OWASP Oslo
Welcome
Welcome to the OWASP Oslo chapter. Please join our Meetup group to receive information about upcoming events.
Next event
Participation
The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. All of our projects, tools, documents, forums and chapters are free and open to anyone interested in improving application security.
Chapters are led by local leaders in accordance with the Chapter Policy. Financial contributions should only be made online using the authorized online donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP Project, independent research, or related software security topic you would like to present.
Everyone is welcome and encouraged to participate in our Projects, Local Chapters, Events, Online Groups, and Community Slack Channel. We especially encourage diversity in all our initiatives. OWASP is a fantastic place to learn about application security, to network, and even to build your reputation as an expert. We also encourage you to become a member or consider a donation to support our ongoing work.
Past events
2024-11-27, 17:30 - 20:00
Bug Bounty Bonanza
Location: SpareBank 1 Utvikling, Hammersborggata 11, Oslo
Meetup event: https://www.meetup.com/owasp-oslo/events/304502608/
Welcome to the OWASP theme evening on bug bounty! Finder's fees for vulnerabilities should be mandatory for important public-facing solutions on the internet, but in Norway they are the exception rather than the rule. We are pleased to invite you to two experience talks on introducing and running bug bounty programs, and one talk on what it is like to participate as a tester.
Food is served at 17:30, and the talks start at 18:00. There will be time for questions and discussion.
The theme evening is held in SpareBank 1 Utvikling's meeting room centre. We ask that you provide a phone number when registering, so we can pre-register you as visitors.
Put a bounty on your vulnerabilities - Jon Are Rakvåg, SpareBank 1 Utvikling
SpareBank 1 Utvikling builds the online bank, and we do everything we can to make it secure. Still, we were convinced that we had vulnerabilities we had not found yet. We were right!
Let's talk about what SpareBank 1 learned from introducing finder's fees for vulnerabilities, and why you are crazy if you don't do the same. What makes bug bounties unique, and how did it save the speaker's behind?
30 min
FINN.no’s Secret Sauce: how we went from finding 15 vulnerabilities to over 100 per year! - Emil Vaagland, FINN.no
Since 2019 FINN.no has tried a lot of different appsec tools and processes to improve our security. In this talk you will learn about the most effective of them all, namely our private bug bounty program. In terms of finding real vulnerabilities, this activity outshines any other appsec tool or process by a large margin; it enables us to find a lot more vulnerabilities than before at a fraction of the cost of traditional pen-testing. We will talk about how to run an effective bug bounty program and why it should be the key ingredient of your appsec program. We will also showcase some high-impact vulnerability reports we have received to show the real impact you can get from a bug bounty program.
20-30 min
Vulnerabilities as a hobby - Joakim Harbitz
Hunting for vulnerabilities can be both exciting and challenging, but how do you actually get started?
Joakim is a pentester by day and a dedicated bug bounty hunter by night. In this talk he shares his best tips and tricks for getting started, and how to develop a mindset that increases the chances of finding the next vulnerability.
Whether you are a beginner or have some experience, this talk will give you insight into how to stand out in a competitive arena, and how small details can reveal big opportunities and lead you to vulnerabilities no one else sees.
20-30 min
2024-10-15, 17:00 - 19:00
Gamification of Threat modeling
Location: Visma Enterprise AS, Karenslyst Allé 56, Oslo
Meetup event: https://www.meetup.com/owasp-oslo/events/303410666/
17:00-17:30 - Food serving
17:30-18:15 - Gamification of Threat Modeling for Machine Learning, Elias Brattli Sørensen
18:15-19:00 - Let’s play OWASP Cornucopia!, Johan Sydseter
Gamification of Threat Modeling for Machine Learning
Artificial Intelligence (AI) has established itself as an important part of our lives, with machine learning spearheading the most notable innovations in the last two decades. Publications about prompt injection and similar attacks get a lot of attention. However, these are far from the only security issues with machine learning systems. We also have to think about challenges like poisoned data, recursive data pollution and all the personally identifiable information the models have memorized, as well as other inherent weaknesses of stochastic systems. Too much focus is directed towards operational security in the Ops part of MLOps, while the shift-left idea of building systems “secure by design” during planning and development does not get enough emphasis. Threat modeling and risk analysis will likely play an important role in the future of machine learning security. I introduce Elevation of MLsec, which is an extension of Shostack’s threat modeling card game Elevation of Privilege, based on the risk framework published by the Berryville Institute of Machine Learning (BIML). In this talk, we will demystify how machine learning systems actually work and explore how the threat modeling game can help us engineer more secure machine learning systems.
Let’s play OWASP Cornucopia!
OWASP Cornucopia is a card game that assists software development teams in identifying security requirements in agile software development processes. It is language, platform, and technology agnostic.
In this session we will learn to play the game in a different way from what we usually do. Johan Sydseter, OWASP Cornucopia co-lead and game master, will take you through a provocative scenario. Confronted with the grumpy old senior developer who refuses to shift left because of too many hours working overtime on his incredibly sophisticated pet projects, what will you do? Will you be able to teach him a lesson about why security is important, or will he be laughing all the way to his developer cave? Only truly passionate application security engineers will succeed. Expect confetti, swag (yes, you read right, swag, valued just below the corruption limit) and illegal bribes as you venture into the unknown of OWASP Cornucopia.
Speakers
Elias Brattli Sørensen is a software engineer and security champion at Kantega SSO, engineering digital identity standards for secure authentication to the Atlassian ecosystem while facilitating and promoting secure software development practices. He holds an M.Sc. in Computer Science from NTNU, where he researched the use of static analysis tools like SpotBugs to find vulnerabilities in OpenID Connect client implementations.
Johan Sydseter is co-leader of OWASP® Cornucopia and co-creator of the OWASP® Cornucopia Mobile App Edition. The man with the long hair, not the long beard. Fresh meat in AppSec and OWASP, but with 15 years’ experience building and designing backend and frontend solutions as a designer, developer and architect. He has held several presentations on appsec at various international conferences, and loves confetti and funny glasses.
2024-04-29, 17:00 - 19:00
OWASP Oslo Chapter meetup
Location: Nav, Fyrstikkalléen 1, Oslo
Meetup event: https://www.meetup.com/owasp-oslo/events/300368216/
Big thanks to NAV for sponsoring this event!
17:00-17:15 - Food
17:15-18:00 - Finding a three 0-day exploit chain in Ivanti EPMM and Ivanti Sentry, Tor E. Bjørstad and Erlend Leiknes, mnemonic
18:15-19:00 - Testing race conditions has never been faster, Sofia Lindqvist, Binary Security
Finding a three 0-day exploit chain in Ivanti EPMM and Ivanti Sentry
During the summer of 2023, a team at mnemonic discovered three 0-day vulnerabilities in Ivanti Endpoint Protection Manager Mobile (EPMM, formerly known as Mobileiron Core) and Ivanti Sentry.
CVE-2023-35078: authentication bypass in Ivanti EPMM, CVSS 9.8
CVE-2023-35081: path traversal / arbitrary file write in Ivanti EPMM, CVSS 7.2
CVE-2023-38035: authentication bypass in Ivanti Sentry, CVSS 9.8, allowing command execution as root
All three vulnerabilities are listed in CISA’s Known Exploited Vulnerabilities catalog, as they are known to have been exploited by threat actors in the wild. Ivanti has also confirmed that the vulnerabilities can be combined in an exploit chain. In this talk we’ll take a closer look at what actually happened.
Speakers
Tor E. Bjørstad has spent his entire career in security and privacy. For the last decade he has worked as a principal security consultant at mnemonic, based in Oslo. He has mainly focused on software security and security architecture, with a particular interest in society-critical infrastructure. Tor holds a Ph.D. in cryptography from the University of Bergen.
Erlend Leiknes, a security consultant at mnemonic AS, Oslo, spends his days as a penetration tester. His professional motto is that most vulnerabilities are obvious; the endeavor is to look in the right places. Erlend holds a master’s degree in technical societal safety from the University of Stavanger.
Testing race conditions has never been faster
Historically, testing for race condition vulnerabilities in web apps has been a painful ordeal, likely making race conditions an under-explored attack vector. In the summer of 2023, groundbreaking research by James Kettle completely changed the game, suddenly making it much easier for pentesters (and attackers) to test for this type of vulnerability. In this talk I will show how race conditions work, how to test for them and how to protect against them, based on an example vulnerability I found during a recent pentest.
Speaker
Sofia Lindqvist, security specialist, Binary Security
Sofia works as a security specialist at Binary Security. She started her career with a PhD in pure maths, followed by three years at Cisco developing one of their networking OSs. She eventually made her way into security testing, which she has been doing for a year and a half.
2023-11-28, 17:00 - 19:00
The ML(Ops) Security Landscape
Location: Ardoq, Myntgata 2, Oslo
Meetup event: https://www.meetup.com/owasp-oslo/events/297278006/
Welcome to OWASP Oslo’s November meetup, hosted by Ardoq!
You are welcome to arrive anytime between 17:00 and 17:30. Pizza will be served :) We plan to kick off the talk around 17:30.
More Tools Mean More Misconfigurations - The ML(Ops) Security Landscape
In this talk, we will cover some of the issues related to the emerging field of Machine Learning and AI security. We will cover some low-hanging fruit related to ML security: we will show how attackers can get access to victims’ secrets, source code and API keys. We will also talk about OWASP’s initiatives for AI security, such as the OWASP Top 10 for ML, the OWASP Top 10 for LLM, and the OWASP AI Security Guide.
Mikołaj Kowalczyk
Mikołaj is an experienced engineer with an interest in the offensive side of cybersecurity, and is a part of the Security team at Ardoq.
Since the very beginning of the Large Language Models hype, Mikołaj has been researching the possibilities of these new technologies – both for defence and attack, and has also been involved in a community around Large Language Models security. He runs a bi-weekly AI security newsletter – The Real Threats of Artificial Intelligence and explores the new attack surface that LLMs have brought to software development. Mikołaj also contributes to the development of a new Machine Learning security guideline – OWASP Top10 for Machine Learning.
2023-09-20, 18:00 - 20:00
Test Driven Application Security + Post-Quantum Cryptography 101
Location: Visma Enterprise AS, Karenslyst Allé 56, Oslo
Meetup event: https://www.meetup.com/owasp-oslo/events/295822703/
Welcome to OWASP Oslo September meetup. Special thanks to venue and food sponsor Visma.
First presentation: Test Driven Application Security - Tobias Ahnoff and Martin Altenstedt
Most penetration tests find vulnerabilities present in the OWASP TOP 10 lists. Many originate from unclear non-functional requirements and a lack of tests with security in mind. This presentation will demonstrate a test-driven approach to application security and show how we can write automated tests to prove that our defenses work as expected. Demos will be in C#, for an API in ASP.NET Core 7.
Target audience: All concerned with building secure applications. The demos are in C#, so it is good to have a basic understanding of C# and unit testing, but the concepts and security best practices are relevant regardless of programming background and level.
Tobias Ahnoff - Application security specialist at Omegapoint
Tobias Ahnoff is an experienced .NET developer and architect with focus on application security. He specializes in implementing authentication flows and authorization for web applications and APIs that manage sensitive data in the bank, finance, and health sectors. He performs security reviews and penetration tests as part of Omegapoint Cybersecurity Gothenburg, a group of experts in application security.
Martin Altenstedt - Application security specialist at Omegapoint
Martin Altenstedt is a software developer and architect with 25 years of experience in Sweden’s IT industry. He specializes in being able to take part in both the development and management of software. He is part of Omegapoint Cybersecurity Gothenburg, a group of experts in application security, and has developed several courses in secure application development and gives presentations on application development and security.
Second presentation: Post-Quantum Cryptography 101 - aka. The end of the world as we know it - Stian Svedenborg
You might have heard that the advent of Quantum Computers heralds the end of commonly used cryptography, but what does that mean, and why does it concern you? In this talk, I will help answer some of these questions. You will learn what a Quantum Computer is, why they are such a bad thing for cryptography, and what you should do about it.
Target audience: The talk does not require any prior knowledge, but some points will be lost on non-technical participants. Developers, Tech Leads and Architects will get the most out of the talk, but the content is adapted to a varied audience, so managers of technology businesses would also benefit.
Stian Svedenborg
Stian is a security enthusiast with a passion for cryptography. He graduated from NTNU in 2014 specializing in cryptography and spent a number of years as a developer. He has entered the eID space as the Security Architect for BankID.
2023-06-29, 17:00 - 19:00
June meetup
Location: Blank, Torggata 15, Oslo
Meetup event: https://www.meetup.com/owasp-oslo/events/294176472/
Blank is the sponsor of this meetup! Thank you!
Agenda:
17:00-17:30 : Food
17:30-17:50 : How to get pwned by npm packages and weak settings in GitHub Actions - Erlend Åmdal
18:00-18:45 : Open Policy Agent in-depth - Anders Eknert
How to get pwned by npm packages and weak settings in GitHub Actions - Erlend Åmdal
Do you know if your GitHub Actions workflows are secure? I will demonstrate a proof of concept of a supply chain attack that exploits weak security settings in a typical GitHub Actions workflow to do things you might not expect an npm package to be able to do, followed by a presentation of simple methods to prevent this kind of attack. Due to Actions’ tight integration with the rest of the GitHub platform, the attack can easily target a repository’s contents and metadata, including the issue tracker, pull requests and GitHub Packages. If you value the content on your issue tracker or publish to GitHub Packages and are curious about the security of GitHub Actions, this presentation might prove interesting and useful.
Erlend Åmdal is a software development consultant at Blank with a few years of industry experience. He is a passionate developer who strives for secure software. Having worked with various customers ranging from reMarkable to Autodesk, Erlend has been involved with several organizations depending on GitHub Actions and npm packages for their CI/CD, and knows a thing or two about securing this dependency.
Open Policy Agent in-depth - Anders Eknert
Should user Alice be allowed to read credit reports? Should a cloud compute instance be deployable without basic security configuration in place? Should service X be allowed to query the database? Policy defines the rules of our systems, but how do we ensure our policies are enforced consistently in increasingly distributed and diverse tech stacks? In this technical talk we’ll explore the benefits of decoupling policy from our applications, deployment pipelines and platforms, and how Open Policy Agent (OPA) and its policy language Rego work to unify policy enforcement across the whole stack.
Anders Eknert is a developer advocate at Styra with a long background in software development, security and identity systems in primarily distributed environments. When not in front of his computer he enjoys watching football, cooking and Belgian beers.
2023-05-08, 17:00 - 19:00
May meeting - API Security
Location: Vipps AS, Dronning Eufemias Gate 42, Oslo
Meetup event: https://www.meetup.com/owasp-oslo/events/293025797/
Big thanks to Vipps for sponsoring the event
17:00 Food and mingle
17:30 Security at high speed - How Vipps secures their APIs (40min) - Nora Tomas
From the outside, login systems can seem very simple. In the Vipps app, for example, you just use biometrics (or a PIN code) and you’re in with a blink of an eye! But how much work goes into creating such a system? What actually happens if someone steals my Vipps PIN code? And why doesn’t Vipps just have a “login with Facebook” button? You’ll get the answers to these questions in this presentation. We’ll cover everything from the EU directive PSD2 to how to practically secure APIs so that the next time you log in to Vipps, you’ll know what’s happening behind the scenes!
