AngularJS is one of those wonderful frameworks that seems to hide so many of JavaScript’s warts. But while Angular adds much-needed features to the language, it also creates a handful of new security problems for developers to discover and work around. Lewis will walk you through an application that illustrates security issues discovered in real-world applications and will explain each problem along with usable solutions.
Speaker Bio:
Lewis Ardern is a security consultant at Synopsys/Cigital, where he specializes in application security, red teaming, and network assessments. He’s the founder of the Leeds Ethical Hacking Society and has helped develop projects such as SecGen, which generates vulnerable virtual machines on the fly for security training purposes. Lewis is currently working toward his PhD in web security. ... https://www.youtube.com/watch?v=3vuLPzjc4RI
OWASP London Chapter Meeting 26th-Jan-2017. Talks presented by @DinisCruz:
Introducing OWASP Summit 2017
Dinis will talk us through the open source tool he has been building for some time - the tool to perform and visualise assessments using the OWASP Software Assurance Maturity Model (SAMM) and the Building Security In Maturity Model (BSIMM).
Speaker Profiles:
Dinis Cruz
Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is on the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key driver for him is to 'Automate Application Security Knowledge and Workflows', which is the main concept behind the OWASP O2 Platform.
Francois Raynaud
Francois is the founder of DevSecCon, a conference dedicated to DevSecOps, the fusion of DevOps and SecOps. He is actively involved in security automation projects supporting continuous delivery and is currently working as the enterprise security architect for a global retailer. This was preceded by 17 years at ASOS, Betfair, Verizon Business, HSBC and RSA, where his consulting engagements spanned implementing CERT teams, incident response strategy, security architecture design, IT security management and penetration testing.
...
https://www.youtube.com/watch?v=n6R_pJh3l0w
This talk was presented at OWASP London Chapter meeting on 29th September 2016. Please subscribe to this YouTube channel to watch video recording of OWASP London Chapter events. Our events are free to attend - please visit https://www.owasp.org/index.php/London to find out about our future events and download the presentation slides.
Fairly regularly on consultancy jobs, you encounter a "random" number that is actually just the time, or a PRNG seeded with the time, or a hash of the time, etc. If you had to guess the time on a remote server to a tolerance of a microsecond, how many requests would it take?
...
https://www.youtube.com/watch?v=WiGif0D3fIc
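The "PRNG seeded with the time" pattern from the abstract above, as an added example that is not part of the talk or its video description. The server side seeds Python's Mersenne Twister with a microsecond timestamp and hands out the generator's output as a token; the attacker side, given an estimate of the server clock and a tolerance, walks outward from the estimate until a candidate seed reproduces the observed token. The generator, the token size, the timestamp value and the clock error are all constructed for the demonstration; the example counts candidate seeds tried locally against an observed token, not the network requests the talk's question refers to.

```python
import random
import secrets

TOKEN_BYTES = 16  # assumption: a 128-bit token


def make_token(seed_us: int) -> str:
    """Vulnerable pattern: seed a PRNG with the server's microsecond clock
    and hand out its output as a 'random' token. The generator here is
    Python's Mersenne Twister; the weakness is the seed, not the algorithm."""
    rng = random.Random(seed_us)
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


def make_token_secure() -> str:
    """Correct pattern: draw the token from the OS CSPRNG, no seed to guess."""
    return secrets.token_hex(TOKEN_BYTES)


def recover_seed(token: str, estimate_us: int, tolerance_us: int):
    """Attacker side: search +/- tolerance_us microseconds around the clock
    estimate, nearest candidates first, until one reproduces the token.
    Returns (seed, attempts) on success or (None, attempts) on exhaustion."""
    attempts = 0
    for offset in range(tolerance_us + 1):
        if offset == 0:
            candidates = (estimate_us,)
        else:
            candidates = (estimate_us + offset, estimate_us - offset)
        for cand in candidates:
            attempts += 1
            if make_token(cand) == token:
                return cand, attempts
    return None, attempts


def demo(true_us: int = 1_700_000_000_123_456,
         clock_error_us: int = 337,
         tolerance_us: int = 1_000):
    """Constructed scenario: the server generated the token at true_us, the
    attacker's estimate of that instant is off by clock_error_us, and the
    attacker is willing to try every seed within +/- tolerance_us.
    Returns (recovered_correctly, attempts)."""
    token = make_token(true_us)
    estimate = true_us + clock_error_us
    seed, attempts = recover_seed(token, estimate, tolerance_us)
    return seed == true_us, attempts


if __name__ == "__main__":
    ok, attempts = demo()
    print(f"time-seeded token recovered: {ok} after {attempts} candidate seeds")
    _, tried = recover_seed(make_token_secure(), 1_700_000_000_123_456, 1_000)
    print(f"CSPRNG token recovered: False after {tried} candidate seeds")
```

With a clock estimate 337 microseconds off and a 1 ms search window, the time-seeded token falls after 675 candidates; the whole window is only 2001 candidates, which is why narrowing the remote clock estimate is the interesting part of the attack. The same search against a `secrets`-generated token exhausts the window with nothing to show for it.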
OWASP Juice Shop Project v9.x Showcase at Global AppSec Amsterdam 2019 Conference presented by Björn Kimminich - livestream recording, apologies for low resolution. https://www.facebook.com/OWASPLondon/videos/362227157995438/
...
https://www.youtube.com/watch?v=XXkMY_VyJ-Y
Facebook's Whitehat bug bounty program receives thousands of security bug reports annually, covering a wide range of issues and products. Come listen to some of the interesting bugs Facebook's Whitehat program team handled over the past year, and some pro-tips when looking for bugs outside of "facebook.com".
Jack Whitton is a Security Engineer, based at Facebook's London HQ. Jack focuses primarily on the Whitehat program, which involves interacting with the security community who find vulnerabilities in Facebook-family products, in addition to working with internal teams to ensure code is shipped securely. Prior to joining Facebook in 2016, he was one of the top researchers in the Whitehat program.
This talk was presented at the OWASP London Chapter Meeting on the 6th September 2018 at Facebook London HQ
...
https://www.youtube.com/watch?v=ldt__TFEu9c
"Pwning the CI Workflow and How to Prevent It" - Steve Giguere
Our journey to open source and GitOps heaven has exposed new security challenges as our CI platforms are exposed to the outside world. The soft underbelly of our development pipeline is visible as much to willing contributors as it is to malicious subversives looking for the keys to the backdoor. In this talk, we'll look at some known potential exploits against GitHub Actions workflows to show how simple misconfigurations or straight-up bad practices can leave our supply chain wide open to attackers.
SPEAKER BIO:
Steve Giguere (@SteveGiguere)
Steve Giguere is a Developer Advocate with Bridgecrew by Prisma Cloud, specialising in cloud and infrastructure security automation. Prior to this Steve was a Solution Architect for StackRox and Aqua Security, specialising in container and Kubernetes security, and also previously spent several years at Synopsys establishing DevSecOps best practices for enterprise CI/CD pipelines. Steve runs the DevSecOps London Gathering community and several security podcasts, including CoSeCast - The Continuous Security Podcast, the Twitch/YouTube show C9K, as well as a personal blog and podcast called Codifyre.
This talk was presented at the OWASP London Chapter Meeting on September 8th, 2022. This event was kindly sponsored and hosted by @Thought Machine
...
https://www.youtube.com/watch?v=erD-ClTUmck
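One of the simple GitHub Actions misconfigurations the abstract above refers to, as an added example that is not part of the talk or its video description: interpolating an attacker-controlled expression such as `${{ github.event.pull_request.title }}` directly into a `run:` script. The runner substitutes the expression as raw text before the shell parses the script, so no amount of quoting inside the script helps; the documented fix is to pass the value through an environment variable and let the shell read the variable. The workflow excerpt in the comments is hypothetical, the pull request title is constructed, and the `render` function is a small stand-in for the runner's substitution, not GitHub's code.

```python
import os
import re
import subprocess

# Constructed excerpt of a hypothetical workflow (not from the talk):
#   on: pull_request_target
#   jobs:
#     triage:
#       runs-on: ubuntu-latest
#       steps:
#         - run: echo "Title: ${{ github.event.pull_request.title }}"
VULNERABLE_RUN = 'echo "Title: ${{ github.event.pull_request.title }}"'

# Hardened form: the expression only ever lands in an environment variable.
#         - env:
#             PR_TITLE: ${{ github.event.pull_request.title }}
#           run: echo "Title: $PR_TITLE"
HARDENED_RUN = 'echo "Title: $PR_TITLE"'

# Constructed pull request title chosen by the attacker.
MALICIOUS_TITLE = 'fix typo"; echo PWNED; echo "'

EXPR = re.compile(r"\$\{\{\s*([\w.]+)\s*\}\}")


def render(run_script: str, context: dict) -> str:
    """Stand-in for the runner: every ${{ expr }} is replaced with the raw
    value *before* the shell sees the script, so the shell then parses
    whatever the attacker put in the title as part of the command line."""
    return EXPR.sub(lambda m: context[m.group(1)], run_script)


def run_step(run_script: str, context: dict, env: dict) -> list:
    """Render the step and execute it with /bin/sh, returning stdout lines."""
    script = render(run_script, context)
    result = subprocess.run(["sh", "-c", script], capture_output=True,
                            text=True, env={**os.environ, **env})
    return result.stdout.splitlines()


def vulnerable_step(title: str) -> list:
    return run_step(VULNERABLE_RUN,
                    {"github.event.pull_request.title": title}, {})


def hardened_step(title: str) -> list:
    # The title is exported to the shell as data; nothing is substituted
    # into the script text itself.
    return run_step(HARDENED_RUN, {}, {"PR_TITLE": title})


def step_executed_injection(lines: list) -> bool:
    """True if the injected command actually ran, i.e. PWNED was printed as a
    line of its own rather than merely echoed as part of the title text."""
    return "PWNED" in lines


if __name__ == "__main__":
    print("vulnerable:", vulnerable_step(MALICIOUS_TITLE))
    print("hardened:  ", hardened_step(MALICIOUS_TITLE))
```

With the constructed title, the vulnerable step's rendered script becomes `echo "Title: fix typo"; echo PWNED; echo ""` and the injected command runs; the hardened step prints the whole title, quotes and semicolons included, as a single line. In a real workflow triggered by `pull_request_target` the same injection runs with the repository's secrets and write token available, which is what turns a cosmetic echo into a supply chain compromise.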
Please subscribe to our YouTube channel to be notified when we go live or publish new videos.
AGENDA:
00:01:17 - Introduction, OWASP News & Updates - Sam Stepanyan
00:17:01 - Talk 1: "Teaching the OWASP Top 10 to Beginning Developers" - Olivia Liddell
00:52:10 - Talk 1 Q & A
00:59:35 - Talk 2: "Finding Your Next Bug: GraphQL Hacking" - Katie Paxton-Fear
01:39:19 - Talk 2 Q & A
TALK ABSTRACTS
"Teaching the OWASP Top 10 to Beginning Developers" - Olivia Liddell
For beginning developers who are starting to learn the basics of coding, learning about application security can often feel daunting and overwhelming. To make this process easier, Olivia has created a workbook that beginning developers can use to supplement their study of the OWASP Top 10. Olivia will discuss best practices for teaching security concepts to beginners. She will also cover the approaches that she took in developing her workbook as well as the results of the workbook’s pilot test and some ideas for future development.
"Finding Your Next Bug: GraphQL Hacking" - Katie Paxton-Fear
GraphQL is becoming the next big API technology for developers, but with new technology comes new risk, and for us that means bug bounties! In this talk you will learn everything GraphQL, from how it works to what kind of bugs are common.
SPEAKERS:
OLIVIA LIDDELL (@oliravi)
Olivia Liddell is a Technical Curriculum Developer at Amazon Web Services (AWS), where she creates training courses for AWS Cloud fundamentals. Previously, Olivia worked as a middle school teacher in Chicago Public Schools and as an educational technology consultant to support various colleges and universities. She frequently speaks at conferences on topics such as mentoring, team building, and social engineering.
KATIE PAXTON-FEAR (@InsiderPhD)
Katie is a Lecturer in Cyber Security at Manchester Metropolitan University; in her free time, however, she's a bug bounty hunter and an educational YouTuber. She started out hacking in June 2019 during a HackerOne mentorship program and now hopes to be a mentor to others, creating educational cyber security videos on YouTube. In her videos, she attempts to bridge the gap between "I know what bug bounties are" and "bug bounty hunter", giving advice specifically tailored to bug hunting. She's now produced over 50 videos on bug bounty hunting for an audience of over 25,000 YouTube subscribers. Aimed at a beginner audience, these go from finding your first bug, to how to use specific tools, to how to find specific bug classes.
Katie has discovered and responsibly reported security vulnerabilities to several large organisations such as Verizon Media and the US Department of Defense.
...
https://www.youtube.com/watch?v=pIWThCwn6Gw
As developers start using front-end frameworks such as React, they must be made aware of any related security issues. Whilst React provides developers with proactive measures such as output encoding, there still exist edge cases which can lead to cross-site scripting issues. This talk explores common security issues in the framework and how to defend against them.
Speaker:
Amanvir Sangha (@_amanvir) is a Software Security Consultant at Synopsys, primarily focused on source code review, developer training and modern web application security. In the past he has worked as a software and security engineer helping developers write secure code.
Talk was presented at the OWASP London Chapter Meeting on the 6th September 2018 at Facebook London HQ
The slides of this talk were built using MDX and can be explored here: https://github.com/amanvir/owasp-fb-react
...
https://www.youtube.com/watch?v=8sPxTurpbe8
Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is on the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key driver for him is to 'Automate Application Security Knowledge and Workflows', which is the main concept behind the OWASP O2 Platform.
Presentation-1: https://www.owasp.org/images/c/c6/OWASP20160929_NodeJS_Security.pdf
Presentation-2: https://www.owasp.org/images/b/bc/OWASP20160929_NodeJS_Surrogate_Dependencies.pdf
...
https://www.youtube.com/watch?v=mbugRIajjw8