"Scaling Security - Move fast and make things" - Paul Heffernan
Apologies for the poor video quality, which was caused by technical issues during the live-stream recording. The link to the slide deck is in the description.
Revolut has grown to over 5 million customers. This presentation will give an overview of the lessons we have learnt about scaling security that quickly when security fundamentally represents customer trust.
Speaker bio: Paul Heffernan
Paul is the CISO at Revolut, a UK-based financial technology company that offers banking services to over 3 million customers worldwide. With over 10 years of experience in the cyber security world, including consulting to some of the world's biggest brands, he believes the role of the security professional is to enable trust. Entering the industry from an 'ethical hacker' background, he deeply understands technical security challenges but is equally passionate about driving effective change through unambiguous leadership. Paul is a regular international speaker at various industry conferences such as the e-Crime Congress, CSO Amsterdam and CISO360 Barcelona. He also sits as an advisory board member of ClubCISO, a private members' forum for European information security leaders working in public and private sector organisations.
OWASP ZAP is a great tool, but it's not magic! When used in a CI/CD pipeline, ZAP needs some help to discover the routes through a web application. Basic authentication, user logins and form validation can all stop ZAP in its tracks. I show how to drive ZAP using Selenium scripts and increase the security coverage of a web application.
Speaker Bio: Mark Torrens works for Kainos as a Security Architect and this year is completing an MSc in Cyber Security at the University of York.
This lightning talk was presented at the OWASP London Chapter Meeting on 30-Aug-2018 at Microsoft Reactor.
Presentation slides can be downloaded here: https://www.owasp.org/images/2/27/OWASPLondon-OWASP-ZAP-Selenium-20180830-PDF.pdf
...
https://www.youtube.com/watch?v=jFBNCM61DbA
Full talk can be found here: https://youtu.be/sg-TnUUXdsA
Part of "The Thermostat, The Hacker, and The Malware" IoT Security Talk by Ken Munro and Andrew Tierney
Following the PoC of thermostat ransomware that Ken Munro and Andrew Tierney performed at DefCon 24, this presentation digs even deeper into IoT devices and their apps. Staying with the thermostat, Ken and Andrew will walk through the ransomware attack and then move on to general malware - which has no easy method for detection. Even when firewalled, these devices are still vulnerable to local attacks, so we'll show you how you can achieve a compromise. We'll also take a look at CSRF spraying, IoT gear in public areas, supply chain tampering, and malicious firmware updates.
...
https://www.youtube.com/watch?v=apYO3otwZGE
Mark Curphey, founder of OWASP, recently wrote an article called The Security Tools Crash is Coming that received a lot of praise from security practitioners and, unsurprisingly, met with some disdain from some security startup founders and venture capitalists. In this talk Mark will run through the key points of the article and then talk about what he believes the next generation of tools will look like, bringing AppSec and CloudSec together into interoperable cloud-native platforms.
SPEAKER BIO
Mark Curphey (@crashappsec)
Mark is the founder of OWASP; he is also the founder and CEO of SourceClear (acquired by Veracode in 2018) and the co-founder of Open Raven (https://www.openraven.com), a data security company. Mark moved to the U.S. in 2000 to join Internet Security Systems (now a part of IBM); he has also held roles including director of application security at Charles Schwab and VP of Professional Services at Foundstone and McAfee, and led the security tools team at Microsoft. Mark holds a Master's in Information Security from Royal Holloway University. After having lived for many years in Seattle and San Francisco, Mark makes his return to Great Britain, where he continues to work on his next big project. Mark is also an avid cyclist.
----
This talk was presented at the OWASP London Chapter Meeting on December 15th, 2022 kindly hosted by Thought Machine @thoughtmachine6830
#OWASP #DevSecOps #OWASPLondon
...
https://www.youtube.com/watch?v=0E61QBVnCNo
This talk was presented at the OWASP London Chapter [ONLINE] Meeting on 04 March 2021
GraphQL is becoming the next big API technology for developers, but with new technology comes new risk, and for us that means bug bounties! In this talk you will learn everything about GraphQL, from how it works to what kinds of bugs are common.
Speaker Bio:
KATIE PAXTON-FEAR (@InsiderPhD)
Katie is a Lecturer in Cyber Security at Manchester Metropolitan University; in her free time, she's a bug bounty hunter and an educational YouTuber. She started out hacking in June 2019 during a HackerOne mentorship program and now hopes to be a mentor to others, creating educational cyber security videos on YouTube. In her videos, she attempts to bridge the gap between "I know what bug bounties are" and "bug bounty hunter", giving advice specifically tailored to bug hunting. She's now produced over 50 videos on bug bounty hunting for an audience of over 25,000 YouTube subscribers. Aimed at a beginner audience, these go from finding your first bug, to how to use specific tools, to how to find specific bug classes.
Katie has discovered and responsibly reported security vulnerabilities to several large organisations such as Verizon Media and the US Department of Defense.
Index:
00:00 OWASP Introduction and Member Benefits
01:31 Katie's talk start - About Katie
05:31 What is GraphQL?
09:21 Where to Find GraphQL
12:19 Queries
15:10 Mutations
18:01 Why is it important to learn GraphQL syntax?
