OWASP Manchester


Chapter Sponsors

Thank you to our Silver Chapter sponsor: AutoTrader.



Code of Conduct

OWASP Manchester meetings and events are an inclusive environment where all people should feel safe and respected. We welcome diversity in age, race, ethnicity, national origin, range of abilities, sexual orientation, gender identity, financial means, education, and political perspective.

OWASP Manchester will not tolerate any form of violence, harassment, hate speech or trolling either off or online, or any overly drunken, intimidating or heckling behaviour.

Please respect the presenters, don’t talk amongst yourselves during their presentations and ensure your mobile phones are muted or switched off.

We want you to have fun, in a safe and respectful environment.

If you have any issues or concerns relating to the code of conduct, please contact one of the Chapter Leads either in person, through the Meetup page or via email.

Chapter Leaders:

(Names and emails as per the sidebar on the OWASP Chapter Site)

As this is a private event we reserve the right to remove, and ultimately ban, anyone who violates this code of conduct, and will report any incidents to the appropriate authorities if necessary.

Polite note to Vendors/Recruiters/Internal Recruiters/Business Development people

Vendors and Recruiters are welcome at OWASP Manchester, however we ask that you remember this is a user group, not a networking event, and tapping people up for jobs or business unprompted is not encouraged.


Past Events


2019

2019 May

  • 28th May (MeetUp)
    • OWASP ZAP - Simon Bennetts
      • OWASP ZAP's lead hacker, Simon Bennetts, will be taking us through the new User Interface for ZAP - the ZAP Heads Up Display (or HUD).
    • XML is Evil - Gerald Benischke
      • This talk describes several common security vulnerabilities, how they can be found and mitigated against. Real life examples (though anonymised) are used to illustrate how these issues can be exploited.
      • The slides from Gerald's talk can be found on SlideShare.
    • Many thanks to BookingGo for hosting this event and DISTIL Networks for sponsoring!

2018

2018 November

  • 13th November (MeetUp)
    • OWASP Manchester CTF 2018
      • Manchester OWASP will be running its first annual CTF on November 13th in partnership with Manchester Grey Hats, who will be running the challenges. The CTF will be hosted by the Manchester Technology Centre on Oxford Road and is aimed at people working in the tech industry who have an interest in security. The CTF itself will be a jeopardy-style challenge aimed at a range of technical capabilities, with some low-tech or non-tech challenges.
    • Thanks to our community sponsors; Manchester Grey Hats, North West Testers Gathering, Manchester Girl Geeks, Techs and the City, Tech Leaders of the North West and PowerShell Manchester.

2018 September

  • 4th September (EventBright)
    • Scott Helme (@Scott_Helme)
    • Catherine Chapman (@cathapman)
    • Many thanks to BookingGo (Rentalcars) for hosting this event and to SureCloud (@SureCloud) for kindly sponsoring!

2018 July

  • 17th July
    • Mike Thompson (@AppSecBloke)
    • Liz Bell (@GlitchLiz)
    • Food and drink was kindly sponsored by ReportUri (@reporturi) and NCC Group (@nccgroupplc).

2018 May

  • 3rd May (Eventbrite)
    • Themed around getting started in a career in IT Security/Secure Development; held at the University of Manchester.
    • Daniel Dresner
      • Will be taking us through his experience of careers in the IT industry and academia.
    • John Denneny
      • Founder of Pen Test Limited, will be talking about his experience of setting up and running a successful IT Security company.
    • Kindly sponsored by NCC Group.

2017

2017 April

  • 24th April
    • I found a Vulnerability! - Alex Haynes
      • The talk will cover vulnerability disclosure and the pitfalls to avoid both as a security researcher and as a company exposed to vulnerabilities. We’ll also cover different types of disclosure programs like Bugcrowd and Hackerone, and the advantages and disadvantages of each. The Grey market will get a brief look and of course we’ll talk about vulnerabilities. Lots and lots of vulnerabilities.
    • Distributed Policy Enforcement with OpenSSH Certificates - Tim Fletcher
      • OpenSSH is installed on nearly every virtual machine, physical server and many IoT devices. OpenSSH is a critical systems administration tool used to manage everything from the server in the shed to continent-spanning collections of systems. Logging in to OpenSSH quickly and securely is normally done with keys, sometimes protected with strong passphrases and hardware key storage, but all too often left lying about on laptops. Managing the list of keys and permissions for an organisation of more than a handful of people rapidly gets challenging, and tracking who has used which key to do what even more so. Using the CA feature of OpenSSH it is possible to remove all this complexity, and leverage OpenSSH to enforce your central policies and provide you with strong audit trails. The talk will cover the technical aspects of what can be done with SSH certificates and the implementation of SSH certificates for an IoT-focused business. The management server the business uses will be released shortly before the talk as an OSS project during the FLOSSUK Conference in March.
    • Hosted by ThoughtWorks at their newly refurbished City Tower offices right in the heart of the city. ThoughtWorks will also be providing the pizza.

