OWASP Newcastle (UK)

Next Event

23/02/2021 1900 - 2030 Online

Our first event of 2021 and we’re back with two great talks.

Talk 1

Title: Detect complex code patterns using semantic grep

Speaker: Colleen Dai

Bio: Colleen Dai is a security software engineer at r2c, a startup working on building static analysis tools that focus on precision and being custom-fit to the consumer. At r2c, Colleen has worked on the language parsing along with AST matching. She is also writing rules to find security vulnerabilities in open source code. Colleen recently received her B.S. in Computer Science and M.S. in Statistics from Stanford. She regularly enjoys Brazilian Jiujitsu, drawing, and trying (and failing) not to eat everything in her fridge.

Description: We’ll discuss a program analysis tool we’re developing called Semgrep. It’s a multilingual semantic tool for writing security and correctness queries on source code (for Python, Java, Go, C, and JS) with a simple “grep-like” interface. The original author, Yoann Padioleau, worked on Semgrep’s predecessor, Coccinelle, for Linux kernel refactoring, and later developed Semgrep while at Facebook. He’s now full time with us at r2c.

Semgrep is a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. Semgrep is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.

For example, find subprocess calls with shell=True in Python using the query:

subprocess.open(..., shell=True)

This will even find snippets like:

import subprocess as s s.open(f'rm {args}', shell=True)

Or find hardcoded credentials using the query:

boto3.client(..., aws_secret_access_key=”...”, aws_access_key_id=”...” )

Source code: https://github.com/returntocorp/semgrep

Test in your browser: https://semgrep.dev/

Talk 2

Details soon

Previous Events

Here are the details from previous OWASP Newcastle meetups. Often there are links to presentations available.

2020

03/11/2020

Title: iOS Encryption State Handling And Your Sensitive Personal Data

Speaker: James Duffy

Bio*: I’m James - a 19-year-old Cyber Security student. I spend my time researching and expanding my knowledge in the area of Mobile Forensics and iOS Security Research. I enjoy creating free resources for the community, and developing software solutions to aid the research and data extraction process.

Description: From the bootloader to the user-facing interface, we’ll learn how Apple implements data security and encryption state handling on a basic level and how we can take advantage of Apple’s current implementation for forensic purposes

Title: How to setup a new Red Team in a FTSE 100 (and what I learned doing it)

Speaker: Robin Fewster

Bio: Robin currently manages a global internal red team at Sage, which is a fintech company listed in the FTSE 100 having 13,000 employees and hundreds of cloud-hosted services across a variety of cloud service providers. An experienced former CHECK Team Leader / CREST Certified Tester, CREST Registered Intrusion Analyst, PCI QSA and PA-QSA, Robin also spends some of his personal time to co-lead OWASP Newcastle and (ISC)2 North East England security meetups. With a strong interest in offensive security testing, Robin is involved with bug bounty programme management, red teaming and penetration testing but also maintains an interest in blue teams having previously worked in the application security team at Sage in an Agile development environment.

Description:

• Why setup a red team inside your company?
• How to put the business case together
• Getting the buy in and executing the business case
• Lessons learned

05/05/2020

Title: Malware Threat Analysis and Intelligence Recon – Trickbot

Speaker: Chris Young

Bio: Chris is an information security consultant with Pentest Ltd. Despite his youthful looks, Chris is old enough to remember the birth of Internet, dialling into AOL and running amok in #IRC Channels. Late to Infosec party - Chris changed career from Learning Technology to Security in 2016 after completing a MSc in Information & Network Security.

Description: This presentation will provide you with some information on each of the Malware threats that I like to call “the 3 amigos” – Emotet, Trickbot and RYUK. I then focus in on Trickbot and the different types of modules that it uses. I also examine the ecosystems that attackers use to spread their malware. Additionally, I will provide some useful links for anyone thinking of getting started in malware analysis. Not a super technical talk so no reverse engineering skills required! 😊

Title: Alice Through the Cyber Looking Glass

Speaker: Rick Trotter

Bio: Rick Trotter is one of the last Generation-X geeks who grew up in a time of Microcomputers, IRC and BBS systems, becoming a digital pioneer in a new wild west web and falling through time one platform at a time. Join me gazing through the looking glass of an adventure spanning 40 years as we look to a new dawn of computing.

Description: “Living backwards!” Alice repeated in great astonishment. “I never heard of such a thing!” “—but there’s one great advantage in it, that one’s memory works both ways.” “I’m sure mine only works one way,” Alice remarked. “I can’t remember things before they happen.” “It’s a poor sort of memory that only works backwards,” the Queen remarked. Rattling around in my rusty cranium are memories of computing years past; a million lines of code and mistakes aplenty across a varied career that prelude to a dozen possible futures. If there’s one thing that I’ve learned it’s that humans have a tendency to make the same mistakes over and over in new and interesting ways. I’ve lived through a few of the major events in recent computing history: from the dawn of the Internet, the rise of the Microcomputer, the invention of the world-wide-web, the dot-com bubble and the explosion of social media; but what lessons can we learn as a new generation takes over the console while the rest of us shuffle off into the end of line character?