Nora Tomas
Nora is a developer and security lead for the User Security team at Vipps MobilePay. She is involved in developing Vipps MobilePay’s authentication systems. With a passion for both security and programming, Nora is interested in how to develop at DevOps speed while still keeping the systems secure.
18:15 npm provenance (10min) - Erlend Oftedal
Introduction to the recent supply chain additions added to npmjs.
2023-03-23, 17:00 - 19:00
“Defendable Products” and “Opera: Five Years of Championship”
Location: Finn.no, Grensen 5-7, Oslo
Meetup event: https://www.meetup.com/owasp-oslo/events/291637400/
Talk 1: Defendable Products
How do you improve security in products? This talk will walk you through what we have done in Schibsted over the last three years to improve security in our products (e.g. Application Security and Cloud Security). From guiding principles, training packages for developers, risk identification and escalation processes to introducing technical tools like SAST, DAST, CSPM and others. We wrap up with the mistakes we made and our road ahead.
Ståle Pettersen (@kozmic / infosec.exchange/@kozmic) is leading the Product & Application Security team within Schibsted, which focuses on cloud security and application security. He has 15 years’ experience as a developer and is a security enthusiast with a main focus on application security and cloud security.
Talk 2: Opera: Five Years of Championship
For the last five years, we have successfully run the security champions program at Opera. During this time, we learned a lot about the advantages and constraints of this model, applied it at scale (with more than 40 champions working in parallel), and improved it with the growing maturity of our processes.
Michael Markevich (LinkedIn)
With more than twenty years of experience as a cybersecurity and digital trust expert, Michael loves to explore new technologies, mentor young security professionals, and do occasional research and hands-on work. Michael started his career as a system administrator at a university campus, then worked as a penetration tester, senior IT auditor, and information security manager. Currently, Michael serves as security advisor for DHIS2, the world’s largest HMIS platform used in more than 70 countries, and leads the security team at Opera, a browser vendor and internet technology company with more than 320
This meet-up is sponsored by Schibsted. We appreciate their support!
If you want to become a sponsor for an OWASP meet-up, contact [email protected].
2023-02-28, 18:00 - 19:00
Purple is the New Black: Modern Approaches to Application Security
Location: Online
Meetup event: https://www.meetup.com/owasp-oslo/events/291636535/
Gone are the days when breaches were rare and security could safely be put low on the priority list; product security is now a customer demand and cyber crime has reached epic proportions. Our idolization of hackers, penetration testing and ‘breaking’ has not resulted in secure software for our industry, only egos, stereotypes and unaffordable security models. Modern application security approaches need to address both offensive (red team) and defensive (blue team) approaches, as well as continuous learning and advocacy for developers. This means Purple Team. This talk will explore how to combine defence, offence, automation, empathy and continuous learning, all without the requirement of ever wearing a hoodie. The future of security is PURPLE.
Tanya Janca
Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning community that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty-five years, won countless awards, and has been everywhere from public service to tech giants, writing software, leading communities, founding companies and ‘securing all the things’. She is an award-winning public speaker, active blogger and podcaster, and has delivered hundreds of talks on 6 continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives.
Advisor: Nord VPN, Cloud Defense, Aiya Corp
Faculty: IANs Research
Founder: We Hack Purple, OWASP DevSlop, #CyberMentoringMonday, WoSEC
2023-01-17, 18:00 - 20:00
Tune your Toolbox for Velocity and Value - Josh Grossman
Location: Rebel, Universitetsgata 2, Oslo
Meetup event: https://www.meetup.com/owasp-oslo/events/290761822/
We will be at Exposalen at Rebel, and then those who want can join for burgers/beer at Skråplanet (also at Rebel).
Tune your Toolbox for Velocity and Value
You bought the application security tools, but now what? Many organizations find themselves drowning in “possible vulnerabilities”, struggling to streamline their processes and not sure how to measure their progress. If you are involved in using automated scanners, such as SAST, DAST or SCA tools, in your organization, these may be familiar feelings to you. In this talk, I will give you ideas on how to streamline your implementation and automation to focus on what matters most. We’ll also discuss what to consider when designing the manual processes and tasks around the automation so that you get more value in less time. You will leave with a much better understanding of these security tools as well as ideas for improving processes and adding value that you can take and apply at your own organizations.
Speaker: Josh Grossman
Josh has worked as a consultant in IT/Application Security and Risk for 15 years now, as well as a Software Developer. In that time, he has seen the good, the bad and the stuff which is sadly/luckily still covered by an NDA. He has provided application security advice and support to companies ranging from multi-national software development organizations and Fortune 500 companies to early and mid-stage start-ups. This has also led him to work, speak and deliver training both locally and worldwide. He is currently Chief Technology Officer for Bounce Security, where he spends his time helping organisations improve and get better value from their Application Security processes and providing specialist Application Security advice. In his spare time, he co-leads the OWASP Application Security Verification Standard project and is on the OWASP Israel chapter board.
2022-09-15, 18:00 - 19:30
Virtual meeting: Are we Secure?
Location: Online
Meetup event: https://www.meetup.com/owasp-oslo/events/287853653/
Are we Secure?
We all trust software with the most important aspects of our life… but it’s a blind trust with virtually no justification. Actually, by almost any measure, application security has been failing for 20 years. Software is still riddled with vulnerabilities and gets attacked thousands of times a month – mostly undetected. Yet instead of trying different approaches, we mostly keep pushing the same futile and expensive practices harder. In this talk, we’ll discuss why the underlying asymmetric information problem in the software market makes it impossible to make progress. And we’ll talk about how we can escape this trap, change the software market, and make software trustworthy for everyone.
Jeff Williams - CTO of Contrast Security and OWASP Co-Founder
Jeff Williams is the co-founder and a major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API (ESAPI), OWASP Application Security Verification Standard (ASVS), XSS Prevention Cheat Sheet, WebGoat and many other widely adopted free and open projects. Jeff is the co-founder and the CTO of Contrast Security. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.
2022-08-29 - 2022-08-31
OWASP Track at Sikkerhetsfestivalen
A 3-day conference where OWASP Oslo had a 1-day track with 8 talks.
2022-03-29, 17:00 - 19:00
Virtual event: Where Security meets Forensics
Location: Online
Meetup event: https://www.meetup.com/OWASP-Oslo/events/284603583/
This event features an intersection between digital forensics and security. We have two speakers, one a seasoned digital forensic practitioner, and one a leading figure in OWASP and DevOps. The event will spark a conversation between digital forensics and secure application development.
Speaker 1: Emlyn Butterfield - Noroff University College DFIR
Emlyn Butterfield is the Programme Lead for Digital Forensics at Noroff University College, following a spell at Leeds Beckett University as their Course Director for Digital Forensics. He is also an experienced practitioner, working with local and international law enforcement agencies and acting as an expert witness in both defence and prosecution capacities. He has authored several articles, including on the teaching of digital forensics and cybersecurity. Emlyn is experienced in the development and delivery of undergraduate and postgraduate awards, both for onsite and online delivery. Emlyn’s experience brings together the worlds of academia and industry, bringing passion to his teaching for future DFIR graduates. His research focuses on the analysis of applications and data from unknown sources, utilising this within teaching and delivery to students. Emlyn was also the co-founder of BSides Leeds and is developing coding classes for students within Kristiansand, Norway, for the next generation of techies.
Speaker 2: Vandana Verma - Security Solutions Architect at Snyk and OWASP Board of directors Chair
Vandana is a Security Solutions Architect at Snyk. She is the Chair of the OWASP Global Board of Directors. She leads diversity initiatives like InfosecGirls and WoSec. She is also the founder of InfosecKids. She has experience ranging from Application Security to Infrastructure and now deals with Product Security. She has been a keynote speaker, speaker and trainer at various public events, from Global OWASP AppSec events and BlackHat events to regional events like BSides events in India. Vandana is a member of the Black Hat Asia Review Board as well as those of multiple other conferences, including Grace Hopper India and OWASP AppSec USA, to name a few. She is also one of the organisers of BSides Delhi. She has been the recipient of multiple prestigious awards, such as Cyber Security Woman of the Year Award 2020 by Cyber Sec Awards, Application Security Influencer 2020 by Whitesource, Global cybersecurity influencer in IFSEC Global’s “Top Influencers in Security and Fire” category for 2019, and the Cybersecurity Women of the Year award by the Women Cyberjutsu Society in the category “Secure Coder”. She has also been listed as one of the top women leaders in the field of technology and cybersecurity in India by Instasafe. She has trained 10000+ diverse candidates in cybersecurity.
The talks and abstracts will be published soon. Once you have registered you will receive the Zoom information.
2022-01-13, 17:00 - 19:00
New Year, new things
Location: Online
Meetup event: https://www.meetup.com/OWASP-Oslo/events/283048482/
Recording: https://www.youtube.com/watch?v=g_YvPpV4Dm8
17:00-17:50 - If nothing goes right, push left - Veronica Schmitt
If we do not have it, we should build it. If nothing goes right, push left. TL;DR: Your logs should be simple and structured, and they should contain enough information without disclosing sensitive data. Accidental information disclosure within the logs can often lead to future breaches. This talk focuses on the process of building logs, taking into consideration the attack, the defense, and the investigation of breaches, and uses the ideals from The Unicorn Project and The Phoenix Project to develop the “Five Philosophies of Logging”. The talk explores different aspects of logging, pulling from years of experience in breach investigations and magic-wielding.
Veronica started her forensic career in 2008. She is an Assistant Professor at Noroff University. She is a Non-Executive Director at DFIRLABS. Veronica holds a Master of Science from Rhodes University in Information Security, with specialisation in the forensic analysis of malware. She prides herself on keeping patients safe, as this is something which is near to her heart. She is also a cyborg, sporting an embedded medical device herself. She is a DEF CON Goon and the founder of DC2751.
18:00-18:50 - Toby Irvine: “If you can’t measure it you can’t improve it. But what should we be measuring in security? How do we measure it? Why should I do a PCR Covid test over a lateral flow test if I have symptoms? And how the heck are these related?”
Toby is the CEO and co-founder of Secure Delivery. He has 25 years of experience in secure software engineering, which can be seen in him having unlocked his grey-beard wizard level. He has experience in designing and building large-scale on-site and cloud systems across many industries, some of them critical industries. He specializes in working with highly regulated organisations. He is also the author of HSBC’s Secure Development Handbook, a field guide for secure application development for 30,000 software developers across 68 countries. He has trained both technical and non-technical individuals in delivery roles across the Americas, EMEA and APAC, specifically in modern application security practices. He is a member of OWASP, where he is the project leader for the OWASP Open AppSec Curriculum. He believes in doing right by customers and in doing things better. In his spare time he is a musician, and may even have his own YouTube channel. If you have a problem, he has probably already encountered it and knows how to fix it.
2021-08-17, 18:00 - 19:30
Secure by Design – insights & pitfalls
Location: Online
Meetup event: https://www.meetup.com/OWASP-Norway/events/278808275/
Secure by Design is all about choosing good design principles that yield implicit security benefits. This seems like a solid strategy, as it naturally appeals to everyone’s instinct for crafting good software. We simply fool ourselves into coding more securely! But have there been any further insights since the book’s release in 2019? In this session we cover the fundamentals of Secure by Design and showcase a few designs that have proven fruitful, as well as some pitfalls from the trenches where usages subtly miss the original intentions.
Daniel Deogun & Dan Bergh Johnsson are authors of the book Secure by Design and have collectively been working with security and development for several decades. They are developers at heart and understand that security is often a side-concern. They’ve also evolved work habits that enable them to develop systems in a way that promotes security while focusing on high-quality design habits – something that’s easier for developers to keep in mind during their daily work. Both are established international speakers and often present at conferences on topics regarding high-quality development and security.
30 June 2021, 18:00 - 19:00
Anonymous Tokens for more Private Contact Tracing
Location: Online
Meetup event: https://www.meetup.com/OWASP-Norway/events/278808275/
“Anonymous Tokens for more Private Contact Tracing” – Henrik Walker Moe (Bekk) and Tjerand Silde (NTNU)
This talk will be about how we integrated anonymous tokens with the Norwegian contact tracing app Smittestopp (version 2). We will talk about how anonymous tokens work, how we implemented the library (https://github.com/HenrikWM/anonymous-tokens), and we will discuss some challenges and possible improvements to the protocol. Lastly, we will mention some possible future directions and use-cases for the token system.
Henrik Walker Moe works as the Practice Lead for Information Security in Bekk. He’s an advocate for security awareness and promotes skills needed to stay current within cyber-security for his colleagues and customers. He is also a board member on NNUG (Norwegian .Net User Group) and hosts meetups for the .Net-community.
Tjerand Silde is a Ph.D. researcher in cryptography at the Norwegian University of Science and Technology in Trondheim. His main focus of research is post-quantum cryptography and privacy preserving protocols, e.g., zero-knowledge proofs, multi-party computation and anonymous credentials. Website: https://tjerandsilde.no.
27 May 2021, 20:00 - 21:00
General assembly + election of leaders
Location: Online
Meetup event: https://www.meetup.com/OWASP-Norway/events/277717277/
This will not be an ordinary meetup, but a two-part meeting where we first hold the general assembly of OWASP Norway Chapter (org. no. 994253085). We then elect leaders and possibly a programme committee.
Part 1: General assembly of OWASP Norway Chapter (org. no. 994253085)
Item 1: Election of chair
Item 2: Election of minute-taker
Item 3: Approval of the notice of meeting
Item 4: Deletion of OWASP Norway Chapter from the Brønnøysund Register
Background: OWASP Norway Chapter is currently registered in the Brønnøysund Register with organisation number 994253085. According to the OWASP Chapter Policy [1], local chapters are not to be separate legal entities. We therefore wish to delete the entity from the Brønnøysund Register in accordance with the current bylaws [2], adopted 28 April 2008. This will have no impact on meeting activity or the day-to-day running of OWASP Norway Chapter, as we continue to exist as before under the OWASP Foundation. According to the bylaws, dissolution requires a 2/3 majority at an ordinary general assembly.
Proposed resolution: OWASP Norway Chapter (org. no. 994253085) is dissolved in accordance with the bylaws and deleted from the Brønnøysund Register.
[1] https://owasp.org/www-policy/operational/chapters
[2] https://owasp.org/www-chapter-norway/assets/files/20080428_Norway_chapter_vedtekter.pdf
Part 2: Election of leaders for OWASP Norway Chapter
OWASP Norway Chapter shall have 2-5 leaders and possibly a separate programme committee. If you would like to get involved in OWASP Norway Chapter, contact [email protected] ahead of the meeting, so we have an overview of how many want to take part. You are expected to take main responsibility for organising at least one meetup per year. In practice this means finding skilled speakers, finding a suitable venue and possibly a food sponsor for the meetup. You will get help from more experienced leaders if needed.
If you would like to contribute, we recommend reading through the Chapter Handbook [1] and Chapters Policy [2].
