Actions and Detail Panel
OWASP London Chapter Meeting, Thursday 30th March 2017, 6:30pm
Thu 30 March 2017, 18:00 – 20:45 BST
THIS EVENT IS NOW SOLD OUT. WE ARE WORKING WITH THE HOSTING SPONSOR AND THE VENUE TO SEE IF WE CAN RELEASE FEW MORE TICKETS.
This event is kindly sponsored and hosted by The Telegraph Media Group.
Location: Telegraph Media Group, 111 Buckingham Palace Road, London, SW1W 0DT
Nearest Tube: Victoria (3 minute walk)
Doors Open and refreshments provided at 6:00pm, the talks start at 6:30pm (we start on time).
OWASP Introduction, Welcome and News - Sam Stepanyan and Sherif Mansour
Welcome and a brief update on OWASP Projects & Conferences from the OWASP London Chapter Leaders.
Heroes vs Villains: Building an Application Security Program that Scales - Kevin Delaney
Many application security teams scramble to pinpoint vulnerabilities and flaws during the testing and release stages while managing limited security resources, a multitude of compliance regulations, and surprise feature requests. Although security teams try to follow the right application security practices, many applications are shipped with fragmented security. The most common denominator is the reliance on dynamic and static testing tools during the final stages of the lifecycle. In this session, learn about the benefits of building security during the requirements phase or the first stage of the software development lifecycle (SDLC).
Lightning Talk: Bypassing CSRF Protections: A Double Defeat of the Double-Submit Cookie - David Johansson
Double-Submit Cookie Pattern Protection against cross-site request forgeries (CSRF) is an essential security control in most web applications.
The double-submit cookie pattern is a popular option in stateless applications as it doesn't require the server to store a token value between requests. Instead, the server will verify a token value stored in a cookie against a request parameter. Unfortunately, many popular implementations of this defense pattern can be defeated by attackers and this talk will discuss the misconceptions and pitfalls that may render this protection insufficient. We will look at how the CSRF protection in an AngularJS application using the popular Express.js middleware csurf on the server-side can be defeated. We will also show the options for configuring it securely.
PostMessage Security in Chrome Extensions - Arseny Reutov
PostMessage API is a known source of DOM XSS vulnerabilities on web sites. Browser extensions can use messaging too, and if an extension fails to handle incoming messages securely enough it may lead to a universal XSS. This talk will present an analysis of Chrome extensions that aimed at discovering vulnerabilities caused by insecure postMessage listeners in content scripts that are inserted by browser extensions into web pages. The research will demonstrate the examples of vulnerable Chrome extensions and explain the threats which they present to the end-users and how they can be mitigated.
Kevin Delaney is an application security professional from Toronto, Canada. With diverse experience in software development, security, and enterprise IT, he takes personal pride in solving challenging security problems and helping businesses stay one step ahead of attackers.
David Johansson has worked as a security consultant for several leading IT-security companies and has over 9 years of experience in software security. Among other things, he has worked with software development and architecture, web security testing and training developers and testers in security. He has been speaking at conferences such as InfoSecurity Europe and ISC2 Security Congress EMEA. David lives in London where he works as an Associate Principal Consultant for Cigital (a part of Synopsys).
Arseny Reutov is a web application security researcher from Moscow, Russia. Arseny is the Head of Research Team and Application Security Tools Development Unit at Positive Technologies Ltd where he specializes in information security issues, penetration testing and the analysis of web applications and source code. He is also the author of various security research papers and the security blog raz0r.name.
Arseny has participated in various bug bounty programs and acknowledged by many well-known software vendors. He was a speaker at ZeroNights, CONFidence, PHDays and other conferences. Arseny loves making web security challenges (#wafbypass on Twitter) as well as solving them. His passion are modern web technologies and finding vulnerabilities in them.
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in application security. Please note that you MUST book your place to be admitted to the event by the building security.