2016

2016 November

  • 30th November
    • An Anatomy of IoT Security - Dominic Chell
      • With an estimated 26 billion devices online by 2020 and in the wake of a number of large-scale IoT hacks, IoT security has come under close scrutiny of late. This talk provides a whistle-stop tour into the world of IoT hacking, discussing the various IoT attack surfaces and using practical examples to illustrate the OWASP Internet of Things Top 10.
    • JSON Hijacking - Gareth Heyes
      • JSON hijacking is supposedly dead after the Array constructor and “Object.prototype” setter bugs have been patched or is it? This talk will show how it’s still possible to steal JSON data cross domain using various browser bugs. Gareth will take us on an epic journey of bug discovery and if we have time he may even bypass CSP for fun.
    • Kindly sponsored by Computer Science at University of Salford (Host), Pentest UK and Hedgehog Security.

2016 June

  • 16th June (Eventbrite)
    • Digital Forensics: The missing piece of the Internet of Things promise - Dr. Ali Dehghantanha
      • Every new device we create, every sensor we deploy, every byte we synchronize to other locations will at some point come under scrutiny in the course of investigations and legal matters. Yet no reliable forensics applications nor digital forensics guidance exist to retrieve the data from IoT devices in the event of a cyber event, an active investigation or a litigation request. The digital forensics of Internet of Things (IoT) technologies is the missing conversation in our headlong rush to the promise of connecting every device on the planet. This presentation discusses the issues and the importance of further development in this field, and elaborates on how forensics practitioners, device manufacturers and legal authorities could share the effort and minimise this gap.
      • Speaker’s Bio: Dr. Ali Dehghantanha is a Marie-Curie International Incoming Fellow in Cyber Forensics and has served for many years in a variety of research and industrial positions. Other than a Ph.D in Cyber Security he holds many professional certificates such as GREM, CISM, CISSP, and CCFP. He has served as an expert witness, cyber forensics analyst and malware researcher with leading players in Cyber-Security and E-Commerce.
    • Teaching secure coding - Paul Johnston
      • Many organisations invest heavily in detecting application vulnerabilities, using static analysis and pen testing. Another tool in your security arsenal is to prevent vulnerabilities being introduced in the first place. To help with this, Pentest provide a “Secure coding workshop”. The workshop teaches developers how to code securely, and avoid vulnerabilities like SQL injection and XML external entities. Having run this course with several programming languages, and students of various abilities, we’ve learned a lot about the pedagogy of secure coding. In this talk we share some of our key insights for delivering a successful secure coding workshop.
      • Speaker’s Bio: Paul is a security consultant at Pentest, working mostly on web application tests, and the secure coding workshop. He is interested in static analysis, and how frameworks can encourage developers to write secure applications. When he’s not on the computer, you might see him running or on a mountain bike.
    • Tackling Cyber Crime in the North West - Jennie Williams
      • The National Security Strategy categorised cyber-attacks as a Tier One threat to our national security, alongside international terrorism. The threat to our national security from cyber-attacks is real and growing. Terrorists, hostile states and cyber criminals are among those targeting computer systems in the UK. We all need to work together to combat this threat and help protect one another.
      • Speaker’s Bio: Jennie Williams is a Cyber Protect Officer at TITAN, the North West Regional Organised Crime Unit. Her role involves working with business, education and the general public to raise awareness of the potential risk and impact of Cyber Crime along with the simple steps that can be taken to prevent becoming a victim.
    • Kindly hosted by SpaceportX and sponsored by Avecto