[1] https://owasp.org/www-policy/operational/chapter-handbook-existing.html
[2] https://owasp.org/www-policy/operational/chapters.html
27 May 2021, 17:00 - 19:00
Security+Ambidexterity+Devops = FUN / Dependency Confusion
Location: Online
Meetup event: https://www.meetup.com/OWASP-Norway/events/277959854/
Welcome to another online OWASP Norway Chapter meetup. Today we will have two talks, presented by Espen Johansen from Visma and Ståle Pettersen from Schibsted.
I hope we soon will be able to meet again at Teknologihuset to enjoy a slice of pizza. But for now we will continue to host online meetups.
See you!
Security+Ambidexterity+Devops = FUN - Espen Johansen (Visma)
In this talk Espen will go deeper into the technical choices made at Visma from the start of the DevOps transformation up to today. He will also demonstrate how some of the systems work in practice and give the audience the chance to steer him :-) An interactive talk with plenty of opportunity to gain insight.
Experience sharing and storytelling from Visma’s work on integrating security into DevOps by means of Ambidexterity as a method. Practical examples on the choice of leaders and board composition, spiced with technical choices made along the way.
Espen is a passionate Security DevOps-er with a flair for midlife crisis management and enjoying life to its fullest. He serves as the Director of Security in Visma but is secretly passionate about gamification, UX, democracy and security. He loves difficult words and likes to apply their meaning in agile teams.
Dependency Confusion - Ståle Pettersen (Schibsted)
Are you confused about the Dependency Confusion attack? We will explain the bug class that compromised Apple, Microsoft and Tesla, and how you can defend yourself against it in the different package manager systems (npm, python, Java, Ruby and more). We will go through how the Product & Application Security team in Schibsted worked to mitigate this bug class in JFrog Artifactory. One part of our solution was the tool Artishock (https://github.com/schibsted/artishock).
Ståle Pettersen (@kozmic) leads the Product & Application Security team within Schibsted. He has 10+ years of experience as a developer and security enthusiast, is a big fan of OWASP, and doesn’t like to brag about himself :)
30 April 2021, 09:00 - 10:00
Morning meetup: The defender’s new clothes - Eldar Marcussen
Location: Online
Meetup event: https://www.meetup.com/OWASP-Norway/events/277527268/
We’re doing a morning meeting this time, as our speaker is based in Australia.
Description: Proving vulnerabilities in modern web applications is significantly harder than it used to be thanks to WAFs and other protection measures. This talk will discuss and showcase several approaches to bypasses ranging from simple to advanced.
Bio: Eldar Marcussen (https://twitter.com/wireghoul) is a lead security researcher and penetration tester. He is a long-time bug hunter with a large number of published advisories, exploits and conference presentations at leading security conferences all over the world. He was a recipient of the first CVE 10K candidate numbers. In addition to finding vulnerabilities, he contributes to and maintains several open source projects in his spare time aimed at web application security and penetration testing. These include graudit, doona, lbmap, dotdotpwn, nikto and more. His tools and research are featured in most security-oriented Linux distros as well as many industry-leading books.
21 April 2021, 18:00 - 19:00
Privacy Case Study: Ambient Light Sensor API
Location: Online
Meetup event: https://www.meetup.com/OWASP-Norway/events/277094300/
Welcome to another remote meetup! This time we will be joined by Lukasz Olejnik, who will walk us through an Ambient Light Sensor API privacy case study. We’ll wrap things up with a short Q&A afterward.
For the majority of users, the web browser is the most important computer application. Increasingly complex, exciting and rich features are standardized by the W3C and implemented in web browsers on a regular basis. New browser features introduce interesting privacy challenges for standardization, research and development. I will demonstrate a privacy case study based on the example of the Ambient Light Sensor. A web privacy impact assessment of a planned web browser feature, the Ambient Light Sensor API, indicated risks arising from the exposure of overly precise information about the lighting conditions in the user environment. The analysis led to the demonstration of direct risks of leaks of user data, such as the list of visited websites or exfiltration of sensitive content across distinct browser contexts. Our work contributed to the creation of web standards leading to decisions by browser vendors (i.e. obsolescence, non-implementation or modification to the operation of browser features). We highlight the need to consider broad risks when making reviews of new features. I will suggest practically-driven high-level observations lying at the intersection of web security, privacy risk engineering and modeling, and standardization.
Dr Lukasz Olejnik acts as an independent security and privacy researcher and advisor. His experience spans research, industry, standardization, and policy. His research interests include information and computer security and privacy, user data disclosure and dissemination problems as well as privacy-sensitive matters related to web browser functionalities, web security, privacy reviews, and privacy impact assessments. His research analysing user tracking and profiling on the web has impacted web standards and web browsers.
Lukasz is a World Wide Web Consortium’s (W3C) Invited Expert, where he focuses on privacy of web standards. In 2018-2020 he was elected to the W3C’s Technical Architecture Group. Lukasz is involved in technology policy, focusing on cyber security, privacy, and data protection. He held roles as technology policy advisor at the European Parliament (working on ePrivacy), scientific advisor on cyber warfare at the International Committee of the Red Cross, with a focus on assessing the humanitarian consequences of cyber operations, and science and technology advisor at the European Data Protection Supervisor.
Read more about the case study on his website: https://blog.lukaszolejnik.com/shedding-light-on-designing-web-features-with-privacy-risks-impact-assessments-case-study/
17 March 2021, 19:00 - 20:00
Google’s Differential Privacy Library – Mirac Vuslat Basaran (Google)
Location: Online
Meetup event: https://www.meetup.com/OWASP-Norway/events/276469937/
Differential privacy helps organizations derive insights from data while simultaneously ensuring that those results do not allow any individual’s data to be distinguished or re-identified. Sound interesting? Come hear Mirac Vuslat Basaran (Google) talk about Google’s Differential Privacy Library!
We will start with a brief introduction to differential privacy and why it might be useful for you. Then, we will go through what kind of tools and functionalities Google’s Differential Privacy Library supports such as secure noise implementations, different aggregations, end-to-end systems that require only minimal knowledge of differential privacy, etc. Finally, we’ll talk about future plans for the library.
We’ll finish with a short Q&A.
Mirac is a Software Engineer in the area of anonymization and differential privacy at Google. Before joining Google, he studied Computer Engineering (and Economics) at Bilkent University. Currently, he helps build and open source infrastructure for product teams to anonymize their data. He also consults product teams on anonymization and differential privacy.
URL to Google’s Differential Privacy Library: https://github.com/google/differential-privacy
10 December 2020, 19:00 - 20:00
Chat with Emil Vaagland about running FINN.no’s private bug bounty program
Location: Online
Meetup event: https://www.meetup.com/OWASP-Norway/events/274255519/
Curious about how it is to run a bug bounty program? Join our chat with Emil Vaagland to get all your questions answered. He has been running FINN.no’s private bug bounty program for well over a year now, and he will share all his experiences with you in a conversation with Ståle Pettersen.
The format of this event will be an informal conversation, so questions from the audience are very welcome!
13 October 2020, 19:00 - 21:00
Enforcing Code & Security Standards with Semgrep
Location: Online
Meetup event: https://www.meetup.com/OWASP-Norway/events/273505813/
Abstract: We’ll discuss a program analysis tool we’re developing called Semgrep. It’s a multilingual semantic tool for writing security and correctness queries on source code (for Python, Java, Go, C, and JS) with a simple “grep-like” interface. The original author, Yoann Padioleau, worked on Semgrep’s predecessor, Coccinelle, for Linux kernel refactoring, and later developed Semgrep while at Facebook. He’s now full time with us at r2c.
Semgrep is a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. Semgrep is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.
For example, find subprocess calls with shell=True in Python using the query:
subprocess.open(..., shell=True)
This will even find snippets like:
import subprocess as s
s.open(f'rm {args}', shell=True)
Or find hardcoded credentials using the query:
boto3.client(..., aws_secret_access_key="...", aws_access_key_id="...")
Source code: https://github.com/returntocorp/semgrep
Test in your browser: https://semgrep.dev/
Speaker bio: Bence Nagy is a software engineer at r2c, working on Semgrep, an open-source syntax-aware code search tool. At r2c, his responsibilities tend towards building various interfaces atop the core semgrep CLI. These include CI integrations, editor extensions, and the semgrep.live web app. He previously led a developer experience team at Kiwi.com, the Czech Republic’s top startup at the time of its acquisition in 2019. You should totally ask him for video game recommendations after the talk.
27 February 2020, 17:00 - 20:00
Secure coding tournament
Location: Microsoft Norway, Dronning Eufemias gate 71, Oslo
Meetup event: https://www.meetup.com/OWASP-Norway/events/268317515/
This event is sponsored by Microsoft and Oslo BSides.
Agenda: (Rough timings)
- 1700 Arrival - Registration, food and drinks
- 1720 Presentation (TBA)
- 1805 Platform Demo
- 1815 Tournament
- 1945 Prize Giving
Secure Code Warrior is coming and will set up a secure coding tournament! This competition will put your security skills to the test. Players will be presented with a series of code challenges that ask them to locate the insecure code, identify the vulnerability and then fix it. All challenges are based on real-life code examples and are ranked from easy to difficult! Each player can choose from a range of software languages (C# .NET, Go, Java, Python etc.) to compete fairly in the tournament.
Prizes will be awarded to 1st and 2nd place (if you are a sponsor and would like to give a prize, contact us).
Check out one of the UK’s OWASP Tournaments last summer: https://www.youtube.com/watch?v=xQJAl1m0_DE
Supported languages: https://securecodewarrior.com/supported-languages
All you need: Your laptop!
11 December 2019, 17:00 - 20:00
December meetup: WebAuthn and Burp tricks
Location: Finn.no, Grensen 5-7, Oslo
Meetup event: https://www.meetup.com/OWASP-Norway/events/266167858/
WebAuthn: Authentication is now a solved problem! ;)
U2F, FIDO, FIDO2, CTAP and WebAuthn: what does it all mean? We will walk through why WebAuthn is groundbreaking and different. Why do I think it will change authentication forever? Do we finally have a universal and user-friendly second factor that cannot be phished? Can it really be true? What about recovery?
Ståle Pettersen is a developer and security enthusiast with 10+ years of experience, currently working as Head of Product & Application Security in Schibsted.
Burp suite “ninja moves”
Have you ever tested a web application that you knew was vulnerable, but could not figure out how to get Burp to behave exactly the way needed to find or exploit the vulnerability? Maybe you needed to fetch a certain value before you sent out a request through Intruder, but could not figure out what was wrong with your Burp macro. Or maybe you could not find that macro menu in the first place.
In this talk Thomas will show you the secret ninja moves inside of Burp Suite that you wished you knew before you bought that Pro license. This talk is for those who want to take their web application testing to the next level. We will cover the hidden features of intruder, how to test for the newest security flaws and essential plugins that you need to know in order to find that hidden vulnerability in your next penetration testing engagement or bug bounty adventure.
Thomas Gøytil is a former developer turned security professional, specializing in API and web application security. He has over 9 years of experience as a consultant building, breaking and securing web applications. He is working as the Head of Security in Klaveness Digital, a Norwegian company building intelligent shipping and logistics solutions. Thomas loves to work with developers to find elegant solutions to hard security problems. When Thomas is not working on the defense for his company, he is working on his offense doing bug bounty or Brazilian Jiu Jitsu.
19 November 2019, 17:00 - 19:00
Best practices for securing CI/CD pipeline by Victoria Almazova + lightning talk
Location: Teknologihuset, Pilestredet 56, Oslo
Meetup event: https://www.meetup.com/OWASP-Norway/events/266233553/
Best practices for securing CI/CD pipeline - Victoria Almazova
DevOps practices are in place; containers are everywhere, pipelines are flying. We do Agile. We do DevOps. Now we try to follow security practices for protecting the deployed resources, too. This is why DevSecOps is not hype anymore and is gaining more prominence. There is a lot of information about DevSecOps, but how do you do it properly? Where to start? What are the best practices? In this session, we will walk through an end-to-end scenario where we deploy infrastructure components securely to Azure using Azure DevOps, Azure Container Registry and security tools. We will build a pipeline with security in mind to protect against and detect potential security flaws during the build.
You will learn:
- How to build end-to-end CI/CD pipeline that builds the application and deploys infrastructure on Azure with security checks for the application, containers and infrastructure;
- What are the security tools available for CI/CD pipeline and how to implement them in the best way into different Git workflows;
- Best practices and patterns of building security pipelines.
Victoria is a security girl at Microsoft with more than 13 years of experience in security. She spends all her time working closely with developers and architects to build security in from the design level. She is a big supporter of making security a culture and shifting security to the left through DevOps. Victoria believes that empowering developers and architects in security tasks through education will increase the security level without adding workload.
During her free time, she deep dives into Cloud security, development, identity and access management. And of course, she doesn’t forget about running, hiking and motorcycles, which are the biggest passion after security.
Crypto for Pentesters - Tor Erling Bjørstad
“A cryptosystem should be secure even if everything about the system, except the key, is public knowledge” (Auguste Kerckhoffs, 1883)
Modern crypto is actually pretty good. Nobody is going to break RSA or AES by accident on a pentest assignment. Modern crypto is also surprisingly subtle. Even if it says AES on the box, the devil is in the implementation details. In this talk, we’ll look at a few common crypto fails and discuss their exploitability in a practical setting. The goal is to help the audience recognize and avoid problems that are common in the field.
Tor leads the application security practice at mnemonic. He has been working full-time in software security and cryptography since 2006, at times playing the role of security champion and defender, at other times the attacker hunting for ways to break in. Tor holds a Ph.D. in cryptography from the University of Bergen.
The presentations will be held in English.
Pizza and soda will be served at the meetup, sponsored by Microsoft.
A big thanks to mnemonic (https://www.mnemonic.no/) for supporting the OWASP Norway Day 2018 as a platinum sponsor.
16 October 2019, 17:00 - 19:00
Location: Miles, Bislettgata 4, Oslo, 6th floor
Meetup event: https://www.meetup.com/OWASP-Norway/events/265374152/
Securing microservices in a serverless world - Andreas Claesson
The world of IT is changing, with a vast number of services moving from centralised servers to decentralised server providers such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). With the concept of “serverless”, the services themselves are also becoming decentralised, meaning that they are broken down into smaller pieces called microservices.
In his presentation, Andreas will explore the major benefits of going serverless, the challenges this approach to architecture presents to traditional IT security, and try to answer the question, “so why isn’t serverless super popular yet?”
The presentation is based on an article published in the annual mnemonic Security Report (www.mnemonic.no/securityreport).
Andreas Claesson works at the European IT and information security company mnemonic as a Senior Security Consultant in their Technical Risk Services department. Based in Oslo, his main focus area is security assessments of cloud environments, which requires a different approach compared to traditional IT security. He has a background in software development giving him an extra dimension in his security work.
The presentation will be held in English.
Wraps and soda will be served at the meetup, sponsored by Miles (https://miles.no).
A big thanks to mnemonic (https://www.mnemonic.no/) for supporting the OWASP Norway Day 2018 as a platinum sponsor.