Title : A High Level Overview of the UK Smart Metering Programme

Speaker: Zach Anucha

Description: This presentation will provide you with a high level overview of the UK Smart Metering Programme, its timelines, what the government is looking to achieve through the programme and the role CGI its implementation. Also, an overview of the intended impact on the UK, issues of privacy – personal and personal sensitive data, and critical national security data will be explored. CGI’s role in securing the infrastructure, the data and assurance regime covering Independent Competent Organisation, SOC2, ISO27001 Certification, CHECK Pen Tests will be discussed at high level. Finally the core Security Services that CGI provides - (DCCKI (PKI), Federated IDM, Anomaly Detection, Access Control Broker, will be covered at high level.

Title: 5G and LTE security

Speaker: Matt Summers

Bio: Matt is an accomplished security consultant with over 2 decades of experience. A former Army Captain within the British Army’s Information Assurance unit and former HMG Science Advisor specialising in research and development of secure hardware and software solutions. A co-founder of the BSides London security conference, co-founder and director of the BSides Manchester security conference and chief cat herder for the DefCon Aerospace Village Matt has a passion for knowledge sharing and community engagement. He was recently appointed to the executive at CREST.

Description: This presentation is about 5G and LTE security and an adaption of his 44Con talk from 2019 which wasn’t recorded. We will initially get an overview of the technology followed by a deep dive into LTE flaws and misconceptions. Followed on by a look at 5G security and how most security experts are getting it wrong with 5G.

Title: What I learned from running a honeypot

Speaker: Andi

Description: Towards the end of 2019 I ran several honeypots for around a week. This talk aims to walk through how to set up your own, learning from my mistakes, and then examines the data about what attacks are really taking place.

2019

03/12/2019

Capture the flag event

Following on from the success of their recent Avalanche CTF, we’ve asked Pentest to build a brand new CTF for everyone to tackle at OWASP Newcastle. Avalanche 2, as they’re calling it, will still be based on a petition/campaign website like 38 degrees or the UK.gov, but promises to be bigger and better than the original, with a host of new challenges.

With assistance from our friends at Pentest Limited, we present to you Avalanche 2.

All levels of experience are welcome, starting from zero knowledge right up to experienced red teamer. All you need to do is bring yourself plus a laptop. You will learn something new, and if you don’t you will have fun anyway! You can work alone or in a team.

If you’d like to have a go at the original Avalanche CTF you still can by visiting https://pentest.co.uk/labs/avalanche-ctf/

As always, we will be providing pizza and drinks courtesy of our sponsors at Sage. If you have any dietary requirements please just message one of the organisers and we can make sure you’re catered for.

Schedule:

• 1800 - 1815 - Arrival and networking
• 1815 - 2100 - Avalanche 2 CTF
• 2100 - onwards Pub?

23/09/2019

Title: Stalk Awareness

Speaker: Cian

Description: We often focus on nation states and corporation’s role in eroding our privacy and expanding omnipresent surveillance worldwide, meanwhile an entire niche industry that caters to regular consumers who want similar spying capabilities has slipped largely under the radar. Mobile apps that are designed to enable toxic and abusive behavior are being openly sold on the internet, marketed directly to abusers, these apps have come to be termed “stalkerware”.

This talk will present analysis of the stalkerware industry, its products, marketing and the scope of the problem it represents, as well as potential solutions. I’ll be examining these topics from both a technical and non-technical standpoint, based on many months of personal research.

Title: Rethinking Threat Intelligence - a quick glance at intelligence led risk management - Slides

Speaker: Adam Pickering

Description: 45 min chat about rethinking how we use threat intelligence capabilities within enterprise to bring about changes to the way we deploy countermeasures against threat actors

13/06/2019

Red Team versus Blue Team event

Title: Red Teaming a view from the field

Speakers: Andi Pannell and Gavin Johnson-Lynn

Description: A talk about what red teaming is, how it is different from a penetration test, and then we’ll reveal some hardware we use during red team engagements and some success stories.

Title: Protecting the museum – HIPS

Speaker: Marek Banas

Description: How you can minimise the manual labour with increasing the security on legacy servers, plus some issues we hit while choosing the solutions, challenges we had.

26/02/2019

The talk will be three smaller talks, covering:

• Remote online social engineering (how attackers use catfishing techniques)
• Hacking with light and sound (using infrared, ultrasound, and lasers to exfiltrate data and disrupt sensors)
• Attack linkage (using granular attack behaviours to link different cyber attacks)

Speaker: Matt Wixey

Title: Getting stakeholders on board”

Speaker: Kathryn Cardose

Description: So you’ve nailed the tech, you’ve found the controls, you’ve requested remediation…..how do you get stakeholders of all levels to buy in and support security?

2018

25/09/2018

Title: Don’t tell your Big Brother

Speaker: Andy Ferguson

Description: Encryption tips and tricks.

