When security incidents happen, you often have to respond in a hurry to gather forensic data from the resources that were involved. You might need to grab a bunch of hard drives and physically visit the data centre to capture data from the systems. Getting on airplanes and going to data centres means you have to get dressed, and that's a drag. When infrastructure is in the cloud, you have remote access and APIs for managing all your infrastructure, so you can respond to incidents with automation and do your forensic analysis in your bunny slippers. But is it as good as the capabilities you have in a data centre? Is getting dressed the price you have to pay for high quality forensics and incident response? In this talk Paco will explain the two major domains of cloud events (infrastructure domain and service domain) and describe the security and incident response techniques pioneered by AWS customers like Mozilla, Alfresco, and Netflix. He'll explain how to isolate resources to preserve the integrity of the data; get RAM dumps and disk image snapshots; and identify unauthorised changes to cloud resources using API tools and logs. And all of this while wearing pyjamas.
Speaker Bio: Paco Hope (@pacohope)
Paco Hope is a Principal Consultant in Security, Risk, and Compliance for Amazon Web Services. He helps enterprise customers achieve compliance and secure their workloads on AWS. Based in London, he works with major enterprises across Europe and the UK migrating workloads and building new applications on AWS. Prior to his work with AWS he worked in application security, carrying out threat modelling, source code reviews, and architectural risk analysis for enterprises.
This talk was presented at the OWASP London Chapter Meeting on the 13th February 2019 at the Amazon London office.
This remote talk was presented over Skype at the OWASP London Chapter Meeting on 24th November 2016.
Goran will walk us through the steps to configure and use the new Official ZAP Plugin for Jenkins and will demo a test run with generated HTML reports.
Speaker: Goran Sarenkapa
Goran is a core member of the OWASP ZAP development team and a lead developer on the OWASP ZAP Jenkins plugin project.
Slides of this talk are available to download here: https://www.owasp.org/images/e/e3/OWASPLondon20161124_ZAP_Jenkins_Plugin_Intro.pdf
...
https://www.youtube.com/watch?v=ZxCy1jrsYnY
This talk was presented at OWASP London Chapter Meeting on 26th January 2017.
Identities Exposed: How Design Flaws in Authentication Solutions May Compromise Your Privacy - David Johansson
Slides: https://www.owasp.org/images/5/58/OWASPLondon20170126_Welcome.pdf
...
https://www.youtube.com/watch?v=KmchjwkYAOw
APOLOGIES FOR POOR QUALITY VIDEO - THIS WAS CAUSED BY TECHNICAL ISSUES DURING THE LIVE STREAM RECORDING: THE LINK TO THE SLIDE DECK IS IN THE DESCRIPTION:
Bots are generally seen as a bit of a nuisance and widely regarded as the weapon of choice for DDoS attacks. However, modern bots are capable of much more and are claimed to be behind three-quarters of all attacks that hit websites and APIs. Techniques such as rate limiting, IP blacklisting and even CAPTCHAs often do little to prevent the attacks as they evolve, evading controls which try to differentiate between bots and humans. In this session we’re going to look at what bots are and how they’re created, what they’re now capable of, which industries are most affected by them and how they are evolving to avoid our current defences.
Speaker bio: David Warburton is an information security threat researcher and evangelist for F5 Labs and frequently speaks at conferences and with customers all over the world. His research focuses on SSL/TLS and other cryptographic protocols and certificates, digital identity, web application security, information risk management and compliance & regulation. A recent alumnus of Royal Holloway University, where he wrote his MSc dissertation on IoT Security, he now works on identifying emerging cyber threats, producing actionable intelligence reports and consulting on cyber security strategy within public sector, retail and financial organisations.
The slide deck can be downloaded as PDF here: https://www.owasp.org/images/8/89/OWASPLondon_20190718_AdvancedBots_warburtr0n.pdf
This talk was presented at the OWASP London Chapter Meeting on July 18th, 2019.
...
https://www.youtube.com/watch?v=KhmDfxBFqmc
Slides: https://www.owasp.org/images/8/81/OWASPLondon_20190404_OWASP-RTF.pdf
This lightning talk is about RTF, an open source platform that hosts application security (AppSec) exercises for developers. Candidates manually remediate the code of a vulnerable application running in a disposable development environment accessed using a web browser. The platform provides automated results, a point system with trophies, and the ability to create time-boxed tournaments. The talk will include a live demo and introduce what’s coming next. We hope to be able to run OWASP CTF using RTF!
Speaker Bio: Andrea Scaduto (@sk4ddy)
Andrea is a Senior Penetration Tester and Software Engineer with an MSc in Computer Engineering and several IT Security certifications. He enjoys breaking, building and securing web and mobile applications, and he has extensive knowledge of secure coding techniques and a focus on reducing the cost of fixing vulnerabilities at scale.