9 April 2019, 17:00 - 19:00
Location: Teknologihuset, Pilestredet 56, Oslo
Registration: https://www.meetup.com/OWASP-Norway/events/259385379/
Security of Machine Learning - Stian Kristoffersen
Stian Kristoffersen from Deepinsight will come and talk about security of machine learning. The presentation will be held in English.
Machine Learning (ML) continues to be a trendy tool for many types of problems, including security. But is ML itself secure? This talk will give an introduction to attacks on ML like changing predictions, recovering sensitive information, and stealing someone else’s models. Examples include misdirection by changing a few pixels in an image, by using 3D printed models, and by hiding long messages in short sound bites. We will conclude with some current research directions to mitigate these attacks. Prior experience with ML is useful, but not required.
Pizza and soda will be served at the meetup, sponsored by Deepinsight (https://deepinsight.io/).
A big thanks to mnemonic (https://www.mnemonic.no/) for supporting the OWASP Norway Day 2018 as a platinum sponsor.
20 November 2018 - OWASP Norway Day
Full day conference: https://owaspnorwayday.org
9 April 2018, 17:00 - 20:00
Security weaknesses in Norwegian online services - Roy Solberg / Hallvard Nygård
Location: Teknologihuset, Pilestredet 56, Oslo
Meetup event: https://www.meetup.com/OWASP-Norway/events/248655998/
We will be visited by Roy Solberg and Hallvard Nygård, who independently of each other have uncovered and published weaknesses in Norwegian online services.
Food sponsor: Oslo Market Solutions (https://oms.no)
Roy Solberg
Roy Solberg has recently uncovered a number of security holes in Norwegian services and websites. He takes us through his motivation for going public and publishing the security holes, and what the whole journey has been like. We get more details on a few selected security holes - including some as yet unpublished. In addition, you will hear more about the most frequently observed weaknesses - so that you can avoid becoming a story on his blog yourself.
About Roy Solberg: Roy Solberg works as a mobile developer at NorApps AS, where he works on one of the world’s most popular football apps - FotMob. Before that he worked for 10 years as an IT consultant.
Hallvard Nygård
If your REST service is on the Internet, you should expect someone to access it directly with alternative parameters. Hallvard Nygård wanted to look into his own data collected by Rema 1000’s Æ app, but found everyone’s data. For 2 weeks, purchase data for up to 500000 customers was available to anyone with an Internet connection. Security by obscurity.
In this presentation Hallvard will show how the Æ app was examined with Mitmproxy (man-in-the-middle proxy) and Curl. He will focus on what we can learn from this and how you can examine and secure your own app/backend.
We will also take a look at other services where development and integrations have gone wrong and data/personal data has been exposed: a cloud-based health register, a real-estate service and a customer portal (security in JavaScript!). What properties do you own? What does your loan history (mortgages) look like? Enforcement proceedings? What devices are in your home? Which OS do they run? Online data registers are scary stuff…
About Hallvard Nygård: Developer. Often codes on the front end, but also makes sure to secure the backend. Checks the security of your application in his spare time.
19 March 2018, 17:00 - 20:00
Location: Teknologihuset, Pilestredet 56, Oslo
Meetup event: https://www.meetup.com/OWASP-Norway/events/247571296/
#WatchOut - Serious vulnerabilities in smart watches for children
In October 2017, the Norwegian Consumer Council (Forbrukerrådet) and mnemonic published the #WatchOut campaign, revealing severe security flaws in smart GPS watches marketed towards children and parents. Among other things, it was shown that it was possible for an unauthorized party to:
- take control of the watch through the companion app,
- eavesdrop on and communicate with the child without the parent knowing,
- track the child’s movements, and also make it look like the child is somewhere he or she is not.
In some cases, user-generated data was also being insecurely transmitted and stored. In one case, data such as voice messages was found stored on an unprotected cloud server.
#WatchOut had a global spread and impact. It received coverage all over the world in outlets like the BBC, CBS, Good Morning America, Business Insider, The Telegraph, and Newsweek. This led to complaints being filed with the US Federal Trade Commission (FTC), and some retailers pulling the devices from their shelves. It has also led to smart watch vendors making extensive changes to their products.
Harrison Sand and Tor E. Bjørstad from mnemonic will go deeper into the technical details of the #WatchOut research and analysis, and how the technical assessments were carried out.
We will also discuss events in the aftermath of the campaign, concerns relating to vulnerability disclosure, and our general concerns related to securing the Internet of Things.
Links:
https://www.forbrukerradet.no/side/significant-security-flaws-in-smartwatches-for-children
https://www.forbrukerradet.no/side/critical-security-flaws-remain-in-smartwatches-for-kids/
https://www.mnemonic.no/watchout
28 September 2017, 17:15 - 20:15
Location: mnemonic AS, Wergelandsveien 25, Oslo
Meetup event: https://www.meetup.com/OWASP-Norway/events/243307080/
Software security in theory and practice - BSIMM and more
Nick Murison will give a talk on the Building Security In Maturity Model (BSIMM) for secure software development.
Abstract: The Building Security In Maturity Model (BSIMM) (http://bsimm.com/) is a unique tool built from an observation-based approach to capturing the collective activities of diverse software security initiatives. We initiated data gathering and analysis in 2008 with nine firms. There are now over 100 participant organisations in BSIMM, and we have measured many of these organisations more than once. Though secure software initiatives differ, all share common ground. BSIMM captures and describes this common ground. It therefore functions as a universal yardstick, capable of measuring any software security initiative and facilitating strategic planning for ongoing software security improvement. This talk will provide an introduction to the model, how you can apply it to your organisation, and what benefits you can achieve in measuring your initiative. It will also provide a sneak preview of BSIMM8, the latest version of the model.
About the speaker: Nick Murison is a Managing Consultant in Synopsys’ Software Integrity Group, and the European lead for BSIMM. His primary responsibility is the successful delivery of software security services to Synopsys’ clients across multiple industry verticals in Northern Europe. Nick holds an MSc in Information Security from Royal Holloway, University of London.
In addition, we’ve scheduled two shorter talks.
Jøran Lillesand will give a short presentation on practical experiences with running a software security programme, based on ongoing work at Digipost (https://www.digipost.no/sikkerhet). This talk will be held in Norwegian.
Patricia Aas will give a short presentation on her recent experiences with the security of the Norwegian election system (http://www.vg.no/nyheter/meninger/stortingsvalget-2017/kampanjen-funket/a/24136153/).
12 June 2017, 17:00 - 20:00
Location: Simula, Ole-Johan Dahls hus, Gaustadaleen 23B, Oslo
Meetup event: https://www.meetup.com/OWASP-Norway/events/238611471/
Talks by Troy Hunt and Scott Helme and lightning talk by Per Thorsheim
Troy Hunt
What motivates attackers to dump data publicly? How is it sold, traded and redistributed and for that matter, what even causes people to go public with it? These are all questions I’ve dealt with over the years running the ethical data breach search service “Have I been pwned”. It’s also given me the opportunity to interact with everyone from the attackers breaching these systems to the impacted organisations to law enforcement agencies.
In this talk, I’ll share the lessons learned from working with billions of publicly dumped records as a result of major data breaches. The talk sheds light on how this class of adversary operates and the weaknesses within organisations they continually manage to exploit. It’s a unique inside look at security from a very real world and very actionable perspective.
About the speaker
Troy Hunt is an Australian Microsoft Regional Director and Microsoft MVP for Developer Security since 2011. Troy is a Pluralsight author of many top-rated courses on web security, and known for his work on “Have I been pwned?” - a free service that aggregates data breaches and helps people establish if they’ve been impacted by malicious activities on the web.
Scott Helme: The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it’s valid, potentially years. We need a way to revoke the trust in these certificates so that they can’t be abused but all current revocation mechanisms are largely useless. Let’s look at the new mechanisms being introduced to address the problem of revocation.
Per Thorsheim: Lightning talk: “From security to safety - when consequences become real”
22 May 2017, 17:00 - 19:00
Location: Microsoft Norge, Lysaker Torg 45, Oslo
Meetup event: https://www.meetup.com/OWASP-Norway/events/239636226/
SDLC at Visma + The keys to the cloud at Microsoft
17:15-18:00 Practical implementation of a Security Program focused on AppSec in a large provider and consumer of WebServices - Espen Agnalt Johansen, Operations & Security Manager at Visma R&D
18:15-19:00 The keys to the cloud: Use Microsoft identities to sign in and access API from your mobile and web apps after Microsoft Build 2017
Microsoft identities are the entry point for every Microsoft cloud API and a large ecosystem of SaaS apps. Join the 150,000 apps active today in Azure Active Directory, making your apps available to more than 100M active business users! Based on the same enterprise-grade infrastructure, Azure AD B2C provides your apps with their own hosted identity system – offering social provider integration, local accounts, and advanced customization you can add to your app in minutes. Attend this session and learn how you can easily integrate with Microsoft identities in your mobile and web apps, thanks to the new MSAL libraries. Build a data-rich application thanks to the power of the Microsoft Graph API and the rich data about users, groups, mail, calendar, docs, and more.
Vittorio Bertocci is Principal Program Manager in the Windows Azure Active Directory team, where he looks after Developer Experiences in Windows Azure Authentication Library (ADAL), OWIN, JWT Handler, WIF, the development aspects of Windows Azure Active Directory & ACS, and a lot of other things he can’t tell you about. Vittorio holds a master’s degree in Computer Science and has worked in the software industry for two decades. He devoted the last 10 years to distributed systems, identity management and the promotion of claims-based approaches with Fortune & Global 100 companies. In the last five years his duty brought him to speak about identity in 23 countries and 4 continents. Vittorio is a regular speaker at conferences such as BUILD, Microsoft PDC, TechEd USA, TechEd Europe, TechEd Australia, TechEd New Zealand, TechEd Japan, TechDays Belux, Gartner Summit, European Identity Conference, IDWorld, OreDev, NDC, IASA, Basta and many others.
Vittorio is a published author, both in the academic and industry worlds, and wrote many articles and papers. He wrote Programming Windows Identity Foundation (Microsoft Press, 2010), is co-author of A Guide to Claims-Based Identity and Access Control (Microsoft Press, 2010), and Understanding Windows Cardspace (Addison-Wesley, 2008). He is a prominent authority/blogger on identity, Windows Azure, .NET development, and related topics, and shares his thoughts at www.CloudIdentity.com.
Microsoft is sponsoring the event with food and soft drinks
30 March 2017, 17:00 - 19:00
Location: Bouvet, Sørkedalsveien 8, Oslo
Meetup event: https://www.meetup.com/OWASP-Norway/events/238542931/
#ToyFail: Is your child safe from the Internet of Things? / Broken Crypto is Broken
Pizza will be served from 17:00. Thanks to Bouvet for hosting the meetup and sponsoring the pizza!
#ToyFail: Is your child safe from the Internet of Things?
Martin Gravråk - Software Developer & Kristian Løken Wille - IT Consultant @ Bouvet
Security and Privacy are two major concerns with the Internet of Things, and are especially important when children are involved. In this session, we’ll tell you what happened when the Norwegian Consumer Council asked us to investigate the inner workings of a selection of internet connected toys. Our findings shocked both us and our customer, and led to worldwide media coverage. We’ll share our methods for testing the toys, and show you examples of what we found. You’ll also learn about various techniques for finding out how secure your own devices are, what these devices know about you and where this information ends up. There will be demonstrations on how we use tools like Fiddler, Wireshark and decompilers, there will be movies and there will be toys!
The talk will be held in Norwegian.
Broken crypto is broken
Erlend Oftedal
We are using an increasing amount of crypto in our code to protect our assets. However, we can easily go wrong if we don’t know how to use it correctly. In this talk we will look at what can go wrong when crypto is used the wrong way. We will NOT dive into the algorithms themselves, but look at what the different primitives give us and what happens when our expectations are wrong.
26 January 2017, 17:00 - 19:30
Location: Teknologihuset
Meetup event: https://www.meetup.com/OWASP-Norway/events/236787346/
Bug bounties with Frans Rosén
Bug bounties – What, how and why?
Going through the current state of bug bounties: what is it really? How do you start, and why? Frans, as one of the top-ranked hackers on HackerOne and Bugcrowd, will give some insights and share some advice on getting started, together with some examples of fun bugs. (30 min)
DNS hijacking using cloud providers – no verification needed
A few years ago, Detectify did a blog post regarding domain hijacking using services like AWS, Heroku and GitHub. These issues still remain and are still affecting a lot of companies, and many tools for finding these vulnerabilities have popped up since this went public.
However, there are many more ways to hijack domains, nameservers and DNS providers. The tools out there are missing these cases completely. Frans will go through both the currently disclosed and the non-disclosed ways to take control over domains and will share the specific techniques involved. (50 min)
Frans Rosén is a knowledge advisor at Detectify and also spends a lot of his time doing bug bounties, and let’s just say he is quite successful at that.
Big thanks to Schibsted Products & Technology for sponsoring pizza for the meeting
30 November 2016, 17:00 - 19:30
Location: Domus Nova auditorium 7, St. Olavs plass 5, Oslo
Meetup event: https://www.meetup.com/OWASP-Norway/events/235670341/
17:00-17:30 - Pizza sponsored by Microsoft
17:30-18:15 - The Cyber Threat Intelligence Matrix: A simple incident response decision model
Speaker: Frode Hommedal (https://4sics.se/speakers/frode-hommedal.html)
Frode Hommedal is a senior incident responder and threat analyst. He is currently head of incident response and security analysis at Telenor CERT, where he’s part of the team that is establishing the global CERT/SOC capability of Telenor, Norway’s biggest telco. He has previously worked seven years for the Norwegian national CSIRT, NorCERT. One of Frode’s main interests is to model CSIRTs to improve efficacy and performance.
18:15-19:00 - The downloaders (“Nedlasterne”)
Speaker: Einar Otto Stangvik (https://www.linkedin.com/in/einaros)
Einar works with journalism research and data security at Verdens Gang (VG). “Nedlasterne” (the downloaders) is now a three-year-old project. In this presentation Einar sums up the (interdisciplinary) techniques and experiences used to expose the downloaders.
1 November 2016, 18:00 - 20:00
Location: mnemonic, Wergelandsveien 25, Oslo
Meetup event: https://www.meetup.com/OWASP-Norway/events/234968368/
Personal security
You are one of the most significant security threats to your company. We all know we are going to fix better passwords / encryption / firewalls / etc. one day. Getting properly hacked is one of those things that is a lot more comfortable to prevent beforehand than to gather the shattered pieces afterwards. In this talk, we will take a practical approach to good personal digital security. We will start with the easy parts before drilling through the layers of security, down to the parts that are unpredictable and dangerous. Bring your laptop and a tin foil hat.
Topics include: What it’s like to get properly hacked. Using password managers. Operating system security. Browser security. Encryption, firewalls, factors, and other means of protection.
Michael Johansen is a software consultant at Knowit during the day and a startup founder during the night. At NTNU I studied entrepreneurship, computer science and psychology. During my studies I also took a year off to be a board member at NTNU’s Board of Directors. As part of my startup venture I’ve gotten first-hand experience with the startup scene in both Boston and in Silicon Valley. Humans and machines are the two things that interest me the most. I’m a bit systematic. I care more than most people about personal security, and it’s a topic on which I’d like to share my insights.