2016 March

  • 17th March (Eventbrite)
    • Turning over a new Leaf - Scott Helme
      • How the world’s bestselling electric car, the Nissan Leaf can be accessed remotely to activate the climate control and spy on details of the driver’s journeys simply by knowing or guessing the VIN of the vehicle. This may seem like a harmless prank but could be used to void warranties or drain batteries remotely, with Nissan looking to add GPS tracking to the vehicles this issue could have become a whole lot worse.
      • Speaker bio: Scott is a Pen Tester by day and runs several well-known security sites and blogs by night including report-uri.io, securityheaders.io and scotthelme.co.uk.
    • Blind detection of path traversal-vulnerable file uploads - Julian Horoszkiewicz
      • Presentation of an experimental web penetration testing technique, aiming at detection of path traversal issues in file upload implementations, with zero knowledge about the remote directory structure.
      • Speaker bio: Julian Horoszkiewicz, IT Security Consultant at Pentest Ltd, OSCP, open source and security enthusiast, recently focused on methodology

2015

2015 November

  • 12th November
    • Scott Helme
      • Modern browsers have introduced new security features that websites can activate using server headers: CSP, HSTS and HPKP. I analysed the use of these headers on the Alexa Top 1 Million sites. The results are not what you might expect and the data shows some interesting trends.
      • Speaker bio: Scott Helme is an Information Security Consultant who blogs about security, privacy and performance online. He develops tools and tutorials to help you deploy the latest web security features. Read more at scotthelme.co.uk.
    • Nikola Milosevic
      • Android users face many threats and risks. Since modern mobile devices are almost always exposed to the internet and other types of mobile networks, they are always exposed to attacks. Users are usually not aware of the threats. OWASP Seraphimdroid is an OWASP project initiative with the aim of protecting users from these threats by giving them the right tools in the form of a mobile application, and of educating them through it. In this talk Nikola will present the current state and some interesting features of OWASP Seraphimdroid.
      • Speaker bio: Nikola is a project leader of OWASP Seraphimdroid project and one of the chapter leaders in Manchester. Previously, he founded and led OWASP local chapter in Serbia in 2012. At the moment he is doing his PhD at the University of Manchester. Read more at http://inspiratron.org/
    • Kindly hosted by UKFast

2015 June

  • 17th June
    • OWASP 2015 Event Introduction at the UKFast Campus
    • Do we need standardisation in penetration testing? - William Knowles
    • What we (Mozilla) and other browser vendors are doing about various problems with Internet PKI - Mark Goodwin of Mozilla
    • A busy person’s plain English guide to OWASP - Raymond Ayonote (YouTube)
    • This event is kindly hosted by UKFast and NCC Group.

2015 February

  • 17th February
    • PRSSI Quirks - James Kettle
      • James Kettle is a web security researcher on the Burp Suite team. He will be talking about a prevalent but little-understood web vulnerability, with a real example of a recent 0day in a popular web platform.
    • OWASP ZAP 2.4.0 - Simon Bennetts
      • ZAP is an OWASP Flagship project and the most active open source web application scanner. Simon is the OWASP ZAP project lead and works for Mozilla as part of their security team. In this talk Simon will give an overview of the new features available in the forthcoming 2.4.0 release.
    • Burp Collaborator - Dafydd Stuttard
      • Dafydd Stuttard is the creator of Burp Suite and author of The Web Application Hacker’s Handbook. He will be talking about a new technique for web testing that will soon be available in Burp Suite, and which will enable the automated and manual discovery of many types of vulnerability that currently elude all but the best penetration testers.
    • This event kindly hosted by KPMG, with sponsorship for refreshments from MDSec.

2014

2014 September

  • 8th September
    • Manipulation 101 (Social engineering) - Craig Fox
      • This talk will teach you about social engineering, from basic concepts to real-life examples. It will discuss why it’s so powerful, its relevance to penetration testing, common targets in a corporate environment and how, if at all possible, it can be prevented, providing a brief yet fully scoped introduction to the art of human manipulation.
      • Speaker bio: Craig started researching IT Security and programming in his early teen years and later pursued a career in these fields, taking multiple courses and various relevant jobs. He set up his own software company, Dreamwalker Software, in 2009, has had his security tools featured on many infosec websites and in Pentest magazine, and has also created the OWASP URL Checker. Several months back he joined Pentest Ltd as a penetration tester, which has enabled him to learn a lot and put his training and experience into practice in live testing, which is incredibly challenging yet fun.
    • When XML Attacks (XML External Entities) - Richard Moore
      • Richard is CTO of Westpoint Ltd, a security testing company based in Manchester. He has been working in the security industry for many years providing services to a wide range of clients including multi-nationals and banks.
    • This event kindly hosted by PwC, with sponsorship for drinks and pizza from Pentest.

