Web security track - opening talk:
OWASP & OWASP Switzerland
Swiss Cyber Storm 3 (Rapperswil, May 2011)
The original PowerPoint slides can be downloaded and re-used under the following conditions:
- you're free to copy, distribute and transmit the work
- you're free to adapt the work
- if you alter, transform, or build upon this work, you may distribute the resulting work under the same or similar rights to this one
OWASP Free Training - SF2014 - Keary and Manico (Eoin Keary)
A free application security class delivered by world renowned experts: Eoin Keary and Jim Manico.
This class has been delivered to over 1000 people in 2014 alone.
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus on what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
The objective of the OWASP Top Ten is to inform and evangelise information system security managers about the risks incurred when publishing applications on the Internet.
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software (OWASP)
Presentation of OWASP Global Chairman of the Board - Martin Knobloch at OWASP Poland meeting in Warsaw on 13 November 2018. Great review of important OWASP Projects.
Slides from the first module of the OWASP Ottawa Training Day 2012, "Integrating security and privacy in a web application project" training.
Module 1: before coding (security during inception and design phases)
The training was designed and produced by:
Antonio Fontes (OWASP Geneva) - http://www.slideshare.net/starbuck3000
Philippe Gamache (OWASP Montreal) - http://www.slideshare.net/PhilippeGamache
Sebastien Gioria (OWASP France) - http://www.slideshare.net/SebastienGioria
Source code security review challenge at Confoo 2012 - Montreal (confoo.ca)
The audience was challenged in attempting to spot security vulnerabilities in a series of source code examples.
Security in outsourcing contracts for development services and ... - Antonio Fontes
Preparing security from the contractual phase of outsourcing projects related to web applications: development, cloud hosting and rental (SaaS)
GRI/CLUSIS symposium on the role of the state in the cybersecurity of Swiss companies / 27 May 2011
Threat modeling web application: a case study - Antonio Fontes
TAM is a security activity conducted early in the development lifecycle, when we only have ideas, early design specifications and no source code is produced yet. It helps identify major threats to your web application and their appropriate countermeasures.
This session focuses on an introduction to the threat modeling technique through a case study on an online newspaper platform.
Event: Confoo 2011 Montreal
The top 10 web application intrusion techniques - Antonio Fontes
The OWASP foundation published the 2010 version of its reference document describing the top 10 web application security risks.
During this talk, these ten intrusion techniques will be described to the audience.
Event: Confoo 2011 - Montreal
Update on the context and motivations behind the cyberattacks referred to in the press.
Audience: legal (lawyers, legal professionals, etc.)
Technical level: low
Venue: 2 December 2010, Faculty of Law at the University of Geneva
Info:
http://lexgva.ch/index.php?subaction=showfull&id=1290112460
You want to start integrating security in your web application project but you don't know where to start and don't have access to software security professionals. What are the "cheapest" yet very efficient activities that you can already do by yourself?
Agenda:
- Understanding the need for information security and privacy
- Secure design: key principles
- Threat modeling and analysis: building your first threat model and identifying the major risks in your web application
- Testing the security of your web application
- Understanding the big picture: what is a secure SDLC
- Cheap and efficient security activities that might be started immediately in your SDLC
By the end of March, the OWASP foundation will release the 2010 version of its major documentation project, the "Top 10 security risks in web applications."
Agenda:
- The 10 most common web application attacks
- Discovering the OWASP Top 10 document
- Integrating the Top 10 within an existing SDLC, as a software vendor, or a software buyer.
Meet the OWASP
1. Open Web Application Security Project
Antonio Fontes, antonio.fontes@owasp.org
SWISS CYBER STORM Conference, May 2011, Rapperswil
2. A few words about me
Antonio Fontes
- 6 years background working on software security & privacy
- Founder and principal consultant at L7 Securité Sàrl
- Lecturer at HST Yverdon (HEIG-VD)
Focus:
- Web application threats and countermeasures
- Secure development lifecycle
- Penetration testing and vulnerability assessment
- Software threat modelling and risk analysis
OWASP:
- OWASP Switzerland: member of the board, western Switzerland delegate
- OWASP Geneva: chapter leader
12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil
3. cat /wwwroot/agenda.html
- Why do organizations need OWASP?