Hacking with Hardware: Tools for Physical Intrusion and Persistent Network Access
Reading about the latest zero-day vulnerabilities can be fun (or scary), but what about known vulnerabilities from years or even decades ago? When it comes to technologies like USB, wireless mice and access cards, many old vulnerabilities are still around, largely ignored in risk assessments and easier than ever to exploit in style, due to the availability of versatile, low-cost hardware gadgets. If humans are tool-using animals, hackers are gadget-using humans. In this presentation attendees will see examples of real physical and short range wireless attacks that will work against most organizations to bypass security controls and gain persistent physical access to the target facility and its network. Yes, billions of people can attack you from the Internet—that doesn’t mean you should forget about the ones who walk through the front door.
Ryan Mattinson is a penetration tester and managing consultant in KPMG Norway’s cyber defence practice. He will share stories from the trenches and introduce some of his favorite gadgets anyone can buy online or easily build at home to get into a target organization’s buildings and onto their network.
24 August 2016, 16:30 - 19:00
Location: SpareBank1, Hammersborggata 2, Oslo
Meetup event: https://www.meetup.com/OWASP-Norway/events/232698579/
General assembly and member meeting - social engineering
Amateurs hack systems, professionals hack people. — Bruce Schneier
August is about social engineering! First you can join in hacking the OWASP Norway Chapter through our general assembly, with approval of a new board. Then speaker Kai Roer will take us on a journey into the psychology that makes us humans so easy to hack, and how the personality types we find in the organisation affect security. What good is two-factor authentication if full access is one phone call away?
It is possible to show up directly for the pizza and the member meeting.
Agenda:
- 16:30-17:00 General assembly - approval of new board
- 17:00-17:30 Pizza
- 17:30-19:00 Social Engineering and The Psychology of Security / Kai Roer
General assembly 2016 - minutes
Agenda
- Election of meeting chair and secretary
- Approval of the agenda
- Approval of new board
Minutes: Bjarte Østvold was elected meeting chair. Erlend Oftedal was elected secretary. Approved by acclamation.
Nomination:
- Leader: Erlend Oftedal (re-elected)
- Treasurer: Asbjørn Thorsen (previously board member)
Board members:
- Jostein Tveit (re-elected)
- Jon Are Rakvåg (re-elected)
- Tor E Bjørstad (new)
- Ståle Pettersen (new)
Nomination committee:
- Bjarte M. Østvold (re-elected)
- Jøran Lillesand (re-elected)
- Joakim Tørmoen (new)
Approved by acclamation
7 June 2016, 17:00 - 19:00
Location: Oslo Spectrum
Meetup event: https://www.meetup.com/OWASP-Norway/events/231166845/
NDC Community Tuesday
NB! You must also register here (free): https://www.eventbrite.com/e/ndc-community-tuesday-2016-tickets-24643781213
NDC have graciously allowed us to borrow some speakers as a part of NDC Community Tuesday.
17:30 - 18:15 - Moriarty Hacking in 2016 - Chris Dale
Your solution is deployed in the cloud, it should be secure. After all, it only exposes a simple login field, and it has already been scrutinized by penetration testers for vulnerabilities. It should be safe… But it wasn’t! You still got owned, and you got owned BIG TIME! This talk will show how a criminal advances through a seemingly hardened solution, fully compromising it. The talk will demonstrate how the attacker takes over a customer’s entire domain, but also how the attacker is able to in fact compromise the cloud solution itself, attacking the IaaS infrastructure provider.
18:15 - 19:00 - CSP: RIP XSS - Christian Wenz
Cross-Site Scripting is one of the main risks for web applications - a position it has held for over a decade! With Content Security Policy, this threat may finally find its end. The W3C standard provides techniques to close many XSS vectors, offers fine-grained control over the security limitations you impose, and enjoys decent browser support. We will show what CSP is capable of, focusing on new features in CSP 2, and also discuss how you may need to refactor your website.
18 April 2016, 18:30 - 20:00
Location: Schibsted Products & Technology, Apotekergata 10, Oslo
Meetup event: http://www.meetup.com/OWASP-Norway/events/230205922/
OWASP theme meeting on security in medical-technical equipment
Thanks to Schibsted Products & Technology for sponsoring food and venue!
Marie Moe: With the heart on the Internet - Security in the medical IoT
About the talk: Our dependence on software-controlled systems is growing faster than our ability to secure those systems. When all our “gadgets” are connected to the network, the attack surface grows and our assets become vulnerable to hacking. This is not only a threat to information security and privacy; people’s lives and health are also threatened when devices that can affect physical systems are increasingly connected to the Internet. Marie Moe depends on a medical implant, a pacemaker that makes her heart beat and keeps her alive. As a security expert she wanted to find out more about the information security of this computer inside her own body. She found the pacemaker’s technical manual and was surprised to learn that it had functionality for connecting to a medical “Internet of Things”. The software in the pacemaker and in the devices it could communicate with wirelessly was proprietary and inaccessible. Marie therefore started a hacking project to find out about the security of her own personal critical infrastructure.
About the speaker: Marie Moe has a master’s degree in mathematics/cryptography and a PhD in information security. Marie has experience as section head at NSM NorCERT, Norway’s national centre for handling serious cyber attacks. She now works as a researcher in information security at SINTEF IKT and teaches at NTNU. In her spare time Marie is involved in the grassroots organisation “I Am The Cavalry”.
Preben Gustavsen: Use of medical-technical equipment (MTU) in the health sector
About the talk: The health service relies increasingly on technology, and developments show that technology is moving closer to the patient. When medical-technical equipment (MTU) is used, high quality requirements apply in order to ensure precise diagnoses and correct measurement results. Since the information processed is often sensitive personal data, strict information security requirements also apply. In some cases patients’ health depends directly on well-functioning MTU.
Information security requirements change when MTU is adapted to a modern infrastructure with integrations, both to make patient treatment more efficient and to give health personnel better support. At the same time, patients’ expectations of the health service’s use of modern technology are increasing.
In such a situation several factors affect the overall security level. In this talk I will point to some general factors that affect the overall security level of MTU, such as:
- The relationship with national and international suppliers
- Challenges and opportunities when health personnel become entrepreneurs
- Dependencies between software, operating system and adjacent software
- The need for infrastructure that can support a broad service portfolio
Finally, I will tie the need for information security to questions of patient safety and the management of MTU.
About the speaker: Preben Gustavsen has about 15 years of experience with risk in the use of technology, across roles as adviser in governance and control, programmer, systems developer, security architect and auditor. Preben holds a Bachelor of IT from Queensland University of Technology and has education from the former Polytekniske Høgskole. Preben is now an adviser in information security and internal control at Sopra Steria.
Information security and medical-technical equipment
16 March 2016, 18:00 - 20:00
Location: Brønnøysundregistrene’s premises, Grev Wedels plass 9, 2nd floor
Meetup event: http://www.meetup.com/OWASP-Norway/events/229436674/
Thanks to Brønnøysundregistrene for providing the venue and thanks to Sopra Steria for sponsoring pizza for the meeting!
Biometric authentication: Good (?) UX, but easy to make UX/security mistakes
Summary: Per Thorsheim waited 1 year, 3 months and 12 days for his biometric wristband. It took <1 hour to find the weaknesses. Biometric authentication has long been predicted to replace passwords, but the truth is that biometrics still suffers badly from teething problems. The presentation will show 3 different products where biometrics ruins UX and security, and what can and should be done to do things properly. Bio: Per Thorsheim is an independent security adviser in Bergen. He runs PasswordsCon, he got the world to adopt RFC 3207, and he helped Facebook put PGP support in place. He believes better security can be achieved through better usability.
https://godpraksis.no/ https://linkedin.com/in/thorsheim
With a little help from my friends, …. an approach to full-scale crisis and emergency preparedness exercises. Case: Exercise “Beneth the cover, autumn 2014”. Summary: Raymond Hagen, 36 years old. Security manager for Altinn at Brønnøysundregistrene. Also a staff officer in the local Home Guard district. Has an academic background in security related to infrastructure and development, but currently works mostly on incident handling, documentation and emergency preparedness. Has strong interests in culture and history, and spends a lot of time travelling somewhat “off the beaten track”.
Panel debate. Moderator: Erlend Oftedal. Participants: Runa Sandvik, Per Thorsheim, Raymond Hagen. We use Slido to submit questions to the panel debate. This is a tool where you can submit questions to the panel and upvote existing questions you want debated. It is wise to think through questions for the panel in advance. The PIN code for Slido will be given at the venue.
Runa A. Sandvik is a privacy and security researcher, working at the intersection of technology, law and policy. When she is not hacking rifles (https://www.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change-target/) or writing articles for Forbes (https://www.forbes.com/sites/runasandvik/), she teaches digital security to journalists and helps media organizations improve their security posture.
19 November 2015, 17:00 - 19:00
Location: Room Alfa & Omega at Norsk Regnesentral; NR is on the 4th floor of Kristen Nygaards hus, Gaustadalleen 23a, 0373 Oslo - also known as “the old IFI building” at UiO
Registration: http://www.meetup.com/OWASP-Norway/events/226703923/ or send an email to [email protected]
Agenda: http://www.meetup.com/OWASP-Norway/events/226703923/
16 September 2015, 17:00 - 19:30
Location: Teknologihuset, Pilestredet 56, Oslo, main hall
Registration: http://www.meetup.com/OWASP-Norway/events/225200078/ or send an email to [email protected]
Agenda: http://www.meetup.com/OWASP-Norway/events/225200078/
7 May 2015, 17:30 - D-Fens
Location: Forskningsveien 3b, Oslo
Registration: http://www.meetup.com/OWASP-Norway/events/221907724/ or send an email to erlend.oftedal(æt)owasp.org
Agenda: http://www.meetup.com/OWASP-Norway/events/221907724/
Slides: Defender Economics
General assembly
Time: Monday 13.04.2015
Location: Mnemonic, Wergelandsveien 23
- Election of new board for OWASP Norway
The following board was elected by acclamation:
- Chair: Erlend Oftedal [email protected] (Re-elected)
- Treasurer: Kåre Presttun [email protected] (Re-elected)
- Board member: Audun Dragland [email protected] (New)
- Board member: Jostein Tveit [email protected] (New)
- Board member: Asbjørn Thorsen [email protected] (New)
- Board member: Jon Are Rakvåg [email protected] (New)
- Board member: Åsmund Skomedal [email protected] (New)
Nomination committee:
- Bjarte Østvold [email protected] (New)
- Jøran Vanby Lillesand [email protected] (New)
- Markus Harboe [email protected] (Re-elected)
- Any other business
Erlend presented Trello as a tool for the board members to organise future member meetings and proposed Teknologihuset as a permanent venue.
26 June 2014, 17:00
Responsible: Erlend Oftedal, tel: 98219335
Sponsor: N/A
Address: Teknologihuset, Pilestredet 56
Agenda: Hacking with Unicode
Tweetdeck was XSSed using unicode in June 2014. If you want to understand how these kinds of attacks work, you should really come see this talk.
If you think you know how unicode is handled in JavaScript, server-side code and databases, you should come see this talk.
If you don’t care about unicode, you really need to see this talk.
Hacking with Unicode
This presentation explores common mistakes made by programmers when dealing with Unicode support and character encodings on the Web. For each mistake, I will explain how to fix/prevent it, but also how it could possibly be exploited.
Speaker: Mathias Bynens is a Belgian web standards freak. He likes HTML, CSS, JavaScript, Unicode, performance, and security. At Opera Software he’s a member of the Developer Relations team.
3 March 2014, 16:00
Responsible: Erlend Oftedal, tel: 98219335
Sponsor: N/A
Address: Teknologihuset, Pilestredet 56
Agenda: Internet of Things
The overall theme of the meeting is “internet of things”
Einar Otto Stangvik is coming to talk about usikkert.no, a search engine for Norwegian IP addresses. You can read more about it here: https://usikkert.no/about
Full agenda and description will follow a little later.
7 February 2013, 17:00
Responsible: Erlend Oftedal, tel: 98219335
Sponsor: Bouvet and Secode
Address: Bouvet, Sandakerveien 24
Agenda: Crossing Origins by Crossing Platforms
We are honoured to be visited by Jonas Magazinius ( @internot_ )
Agenda:
- A language based approach to securing mashups
- Food
- Crossing origins by crossing formats
“A language based approach to securing mashups”
15 years have passed since the “same-origin policy” (SOP) was introduced, with the purpose of controlling the interaction between web sites. Web sites of today, in particular so-called mashups, differ radically in how they interact compared to 15 years ago, and the SOP has become an obstacle that needs to be circumvented. Despite numerous hacks and efforts to control interactions in a secure manner, this problem continues to be challenging. On-going research at Chalmers investigates using language-based techniques to control the flow of information, and by doing so maintaining the high level of interaction without making compromises in security.
“Crossing Origins by Crossing Formats”
In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. We identify the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretations of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up insecure communication across Internet origins.
Jonas Magazinius is a PhD student in the Language-based Security group at Chalmers University of Technology. The focus of his research is information-flow in mash-up web applications. Jonas is specialized in web application security, but is interested in most aspects of security. When not immersed in JavaScript, Jonas helps organize events in the OWASP Gothenburg chapter.
Monday 18 October 2012, 17:00
Responsible: Erlend Oftedal, tel: 98219335
Sponsor: Bekk
Address: Bekk Consulting AS
- 17:00-17:45 - Secure electronic voting? - Security assessment of the E-valg system - Emilie and Fredrik from Combitech
In the autumn of 2011, electronic voting took place in Norway for the first time. The system used for voting is named E-valg and was developed by EDB ErgoGroup and Scytl during 2010 and 2011.
The security of an electronic voting system is crucial for a fair, free and transparent election process. In addition, people must be able to trust the system enough to use it. Security has been an important part of the E-valg project from the design phase to the implementation of the final production system. Combitech had the role of independent security assessor and has been performing design review, code review and penetration tests of the E-valg system. We will present the security assessment process, the design of the security solution and some details about the tests and the results.
This presentation will be in English
- 17:45-18:15 - Food
- 18:15-18: - Uninstall Java now! - Jostein Tveit
Exploitation of vulnerabilities in Java is becoming one of the most common ways for an attacker to take over a PC. At the same time, most of us browse the web with Java applets enabled in the browser. Can we trust that the sandbox technology makes web surfing safe? This lightning talk tries to answer why exploitation of Java vulnerabilities is now in fashion, and you will see both attack code and a demonstration of how a security hole in Java can be exploited.
24 April 2012, 19:30
Responsible: Erlend Oftedal
Sponsor: -
Address: Mesh Norway, Tordenskiolds gate 3
The theme this time is security in mobile applications. There will first be an introduction, then Martin Knobloch from OWASP Netherlands will talk about iGoat and GoatDroid, and then share experiences from a code review.
Slides:
- OWASP Mobile Top 10 - Ståle Pettersen
- OWASP Mobile - Martin Knobloch
19 March 2012, 17:00
Responsible: Erlend Oftedal
Sponsor: F5
Address: The Dubliner
“Web Application Access Control Design Excellence”, Jim Manico
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and “fail open” access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.