2014 May

  • 13th May (Eventbrite)
    • Andy Hornsby-Jones
      • Andy’s bio line probably best introduces this: ”I also like to break things.” Andy has a tool talk covering some of the methods used to identify vulnerabilities and exploit them.
    • Matt Summers (NCC)
      • Matt’s research into website & online reputation identified a need to gauge how far a site considered ‘safe’ such as maybe the BBC was from links to known malware. He’s been developing the tool and wants to introduce it to the chapter.
    • PwC Penetration tester
      • PwC’s information security team has been busy with the topical Heartbleed vulnerability and is going to look at some methods used to detect the vulnerability, (if the demo works) detect attempts to exploit it, and share some of the defence mechanisms.
    • This event kindly hosted by PwC, with sponsorship from NCC.

2014 February

  • 27th February
    • Eye-Fi - Quick, convenient, secure? - Paul Johnston
      • (YouTube Part 1, Part 2)
      • Eye-Fi cards ingeniously embed a WiFi transmitter within an SD card. They are very convenient for transferring pictures from your camera to your computer. But are there hidden security risks?
      • Paul is a security consultant and software engineer at Pentest. He has particular interests in: web application security, static code analysis, and the design of secure end user environments. He is the lead engineer on Source Patrol.
    • OWASP Cornucopia - Colin Watson
      • (YouTube Part 1, Part 2)
      • Microsoft’s Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. “OWASP Cornucopia - Ecommerce Web Application Edition” will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.
      • Colin is an application security consultant, working for Blackfoot, based in London. He was a member of the former OWASP Global Industry Committee, and is currently project leader for the OWASP Codes of Conduct and OWASP Cornucopia projects, co-leader for the OWASP AppSensor project, and wrote the Application Logging Cheat sheet. He is now working on the new AppSensor Guide which is due for publication in 2014.
    • This event kindly sponsored by KPMG and Pentest.

2013

2013 April

  • 30th April
    • The Silk Road - The Underground Website Where You Can Buy Any Drug Imaginable - Paul Johnston - Security Consultant at Pentest
    • Data Protection Act changes - Ben Ramduny - KPMG
    • OWASP Top 10 2013 update - Changes to the top 10, why, do we agree, what’s missing? - Ben Fountain - PwC, Simon Bennetts - Mozilla

2012

2012 September

  • 11th September
    • CVE-2012-2122 - MySQL authentication bypass and code analysis - Campbell Murray
      • Campbell will give a proper tekky talk on CVE-2012-2122, more readily known as the MySQL authentication bypass and code analysis.
      • Speaker Bio: A UK pen tester & community contributor. Tech Director of Encription Limited, Director and member of the Technical Panel for Tigerscheme
    • The OWASP Zed Attack Proxy - Simon Bennetts
      • Simon will explain what ZAP is, how you can use it, recently added features and features planned.
      • Speaker Bio: Mozilla Security Team and OWASP ZAP Project Leader
    • Open mic: bring a topic!
      • Depending on how things go, there’s an optional session where anyone can stand up and talk (or start a discussion) for up to (say) 5 minutes about any security topic they like. You can either put your name forward via the mailing list beforehand or just speak up at the meeting. It’s the first time we’ll have tried it, so no idea how it will work out, but it sounded like a good idea :)
    • This meeting was kindly hosted by PwC.

2012 May

  • 30th May
    • OWASP Chapter introduction. OWASP values and membership. Chapter information.
    • BYOD Could You Would You Should You - Mobile Device Management for BYOD - Ben Ramduny - KPMG
      • PPTX
      • This presentation discussed the current trend of adopting some form of BYOD policy and the security implications of doing so. Also discussed are the options available to help mitigate some of the risks associated with allowing personal mobile devices to access corporate data.
    • Building a secure SDLC utilising OWASP resources - Jason Alexander - Security Architect - KPMG
      • In this presentation Jason showed how the free and open resources of OWASP (Open Web Application Security Project) can be utilised to initially measure the current status and maturity of security within your software development life cycle and then drive improvements at every stage: from setting security requirements and implementing standards to developer training, software testing and, all importantly, measuring results.
    • This meeting was kindly hosted by KPMG.

