Fairly regularly on consultancy jobs, you encounter a "random" number that is actually just the time, or a PRNG seeded with the time, or a hash of the time, etc. If you had to guess the time on a remote server to a tolerance of a microsecond, how many requests would it take? ... https://www.youtube.com/watch?v=vqgS7agdWSE
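The attack the talk describes, as an added example in Python (this is not code from the talk or the speaker): a hypothetical server issues a token from a PRNG seeded with its clock, and the attacker, knowing roughly when the token was issued, enumerates every seed inside a time window. The server function, the token derivation and the sample timestamp are all constructed for the example; the point is that the work is bounded by the clock window and the clock's resolution, not by the size of the token.

```python
import hashlib
import random


def token_from_seed(seed):
    """How the (hypothetical) server turns a clock-derived seed into a token:
    seed a Mersenne Twister, draw 128 bits, hash, hand out 32 hex characters.
    Hashing hides the raw PRNG output but does nothing for the tiny seed space."""
    rng = random.Random(seed)
    return hashlib.sha256(rng.getrandbits(128).to_bytes(16, "big")).hexdigest()[:32]


def issue_token(now_us, granularity_us=1):
    """Server side. now_us is the clock in microseconds, passed in so the
    example is deterministic (a real server would read time.time()).
    granularity_us models how coarsely the clock is read: 1 for microseconds,
    1_000 for milliseconds, 1_000_000 for whole seconds."""
    return token_from_seed(now_us // granularity_us)


def recover_seed(observed_token, estimated_us, tolerance_us, granularity_us=1):
    """Attacker side. Enumerate every seed the server could have used inside
    [estimated_us - tolerance_us, estimated_us + tolerance_us] and compare each
    candidate token with the one observed (for instance a reset token sent to
    an account the attacker controls, issued at a time estimated from the HTTP
    Date header of the response).

    Returns (seed, candidates_tried); seed is None if nothing matched.
    Each candidate costs one seeding plus one hash, all done offline."""
    lo = (estimated_us - tolerance_us) // granularity_us
    hi = (estimated_us + tolerance_us) // granularity_us
    tried = 0
    for seed in range(lo, hi + 1):
        tried += 1
        if token_from_seed(seed) == observed_token:
            return seed, tried
    return None, tried


def window_size(tolerance_us, granularity_us=1):
    """Number of candidate seeds a window of +/- tolerance_us covers. This,
    not the 128 bits drawn from the PRNG, is the token's effective entropy."""
    return 2 * tolerance_us // granularity_us + 1


if __name__ == "__main__":
    now = 1_700_000_000_123_456  # constructed timestamp, microseconds since the epoch
    token = issue_token(now)
    # The attacker's estimate is 300 us late and they allow +/- 1 ms of drift.
    seed, tried = recover_seed(token, now + 300, 1_000)
    print(f"recovered seed {seed} after {tried} candidates")
    for g in (1, 1_000, 1_000_000):
        print(f"+/- 1 s window at {g} us granularity: {window_size(1_000_000, g)} candidates")
```

If the attacker cannot verify guesses offline (no token of their own to compare against), every candidate becomes one request to the server, which is the count the talk's question is about; a 1 s window at microsecond resolution is about two million guesses, at millisecond resolution about two thousand, and at one-second resolution three.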
This talk was presented at OWASP London Chapter Meeting on 24th November 2016.
Shane will talk about myBBC Security Council and how it demonstrates an organisational approach towards security that ensures the right decisions are made by the right people, and that developers can raise concerns knowing that they will be seen and escalated. It also frames InfoSec as an enabling force rather than a loophole.
Slides can be downloaded here: https://www.owasp.org/images/5/52/OWASPLondon20161124_SecurityCouncil.pptx
Speaker Bio:
Shane is a Senior Software Developer at The BBC, with a keen interest in security. Prior to the BBC he worked for the travel aggregator Travelfusion, and the anti-money laundering firm Fortent (formerly Searchspace).
...
https://www.youtube.com/watch?v=zEEaSCMQ6dw
This talk will discuss a forensic readiness approach to SCADA and IPCS. Through a series of case studies we will discuss forensic requirements as they relate to SCADA and IPCS. We will also define a forensic readiness model in response to these requirements.
This talk was presented at OWASP London Chapter Meeting on 26th April 2018 at EY.
Presentation slides can be downloaded here:
https://www.owasp.org/images/e/ea/OWASPLondon-SCADA-Forensics-Prof-Andrew-Blyth-20180426-PDF.pdf
Speaker Bio:
Professor Andrew Blyth received his PhD in Computer Science in 1995 from Newcastle University, UK. He is currently director of the Cyber Defence Centre at the University of South Wales. Over the past twenty years he has spent much of his time working and publishing in the areas of computer forensics and computer network defence. Andrew and his Information Security Research Group have delivered ground-breaking work in computer network defence over the years. He has published numerous conference and journal papers in computer network defence and computer forensics, with key highlights including: a) the first forensic analysis of games consoles such as the Xbox and PlayStation, b) the first forensic analysis of automobile engine management systems, and c) the development and deployment of forensic capability for automobile engine management systems and SCADA/IPCS. Professor Blyth is also lead examiner for the GCHQ-accredited Tiger Scheme. He is the author of the book "Information Assurance: Surviving in the Information Environment", which has been a cornerstone of knowledge for information security professionals over the past 15 years. Many well-known security professionals and cybersecurity experts across different industries worldwide have been taught and trained under his watch over the past 20 years. (@ajcblyth)
...
https://www.youtube.com/watch?v=X3DIsOFmXcE
Slides: https://onedrive.live.com/view.aspx?resid=8FA20A9A448FD03!1238&ithint=file%2cpptx&authkey=!AHIAJVhgp2O9FIQ
The more we strive to connect every part of the world with IT, IoT and ICS/SCADA assets running on legacy and existing infrastructure, with IPv6 and the upcoming 5G and 6E, the greater the risk of finding connected, insecure assets containing juicy information that can be leveraged by malicious groups. How easy is it to find vulnerable databases, solar panels, smart homes, washing machines, space IoT, maritime assets and critical infrastructure? This talk uses OSINT (open source intelligence gathering), an important part of the reconnaissance phase of an application security penetration test. Learning what sources of information are available at the start of a penetration test is a crucial step in completing a thorough but efficient exploration. The risks associated with leveraging, misusing or selling discovered material are all too real. Get your hoodie out and join us on a journey of discovery and exploitation of high profile industrial control systems spanning land, sea, air and space using legal tools and techniques. Key takeaways include closing the gaps and securing these systems.
Speaker Bio:
Christina Kubecka (@SecEvangelism) is a Security Researcher and CEO of HypaSec. She previously set up several security groups for Saudi Aramco's affiliates after the Shamoon 1 attacks, implementing and leading the Security Operations Centre, Network Operations Centre, Joint International Intelligence Group and EU/UK Privacy Group for Aramco Overseas Company. With 20+ years of professional experience in the field, her career includes the US Air Force, Space Command, and the private and public sectors. She is GIAC GPEN certified and trains and teaches penetration testing on IT, IoT and ICS. Chris has been featured in the media in Viceland News' Cyber Warfare series, Hacking the Infrastructure, CNN, Fox News, and other news outlets. Chris is currently the Executive Secretary on the board of Geeks Without Bounds, and advises and lectures as an expert for several markets and governments.
See also: Chris Kubecka on Wikipedia: https://en.wikipedia.org/wiki/Chris_Kubecka
This talk was presented at the OWASP London Chapter meeting on the 19th September 2019 at Goodman Masson offices in London.
#OSINT
...
https://www.youtube.com/watch?v=NB9G6yXdknQ
This talk was presented at OWASP London Chapter Meeting on 28-Sep-2017.
The slides can be downloaded here: https://www.owasp.org/images/b/b5/OWASPLondon20170928_ContainerSecurity-BenjyPortnoy.pdf
Docker containers are transforming the way applications are developed and deployed. Closely tied to DevOps and Continuous Delivery, containers introduce both risks and opportunities for security management in web applications. This talk will introduce the basic concepts of containers and microservices, how companies use them today, and how to support this technology while elevating the security posture of your application stacks. Various OWASP tools that leverage containers will also be presented.
Speaker Bio:
Benjy Portnoy is a seasoned cyber security professional with over 15 years' experience in consulting, designing, and implementing strategic information security projects for organizations across EMEA. He is currently the director of DevSecOps at Aqua Security, helping enterprises streamline security into their DevOps processes to secure their containerized applications. Prior to joining Aqua Security, Benjy held senior security architect roles at CA, BlueCoat, and Symantec, where he worked closely with CSOs and security operations teams focusing on vulnerability management, datacenter security, and incident response. Benjy holds both CISA (Certified Information Systems Auditor) and CISSP (Certified Information Systems Security Professional) certifications and is currently completing his master's degree in Information Security and Digital Forensics.
...
https://www.youtube.com/watch?v=1J1qhMu-2Yg
Apologies for the poor quality video, caused by technical issues during the live stream recording. The link to the slide deck is in the description.
Revolut has grown to over 5 million customers. This presentation gives an overview of the lessons we have learnt scaling security that quickly, when security fundamentally represents customer trust.
Speaker bio: Paul Heffernan
Paul is the CISO at Revolut, a UK based financial technology company that offers banking services to over 3 million customers worldwide. With over 10 years of experience in the cyber security world, including consulting to some of the world's biggest brands, he believes the role of the security professional is to enable trust. Entering the industry from an 'ethical hacker' background, he deeply understands technical security challenges but is equally passionate about driving effective change through unambiguous leadership. Paul is a regular international speaker at various industry conferences such as the e-Crime Congress, CSO Amsterdam and CISO360 Barcelona. He also sits as an advisory board member of ClubCISO, a private members forum for European information security leaders, working in public and private sector organisations.
The presentation slide deck PDF can be downloaded here: https://www.owasp.org/images/8/8d/OWASPLondon_20190718_OWASP-Revolut.pdf
This talk was presented at the OWASP London Chapter Meeting on 18th July 2019
...
https://www.youtube.com/watch?v=S7V3Mn-2He4
#OWASP #CycloneDX #SBOM #DependencyTrack #SoftwareSupplyChain
"OWASP Dependency Track and CycloneDX SBOM Standard" - Steve Springett
Software Bills of Materials (SBOMs) have gained wide-spread support, from the software industry to critical infrastructure to the White House. In this session, the OWASP CycloneDX SBOM standard will be introduced along with strategies for effectively creating SBOMs. Also introduced will be OWASP Dependency-Track, a platform that consumes and continuously analyzes SBOMs for security, operational, and license risk. The two flagship OWASP projects work together to allow organizations to make better risk-based decisions.
This talk includes a live demo of the OWASP Dependency-Track open source tool.
SPEAKER BIO:
Steve Springett (@stevespringett)
Steve educates teams on the strategy and specifics of developing secure software. He practices security at every stage of the development lifecycle by leading sessions on threat modeling, secure architecture and design, static/dynamic/component analysis, offensive research, and defensive programming techniques.
Steve is passionate about helping organizations identify and reduce risk from the use of third-party and open source components. He is an open source advocate and leads the OWASP Dependency-Track project and the OWASP Software Component Verification Standard (SCVS), and is the Chair of the OWASP CycloneDX Core Working Group, a Software Bill of Materials (SBOM) standard.
OWASP CycloneDX Standard: https://cyclonedx.org/
OWASP Dependency Track: https://dependencytrack.org/
Install DependencyTrack using Docker Compose:
curl -LO https://dependencytrack.org/docker-compose.yml
docker-compose up -d
Install DependencyTrack using Docker Swarm:
curl -LO https://dependencytrack.org/docker-compose.yml
docker swarm init
docker stack deploy -c docker-compose.yml dtrack
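Once the stack above is up, the next step the talk covers is feeding it SBOMs. As an added example (not code from the talk, from CycloneDX or from the Dependency-Track project), the Python script below builds a minimal CycloneDX 1.4 JSON SBOM for a few constructed sample components and wraps it in the JSON envelope that Dependency-Track's PUT /api/v1/bom endpoint accepts: the BOM base64-encoded, the project name and version, autoCreate, and the API key in an X-Api-Key header. The component list, the project name "demo-app", the http://localhost:8081 address (the API server port the default compose file is assumed to expose) and the API key placeholder are all assumptions; the upload call is left commented out in the usage section so the script runs offline.

```python
import base64
import json
import urllib.request
import uuid

# Constructed sample components (name, version, package URL). The purl is the
# identifier Dependency-Track matches against vulnerability data, so every
# component should carry one; these are illustrative, not a real manifest.
SAMPLE_COMPONENTS = [
    ("requests", "2.25.1", "pkg:pypi/requests@2.25.1"),
    ("urllib3", "1.26.4", "pkg:pypi/urllib3@1.26.4"),
    ("jackson-databind", "2.9.10", "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10"),
]


def build_cyclonedx_bom(app_name, app_version, components, serial=None):
    """Return a minimal CycloneDX 1.4 JSON BOM as a dict.

    metadata.component describes the thing the BOM is about; components lists
    what it ships with. serial is normally a fresh urn:uuid, overridable so
    that output is reproducible."""
    serial = serial or "urn:uuid:" + str(uuid.uuid4())
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": serial,
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": app_name, "version": app_version}
        },
        "components": [
            {"type": "library", "name": name, "version": version, "purl": purl}
            for name, version, purl in components
        ],
    }


def build_upload_payload(bom, project_name, project_version):
    """Body for PUT /api/v1/bom: the BOM travels base64-encoded inside a JSON
    envelope. autoCreate lets the API key create the project on first upload
    (the key needs the PROJECT_CREATION_UPLOAD permission for that)."""
    bom_bytes = json.dumps(bom).encode("utf-8")
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,
        "bom": base64.b64encode(bom_bytes).decode("ascii"),
    }


def decode_payload_bom(payload):
    """Inverse of build_upload_payload, useful for checking what was sent."""
    return json.loads(base64.b64decode(payload["bom"]).decode("utf-8"))


def upload_bom(base_url, api_key, payload):
    """PUT the payload to a running Dependency-Track API server and return its
    JSON response ({"token": ...}); the token can be polled at
    /api/v1/bom/token/{token} until processing has finished."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/bom",
        data=json.dumps(payload).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    bom = build_cyclonedx_bom("demo-app", "1.0.0", SAMPLE_COMPONENTS)
    payload = build_upload_payload(bom, "demo-app", "1.0.0")
    print(json.dumps(bom, indent=2))
    # Assumed local instance and placeholder key (create one under
    # Administration -> Access Management in the Dependency-Track UI):
    # print(upload_bom("http://localhost:8081", "YOUR_API_KEY", payload))
```

In a pipeline the component list would come from a CycloneDX generator for your build tool rather than a hand-written list; the envelope and the PUT are the same.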
This talk was presented at the OWASP London [ONLINE] Chapter Meeting on 10-March-2022
...
https://www.youtube.com/watch?v=QV2JcwHpjeQ
This talk discusses the hostile environments involved in reporting vulnerabilities and the lack of standardisation and laws protecting security researchers reporting vulnerabilities to vendors and organisations. Dylan and Sarah will present some real-world examples and outcomes and discuss common problems, such as what to do when there is no bug bounty program in place. The world of vulnerability disclosure can be treacherous, but if handled correctly it can be beneficial to all parties involved.
Speakers Bio:
Dylan Wheeler (@degenerateDaE)
Dylan Wheeler is an independent security researcher. Recently he and his team at Day After Exploit discovered many critical vulnerabilities in a major casino vendor, Atrient, leading to complete compromise of systems. This discovery also led to Wheeler being assaulted by Atrient's CFO at the International Casino Expo (ICE) at London's ExCeL exhibition centre. His work has been featured in numerous magazines and popular news websites. In 2011 he was a member of the Xbox Underground international hacking group; since then he has pursued a career as a white-hat security researcher.
Sarah White (@PolarToffee)
Sarah White is a Cyber Security student at the Royal Holloway University of London and a malware analyst working at Emsisoft, a fully remote antivirus company.
This talk was presented at the OWASP London Chapter meeting on the 24th October 2019 at Aon London offices.
Slides: https://bit.ly/347Pxbp
...
https://www.youtube.com/watch?v=lKtVSOarWiU
Slides can be downloaded here: https://www.owasp.org/images/a/a3/OWASP-London-2017-May-18-ApostolosGiannakidis-JavaDeserializationTalk.pdf
This talk was presented at OWASP London Chapter Meeting on 18-May-2017.
A great number of Java applications use native object serialization to transfer or persist objects. It has recently become widely known that Java's deserialization process is flawed and, if not used properly, can easily be abused by attackers. This talk provides an introduction and detailed overview of the Java deserialization problem. You will understand the basic concepts of how Java deserialization exploits (gadget chains) work. Additionally, you will learn what solutions exist to the problem and the advantages and disadvantages of each. Finally, a new approach will be presented that protects the JVM from these attacks in a completely different way from any other existing solution.
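The mechanism the talk explains, as an added example that is not from the talk or the speaker. It is written in Python, like the other examples on this page, so pickle stands in for Java serialization: a "gadget" is a type already loadable in the target whose deserialization hook makes the runtime call something the attacker chose (pickle's __reduce__ here; a readObject()/toString() chain through library classes on the classpath in Java), and the serialized bytes contain no code at all. The defence shown is the class allow-list applied before instantiation, the same idea as a custom resolveClass() or an ObjectInputFilter in Java, together with its main drawback. LegacyJob, the eval-based gadget and the payload functions are all constructed for the example.

```python
import io
import pickle


class LegacyJob:
    """An ordinary object the application legitimately serialises."""

    def __init__(self, name):
        self.name = name


class Gadget:
    """A gadget: the stream only names builtins.eval and a string, yet loading
    it evaluates attacker-controlled code inside the victim process. The
    expression here is benign (returns the process id); a real payload would
    spawn a shell or write a file."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def make_untrusted_payload():
    """Attacker side: pure data, produced offline."""
    return pickle.dumps(Gadget())


def make_legitimate_payload():
    return pickle.dumps(LegacyJob("nightly-report"))


def vulnerable_load(data):
    """Deserialises whatever it is given: the gadget fires during load, before
    any application-level validation of the resulting object can run."""
    return pickle.loads(data)


class AllowListUnpickler(pickle.Unpickler):
    """Look-ahead defence: pickle asks find_class() for every class or function
    referenced in the stream before instantiating it, so rejecting unknown
    names here stops the gadget before its hook runs. The weakness is the
    list itself: it must track every type the application legitimately
    serialises, and anything on it is fair game for a future gadget."""

    ALLOWED = {(LegacyJob.__module__, "LegacyJob")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(data):
    return AllowListUnpickler(io.BytesIO(data)).load()


def safe_load_result(data):
    """(object, None) on success, (None, reason) when the stream is rejected."""
    try:
        return safe_load(data), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)


if __name__ == "__main__":
    print("vulnerable loader returned:", vulnerable_load(make_untrusted_payload()))
    print("safe loader, legitimate data:", safe_load_result(make_legitimate_payload())[0].name)
    print("safe loader, gadget:", safe_load_result(make_untrusted_payload()))
```

Note that the allow-list check happens at name resolution, which is why it works: the alternative of validating the object after pickle.loads returns is too late, since the gadget has already executed.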
Speaker Bio:
Apostolos Giannakidis is the Security Architect at Waratek. Before joining Waratek in 2014, Apostolos worked in Oracle for 2 years focusing on Destructive Testing on the whole technology stack of Oracle and on Security Testing of the Solaris operating system. Apostolos has more than a decade of experience in the software industry and holds an MSc in Computer Science from the University of Birmingham.
...
https://www.youtube.com/watch?v=I09Chd65Cig