30 November 2011, 18:30
Responsible: Erlend Oftedal
Sponsor: TBA
Address: Hackeriet at Hausmannsgate 34, Oslo
Agenda: Shodan
Joint member meeting with Hackeriet (http://www.meetup.com/hackeriet/)! “Let me Shodan that for you…“, Eireann Leverett. Workshops are fun. Let’s have one.
Bring your laptop and willingness to write ten simple lines of code in Perl, Python, or Ruby. Even if you can’t code, come by and learn to use Shodan the computer search engine through the web interface. While the speaker will share a tiny bit of what he did with this tool, the focus will be on what you could be using it for…this is an interactive workshop, not a boring seminar.
Keywords for interest: banner grabbing, network scanning, application deployment profiling, security research, geolocation, security visualisation, network exploration, open source intelligence, fun.
Eireann Leverett spent six months working with ‘Shodan the computer search engine’. It’s an under-rated tool that was developed by John Matherly. John has given you a surprisingly big gift, why not learn to use it?
27 October 2011, 17:00 - 19:00
Responsible: Erlend Oftedal, tel: 98219335
Sponsor: Universitetet i Oslo
Address: Universitetet i Oslo, Forskningsveien 3B
Agenda:
- 17:00-17:15 Next Generation Clickjacking demo - Geir Harald Hansen
- 17:15-17:45 Experiences as pentesters. 2 exciting demos at the end if time permits. Keywords: brute-forcing and Burp Suite - Asbjørn Reglund Thorsen
- 17:45-18:15 Break with pizza
- 18:15-19:00 AppSensor - Jøran Lillesand - How can the application itself be made able to recognise when it is under attack? And what can it do about it?
21 June 2011, 17:00 - 19:00
Responsible: Erlend Oftedal, tel: 98219335
Sponsor: BEKK
Address: Akershusstranda 21, Vippetangen
Agenda:
- 17:00-17:45 Selected topics from OWASP AppSecEU
- 17:45-18:15 Break with pizza
- 18:15-19:00 “Endpoint security & mobility” - Carsten Maartmann-Moe “An adversary’s physical access to a mobile device often makes existing security controls fail - why? This speaking session will demonstrate creative methods to exploit endpoints - that is, mobile units. It will include hands-on demonstrations of coldboot attacks, hacking through FireWire and how to locate encryption keys in mobile device RAM. Potential countermeasures are outlined, and we’ll focus on why end point security is important - and difficult.”
General assembly: 12 May 2011, 17:00 - 17:15
Responsible: Kåre Presttun, tel: 4100 4908
Sponsor: mnemonic as
Address: Wergelandsveien 25
Agenda:
- Approval of the notice of meeting
- Annual report 2010/2011
- Any other business
- Election
Annual report 2010/2011
Since the general assembly on 8 April 2010 we have had 5 member meetings, including tonight’s, and there have mostly been between 10 and 25 participants at the meetings. One meeting, Thursday 3 June 2010, was cancelled. On Monday 10 May 2010 and Tuesday 22 March 2011 there were meetings together with other “Communities” under the name Communities in Action at Radisson Blu Hotel.
The board during the period has consisted of:
- Kåre Presttun (chair)
- Erlend Oftedal (treasurer)
- Harald Øygard (board member)
- Knut Vidar Siem (board member)
- Jøran Lillesand (deputy member)
and the nomination committee has consisted of:
- Åsmund Skomedal
- Markus Harboe
There have been no activities requiring separate finances in the local chapter, so there is nothing to report financially. All activity so far has been sponsored by the hosts of the various meetings. There has been no other activity. We have USD 3808 in an account with Kate Hartmann that can be used for various projects. One example of such a project is tonight’s speaker, who is paid via OWASP Norway’s account with Kate through the project OWASP on the Move.
This concludes the chair’s report.
Oslo 12/5-2011
Kåre Presttun, Chair, OWASP Norway Chapter
12 May 2011, 17:15 - 19:15
Responsible: Kåre Presttun, tel: 4100 4908
Sponsor: mnemonic as
Address: Wergelandsveien 25
Slides:
Agenda:
- 17.15 - 18.00 The Image that called me - Security impact of Scalable Vector Graphics on the WWW - Mario Heiderich
Scalable Vector Graphics are about to conquer the web. Unlike most of their raster based companions from the GIF, PNG and JPEG family, their vector based structure allows them to be displayed on many different devices with various screen sizes without losing visual information. The open XML based SVG sources permit the addition of meta data, helping even the visually impaired and blind to get the most out of these images. Additional modules, such as animations, events, SVG fonts, several scripting APIs and inclusion of hyper-links, other images and documents and even arbitrary content from cross-domain sources make SVG the perfect image format for the future WWW.
Nevertheless, a powerful standard such as SVG certainly poses a lot of risks. This presentation provides a close look at SVG from a security perspective. How can attackers abuse this mighty image format, which ways exist to execute script code and worse, and what should web developers and browser vendors consider when dealing with SVG? How will HTML5 change the way we work with SVGs, and why does it matter for security professionals to know about things like SVG Tiny, in-line SVG, SVGz and other acronyms from a world where imaging and scripting collide? Besides many examples of malicious SVGs the talk will shed light on a novel filtering tool capable of filtering and sanitizing SVG images without loss of important content.
- 18.00 - 18.30 Food
- 18.30 - 19.15 Locking the Throne Room - ECMA Script 5, a frozen DOM and the eradication of XSS - Mario Heiderich
Cross Site Scripting has been a topic in countless presentations over the last decade. That easy-to-grasp but hard-to-solve problem has been shaking the web and caused major trouble on hundreds to thousands of high-traffic commercial as well as governmental websites. Mitigation techniques have been developed and discussed in depth - starting with restrictive content filters, educational programs and trainings, programmers' best practices and guidelines, proxy filters and many more. Still, XSS remains a major problem far from being solved. The multilayer model on which the web relies causes too much reciprocity to find an easy cure - and the DOM, as the layer actually affected, still lies unprotected and open to the attacker.
This presentation introduces and discusses a novel approach to countering XSS and similar attack techniques by making use of several new features included in the ECMA Script 5 specification draft. It will be shown how to create a simple JavaScript to seal important DOM properties and take away the attacker's ability to read and modify sensitive data in a tamper-resistant and lightweight way - without being "too loud". Modern browsers, such as Chrome 8 and Firefox 4, for the first time provide the possibility of creating and using client-side IDS/IPS systems, written in JavaScript and running without special execution privileges. The presentation will show how these work, what the implications are, and what the future of XSS mitigation and eradication might look like.
Speaker: Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany, as well as for Microsoft, Redmond, and currently focuses on HTML5, SVG security and the security implications of the ES5 specification draft while finishing his PhD thesis. Mario initiated the HTML5 security cheat sheet and maintains the PHPIDS filter rules. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of Web Application Obfuscation: '-/WAFs..Evasion..Filters/
22 March 2011, 16:00
Responsible: Kåre Presttun
Sponsor: Communities in Action 2011
Address: Radisson Blu Hotel, Holbergsgt. 30
This meeting is in cooperation with Communities in Action 2011. OWASP Norway Chapter participates together with javaBin, Kode kata, XP meetup, Framsia, Makers, Cocoaheads, NNUG and Oslo Lean Meetup. This is an exciting opportunity to mingle with other "communities".
Programme:
- 16:00 - 17:30 Light refreshments
- 17:30 - 19:30 Parallel sessions
- 20:00 - 21:00 Panel debate
- 21:00 onwards: Mingling in the Skybar
Detailed programme for CiA 2011 here
1 September 2010, 17:00 - 19:00
Responsible: Knut Vidar Siem. Sponsor: Itera Consulting (formerly Objectware). Address: Sognsveien 77 A-B, 0806 Oslo
- Securing Web Services with OpenSSO — Mario Aparicio
- Security by clarity — Knut Vidar Siem
Food will be served at the meeting.
3 June 2010, 17:00 - 19:00 - CANCELLED
Responsible: Kåre Presttun. Sponsor: mnemonic as. Address: Wergelandsveien 25, 0167 Oslo
- 17.00 - 17.45
- 17.45 - 18.15 Food
- 18.15 - 19.00
10 May 2010, 18:00 - 23:00
Sponsor: Communities in Action 2010. Address: Radisson Blu Hotel, Holbergsgt. 30
This meeting is in cooperation with Communities in Action 2010.
General assembly: 8 April 2010, 16:30 - 17:00
Agenda:
- Approval of the notice of meeting
- Annual report 2009/2010
- Any other business
- Elections
Annual report 2009/2010
The number of members on our mailing list has been rising steadily; at the time of writing there are 134 members, 19 on digest and 115 on direct mail.
Since the general assembly on 4 June 2009 we have held 7 member meetings, including tonight's, and there have mostly been between 10 and 25 attendees at the meetings. In addition we had a social round of OWASPils on 3 December 2009.
The board during the period has consisted of:
- Kåre Presttun (chair)
- Erlend Oftedal (treasurer)
- Harald Øygard (board member)
- Knut Vidar Siem (deputy member)
and the nomination committee has consisted of:
- Åsmund Skomedal
- Markus Harboe
There have been no activities requiring the local chapter to have its own finances, so there is nothing to report financially. All activity so far has been sponsored by the hosts of the various meetings. There has been no other activity. We have USD 2020 in our account with Kate Hartmann that can be used for various projects.
In May there will be a meeting together with other "Communities" under the name Communities in Action. In that connection a roll-up and a stand have been ordered so that we can have an information stand in the common area. Two complete sets of OWASP books have also been ordered for the stand. Some of this will be charged to our central account.
OWASP Norway Chapter is represented by Kåre Presttun on the organising committee for AppSec Europe 2010, which will take place in Aula Magna, Stockholm University, 21-24 June 2010. In this connection Kåre has been involved in selecting courses for the first two days and talks for the conference itself.
That concludes the chair's report.
Oslo, 6/4-2010
Kåre Presttun, Chair, OWASP Norway Chapter
8 April 2010, 17:00 - 19:00
Responsible: Erlend Oftedal. Sponsor: BEKK. Address: Skur 39, Vippetangen
Agenda:
- 17.00 - 17.45 Web Security Dojo, download and install in advance
- 17.45 - 18.15 Food
- 18.15 - 19.00 Web Security Dojo
Contact: Erlend Oftedal, 98219335
4 March 2010, 17:00 - 19:00
Responsible: Knut Vidar Siem. Sponsor: Objectware. Address: Sognsveien 75z, 0806 Oslo
Agenda:
- 17.00 - 17.45 Communities in Action 2010 planning
- 17.45 - 18.15 Food
- 18.15 - 19.00 Meeting planning - March 2010
4 February 2010, 17:00 - 19:00
Responsible: Kåre Presttun. Sponsor: Bouvet ASA. Address: Sandakerveien 24C D11, Oslo
Agenda:
- 17.00 - 17.45 Security in Flash, Erlend Oftedal
- 17.45 - 18.15 Food
- 18.15 - 19.00 Open discussion. Knut Vidar and any others interested will spend some time on the security of Spring's web demo application, Petclinic.
Contact: Arnar Lundesgaard
7 January 2010, 17:00 - 19:00
Responsible: Kåre Presttun. Sponsor: Buypass AS. Address: Nydalsveien 30A, Oslo
Agenda:
- 17.00 - 17.45 "Security in HTML5 and Google Gears offline applications", Anja Svartberg
- 17.45 - 18.15 Food
- 18.15 - 19.00 "Walkthrough of Promon Shield", Lars Egil Sætrang (Promon)
Contact: John Arild A. Johansen
3 December 2009, 18:00
OWASPils, Oslo Mikrobryggeri
12 November 2009, 17:00 - 19:00
Responsible: Kåre Presttun. Sponsor: mnemonic as. Address: Wergelandsveien 23, 0167 Oslo
Agenda:
- 17.00 - 17.45 "Security in rich internet applications", Øyvind Mengshoel Reistad
- 17.45 - 18.15 Food
- 18.15 - 19.00 Open space discussion: think through the topics you want to discuss in advance
Contact: Harald Øygard, tel: 9825 6072
8 October 2009, 17:00 - 19:00
Responsible: Kåre Presttun. Sponsor: Sparebank 1. Address: Hammersborggata 2, 0181 Oslo
Agenda:
- 17.00 - 17.45 "From finding to vulnerability", Carsten Maartmann-Moe (Ernst & Young)
- 17.45 - 18.15 Food
- 18.15 - 19.00 "Input validation in Spring Web MVC", Knut Vidar Siem (Objectware)
3 September 2009, 17:00 - 19:00
Responsible: Erlend Oftedal. Sponsor: BEKK. Address: Skur 39, Vippetangenkaia, 0150 Oslo
Agenda:
- 17.00 - 17.45 "Malware analysis", Einar Oftedal (NSM)
- 17.45 - 18.15 Food
- 18.15 - 19.00 "Click-jacking", Torgeir Thoresen
Watchcom was unfortunately unable to attend after all; hopefully they will return on a later occasion.
4 June 2009, 16:30 - 17:00
General assembly
Kåre Presttun welcomed everyone and presented the annual report for 2008/2009. There were no comments on the annual report.
Elections followed. The nomination committee, represented by Markus Harboe and Åsmund Skomedal, proposed re-election of the sitting board, which was adopted by acclamation. Kåre Presttun then proposed re-election of the nomination committee, which was also adopted by acclamation. The meeting was thereby closed.
Annual report 2008/2009
The number of members on our mailing list has been rising steadily; at the time of writing there are 113 members, 20 on digest and 93 on direct mail.
Since the general assembly on 28 April 2008 we have held 7 member meetings (8 including tonight's), and there have mostly been between 10 and 25 attendees at the meetings.
The board during the period has consisted of:
- Kåre Presttun (chair)
- Erlend Oftedal (treasurer)
- Harald Øygard (board member)
- Knut Vidar Siem (deputy member)
and the nomination committee has consisted of:
- Åsmund Skomedal
- Markus Harboe
There have been no activities requiring the local chapter to have its own finances, so there is nothing to report financially. All activity so far has been sponsored by the hosts of the various meetings. There has been no other activity.
After communication with John Wilander (OWASP SE) and Ulf Munkedal (OWASP DK), there is agreement to arrange AppSec Europe 2010 as a joint OWASP Scandinavian conference. John Wilander has obtained OWASP's approval for them to host the conference, which will probably take place in Aula Magna, Stockholm University, 21-24 June 2010.
This means that OWASP NO and OWASP DK will be involved in the following activities:
- Join the Organizing Committee (OC). Means you’re on the mailing list and share your opinions on issues brought up there.
- Help out in finding sponsors, good talks, research papers, and attendees
- Communicate conference info to your chapters and press releases to media in Norwegian/Danish
That concludes the chair's report.