2012 February

  • 1st February
    • OWASP Chapter introduction. OWASP values and membership. Chapter information.
    • An Introduction to the OWASP Top Ten - Simon Bennetts
      • PPTX
      • The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
      • In this presentation Simon will give an introduction to each of the top 10 security flaws and explain why they are so dangerous.
    • Evaluating iOS Applications - Dominic Chell - MDSec
      • PDF
      • In this presentation, Dominic will discuss the lessons learned from evaluating iOS applications. It will cover a brief introduction to the security features of the platform and how they affect mobile applications then delve in to details on some of the most common iOS vulnerabilities the author has experienced during testing.
      • Speaker Bio: Dominic is the co-owner and director of MDSec; a security consultancy based in the UK. Prior to this, Dominic worked at NGS Software for 6 years where he was a CHECK Team Leader & CREST consultant. Dominic has published numerous exploits and advisories over the years as well as given web application security training at BlackHat Vegas.
    • This meeting was kindly hosted by PwC.

2011

2011 November

  • 16th November
    • OWASP Chapter introduction. OWASP values and membership. Chapter information.
    • Policy is the best honesty - Dr Daniel Dresner, Head of Information Assurance Practice, National Computing Centre
      • PDF
      • Technology is rapidly emerging and maturing to enable connectivity and interoperability of a panoply of devices. The right investment relies on addressing workable, realistic policies first. Daniel will tell you about what NCC members are doing to allow staff to ‘BYOD’ and build pragmatic iPolicies.
    • Non-alphanumeric code in JavaScript and PHP - Gareth Heyes
      • PDF
      • Understanding how to create non-alpha code leads to a deeper understanding of how the particular language works. Gareth shall discuss the history of non-alpha JavaScript, and the challenges and creativity behind it. How can you decode this? (Gareth will explain.)

        ```javascript
        $=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")
        [$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};
        $.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])
        +($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+
        $.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+
        $.__$+$.$$_+$._$_+$.__+"("+$.__$+")"+"\"")())();
        ```

        Gareth shall also cover how to create this in PHP and what techniques are involved.

      • Speaker Bio: Gareth Heyes is an independent security researcher who specializes in browser and JavaScript research. He has authored many free online tools and sandboxes including Hackvertor and JSReg.

2011 August

  • 24th August
    • As part of the Leeds Chapter
    • OWASP Chapter introduction. OWASP values and membership. Chapter information.
      • OWASP Manchester board member
    • SSL: Paved with Good Intentions - Richard Moore, CTO Westpoint Ltd
      • PDF: Slides
      • PDF: Colour map of CAs
      • At first glance, SSL seems very complicated to add to your site. Once you become a little more knowledgeable you know that it’s a simple matter of getting a certificate from a trusted CA and installing it. Unfortunately you were right the first time, and it is actually very complicated to do correctly. This talk aims to explain how the various parts of SSL fit together to provide users with decent security, showing the problems components like OCSP and certificates solve. As well as explaining the evolution of SSL over time, it will cover enhancements that are just reaching deployment such as Server Name Indication and OCSP stapling. Finally, it will also highlight various ways that everyone from SSL implementers, system administrators, browser developers to users can manage to undo all this hard work and make it insecure anyway.
      • Speaker Bio: Richard is CTO of Westpoint Ltd, a security testing company based in Manchester. He has been working in the security industry for many years providing services to a wide range of clients including multi-nationals and banks. Richard has extensive experience in SSL from both the point of view of a software developer as one of the maintainers of the SSL support in Nokia’s Qt library and KDE, and also from a security testing perspective.
    • Forensic Readiness – Give your investigators a fighting chance - Ryan Jones, SpiderLabs Incident Response Team leader
      • Investigators are often faced with poorly configured systems which thwart the investigative process. This commonly leads to incident response reports with fragmented timelines of attack and leaves risk managers having to make difficult decisions based on incomplete information. Companies that consider Forensic Readiness put their investigators in a much stronger position and can expect considerably more accurate outcomes from a forensic investigation. This talk looks at the same web application attack, carried out on systems with differing audit controls. The first system has ‘out of the box’ logging and the second has had logging improved through a Forensic Readiness process carried out before the attack. We approach the machines as an Incident Response Specialist would and compare the evidence stores and the ability of the investigators to draw accurate conclusions based on the evidence available. We will look at the contrasting final reports which are produced with the differing levels of forensic evidence, highlighting the decisions that have to be made based on the varying level of detail provided in the reports. Someone for whom forensic investigation of web application exploits is a new topic will gain an understanding of some of the forensic techniques possible, whilst attendees who already have some forensic investigation knowledge will understand how forensic readiness can have a massive effect on the outcome of investigations.
      • Speaker Bio: Ryan Jones currently leads the SpiderLabs Incident Response Team in EMEA. The team commonly manages data compromises related to cardholder data but is also regularly involved in other projects such as ATM compromises and data breaches caused by internal staff. The Incident Response team also carries out proactive engagements to ensure that customers have an effective incident response plan, drawing upon extensive knowledge of how it goes wrong in real data security breaches to improve companies’ approach to Incident Response. During his incident response career Ryan has worked for both UK national law enforcement and private companies. He has been involved with both criminal and corporate investigations with scope ranging from a single mobile telephone to multinational networks. For the past 4 years, Ryan has been a corporate first responder involved with a wide variety of businesses, from small companies to multinationals, during times when they have been struggling to react to a rapidly changing data compromise situation. Ryan firmly believes that a consultative approach coupled with the appropriate technical knowledge is key to successful incident response engagements. Ryan graduated from the University of Kent with a First Class BSc in Computer Science. He is also a PCI QSA. In his spare time he can be found skydiving at various dropzones around the country.
    • This meeting was kindly hosted by KPMG.

