Teaching the OWASP Top 10 to Beginning Developers - Olivia Liddell
"Teaching the OWASP Top 10 to Beginning Developers" - Olivia Liddell
For beginning developers who are starting to learn the basics of coding, learning about application security can often feel daunting and overwhelming. To make this process easier, Olivia has created a workbook that beginning developers can use to supplement their study of the OWASP Top 10. Olivia will discuss best practices for teaching security concepts to beginners. She will also cover the approaches that she took in developing her workbook as well as the results of the workbook’s pilot test and some ideas for future development.
Olivia Liddell is a Technical Curriculum Developer at Amazon Web Services (AWS), where she creates training courses for AWS Cloud fundamentals. Previously, Olivia worked as a middle school teacher in Chicago Public Schools and as an educational technology consultant to support various colleges and universities. She frequently speaks at conferences on topics such as mentoring, team building, and social engineering.
Slides: https://www.owasp.org/images/8/86/OWASPLondon-WebTracking-Dr-Alexios-Mylonas-20181122-PDF.pdf
Research Article: https://www.owasp.org/images/7/76/TrackingResearchArticle-08457184-PDF.pdf
Web Storage, the Indexed Database API and Web SQL Database allow web browsers to store information on the client side in a far more capable way than older techniques such as HTTP cookies. They were originally introduced to enhance the capabilities of websites; however, they are also exploited as a way of tracking users across multiple sessions and websites. The presentation is divided into two parts. First, it quantifies the usage of these three primitives in the context of user tracking, by performing a large-scale analysis of how these techniques are used in the wild. The second part reviews how effectively modern browsers actually remove client-side storage data when asked to.
Speaker: Dr. Alexios Mylonas
Dr. Alexios Mylonas is the programme leader of the BSc Forensic Computing and Security at Bournemouth University and a member of the BU Cybersecurity Research Group. His teaching and research focus on cyber security and digital forensics. Before starting his academic career he was a security consultant working within VeriSign's PKI Trust Network. He holds a PhD in Information and Communication Security and a BSc (Hons) in Computer Science from the Athens University of Economics and Business, as well as an MSc in Information Security from Royal Holloway. Dr Mylonas has more than 20 well-cited journal and conference publications.
This talk was presented at the OWASP London Chapter meetup on 22-November-2018 at Microsoft Reactor
...
https://www.youtube.com/watch?v=Tk9d8C3oRSI
"How To Write Insecure Code and Other Stories" - Shruti Kulkarni
We live in a "speed-to-market" era. Including security controls in applications sometimes may be considered an overhead. However, if security controls are not added to applications during development, it may be challenging to add them later on. In this presentation, we will see how code can be written insecurely and really how simple it is to include the required security controls in the application.
SPEAKER BIO
Shruti is a cyber security / enterprise security architect with experience in ISO 27001, PCI DSS, policies, standards, security tools, threat modelling and risk assessments. Shruti works on security strategies and collaborates with cross-functional groups to implement information security controls in the software development life-cycle, service operations and service delivery, such that the security controls support business requirements.
This talk was presented at the @OWASPLondon Chapter meetup on January 11th, 2024 at JustEat London offices.
...
https://www.youtube.com/watch?v=02cuM0O5cXE
"It’s Not a Bug It’s Emergent Behaviour - Generative AI, Its Cybersecurity Risks and Benefits" - Sherif Mansour
ABSTRACT:
A curated talk on generative AI, in which Sherif presents his research findings, beginning with an overview of the technology, then discussing its current technical risks, and exploring its promising security use cases without making grand claims. The talk also dives into design considerations when developing web applications that use generative AI. To conclude, Sherif introduces open-source software announced during the talk, encouraging attendees to use and investigate it at their own discretion.
SPEAKER BIO:
Sherif Mansour (@kerberosmansour)
Sherif Mansour is the global director of information security at JustEat Takeaway.com and has been working in the field of information security for 19 years. He was the OWASP chairman and sat on the OWASP Foundation's board for four years. He was also one of the founding governing board members of the OpenSSF Foundation, where he represented the OWASP Foundation. Sherif has contributed to several OWASP projects and was one of the main authors of the CIS Benchmark for Tomcat 7/8. As a security researcher he has disclosed vulnerabilities in Microsoft, Oracle, SAP and SiteSpect products.
Jupyter Notebook can be found on GitHub here: https://github.com/kerberosmansour/InfoSecOpenAIExamples/blob/main/Presentation/InfoSecTalkGenAI.ipynb
--
This talk was presented at the OWASP London Chapter Meetup on May 30th 2023. This event was kindly hosted and sponsored by Amazon London.
...
https://www.youtube.com/watch?v=FSPTiw8gSEU
As developers start using front-end frameworks such as React, they must be made aware of any related security issues. Whilst React provides developers with proactive measures such as output encoding, there still exist edge cases which can lead to cross-site scripting issues. This talk explores common security issues in the framework and how to defend against them.
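One such edge case is a user-controlled `href`. React escapes the characters in an attribute value, but it does not know that the string is a URL, so a `javascript:` scheme survives the encoding and becomes a working link. The example below is added here and is not code from the talk or from React: it parses the input with the WHATWG `URL` class and allow-lists the scheme, which also catches the mixed-case and tab-embedded variants that a naive `startsWith('javascript:')` check misses, because the URL parser lower-cases the scheme and strips ASCII tabs and newlines before matching. The base origin `https://app.example/` and the `<a>` rendering stand-ins are assumptions.

```javascript
// Added example, not from the talk or from React: scheme allow-listing for href.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const BASE = 'https://app.example/';   // assumed origin used to resolve relative links

// Returns a normalised URL string that is safe to place in href, or null to reject.
function safeHref(raw) {
  if (typeof raw !== 'string') return null;
  let url;
  try {
    url = new URL(raw, BASE);   // resolves relative paths, lower-cases the scheme,
  } catch {                     // strips tabs/newlines and leading control chars
    return null;                // unparseable input is rejected, never passed through
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Stand-in for what JSX attribute escaping does: quotes and angle brackets are
// encoded, but the scheme of the string is left untouched.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// The vulnerable shape: <a href={userUrl}> with no URL validation.
function vulnerableAnchor(userUrl) {
  return `<a href="${escapeAttr(userUrl)}">link</a>`;
}

// The hardened shape: validate first, drop the attribute entirely on rejection.
function hardenedAnchor(userUrl) {
  const href = safeHref(userUrl);
  return href === null ? '<a>link</a>' : `<a href="${escapeAttr(href)}">link</a>`;
}
```

Allow-listing the scheme stops script execution; it does not stop a link to another host (a protocol-relative `//evil.example/` resolves to `https:` and passes), so if the application also needs to keep links on its own origin, compare `url.origin` against the expected origin as well.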
Speaker:
Amanvir Sangha (@_amanvir) is a Software Security Consultant at Synopsys, primarily focused on source code review, developer training and modern web application security. In the past he has worked as a software and security engineer helping developers write secure code.
Talk was presented at the OWASP London Chapter Meeting on the 6th September 2018 at Facebook London HQ
The slides of this talk were built using MDX and can be explored here: https://github.com/amanvir/owasp-fb-react
...
https://www.youtube.com/watch?v=8sPxTurpbe8
Slide-deck: https://www.owasp.org/images/1/19/KevinDelaney_OWASPLondon_03-30-2017.pdf
This talk was presented at OWASP London Chapter Meeting on 30th March 2017 at The Telegraph headquarters in London.
Many application security teams scramble to pinpoint vulnerabilities and flaws during the testing and release stages while managing limited security resources, a multitude of compliance regulations, and surprise feature requests. Although security teams try to follow the right application security practices, many applications are shipped with fragmented security. The most common denominator is the reliance on dynamic and static testing tools during the final stages of the lifecycle. In this session, learn about the benefits of building security during the requirements phase or the first stage of the software development lifecycle (SDLC).
Speaker Bio: Kevin Delaney is an application security professional from Toronto, Canada. With diverse experience in software development, security, and enterprise IT, he takes personal pride in solving challenging security problems and helping businesses stay one step ahead of attackers.
...
https://www.youtube.com/watch?v=OS-6i1_eBNA
The real cost of misconfiguration to businesses has been put at several trillion dollars over the past few years. These costs are the result of misconfiguration in infrastructure and workloads. One way to proactively identify misconfiguration is through security scanning. The scan results give us insight into the security posture of our services over time. However, these scanners treat our resources as static and evaluate misconfiguration only in single instances. To assess the potential impact of misconfiguration in our production environment, we need additional tools. In this talk, we will look at ways Chaos Engineering and security experimentation can help us minimise the potential damage of misconfiguration. Chaos Engineering is the practice of intentionally introducing faults into a system to test its resilience to failure. Anaïs will walk you through the principles of Security Chaos Engineering and how it can be used to proactively identify misconfiguration and make our deployment pipeline and services more robust.
SPEAKER BIO:
Anaïs Urlichs (@urlichsanais)
Anaïs Urlichs is a Developer Advocate at Aqua Security, where she contributes to Aqua's cloud native open source projects. When she is not advocating DevOps best practices, she runs her own YouTube channel centred around cloud native technologies. Before joining Aqua, Anaïs worked as an SRE at Civo, a cloud native service provider, where she worked on infrastructure for hundreds of tenant clusters. As an OpenUK ambassador, her passion lies in making tools and platforms more accessible to developers and community members.
This talk was presented at the OWASP London Chapter meetup on the 30th May 2023 kindly hosted and sponsored by Amazon London
...
https://www.youtube.com/watch?v=DeYhcM_Tan0
Slides of this talk can be downloaded here:
https://www.owasp.org/images/a/a0/OWASPLondon20171130_Cookie_Security_Myths_Misconceptions_David_Johansson.pdf
Cookies are an integral part of any web application and secure management of cookies is essential to web security. However, during my years as a security consultant I've often encountered various myths and misconceptions regarding cookie security from both developers as well as other security professionals. This talk will dive into the details of cookie security and highlight some of the lesser known facts about well-known cookie attributes. This talk will give you a solid understanding of the pitfalls affecting cookie security, the risks associated with these, and how you can leverage modern security specifications to enhance the protection of cookies in your web application.
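Among the modern specifications the abstract refers to, the cookie name prefixes are the ones most often misapplied, so the example below, which is added here and is not code from the talk, builds a session cookie with the full attribute set and audits an arbitrary Set-Cookie header against the prefix rules. The rules it enforces are those of RFC 6265bis: a `__Host-` cookie must be Secure, must have `Path=/` and must not carry a Domain attribute; a `__Secure-` cookie must be Secure; and `SameSite=None` is only honoured together with Secure. The cookie name `sid`, its values and the defaults are constructed for the example.

```javascript
// Added example, not from the talk: Set-Cookie builder and attribute audit.

// Emits a session cookie with every defence-in-depth attribute set. The
// __Host- prefix makes the browser refuse the cookie unless it is Secure,
// has Path=/ and has no Domain, so an http:// page or a sibling subdomain
// cannot plant a same-named cookie (the classic "Secure does not stop
// overwriting" pitfall).
function buildSessionCookie(name, value, { maxAge = 3600, sameSite = 'Lax' } = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[\s;,"\\]/.test(value)) throw new Error('invalid cookie value');
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) throw new Error('invalid SameSite');
  return `__Host-${name}=${value}; Path=/; Secure; HttpOnly; SameSite=${sameSite}; Max-Age=${maxAge}`;
}

// Splits one Set-Cookie header into name, value and a lower-cased attribute map
// (flag attributes such as Secure map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq < 0 ? pair : pair.slice(0, eq);
  const value = eq < 0 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const k = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    attributes[k] = i < 0 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Returns a list of findings; an empty list means every check passed.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  const secure = attributes.secure === true;
  if (name.startsWith('__Host-')) {
    if (!secure) findings.push('__Host- prefix requires Secure');
    if ('domain' in attributes) findings.push('__Host- prefix forbids Domain');
    if (attributes.path !== '/') findings.push('__Host- prefix requires Path=/');
  } else if (name.startsWith('__Secure-')) {
    if (!secure) findings.push('__Secure- prefix requires Secure');
  }
  if (!secure) findings.push('missing Secure: cookie is also sent over plain HTTP');
  if (attributes.httponly !== true) findings.push('missing HttpOnly: readable from script');
  const ss = typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : null;
  if (ss === null) findings.push('missing SameSite: browser default applies');
  else if (ss === 'none' && !secure) findings.push('SameSite=None requires Secure');
  return findings;
}
```

A browser that supports the prefixes silently drops a `__Host-` cookie that breaks any of the three rules, so a server that adds a Domain attribute to such a cookie does not get a weaker cookie, it gets no cookie at all; running `auditSetCookie` over response headers in an integration test catches that before users do.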
Speaker Bio:
David Johansson has worked as a security consultant for several leading IT-security companies and has over 10 years of experience in software security. Among other things, he has worked with software development and architecture, web security testing and training developers and testers in security. He has been speaking at conferences such as AppSec USA, InfoSecurity Europe and ISC2 Security Congress EMEA. David lives in London where he works as an Associate Principal Consultant for Synopsys.
This talk was presented at the OWASP London Chapter Meeting (meetup) on 30th-November-2017. This event was hosted by JUST EAT Technology
...
https://www.youtube.com/watch?v=rzbhi_MNcJM