Oslo, 4/6-2009
Kåre Presttun, Chair, OWASP Norway Chapter
4 June 2009, 17:00 - 19:00
Responsible: Knut Vidar Siem. Sponsor: Mnemonic AS. Address: Wergelandsveien 23, 0167 Oslo
Agenda:
- 17.00 - 17.15 About OWASP AppSec Europe 2009
- 17.15 - 18.00 Repeat from AppSec Europe 09: Leveraging agile to gain better security, Erlend
- 18.00 - 18.25 Food
- 18.30 - 19.00 Report from some of the talks at OWASP AppSec Europe 2009, Affi/Markus
The vote on which day of the month we should hold meetings ended with the first Thursday of the month.
7 May 2009, 17:00 - 19:00
Responsible: Kåre Presttun. Sponsor: Mnemonic AS. Address: Wergelandsveien 25, 0167 Oslo
Agenda:
- 17.00 - 18.00 Discussion
- 18.00 - 18.25 Food
- 18.30 - 19.00 Discussion
Discussed at the meeting:
- Selected questions from [[Sikkerhet_i_hverdagen_1#Ikke_tatt_opp]]
- Notes from the meeting [[Sikkerhet_i_hverdagen_2]]
25 February 2009, 17:00 - 19:00
Responsible: Knut Vidar Siem. Sponsor: Objectware. Address: Sognsveien 75z, 0806 Oslo
Agenda: For this meeting we are not planning any talks. Instead we want a more interactive gathering where we discuss the security-related challenges we meet in our daily work and how we can solve them. Please try to include your role in the question/challenge so that it is a little easier to understand the situation. Also include your name so that the topic can be elaborated or clarified at the meeting. And remember: we are doing this to help each other!
- 17.00 - 17.10 Prioritisation
- 17.10 - 18.00 Discussion
- 18.00 - 18.25 Food
- 18.30 - 19.00 Discussion
Discussed at the meeting: [[Sikkerhet i hverdagen 1]]
26 November 2008, 17:00 - 19:00
mnemonic AS provided the venue and food. The venue was: Litteraturhuset, Wergelandsveien 29, 0167 Oslo
Agenda:
- 17.10 - 17.45 Kåre Presttun - Experiences and lessons from the OWASP EU Summit in Portugal
- 17.45 - 18.05 Alf-Ivar Holm - Demo of ratproxy
- 18.05 - 18.25 Break with food (the house lapskaus)
- 18.25 - 18.45 Harald Øygard - What can we in Norway contribute to OWASP projects in general? Examples and discussion.
- 18.50 - 19.15 Markus Harboe - Threat modelling experiences
29 October 2008, 17:00 - 19:00
Many thanks to USIT for providing the venue and pizza. The address is: Forskningsveien 3b, Blindern
Lightning talks
- 17.10 - 17.20 Harald Øygard - "Paros"
- 17.25 - 17.35 Asbjørn Thorsen - "IT security at UiO"
- 17.40 - 17.50 Knut Vidar Siem - "Input validation"
- 17.50 - 18.10 Break with pizza
- 18.10 - 18.20 Geir Harald Hansen - "CSRF: attacks and defences"
- 18.25 - 18.35 Arne Berner, Visiti - "The Personal Data Act & centralisation and outsourcing of operations"
- 18.40 - 18.50 Alf-Ivar Holm - "Burp Proxy"
- 18.55 - 19.05 Erlend Oftedal - "Virus hunting"
30 September 2008, 17:00 - 19:00
Venue: Bouvet, Sandakerveien 24c, Bygning d11, Boks 4430 Nydalen
- 17:00 - 17:45 - PCI DSS - overview and web security, Kåre Presttun
- 17:45 - 18:00 - Break
- 18:00 - 18:45 - Repeat from JavaZone: Security in Norwegian web applications - Markus Harboe and Erlend Oftedal
27 August 2008, 17:00 - 19:00
The meeting was hosted by Objectware, who also provided pizza.
- 17:00 - 17:45 - Security testing of AJAX applications - Ole Jacob Eriksen
- 17:45 - 18:00 - Break
- 18:00 - 18:45 - Cross Site Request Forgery - Erlend Oftedal
- 18:45 - 19:00 - Tooltip: Firefox as a security tool - Erlend Oftedal
28 May 2008, 17:00 - 19:00
The meeting was hosted by mnemonic as at Wergelandsveien 25, right by Slottsparken and two buildings up from Kunstnernes Hus. Parking is available.
- 17:00 - 17:30 - What is OWASP and what do they do, Kåre Presttun
- 17:30 - 17:45 - Short summary from AppSecEU08 in Ghent, Kåre Presttun
- 17:45 - 18:00 - Break (everyone)
- 18:00 - 19:00 - Short introduction to application security, Bård Farstad, eZ systems
28 April 2008
General assembly of OWASP Norway Chapter
Erlend Oftedal welcomed everyone and gave a short introduction to the website and mailing list. Kåre Presttun was then elected chair of the meeting and Markus Harboe minute-taker.
The notice of meeting was approved.
Kåre went through the proposed Norway Chapter bylaws. The bylaws were adopted.
The following were elected to the association's board:
- Kåre Presttun (chair)
- Erlend Oftedal (treasurer)
- Harald Øygard (board member)
- Knut Vidar Siem (deputy member)
Elected to the nomination committee:
- Åsmund Skomedal
- Markus Harboe
Bekk sponsored the general assembly with premises and refreshments.
2 April 2008
OWASP Norway founding meeting
Bjørvika Konferansesenter, 15:00-18:00, 2 April 2008
On 6 March Kåre Presttun sent out an invitation to 145 potential stakeholders. 21 people registered before the deadline and the following 16 people attended.
The agenda for the founding meeting was:
- 15:00 - Welcome. Approval of the agenda. Submitted proposals
- 15:10 - About OWASP
- 15:40 - Proposed bylaws
- 16:00 - Discussion and clarifications
- 16:45 - Appointment of an interim board
- 17:00 - First general assembly and the work ahead
- 17:15 - OWASP Guide and OWASP Top Ten
- 17:50 - Summary and comments
Kåre welcomed everyone and went through the agenda. There were no submitted proposals and the agenda was approved without comments. Kåre was elected chair of the meeting and Markus Harboe minute-taker.
Harald Øygard presented OWASP and gave an overview of its most important projects.
Kåre presented the proposed bylaws. After some discussion and minor changes we ended up with the bylaws that we invite the first general assembly to adopt.
Elected to the interim board:
- Kåre Presttun from mnemonic
- Harald Øygard from mnemonic
- Erlend Oftedal from Bekk
The interim board's task is to prepare for and issue the notice of the general assembly.
The way forward was then discussed. The goal is to hold the first general assembly by the end of April (tentatively Wednesday 29/4 at 16:00) and at the latest during May. Participants are encouraged to submit proposals for the final board. Arranging member meetings will be an important activity. It was proposed to hold relatively frequent member meetings at the start, to build up activity and lower the threshold for presenting interesting technical material. It was also proposed to hold member meetings in other university towns in addition to Oslo. Participants are encouraged to recruit new members and attendees for the general assembly. The initiators plan to send out a press release after the founding meeting.
Finally, Harald presented the OWASP Guide and the OWASP Top Ten.
mnemonic as sponsored the founding meeting and is a member of OWASP.
2024-08-26 - 2024-08-28: Application security track at Sikkerhetsfestivalen 2024
The OWASP Oslo chapter was responsible for the application security track at Norway's largest security conference in Lillehammer.
More information available at https://sikkerhetsfestivalen.no and full agenda at https://sikkerhetsfestivalen-2024.sessionize.com.
Tuesday 9:00 AM · 30 min · 3 - Scandic Victoria, Kongressal 1
FINN.no’s Secret Sauce: how we went from finding 15 vulnerabilities to over 100 per year!
Emil Vaagland - IT Security Manager @ FINN.no
Since 2019 FINN.no has tried a lot of different appsec tools and processes to improve our security. In this talk you will learn about the most effective of them all, namely our private bug bounty program. In terms of finding real vulnerabilities, this activity outshines any other appsec tool or process by a large margin; it enables us to find a lot more vulnerabilities than before at a fraction of the cost of traditional pen-testing. We will talk about how to run an effective bug bounty program and why it should be the key ingredient of your appsec program. We will also showcase some high-impact vulnerability reports we have received to show the real impact you can get from a bug bounty program.
Tuesday 9:45 AM · 30 min · 3 - Scandic Victoria, Kongressal 1
The security metric to rule them all: MTTR!
Ståle Pettersen - Head of Product & Application Security
You now scan everything! Great job! Now you have a huge pile of vulnerabilities scattered around in different scanners... what to do next? We'll see how we have put all vulnerabilities into one open source platform and created a single overview across all of your security solutions, why we believe our Mean Time To Remediation (MTTR) metric is the best security metric of them all, and how you can also start to track your MTTR.
Tuesday 10:45 AM · 30 min · 3 - Scandic Victoria, Kongressal 1
Secure code at DevOps speed: How security can drive non-functional requirements
Nora Tomas - Vipps MobilePay
Is security slowing down your development process for you as a developer? This talk aims to change that perception. We will present real case studies showcasing how systems with high security requirements can still be responsive, user friendly, and easy for developers to work with.
Learn about the security code patterns that enable development efficiency, user friendliness, and response speed, with examples from the Vipps MobilePay login system that handles over 1.2 billion user logins per year.
We’ll explore:
- How JWT tokens can aid developers with more than just authentication.
- How Zero Knowledge Proof can be utilised to achieve both increased security and user friendliness.
- An async-first strategy for implementing security features (such as blocking of users) while still keeping a system quick and responsive.
Tuesday 11:30 AM · 30 min · 3 - Scandic Victoria, Kongressal 1
Secure system integrations
Tobias Ahnoff - Application security specialist at Omegapoint
Integrations between backend services, without human interaction, are a requirement for most businesses.
Over the years this has been done in many ways, to fit both business requirements and relevant threat models. Some solutions are less secure than others, and integrations often introduce risk and attack vectors.
Based on experiences from both building integrations and performing penetration tests and security reviews, this presentation will look at some common solutions. Focus will be on authentication for integrations using HTTP, from custom API-keys and Basic Authentication to mutual TLS and OAuth 2.0 DPoP.
Tuesday 1:15 PM · 30 min · 3 - Scandic Victoria, Kongressal 1
Visualizing Access Control: Simplifying Testing for helsenorge.no
Davrondzhon Gafurov - Software Security
Access control is the heart of software security. Paradoxically, issues related to access control top the list in the OWASP Top 10. Effectively preventing and mitigating such issues requires a rigorous approach to testing access control.
However, comprehending the access control mechanism of a complex system like helsenorge.no, with millions of users and lines of code, is inherently challenging. Traditional methods involve reading extensive textual requirements or delving into low-level code details and database tables. To overcome these challenges, adhering to the principle that "a picture speaks a thousand words", we developed a holistic and graphical representation of helsenorge.no's intricate access control mechanism, the so-called Access Control Tree (ACT). The ACT facilitated the systematic extraction of test cases with minimal cognitive load. Beyond its role in security testing, the ACT serves as a valuable tool for learning, especially for newcomers, and promotes collaboration by fostering a common understanding among the various roles in the team.
In my talk I will present how we created Access Control Tree of helsenorge.no for security testing and hopefully it can inspire you as well.
Tuesday 2:00 PM · 30 min · 3 - Scandic Victoria, Kongressal 1
Http Header Injections: a Splitting Headache
Sofia Lindqvist - Security Specialist
In this talk I will explore so-called HTTP request splitting vulnerabilities, and how they can be used to perform Server-Side Request Forgery (SSRF). I will present the results of looking for such vulnerabilities in open source code bases, and show examples of exploiting them in the wild.
Tuesday 3:00 PM · 30 min · 3 - Scandic Victoria, Kongressal 1
How to not do security
Emil Lunde - Utvikler i Bekk
This is the story about the time I looked at the security in one of the apps on my phone and got access to a cloud environment with data for millions of users.
In this presentation I will share a real-world example of poor security and my efforts to responsibly disclose the issues.
Tuesday 3:45 PM · 30 min · 3 - Scandic Victoria, Kongressal 1
Modding Multiplayer Into a 20 Year Old Single-Player Game
Vetle Hjelle - Pentester and Security Researcher at Kovert
Through years of reverse engineering and development, we've modded a 20-year-old PlayStation game with online multiplayer functionality. This mod has been made to work with legacy hardware as well as running on an emulator on PC. It runs a custom network protocol on a Lua-scriptable game server.
In this talk we'll look at how we've reverse engineered the game to find the necessary functions and data to add our custom behavior. We'll also briefly go into the server and protocol design considerations, as well as the jailbreaks that enable the mod to work on console hardware.
Wednesday 9:00 AM · 30 min · 3 - Scandic Victoria, Kongressal 1
Secure code from start – a journey through security training for developers
Nora Bodin - Teknisk sikkerhetskonsulent
Research shows that developers experience a responsibility for the security in the code they are writing. We also introduce more and more security tools in our development processes. However, we still develop software with known vulnerabilities over and over again, so what is the problem? In this presentation, I will introduce some structural problems related to security training of developers and the way automatic tools often are used. The last two years I have worked in Skatteetaten with a structured security training program for developers. The security training is part of a bigger project in Skatteetaten to strengthen the organisation’s operational security. One of the focus areas in the project is security reporting. We’ve seen first-hand how this contributes to the security training by making training and competency measurable. In this presentation, I’ll share some tips and tricks based on our experience over the last two years.
Wednesday 9:45 AM · 30 min · 3 - Scandic Victoria, Kongressal 1
How to gamify your mobile application security using OWASP Cornucopia
Johan Sydseter - Admincontrol AS, Application Security Engineer
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional, and formal development processes. It is language, platform, and technology agnostic. Admincontrol is using OWASP Cornucopia to scale their security efforts and empower their teams to do application security work using gamification as a motivational factor.
Cornucopia had its 10th anniversary last year, it’s about time we released a new version of Cornucopia with a new Website App Edition updated with the ASVS 4.0 mapping and a Mobile App Edition with the MASVS 2.0 mapping for mobile development. At the same time we are also releasing the online version “Copi” for online and distributed collaboration.
Together with other Cornucopia enthusiasts, we are doing this to ensure the successful implementation of security practices for web and mobile applications. We believe the best way to scale application security efforts, empower development teams to take ownership of application security and improve application security posture is to gamify the security requirement and threat modelling processes. Let the development team come up with the requirements themselves and support them in the planning, design and implementation of application security. Cornucopia will help development teams come up with those requirements and support them in planning, designing and implementing application security best practices, and if they don't find the game interesting, why not let them create their own threat modelling game using OWASP Cornucopia.
In this presentation we will talk about how Admincontrol uses Cornucopia to improve their product security using the upcoming mobile version of Cornucopia and what we have learned and gained from using Cornucopia in our development processes.
Wednesday 10:45 AM · 30 min · 3 - Scandic Victoria, Kongressal 1
White Box Application Security Testing
Torjus Bryne Retterstøl - Security Specialist - Binary Security
Web application security testing has traditionally been performed black (or gray) box, without access to source code. This type of testing is susceptible to randomness, and the vulnerabilities that are identified are often dependent on the security tester’s word lists or fuzzing techniques. I will present how to perform white box security testing with access to source code and infrastructure to ensure better coverage of security testing and better bugs. The talk will showcase techniques and tools used with white box testing, and will demonstrate how these techniques were used to identify vulnerabilities in very popular software.