2011 June

  • 22nd June
    • As part of the Leeds Chapter
    • OWASP Chapter introduction. OWASP values and membership. Chapter information.
    • Talk title to follow - Rapid 7
    • How to become Twitter’s admin: An introduction to Modern Web Service Attacks - Andreas Falkenberg, RUB
    • This meeting was kindly hosted by KPMG.

2010

2010 December

  • 8th December
    • As part of the Leeds Chapter
    • OWASP Chapter introduction. OWASP values and membership. Chapter information.
    • upSploit - Vulnerability Advisory Solution - Thomas Mackenzie
      • Over the past year a lot of vulnerabilities have been released out into the wild and a lot of discussion has been had on what ethical disclosure is. upSploit is an online web application / tool that can be used by researchers to release vulnerabilities as ethically as possible. The talk consists of a number of parts including: Information on vulnerability disclosure before upSploit was around, the creation / idea of upSploit and how it has helped and is helping the community at the moment.
      • Speaker Bio: Tom is studying for a BSc (Hons) in Ethical Hacking for Computer Security at Northumbria University in Newcastle and has worked part time for the Wetherby-based company RandomStorm, conducting web penetration testing, external penetration testing and building wireless analysis solutions. Tom found a vulnerability in WordPress back in February 2010 which helped him kickstart his career in infosec whilst still studying. Previously the co-host of the popular UK student podcast Disaster Protocol, Tom now spends all his time away from that on the upSploit project, making sure his team gets stuff done!
    • Avoiding the CWE/SANS Top 25 Most Dangerous Programming Errors - Jason Steer - Solution Architect at Veracode
      • The CWE/SANS list of the Top 25 Most Dangerous Programming Errors is becoming the standard for developing secure applications in large enterprises. Even the State of New York and the Depository Trust & Clearing Corporation (DTCC) plan to implement procurement contracts that include language mandating application security. Whether you manage internal development activities, work with third-party developers or are developing commercial-off-the-shelf (COTS) applications for enterprises, your mandate is clear: safeguard your code and avoid the CWE/SANS Top 25 Most Dangerous Programming Errors.
      • During this presentation, Jason will discuss:
        • Prevalence of attacks using vulnerabilities listed in the CWE/SANS Top 25
        • CWE categories illustrated with code snippets in .NET, Java, and other languages
        • Impact of attacks on your application and your customers
        • Methods to identify, track and remediate these vulnerabilities
      • Session attendees will leave armed with the necessary steps to ensure that they’re building secure applications.
    • OWASP Zed Attack Proxy - Simon Bennetts - Project Lead and technical team lead at Sage UK
      • The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
      • In this presentation Simon will explain why it was released, who it is aimed at and where it is headed.
    • This meeting was kindly hosted by KPMG.

Sponsorship

We are looking for organizations to sponsor the Manchester chapter.

You can sponsor the chapter for one year at the following levels:

  • £1000 Silver
  • £2000 Gold
  • £3000 Platinum

You can also sponsor a meeting by hosting the event or donating £200.

If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.


Local Organizations

Other related organizations in the Manchester area:

Please get in touch with one of the chapter leaders to get your organization listed here.

And feel free to use the mailing list to publicise related events.