This talk was presented at the OWASP London Chapter Meeting on the 4th April 2019 at Facebook London HQ.
...
https://www.youtube.com/watch?v=mQWjrxPx8_4
This talk was presented at OWASP London Chapter Meeting on 18-May-2017 at Worldpay.
Within a large organisation, different IT groups support different business areas. They typically use different technology stacks and operate different SDLCs. Small projects in particular have short development cycles and do not always have time to educate new developers in secure coding. This makes targeting of security education difficult, and training which is not followed up by practice is quickly forgotten. The OWASP Cheat Sheets provide a concise source of sound advice, but they can still leave the development team with a lot to do. They can be more complicated than necessary for a simple project. This lightning talk aims to sound out interest in an even more concise approach compared with the OWASP Cheat Sheets.
Speaker Bio:
Edwin Aldridge is an IT security consultant with a background in development who has worked for various financial institutions in the City of London and is currently focused on application security and red teaming.
...
https://www.youtube.com/watch?v=jIKHINswc8w
OWASP ZAP is a great tool, but it's not magic! When used in a CI/CD pipeline, ZAP needs some help to discover the routes through a web application. Basic authentication, user logins and form validation can all stop ZAP in its tracks. I show how to drive ZAP using Selenium scripts and increase the security coverage of a web application.
Speaker Bio: Mark Torrens works for Kainos as a Security Architect and this year is completing an MSc in Cyber Security at the University of York.
This lightning talk was presented at OWASP London Chapter Meeting on 30-Aug-2018 at Microsoft Reactor.
Presentation slides can be downloaded here: https://www.owasp.org/images/2/27/OWASPLondon-OWASP-ZAP-Selenium-20180830-PDF.pdf
...
https://www.youtube.com/watch?v=jFBNCM61DbA
APOLOGIES FOR POOR QUALITY VIDEO - THIS WAS CAUSED BY TECHNICAL ISSUES DURING THE LIVE STREAM RECORDING: THE LINK TO THE SLIDE DECK IS IN THE DESCRIPTION:
Revolut has grown to over 5 million customers. This presentation will give an overview of the lessons we have learnt about scaling security that quickly when security fundamentally represents customer trust.
Speaker bio: Paul Heffernan
Paul is the CISO at Revolut, a UK-based financial technology company that offers banking services to over 3 million customers worldwide. With over 10 years of experience in the cyber security world, including consulting to some of the world's biggest brands, he believes the role of the security professional is to enable trust. Entering the industry from an 'ethical hacker' background, he deeply understands technical security challenges but is equally passionate about driving effective change through unambiguous leadership. Paul is a regular international speaker at various industry conferences such as the e-Crime Congress, CSO Amsterdam and CISO360 Barcelona. He also sits as an advisory board member of ClubCISO, a private members' forum for European information security leaders working in public and private sector organisations.
The presentation slide deck PDF can be downloaded here: https://www.owasp.org/images/8/8d/OWASPLondon_20190718_OWASP-Revolut.pdf
This talk was presented at the OWASP London Chapter Meeting on 18th July 2019.
...
https://www.youtube.com/watch?v=S7V3Mn-2He4
"SBOMS and why they can help make your software more secure" - Anthony Harrison
With a growing interest (or maybe it is just awareness) in the Software Bill of Materials (SBOM) raised by various initiatives from governments (US, EU and now the UK with the recently announced consultation on software security and resilience), SBOMs are starting (in certain markets) to form part of the development landscape. As software systems become increasingly complex, relying on an extensive (and often unknown) software supply chain, it is essential to have a full understanding of all of the components which are used in a solution. This applies at all stages of the life cycle, and an SBOM is considered to be a key artefact in providing the necessary information to support a vulnerability management process. This talk will explain what an SBOM is, how and when they should be produced (and some of the challenges that need to be overcome) and demonstrate how they should form part of a DevSecOps lifecycle. I will try to supplement the talk with some demonstrations using a number of open source applications.
SPEAKER BIO:
Anthony Harrison
Anthony is an independent systems/software/cyber consultant. Anthony is a member of the OpenSSF SBOM Everywhere working group and SBOM Forum. Anthony has presented on SBOMs at FOSDEM (2002 and 2023), EuroPython 2022 and at PyCascades (Vancouver). In his spare time Anthony teaches Python at Manchester CoderDojo and acts as a mentor for Google Summer of Code (GSOC) projects supported by the Python Software Foundation.
----
This talk was presented at @OWASPLondon on April 18th, 2024, kindly hosted by ThoughtMachine and sponsored by @CheckmarxOfficial.
...
https://www.youtube.com/watch?v=kAn4yjg3pqY