- OWASP worldwide
- OWASP in Switzerland
- Q/A
4. Thermometer: "Is your organization already using OWASP material?"
- For internal software development?
- For outsourced custom software?
- For COTS acquisition?
(photo by Dave Oshry)
5. Why do organisations need OWASP?
6. Why do organisations need OWASP?
7. Why do organisations need OWASP?
101 million users! 77 million users!
8. Why do organisations need OWASP?
Handout from Sony Entertainment Online conference on the recent computer intrusion that led to more than 110 million user accounts being stolen (May 1st, 2011). (photo by Dave Oshry)
9. Why do organisations need OWASP?
10. Just a little check: "Who knows PBKDF2?"
11. Why do organisations need OWASP?
Who understands this in your organisation?
12. Why do organisations need OWASP?
Use hashes!! No! Don't use hashes!!
13. Why do organisations need OWASP?
Outside the organisation:
- Increasing adoption of "Anything over HTTP"
- Increasing "hostile" interest in online services: increasing "threat population"
- Web hacking/security is easy to understand/teach
- Low risk of being "caught"
- Increasing offer in security consulting, services and products
14. Why do organisations need OWASP?
Inside organisations:
- Developers dealing with dozens of web technologies
- Heterogeneous development teams and lifecycles
- Constant pressure for delivery
- Turnover and loss of internal know-how
- Who in the company is actually both up-to-date on the concept of "(web) application security" and has the power to take decisions?
- Who in the company is actually able to qualify the security products and services that are paid for?
15. Why do organisations need OWASP?
(timeline slide: 2001, 2003, 2005, 2007, 2010, 2011)
16. OWASP foundation
- Mission: "Make application security visible, so that people and organisations can make informed decisions about application security risks."
- Structure: U.S. 501c3 not-for-profit charitable international organization
- Core values: Open, Global, Innovation, Worldwide
- Code of ethics: independence from vendors, technology-agnostic
17. "strategy"
(diagram slide: a threat against a web application and company assets; the OWASP ecosystem of people, methods and tools: board, committees, chapters, members, projects, summit, conferences, website)
19. Project Leaders
Driving volunteers' effort on OWASP material projects:
- Workshops
- Brainstorming sessions
- Analysis/reporting
- Guides editing
- Tools coding
19 quality-release and 26 beta-status projects
20. Chapter Leaders
Leading local chapter meetings:
- 188 chapters worldwide
- More than 300 yearly meetings worldwide
- Connection with local organisations
Next local chapter meeting: Zurich, June 14th
21. Global Committees
Driving volunteers' effort on global/focused OWASP outreach. Active global committees:
- Industries
- Membership
- Government
- Education
- Projects
- Events
- Connections
22. Full-time
- Kate Hartmann: logistics and day-to-day support for leaders of the 188 local chapters
- Alison Shrader: accounting & administration
- Paulo Coimbra: PMO
- Sarah Basso: operations before/during/after OWASP events
23. Conferences: research
Conference dedicated to research work on application security
24. Conferences: AppSec
Yearly global application security focused conferences: Europe, North America, South America, Asia
Next OWASP Conference in Europe: Dublin, June 7th-10th 2011
25. The Summit
Intensive 1-week workshop event with leaders, contributors, sponsors and software vendors:
- Ability to connect with leading software vendors and corporate members
- More than 150 reunited chapter & project leaders
- 80 workshops
27. OWASP Membership
Individual members:
- Annual fee: 50$/year
- Free access to OWASP Training day events
- Reduced fees at OWASP events
- Current count: 1383 individual contributing members
28. OWASP Membership
Corporate members:
- 52 public corporate members
- Annual fee: 5'000$/year
- Delegates for the Summit event
- Logo on website, use as marketing argument
- Majority is from the US, but Switzerland is also there
29. OWASP Membership
Academic members:
- Annual fee: 0$/year
- Donate: support 40 members
- Switzerland: 1 officialised partnership (HEIG-VD), 2 pending partnerships
30. OWASP: the web portal
31. https://www.owasp.org
- 250'000 unique visitors monthly
- 650'000 pages viewed monthly
- 60% driven by search engines
- 19% referred by other websites
Highest traffic motives: OWASP Top 10, WebScarab project, XSS prevention cheat sheet, "sql injection"
32. http://lists.owasp.org
- More than 400 mailing lists currently running
- 25'900 memberships
- About: tools, documents, methods, committees, events, outreach, leaders, etc.
