info Security Conference 2011 in Singapore on 5 May 2011

Members Benefits!!

The above event organiser has given two complimentary delegate passes for two registered OWASP SG members (first-come, first-served basis). Contact me @ [email protected] if you want one of the complimentary delegate passes.

Click here to know more about Info Security Conference Singapore


News

OWASP Moves to MediaWiki Portal - 11:31, 20 May 2006 (EDT)

OWASP is pleased to announce the arrival of OWASP 2.0!

OWASP 2.0 utilizes the MediaWiki portal to manage and provide the latest OWASP related information. Enjoy!

The chapter leader is Onn Chee.

Contact information for Onn Chee is as follows:

Mobile: (65) 9838 7930

Skype VOIP: ocwong

Email: [email protected]


OWASP Singapore has combined its activities with the Singapore Security Meetup Group (SSMG) since Dec 2007

We are holding our regular joint OWASP-SSMG meetings on the 2nd Thursday of each month.

Do check out http://www.meetup.com/SGSecurityMG/ for the calendar of events.

For our past meetings, please check out http://www.meetup.com/SGSecurityMG/calendar/past_list/

For ease of management, updates on activities will be posted on http://www.meetup.com/SGSecurityMG/, though updates will still be sent to the OWASP Singapore mailing list.


OWASP Singapore Get Together on 19:30, 9 Oct 2007 (SGT)

We will meet at Geek Terminal (http://www.geekterminal.com)

Address: 55 Market Street 01-01 Singapore 048941

Telephone No: +65 65570098

Nearest Carpark: Golden Shoe Carpark

Nearest MRT: Raffles Place MRT

OWASP Singapore Nov Chapter Meeting on 19:30, 7 Nov 2007 (SGT)

Michael Boman will be presenting "Overcoming USB (In)Security"

Venue : GeekTerminal

OWASP Singapore Dec Chapter Meeting on 19:30, 13 Dec 2007 (SGT)

Venue : GeekTerminal

OWASP Singapore Jan Chapter Meeting on 19:30, 10 Jan 2008 (SGT)

Venue : SODS, 51 Tras Street

OWASP Singapore Feb Chapter Meeting on 19:30, 14 Feb 2008 (SGT)

Venue : SODS, 51 Tras Street (We loved each other so much that we met on Valentine's Day!)

OWASP Singapore Mar Chapter Meeting on 19:30, 13 Mar 2008 (SGT)

Venue : SODS, 51 Tras Street

OWASP Singapore Apr Chapter Meeting on 19:30, 10 Apr 2008 (SGT)

Venue : JCU, 2 Bukit Merah Central, #03-01, SPRING Singapore Building, S(159835) (http://www.jcu.edu.sg/ContactUs_Location.htm)

Topic : Intro to WebGoat by Onn Chee and a Hacking demo by Johnny.

OWASP Singapore May Chapter Meeting on 19:30, 29 May 2008 (SGT)

Venue : JCU, 2 Bukit Merah Central, #03-01, SPRING Singapore Building, S(159835) (http://www.jcu.edu.sg/ContactUs_Location.htm)

Topic : Intro to WebScarab by Rogan and Burp proxy suite by Rick.