Fwd: OWASP Dublin - March Event


Vicky Lee - Python Ireland

Mar 10, 2013, 9:47:33 AM
to pythonie
Hi All

Just passing this on for those who are interested.

Cheers,

/// Vicky (PyCon Ireland co-Chair)


---------- Forwarded message ----------
From: Fabio Cerullo <fcer...@owasp.org>
Date: Sun, Mar 10, 2013 at 12:37 PM
Subject: Fwd: OWASP Dublin - March Event
To: why...@gmail.com, in...@emc23.com, ste...@annertech.com


hi there,

Please find below an invite to the upcoming OWASP Dublin chapter event next March 14th.

You are more than welcome to come and extend the invite to your communities.

Thanks,
Fabio

---------- Forwarded message ----------
From: Fabio Cerullo <fcer...@owasp.org>
Date: Sun, Mar 10, 2013 at 12:23 PM
Subject: OWASP Dublin - March Event
To: "owasp-...@lists.owasp.org" <owasp-...@lists.owasp.org>
Cc: Eoin Keary <eoin....@owasp.org>, Fiona Walsh <fiona...@owasp.org>, Barry Alistair <ba...@irishdev.com>


Dear all,

We would kindly like to invite you to the upcoming OWASP Dublin event next Thursday 14th March at 17:00 (registration opens at 16:30) in the TCube at 32-34 Castle St, Dublin.

Registration here: http://www.regonline.com/owaspdublinmarch13
Placemark here: http://goo.gl/maps/Ldcl

Thanks to IrishDev.com and Barry for providing this fantastic venue!

Workshop 1 - Topic: "Everything we know is Wrong" (17:00-18:00)

The premise behind this talk is to challenge both the technical controls we recommend to developers and also our actual approach to testing. This talk is sure to challenge the status quo of web security today.

"Insanity is doing the same thing over and over and expecting different results." - Albert Einstein

We continue to rely on a “pentest” to secure our applications. Why do we think it is acceptable to perform a time-limited test of an application to help ensure security when a determined attacker may spend 10-100 times longer attempting to find a suitable vulnerability? Our testing methodologies are inconsistent and rely on the individual and the tools they use. Some carpenters use glue and some use nails when building a wooden house. Which is best, and why do we accept poor, inconsistent quality? Fire-and-forget scanners won’t solve security issues. Attackers take time and skill, but our industry accepts the output of a software programme to help ensure security? How can we expect developers to listen to security consultants when the consultant has never written a line of code? Why don’t we ask “How much code development have you done, seeing as you are assessing my code for security bugs?” Currently we treat vulnerabilities like XSS and SQLi as different issues, but the root cause is the same – it’s all code injection theory! Why do we do this and make security bugs over-complex? Why are we still happy with “testing security out” rather than the superior “building security in”?

Eoin has recently delivered this at RSA (Feb 2013) in San Francisco and Semafor (March 2013) in Poland to great effect.

Bio:
Eoin is an international board member and vice chair of OWASP, The Open Web Application Security Project (owasp.org). During his time in OWASP he has led the OWASP Testing and Security Code Review Guides and also contributed to OWASP SAMM and the OWASP Cheat Sheet Series. Eoin Keary is the CTO and founder of BCC Risk Advisory Ltd. (www.bccriskadvisory.com), an Irish company specialising in secure application development, advisory, penetration testing, mobile and cloud security, and training. Eoin has led global security engagements for some of the world’s largest financial services and consumer products companies. He is a well-known technical leader in the software security and penetration testing industry.

Workshop 2 - Topic: "ABAP Code Vulnerabilities - What Your SAP System May Be Hiding" (18:00-19:00)

ABAP is a programming language developed for use within SAP platforms to allow customers to develop their own business applications. However, because the majority of ABAP developers code exclusively for internal-only applications, and because these are accessed through the SAP GUI client rather than web-based technologies, many developers believe that application security vulnerabilities either do not exist in their code or cannot be exploited. This session aims to dispel this myth and will demonstrate some of the common vulnerabilities that exist within ABAP code, such as SQL injection, ABAP code injection, OS command injection and path traversal, and show how these issues are exploited through the SAP GUI.

Bio:
Máirtín is a manager within the PwC Information Security and Forensics function with ten years’ experience in information security. Máirtín began his career in network security and then moved to a broader information security role before moving into consultancy, where he has worked for clients in Ireland, the UK and Europe across all domains of information security. Máirtín’s key focuses are the management and delivery of information risk, information security management, information security architecture, compliance, vulnerability management and penetration testing engagements.
Máirtín has extensive experience providing application security testing services for complex web applications and platforms in the public and private sector and has recently been responsible for the implementation of a secure software development lifecycle within an organisation of over twelve hundred developers.



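An added example, not code from the announcement, from either speaker, or from SAP, and written in Python rather than ABAP so that it runs stand-alone: it makes the first abstract's claim that XSS and SQLi share one root cause concrete by running the same mistake against four interpreters, which happen to be the four vulnerability classes the second abstract lists for ABAP (SQL injection, code/markup injection, OS command injection, path traversal). The table rows, payloads and paths are constructed for the illustration.

```python
"""Injection has one root cause: untrusted data crossing into a code context.

Constructed illustration (not code from the OWASP Dublin announcement or the
speakers).  Each pair below pastes an attacker-controlled string into a
context that some parser will interpret (SQL, HTML, a shell command line, a
filesystem path) and then shows the fix, which is always one of two things:
keep the data out of the code channel entirely (bound parameters, argv
lists) or encode it for exactly the context it lands in.
"""
import html
import posixpath
import shlex
import sqlite3


def _db():
    # In-memory table with constructed sample rows.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    return con


# --- SQL injection: concatenation vs bound parameters ----------------------
def sql_vulnerable(name):
    """Roles returned when `name` is spliced into the SQL text."""
    query = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in _db().execute(query)]


def sql_safe(name):
    """Same query with `name` bound as a parameter: it can only ever be data."""
    return [row[0] for row in _db().execute(
        "SELECT role FROM users WHERE name = ?", (name,))]


# --- Cross-site scripting: the same splice, into an HTML parser -------------
def html_vulnerable(name):
    return "<p>Hello " + name + "</p>"


def html_safe(name):
    # Encode for the HTML text context; quote=True also covers attribute values.
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


# --- OS command injection: the string handed to `sh -c` ---------------------
def shell_vulnerable(host):
    """Command line a naive wrapper would pass to the shell; ';' ends ping."""
    return "ping -c 1 " + host


def shell_safe(host):
    """shlex.quote makes `host` a single shell word.  Better still, pass an
    argv list to subprocess.run([...]) and involve no shell at all."""
    return "ping -c 1 " + shlex.quote(host)


# --- Path traversal: user input interpreted by the filesystem ---------------
def path_vulnerable(base, user_file):
    return posixpath.join(base, user_file)


def path_safe(base, user_file):
    """Normalise, then refuse anything that resolved outside `base`.

    posixpath.join discards `base` when `user_file` is absolute, so the
    check must run on the normalised result, not on the input string.
    """
    base = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base, user_file))
    if target != base and not target.startswith(base + "/"):
        raise ValueError("path escapes base directory: " + target)
    return target


def demo():
    """Run each pair on a constructed payload; returns (context, vulnerable, safe)."""
    payloads = {
        "sql": "x' OR '1'='1",
        "html": "<script>alert(1)</script>",
        "shell": "127.0.0.1; cat /etc/passwd",
        "path": "../../etc/passwd",
    }
    results = [
        ("sql", sql_vulnerable(payloads["sql"]), sql_safe(payloads["sql"])),
        ("html", html_vulnerable(payloads["html"]), html_safe(payloads["html"])),
        ("shell", shell_vulnerable(payloads["shell"]), shell_safe(payloads["shell"])),
    ]
    try:
        safe_path = path_safe("/srv/files", payloads["path"])
    except ValueError as exc:
        safe_path = str(exc)
    results.append(("path", path_vulnerable("/srv/files", payloads["path"]), safe_path))
    return results


if __name__ == "__main__":
    for context, vulnerable, safe in demo():
        print(f"{context:6} vulnerable: {vulnerable!r}")
        print(f"{'':6} safe:       {safe!r}")
```

The four "vulnerable" functions are one bug written four times: a string the attacker controls is concatenated into text that a parser will execute. That is also why the delivery channel does not matter for the ABAP case: whether the value arrives from a browser form or from a field in the SAP GUI, a dynamic SQL condition or a command string assembled from it reaches the same parser with the same result, and the fix (bind the value, or escape it for that exact context) is the same.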