Title: My Path to CSSLP

Speaker: Gavin Johnson-Lynn

Description: Join me on a journey from a vague knowledge of security to gaining a valued security certification. For anyone considering certification as a route to success, self-improvement, or even just some thoughts on how I approached it. We’ll look at what I learned and how I learned it, including some tricks I picked up along the way to help cram information into my brain (and keep it there).

26/06/2018

We held our first CTF (Capture The Flag) event.

The CTF event was facilitated by Secarma. The attendees were split into groups, each group had their own sandboxed environment to connect into, and prizes were offered to the teams who captured the most flags.

27/03/2018

Title: The Internet of (broken) things.

Speaker: Andi Pannell

Description: This talk will focus on the internet of things, how we’re connecting everything to the internet now, because why not add a WiFi connection to your Fridge? And how security is unlikely to be a consideration when making these products. I’ll also talk about DefCon, as last year my company sent a team of us to DefCon 25 in Las Vegas, explaining what DefCon is, what happens there, and how we won the IoT Village 0-day contest and I’ll conclude with a live hacking demo.

Title: An introduction to the OWASP automated threats to web applications

Speaker: Colin Watson

Description: Web applications are subjected to unwanted automated usage – day in, day out. The vast majority of these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is often mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the attacker’s primary intent.

• Project page
• Handbook PDF file
• Handbook print version

30/01/2018

Title: Code that fights back

Speaker: Neil Dixley

Description: Lessons from the gaming world on detecting and responding to attacks on software assets. An introduction to proactive software security including a philosophical look at how far we should go to protect our apps.

Title: Practical demonstration of mobile software penetration

Speaker: Luke Sadler

Description: Luke Sadler walks us through hands on examples of cracking mobile technology.

2017

21/11/2017

Title: Explain hacking in ten minutes

Speaker: Lorenzo Grespan

Description: Recently I had to show a 10-minute “live hack” to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go “aha!” turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users.

Title: Building a Development Environment That’s ‘Secure Enough’

Speaker: Robin Sillem

Description: This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data. Media:Modern_DevOps_and_security.pptx

19/09/2017

Title: Running a security event using OWASP Security Shepherd

Speaker: Gareth Dixon

Description: In this talk I will cover running a security event using OWASP Security Shepherd. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective.

Title: Enter the (Threat) Dragon

Speaker: Mike Goodwin

Description: Threat Modeling with OWASP Threat Dragon. Threat modelling is a great technique for hardening your application designs, but current tooling is a bit “crashy”, limited to Windows or not free. OWASP Threat Dragon is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it’s future road map and a look under it’s hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you.

2016

23/08/2016

Title: 50 Million Downloads and All I Got Was Malware

Speaker: Andi Pannell

Description: How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too.

Title: OWASP Cornucopia

Speaker: Colin Watson

Description: OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal).

2015

24/11/2015

Title: The problems with proving identity

Speakers: Ben Lee and Ross Dargan

Description: In this talk Ross and Ben will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren’t. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don’t have all the answers. The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…* (*Talk may not be historically accurate! ;))

Title: Think about the Top 10 Controls, not the Top 10 Risks

Speaker: Colin Watson

Description: The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities. Take a copy of the game away with you - it is suitable for developers of all sizes.

Title: Automated Security Testing Using The ZAP API

Speaker: Michael Haselhurst

Description: This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi.

Title: Real world defence in depth (part 1)

Speaker: Mike Goodwin

Description: Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality.

29/09/2015

Title: Securing Real-Time Networks

Speaker: John Beddard

Title: Content Security Policy

Speaker: Ian Oxley

Title: Threat Dragon - a new threat modelling tool project from OWASP

Speaker: Mike Goodwin

Title: OWASP Top 10 Mobile Risks

Speaker: Neil Dixley

28/07/2015

Title: Honeypots; from research to the Enterprise

Speaker: Andrew Waite

Title: Security in the World of Containerisation

Speaker: George Chlapoutakis

29/05/2015

Title: An introduction to basic application penetration testing

Speaker: Robin Fewster

Description: An introduction to penetration testing, using several OWASP projects as well as other open source and free programs.

Title: The Elevation of Privilege Threat Modelling Tool

Speaker: Neil Dixley

Description: An introduction to threat modelling and using the ‘Elevation of Privilege’ card game to facilitate and improve team threat modelling exercises.

24/03/2015

Title: Cognitive Bias and Security Vulnerabilities

Speaker: Neil Dixley

Description: The psychology of software engineering. An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security.

Title: Security Compliance for Developers - Are we Certified… or Certifiable?

Speaker: Andy Ward

Description: Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it’s never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning ‘banking grade encryption’! After a quick reminder of “what’s the worst that can happen…”, Andy will introduce some of the security Compliance and Certification systems that help you ‘walk the walk’, and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams.

Sponsorship

Sponsor(s): Many thanks to Sage for sponsoring our chapter and allowing us to continue to run our events. They are a platinum sponsor and we are grateful for their generous support.

Also a big thank you to CGI for sponsoring us from February 2020. This will allow us to record our events going forward.