Security solutions for developers who have no time for security - Edwin Aldridge
This talk was presented at OWASP London Chapter Meeting on 18-May-2017 at Worldpay.
Within a large organisation different IT groups support different business areas. They typically use different technology stacks and operate different SDLCs. Small projects in particular have short development cycles and do not always have time to educate new developers in secure coding. This makes targeting of security education difficult, and training which is not followed up by practice is quickly forgotten. The OWASP Cheat Sheets provide a concise source of sound advice, but they can still leave the development team with a lot to do, and they can be more complicated than necessary for a simple project. This lightning talk aims to sound out interest in an even more concise approach than the OWASP Cheat Sheets.
Speaker Bio: Edwin Aldridge is an IT security consultant with a background in development who has worked for various financial institutions in the City of London and is currently focused on application security and red teaming ... https://www.youtube.com/watch?v=jIKHINswc8w
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free and open source security tools. It has a powerful desktop UI, a highly functional API and is used by everyone from people new to security, including developers and QA, right up to professional pentesters. It’s also more complex for newcomers than we would like. We are therefore introducing a new Heads Up Display (HUD) interface which overlays data and controls for ZAP over the web-based application being tested.
Speaker Bio:
Simon Bennetts (@psiinon)
Simon Bennetts is the OWASP Zed Attack Proxy (ZAP) Project Leader and works for Mozilla as part of the Cloud Services Security Team. He has talked about and demonstrated ZAP at conferences all over the world, including Blackhat, JavaOne, FOSDEM and OWASP AppSec EU, USA & AsiaPac. Prior to making the move into security he was a developer for 25 years and strongly believes that you cannot build secure web applications without knowing how to attack them.
This talk was presented at the OWASP London Chapter Meeting at Amazon London Offices on the 13th February 2019
#ZAP #ZAPROXY #HUD
https://www.youtube.com/watch?v=1hbKGDgx_p0
APOLOGIES FOR POOR QUALITY VIDEO - THIS WAS CAUSED BY TECHNICAL ISSUES DURING THE LIVE STREAM RECORDING. THE LINK TO THE SLIDE DECK IS IN THE DESCRIPTION.
Revolut has grown to over 5 million customers. This presentation will give an overview of the lessons we have learnt about scaling security that quickly, when security fundamentally represents customer trust.
Speaker bio: Paul Heffernan
Paul is the CISO at Revolut, a UK-based financial technology company that offers banking services to over 3 million customers worldwide. With over 10 years of experience in the cyber security world, including consulting to some of the world's biggest brands, he believes the role of the security professional is to enable trust. Entering the industry from an 'ethical hacker' background, he deeply understands technical security challenges but is equally passionate about driving effective change through unambiguous leadership. Paul is a regular international speaker at various industry conferences such as the e-Crime Congress, CSO Amsterdam and CISO360 Barcelona. He also sits as an advisory board member of ClubCISO, a private members' forum for European information security leaders working in public and private sector organisations.
The presentation slide deck PDF can be downloaded here: https://www.owasp.org/images/8/8d/OWASPLondon_20190718_OWASP-Revolut.pdf
This talk was presented at the OWASP London Chapter Meeting on 18th July 2019
https://www.youtube.com/watch?v=S7V3Mn-2He4
Slides are available to download here: https://www.owasp.org/images/5/58/OWASPLondon20170330_ModSecurity_CRS_v3_Intro.pdf
This talk was presented at the OWASP London Chapter Meeting on 27th July 2017. The event was hosted by JustEat.
The OWASP CRS is a set of generic attack detection rules for use with the ModSecurity (or compatible) Web Application Firewall (WAF) that saw a new major release in November 2016. CRS is the first line of defense against web application attacks like those summarized in the OWASP Top Ten, and all with a minimum of false alerts. This talk demonstrates the installation of the rule set and introduces the most important groups of rules. It covers key concepts like anomaly scoring and thresholds, paranoia levels, stricter siblings and the sampling mode.
Speaker Bio:
Christian Folini is a partner at netnea AG in Berne, Switzerland. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is no big business anymore, and Christian turned to defending web servers, which he thinks is equally challenging. With his background in humanities, Christian is able to bridge the gap between techies and non-techies. He brings more than ten years' experience in this role, specialising in Apache / ModSecurity configuration, DDoS defense and threat modeling. Christian is a frequent committer to the OWASP ModSecurity Core Rules project (he is also the author of the Second Edition of the ModSecurity Handbook), vice president of Swiss Cyber Experts (a public-private partnership), program chair of the Swiss Cyberstorm conference and many other things.
https://www.youtube.com/watch?v=oCxW966128A
Slides of this talk can be downloaded here:
https://www.owasp.org/images/a/a0/OWASPLondon20171130_Cookie_Security_Myths_Misconceptions_David_Johansson.pdf
Cookies are an integral part of any web application, and secure management of cookies is essential to web security. However, during my years as a security consultant I've often encountered various myths and misconceptions regarding cookie security from both developers as well as other security professionals. This talk will dive into the details of cookie security and highlight some of the lesser known facts about well-known cookie attributes. This talk will give you a solid understanding of the pitfalls affecting cookie security, the risks associated with these, and how you can leverage modern security specifications to enhance the protection of cookies in your web application.