36. Tools: WebGoat
COTS web application for webapp security (CBT) training. Click and run. /index.php/Webgoat
37. Tools: ModSecurity core ruleset
Critical protections centralized in a core ruleset (CRS) to be installed on ModSecurity-enabled Apache servers. Provides:
- HTTP protocol compliance
- Attack detection
- Error detection
- Search engine monitoring
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
38. Tools: Enterprise Security API
Control library encapsulating most security functions required in web applications:
- Authentication
- Access control
- Sessions
- Encoding
- Input validation
- Encryption
- Logging
- Intrusion detection
- ...
https://www.owasp.org/index.php/ESAPI
39. Documents: OWASP Top 10
https://www.owasp.org/index.php/Top10
40. Documents: code review guide
- Instructions and methodology manual for conducting code security reviews
- Guidance on detecting the major security flaws created during implementation
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
41. Documents: ASVS
ASVS: Application Security Verification Standard
- 4 verification (assurance) levels across more than 120 security controls
- Tailored to your own risk aversion
https://www.owasp.org/index.php/ASVS
42. Documents: OpenSAMM
Open Software Assurance Maturity Model
https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
44. OWASP Switzerland's structure
- No legal form (yet, just a few days left)
- Leader: Sven Vetsch
- Board members: Tobias Christen, Antonio Fontes
- Based in Zurich
- 130 mailing list members
- Next meeting: June 14th
Other local city/region chapters:
- OWASP Geneva: 90 list members, next meeting: September 6th
45. Activities: meetings and conferences
Local chapter meetings:
- 1, 2 or 3 speakers per event
- Geneva, Yverdon, Zurich
- ~8 meetings/year
- Attendance: 15-100 people
- People love these meetings!
(Historical) conference partnerships:
46. Activities: awareness sessions
Awareness session for Swiss organizations:
- 1 hour, head-to-head session with an OWASP representative at your company
- Syllabus: OWASP organization, OWASP projects and membership opportunities
- 4 Swiss private companies requested this in 2010
- It's free! BUT: it's not free training or consulting!! No product names, no "reviews", no training.
47. Swiss speakers and contributors (non-exhaustive list, sorry for those I forgot)
- Ivan Butler: Web application firewall & Hacking lab
- Tobias Christen: Security & Usability
- Alexis Fitzgerald: Gathering application security requirements
- Christian Folini: ModSecurity CRS & DDoS defense
- Antonio Fontes: Threat modelling & Lifecycle security
- Axel Neumann: Zed Attack Proxy
- Sylvain Maret: Strong authentication
- Pierre Parrend: Java mobile applications
- Sven Vetsch: Advanced XSS attacks and defense
- ... come to me after the talk if you want your name here
48. Visit the OWASP website: https://www.owasp.org
Join the OWASP Switzerland mailing list: http://www.owasp.ch
Follow us on Twitter: @OWASP_ch / @OWASP
Get in touch with your local OWASP representatives:
- Sven Vetsch (Switzerland): sven.vetsch@disenchant.ch
- Antonio Fontes (Western/French Switzerland): antonio.fontes@owasp.org
Thank you!
Editor's Notes
1) Web frontends, Web 2.0 portals, intranets / extranets for b/c/c services, VPN over SSL, web services, SOAs, online APIs, ... Access to public services, personal data, business automation, etc.
2) The value of information / service
3) Governments, competitors, disgruntled people, hackers...?
4) The advantage of not being "there"; "blacklist" countries (from a legal perspective)
Basic context: threat exercise on a web-facing entity, potentially exposing company assets. Need for information, visibility. Achieved with people, methods and tools. OWASP creates the necessary ecosystem to build up these 3 components. Visibility on app security is then brought to the company.
Statistics indicate the major search terms being support for XSS defense and understanding SQL injection. Although very "basic" and quite old, SQL injection remains a major search term; the message STILL needs to be transmitted. Do not OVERESTIMATE!!!
Coverage across the development lifecycle
Objective:
- Help you identify what OWASP can provide you
- Help you identify opportunities for internal secure development
- Help you identify opportunities for secure COTS/outsourced software vendor agreements
- Help you identify material that you can use to leverage your relation with your security services/product provider