19:32 Introspection
17:15 GraphQL IDE
27:55 InQL Burp add-on and scanner
28:40 GraphQL Map
19:43 Common GraphQL Bugs
32:47 How To Hack GraphQL APIs
41:15 Q&A session
Presentation Slides can be downloaded from the OWASP London GitHub repo here: https://github.com/OWASP/www-chapter-london/raw/master/assets/slides/GraphQL_Hacking-Katie_Paxton_Fear_OWASPLondon.pdf
#BugBounty #OWASP #GraphQL #InsiderPhD
...
https://www.youtube.com/watch?v=GlvNwhq-uBg
Slides: https://www.owasp.org/images/8/86/OWASPLondon-WebTracking-Dr-Alexios-Mylonas-20181122-PDF.pdf
Research Article: https://www.owasp.org/images/7/76/TrackingResearchArticle-08457184-PDF.pdf
Web Storage, Indexed Database API and Web SQL Database allow web browsers to store information on the client in a much more advanced way compared to other techniques, such as HTTP cookies. They were originally introduced with the goal of enhancing the capabilities of websites; however, they are often exploited as a way of tracking users across multiple sessions and websites. The presentation will be divided into two parts. First, it will quantify the usage of these three primitives in the context of user tracking. This is done by performing a large-scale analysis of the usage of these techniques in the wild. The second part reviews the effectiveness of the removal of client-side storage data in modern browsers.
Speaker: Dr. Alexios Mylonas
Dr. Alexios Mylonas is the programme leader of the BSc Forensic Computing and Security at Bournemouth University and is also a member of the BU Cybersecurity Research Group. His teaching and research focus on Cyber Security and Digital Forensics. Before starting his academic career, he was a security consultant working within VeriSign's PKI Trust Network. He holds a PhD degree in Information and Communication Security and a BSc (Hons) in Computer Science from the Athens University of Economics and Business, as well as an MSc in Information Security from Royal Holloway. Dr Mylonas holds more than 20 well-referenced, esteemed journal and conference publications.
This talk was presented at the OWASP London Chapter meetup on 22-November-2018 at Microsoft Reactor.
...
https://www.youtube.com/watch?v=Tk9d8C3oRSI
When security incidents happen, you often have to respond in a hurry to gather forensic data from the resources that were involved. You might need to grab a bunch of hard drives and physically visit the data centre to capture data from the systems. Getting on airplanes and going to data centres means you have to get dressed, and that's a drag. When infrastructure is in the cloud, you have remote access and APIs for managing all your infrastructure, so you can respond to incidents with automation and do your forensic analysis in your bunny slippers. But is it as good as the capabilities you have in a data centre? Is getting dressed the price you have to pay for high quality forensics and incident response? In this talk Paco will explain the two major domains of cloud events (infrastructure domain and service domain) and describe the security and incident response techniques pioneered by AWS customers like Mozilla, Alfresco, and Netflix. He'll explain how to isolate resources to preserve the integrity of the data; get RAM dumps and disk image snapshots; and identify unauthorised changes to cloud resources using API tools and logs. And all of this while wearing pyjamas.
Speaker Bio:
Paco Hope (@pacohope)
Paco Hope is a Principal Consultant in Security, Risk, and Compliance for Amazon Web Services. He helps enterprise customers achieve compliance and secure their workloads on AWS. Based in London, he works with major enterprises across Europe and the UK migrating workloads and building new applications on AWS. Prior to his work with AWS he worked in application security, carrying out threat modelling, source code reviews, and architectural risk analysis for enterprises.
This talk was presented at the OWASP London Chapter Meeting on the 13th February 2019 at the Amazon London office.
Slides: https://www.owasp.org/images/6/60/OWASPLondon-IR-In-Your-Pyjamas-Paco-Hope-20190213-PDF.pdf
#OWASP
#OWASPLondon
#CloudSecurity
#IncidentResponse
...
https://www.youtube.com/watch?v=VEr0SmgXJ4c
This talk was presented at the OWASP London Chapter Meeting on 24th November 2016.
Shane will talk about myBBC Security Council and how it demonstrates an organisational approach towards security that ensures the right decisions are made by the right people, and that developers can raise concerns knowing that they will be seen and escalated. It also frames InfoSec as an enabling force rather than a loophole.
Slides can be downloaded here: https://www.owasp.org/images/5/52/OWASPLondon20161124_SecurityCouncil.pptx
Speaker Bio:
Shane is a Senior Software Developer at The BBC, with a keen interest in security. Prior to the BBC he worked for the travel aggregator Travelfusion, and the anti-money laundering firm Fortent (formerly Searchspace).
...
https://www.youtube.com/watch?v=zEEaSCMQ6dw
In the era of neobanks with no branches and broadly adopted eKYC standards, the entry barriers for cybercriminals are extremely low. How could FinTech win in this ongoing cat-and-mouse game? How do criminals utilise gaps in the workflows of the modern payment ecosystem? After looking at the mobile applications and API workflows of dozens of FinTech companies across Europe, the USA and Asia, I will provide real-world examples from both sides of the battle.
SPEAKER BIO:
Timur Yunusov (@a66ot)
Timur Yunusov is a payment security researcher, an application security expert with a focus on FinTech, and one of the Payment Village organisers. Some of Timur's research in the field of application security includes "Bruteforce of PHPSESSID" and "XML Out-Of-Band", shown at BlackHat EU back in 2013. Timur has previously spoken at conferences such as BlackHat EU, BlackHat USA, HackInTheBox, Nullcon, NoSuchCon, CanSecWest, Hack In Paris, ZeroNights, Positive Hack Days and at OWASP meetups.
This talk was presented at the OWASP London Chapter Meetup on February 28th, 2023 at @MonzoBank London offices
#OWASPLondon
...
https://www.youtube.com/watch?v=vQZayZV_C90