Speaker Bio:
David Johansson has worked as a security consultant for several leading IT-security companies and has over 10 years of experience in software security. Among other things, he has worked with software development and architecture, web security testing and training developers and testers in security. He has been speaking at conferences such as AppSec USA, InfoSecurity Europe and ISC2 Security Congress EMEA. David lives in London where he works as an Associate Principal Consultant for Synopsys.
This talk was presented at the OWASP London Chapter Meeting (meetup) on 30th November 2017. This event was hosted by JUST EAT Technology.
https://www.youtube.com/watch?v=rzbhi_MNcJM
If security is (still?) an afterthought, is shifting security to the left with automation enough for DevSecOps to deliver on its promises in the era of software at the speed of thought?
This talk was presented at the OWASP London Chapter Meeting on 26th April 2018 at EY.
Presentation slides can be downloaded here: https://www.owasp.org/images/c/cd/OWASPLondon-SecArch-DevSecOps_-DP20180426-PDF.pdf
Speaker: Dimitrios Petropoulos
Over the last thirty years, Dimitrios Petropoulos has been developing security middleware, designing enterprise security architectures, performing security R&D, conducting technical security assessments and advising on security strategy across EMEA. He is currently a Principal for DXC's Security Advisory practice.
https://www.youtube.com/watch?v=zRsoiDUiX1Q
How do you make sure your detections work in a cloud native organisation? Software engineers have integration tests, reliability engineers have chaos engineering frameworks. Detection engineers lack an equivalent standardised approach to E2E testing. A natural approach is a binary that generates a suspicious event, validates that a suitable alert is generated in your SIEM, closes it, and reports the result. An open source Datadog tool named Threatest does just this. We are working on extending this to work with Elasticsearch, with the hope of automating a huge portion of the work of the red team, and providing constant validation for our detections.
SPEAKER
George Gilligan (@ggilligan12)
George Gilligan is a security engineer at Thought Machine, where his work includes securing Kubernetes clusters, container security, intrusion detection, security testing, and implementing security policies. George participates in various CTF competitions and his CTF achievements include the Deloitte CTF Qualifier, Scottish Universities Cybersecurity Challenge and Hack Harvard 2018.
George holds an Offensive Security Certified Professional (OSCP) certification and a BSc (Honours) degree in Computer Science and Mathematics from the University of Edinburgh. George is now studying part-time for a MSc in Software and Systems Security at the University of Oxford.
This talk was presented at the OWASP London Chapter meetup on December 5th, 2023
https://www.youtube.com/watch?v=i5vYh-BQ9NI
Secure development is hard. Throughout the entire development of an open source project, security needs to be top of mind due to a myriad of potential threats. Some open source orgs are starting to ask for security matrices, and expect some threat modelling to have taken place, so that the threats to a system can be evaluated. This, however, can be difficult. Considering the different use cases of a project that may be running in different architectures can be quite a struggle, combined with sometimes working with developers who may not be familiar with threat modelling in general. This talk will explore how to make threat modelling easier for open source developers through using open source tools such as OWASP Threat Dragon and Threagile, and where each is better suited than the other.
SPEAKER BIO
Dan Conn (@danjconn)
Dan Conn likes to sit in the point between cyber security and development and over the past 10 years has worked as a developer in small startups, large corporates and many in between, catering for clients both public and private sector from SME size to enterprise. He has also had a strong interest in cybersecurity for just as long culminating in a postgraduate certificate in Advanced Security and Digital Forensics. Dan is now a Developer Advocate for Sonatype. When not coding, hacking, or talking about these things… you can find Dan running, skateboarding, DJ-ing or making music!
This talk was presented at the OWASP London Chapter Meetup on February 28th 2023 at Monzo Bank London offices
#DevSecOps #OWASPLondon
https://www.youtube.com/watch?v=S1UXqPQs2Sw
Paul Schwarzenberger, project leader of OWASP Domain Protect, describes how the OVO Energy Bug Bounty program led to the launch of a new OWASP project to prevent subdomain takeovers, and gives a live demonstration of detection of vulnerable domain records, followed by automated takeover.
SPEAKER BIO:
Paul Schwarzenberger (@paulschwarzen)
Paul Schwarzenberger is a cloud security architect and DevSecOps specialist, using an agile DevSecOps approach to lead the implementation and migration of critical systems to public cloud. Paul has extensive experience leading a wide range of cyber security engagements for customers across sectors including UK Government and financial services. Paul is a speaker on Cloud Security and DevSecOps at conferences such as (ISC)2 Congress, fwd:cloudsec, Security BSides, DevSecCon, 44CON, Enterprise Cloud Computing, CRESTcon, DevSecOps London and now OWASP.
https://www.youtube.com/watch?v=nw6uR0glJKk
Full talk can be found here: https://youtu.be/sg-TnUUXdsA
Part of "The Thermostat, The Hacker, and The Malware" IoT Security Talk by Ken Munro and Andrew Tierney. Following the PoC of thermostat ransomware that Ken Munro and Andrew Tierney performed at DefCon 24, this presentation digs even deeper into IoT devices and their apps. Staying with the thermostat, Ken and Andrew will walk through the ransomware attack and then move on to general malware, which has no easy method for detection. Even when firewalled, these devices are still vulnerable to local attacks, so we’ll show you how you can achieve a compromise. We’ll also take a look at CSRF spraying, IoT gear in public areas, supply chain tampering, and malicious firmware updates.
https://www.youtube.com/watch?v=uAWOzQRK4aI