Wednesday 11:30 AM · 30 min · 3 - Scandic Victoria, Kongressal 1
DevSecOps and ASPM: How to get there with insufficient funds and resources
Kim Engebretsen - Ops guy turned pentester turned security architect turned IAM implementer turned CISO turned manager turned developer turned engineer turned entrepreneur
The buzzwords DevSecOps and ASPM (Application Security Posture Management) have increased in popularity lately. What do they actually mean, what value do they bring, where do they fit in, and why will you eventually have to care about them? When we know the What and the Why, we are left with the How. How many tools and products do you need? And how much will it cost to both train your teams and buy all those licenses? Constrained by insufficient funds or resources, how much of this growing technology stack can use FOSS (free open source software) alternatives, and at the same time how should we shape our teams' core competency to stop reinventing the wheel in every company?
2023-08-28 - 2023-08-30: Application security track at Sikkerhetsfestivalen 2023
The OWASP Oslo chapter was responsible for the application security track at Norway's largest security conference in Lillehammer.
More information available at https://sikkerhetsfestivalen.no and full agenda at https://sikkerhetsfestivalen-2023.sessionize.com.
Track keynote: OWASP Juice Shop - Björn Kimminich, OWASP Juice Shop Project Leader
Tuesday 9:00 AM · 30 min · 11 - Lillehammer Kino, sal 2
Once upon a time, developers and security experts relied on mostly server-side rendered vulnerable applications to train their web hacking skills. In 2014 the Juice Shop entered the stage as one of the first Rich Internet Application representatives. What started as a personal pet project with two dozen hacking challenges, became an OWASP Flagship project shortly after and grew in size, scope and use case coverage significantly over the years. Join Björn Kimminich on a tour through the origins, history and evolution of OWASP Juice Shop from 2014 to 2023, closing with a peek into the future of this juicy hacking delicacy.
An interactive approach to secure coding training & awareness - Bjørnar Fidje Liberg, Security Engineer @ DNB
Tuesday 9:45 AM · 30 min · 11 - Lillehammer Kino, sal 2
Developers are facing a steadily increasing pressure to deliver new functionality in a faster tempo, to stay competitive. This tempo means that the security responsibility, and therefore the need for security competence, has shifted more towards the developers. Paradoxically, higher pressure makes it more difficult to take the time for necessary training.
What can the security organization do to ease this issue? How can we motivate developers to spend more time on skills training? How should you balance between mandatory and optional training? And how can you keep the training material relevant to ~1000 developers working with totally different frameworks, languages, and infrastructure?
Hear more about how we have been working with these issues in DNB, and how to start a training & awareness program for secure coding.
Prompt Injection: When Hackers Befriend Your AI - Vetle Hjelle, Pentester i Kovert
Tuesday 10:45 AM · 30 min · 11 - Lillehammer Kino, sal 2
This is a technical presentation where we’ll look at attacks on implementations of Large Language Models used for chatbots, sentiment analysis, and similar applications. In the lecture, we will look at how so-called “prompt injection” attacks occur, why they work, and then find good solutions on how to mitigate attacks and damage potential. AI is not brand new, but we know that its use will increase drastically in the next few years, and therefore it is important to take security seriously by considering security before using AI for sensitive operations.
In language models, the initial prompt (or “prompt”) to direct the AI is a critical part of how your use of AI is unique and therefore also a business-critical secret. Prompt injection attacks can, among other things, be used to reveal the prompt. If you use AI to make automated decisions, it is even more critical if an attacker can turn your AI into their own ally.
Secure authentication with FIDO, biometrics and security keys - Tjerand Silde, Security and Cryptography Expert and Trond Peder Hagen, CTO at PONE Biometrics
Tuesday 11:30 AM · 30 min · 11 - Lillehammer Kino, sal 2
This talk is about how to replace passwords with biometrics and/or physical security keys using the FIDO protocol, an open standard that is available on all the most used devices, operating systems and browsers.
Passwords today pose the greatest risk to digital systems. They can be guessed, hacked or phished, and outdated password routines often mean that passwords have low entropy, are reused, or are stored insecurely. We have to do something about this. Now.
Biometrics is both a more user-friendly and secure way of authenticating users; biometric data provides a strong link between the person and digital identity, you don’t have to remember many passwords, and biometric sensors are difficult to deceive.
Physical security keys can generate cryptographic keys that can be used instead of passwords, and you thus get much more entropy that makes them impossible to guess. These keys can be carried in your pocket, and be used to log in via USB, BLE or NFC.
The Fast ID Online (FIDO) protocol is an open standard that is now available on all the major platforms and enables password-free login to all digital services you want to use at work or in your free time. This talk will explain how all this is connected and how it can be put to use.
Improving product and cloud security across over 100 teams - Ståle Pettersen, Schibsted, Head of Product & Application Security
Tuesday 1:15 PM · 30 min · 11 - Lillehammer Kino, sal 2
An experience-based presentation on how we improved product security in Schibsted’s 60+ companies and 150+ teams over the last 3 years. We have over 1000 developers and therefore do a lot of development. What kind of approach did we take to the challenge, and what specific processes, training, tools, and solutions did we introduce across Schibsted? We’ll talk about concrete tools (commercial and non-commercial), share our threat model template, the tiered, risk-based approach we took, and more.
Don’t miss out on this unparalleled opportunity to discover how Schibsted conquered the realm of product security. Join us for an unforgettable presentation that will leave you inspired, informed, and empowered.
Start with why: Are we doing stuff just because? - Jenny Marie Ellingsæter, Director and Henrik Jenssen, Manager
Tuesday 2:00 PM · 30 min · 11 - Lillehammer Kino, sal 2
Many businesses in Norway have made great strides in establishing agile software development. Autonomous and multidisciplinary teams are largely the norm and CI/CD has almost become standard practice, all made possible by new technologies and tools.
DevOps and agile principles allow for efficient software development, and it can be argued that they have contributed to several successful IT projects. At the same time, these trends in software development have brought about challenges regarding information security and privacy.
We highlight the importance of being aware of one’s own organizational context and objectives, and of questioning whether we are doing things just because they work for others, rather than selecting the development practices that are right for our organization.
2022-08-29 - 2022-08-31: OWASP track at Sikkerhetsfestivalen 2022
The OWASP Oslo chapter was responsible for the OWASP track at Norway’s largest security conference in Lillehammer.
More information is available at https://sikkerhetsfestivalen.no/program-2022.
Account hijacking chaining abnormal flows in OAuth combined with URL-leaking gadgets - Frans Rosén, Security Advisor, Detectify
TRACK 11 – OWASP Application Security
WHERE? Lillehammer Kino Sal 2
WHEN? Tuesday, 09:00 - 09:30
Language English
ABOUT THE PRESENTATION Intentionally triggering abnormal flows in “Sign-in” functionality using OAuth, combined with various third-party JavaScript gadgets, allows vulnerable scenarios where authorization credentials could leak to an attacker – even without XSS. Frans Rosén, Security Advisor at Detectify, goes through different scenarios found in the wild and shows examples and methodologies used to find and exploit these attack chains, which also affect some of the larger and more popular bug bounty programs out there.
ABOUT THE PRESENTER Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify. He’s a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs.
Policy-powered authorization with Open Policy Agent - Anders Eknert, Developer Advocate, Manage
TRACK 11 – OWASP Application Security
WHERE? Lillehammer Kino sal 2
WHEN? Tuesday, 09:45 - 10:15
Language English
ABOUT THE PRESENTATION With our digital systems growing increasingly distributed and our tech stacks increasingly heterogeneous, we need to devise new models around both identity and access control. In this presentation we’ll explore a distributed, scalable model for API security, identity and authorization policy enforcement in a microservice environment. After a brief introduction to the technologies involved, we’ll take a deep dive into an architecture utilizing OAuth2 and OpenID Connect for carrying identity across our distributed systems, and how once identity is established, we may leverage Open Policy Agent (OPA) for fine-grained policy based access control in our APIs. We’ll learn how to use Rego, the policy language used by OPA, to write concise and clear policies for access control, as well as methods for distributing them across our platforms and how to monitor policy enforcement in real-time.
ABOUT THE PRESENTER Developer advocate and a member of the Open Policy Agent team at Styra with a long background in software development, security and identity systems in primarily distributed environments. Interested in organizational structures and problems as much as he is in technical challenges. When not in front of his computer he enjoys watching football, cooking and Belgian beers.
LinkedIn: https://www.linkedin.com/in/anderseknert/
Security debt - Maren Maritsdatter Kruke, Master’s student, University of Oslo
TRACK 11 – OWASP Application Security
WHERE? Lillehammer Kino sal 2
WHEN? Tuesday, 10:45 - 11:15
ABOUT THE PRESENTATION Results from a case study on the relationship between security debt and technical debt. This includes a definition of security debt and a process for managing this debt.
ABOUT THE PRESENTER I have completed a master’s degree in programming and system architecture at the University of Oslo, where my master’s thesis was about security debt.
LinkedIn: www.linkedin.com/in/maren-maritsdatter-kruke-58828a139
Secure for whom? - User-friendly interfaces in the digital economy - Cecilie Wian, Adviser, Bouvet
TRACK 11 – OWASP Application Security
WHERE? Lillehammer Kino sal 2
WHEN? Tuesday, 11:30 - 12:00
ABOUT THE PRESENTATION The Norwegian economy is highly digitalised; it is hard to avoid digital solutions in everyday life. Unfortunately, several Norwegian apps and solutions facilitate fraud and harassment of unsuspecting and innocent people. User-friendliness is pitted against security considerations, but does it have to be that way? The talk looks at the problems caused by a lack of user-friendly security, with examples from Norwegian apps, and some possible solutions.
ABOUT THE PRESENTER Bachelor’s in learning psychology, Master’s in digital culture. Cecilie has a heart for people and for the technology we use. At Bouvet she works with security and testing. Cecilie is an experienced tester focused on safe and user-friendly technology. In 2020 she showed how Rema 1000’s Æ app could be misused.
LinkedIn: https://www.linkedin.com/in/lcwian/
Hacking through the Software Supply Chain - Felix Leder, Sr. Director, Crosspoint Labs
TRACK 11 – OWASP Application Security
WHERE? Lillehammer Kino sal 2
WHEN? Tuesday, 13:15 - 13:45
Language English
ABOUT THE PRESENTATION Attackers like to use the easiest way into organizations that is in line with their goals. Most recently, the software supply chain has been that path. Implanting a back door during build time or directly in the source code allows for far-reaching breaches. This can happen via commercial vendors, as with the SolarWinds hack or the spread of NotPetya through MeDoc in Ukraine. In the same way, malicious implants can be introduced through open source packages that are not curated sufficiently. Companies like PayPal and Microsoft have fallen victim to this. In this presentation, we give a 360-degree overview of potential risks to the software supply chain using real-world breaches. Of course, we also want to discuss options for securing your organization and supply chain.
ABOUT THE PRESENTER Felix Leder has trained specialized teams across the world on reverse engineering and machine learning, driving open knowledge sharing and enabling cooperation and innovation. Prior to joining Crosspoint Labs, Dr. Leder led R&D teams at Symantec, NortonLifeLock and Blue Coat. He also conducted research projects for global technology leaders like Google, Microsoft, T-Mobile, and Nokia. Open source and information sharing are close to his heart and Dr. Leder regularly speaks at security conferences across the globe. He has also been involved in Google’s Summer of Code and served 12 years on the board of The Honeynet Project.
LinkedIn: https://www.linkedin.com/in/felix-leder/
Serverless Security: New risks require new approach - Paolo Spagli, Sr. Security Researcher, Cloud-Native
TRACK 11 – OWASP Application Security
WHERE? Lillehammer Kino sal 2
WHEN? Tuesday, 14:00 - 14:30
Language English
ABOUT THE PRESENTATION Serverless technology eliminates the need for development teams to provision servers, and it also results in some security threats being passed to the cloud provider. This frees up the developers to concentrate on building logic and producing value quickly. But cloud functions still execute code. If the software is written poorly, it can lead to a cloud disaster.
What are the new challenges that organizations now face? In many organizations, the application security team struggles to keep up with the speed of development in a serverless environment. Traditional testing tools not only provide very limited coverage, but also slow development cycles unacceptably. Serverless code contains a mixture of cloud configurations and application programming interfaces. As a result, legacy solutions lack the context that is necessary in a serverless environment, and the consequence is a lack of observability and slower response times. Fortunately, it does not have to be this way. Organizations can leverage robust security during serverless development, automatically, if it is done properly.
ABOUT THE PRESENTER Paolo Spagli is Senior Security Researcher for Cloud-Native technologies at Contrast Security. In this role he is committed to helping development teams ship secure applications in the cloud. Prior to Contrast, Paolo was a Cloud Security Lead Architect at Baker Hughes. Paolo has over 15 years of experience in many fields, including web development, software architecture, cloud technologies, security architecture, application security and DevSecOps.
OWASP API Security TOP 10 in plain English - Ahmad Rehman, Penetration Testing Manager, Experis AS
TRACK 11 – OWASP Application Security
WHERE? Lillehammer Kino sal 2
WHEN? Tuesday, 15:15 - 15:45
Language English
ABOUT THE PRESENTATION API security abuses are the leading cause of data breaches. OWASP API Security Top 10 solves this fundamental problem. OWASP API Security is the leading standard when it comes to API security and its testing. However, its understanding is vague among many professionals. This session will focus on a clearer understanding and usability of this amazing standard from OWASP.
ABOUT THE PRESENTER Ahmad is an experienced security specialist and test lead in security and penetration testing with 10 years of consulting experience. He has delivered 50+ penetration testing engagements and is a top 0.01% hacker on TryHackMe. He is listed as an ethical hacker in NRK’s “Security hall of fame 2022” for his contributions. He has experience from the public and private sectors, where he led a penetration testing team. At Telenor ASA he worked on, among other things, security operations (SecOps), and he led security projects across business units in several countries. In the public sector he delivered penetration testing and security engagements for Digitaliseringsdirektoratet, Utdanningsdirektoratet, Landbruksdirektoratet, Bergen and several other municipalities. https://www.ahmad.science/
LinkedIn: https://www.linkedin.com/in/ahmadpk/
Nothing is new in the OAuth 2.1 specification. So why do we need it? - Jon Even Rosengren, Security Consultant, Accenture
TRACK 11 – OWASP Application Security
WHERE? Lillehammer Kino sal 2
WHEN? Tuesday, 16:00 - 16:30
ABOUT THE PRESENTATION OAuth is a very popular open standard that lets you delegate access to third-party applications without having to share your login credentials. The original OAuth 2.0 specification (RFC 6749) was published in October 2012, and in recent years there have been a number of extensions that have either added functionality to or removed functionality from the core specification. OAuth 2.1 attempts to consolidate and simplify everything that has happened since 2012 into a new specification based on best practices, technological changes and an updated threat landscape. The talk will cover the need for a new consolidated version of the core specification, which changes have been introduced, and the rationale for these changes. A short introduction to OAuth will be given, but some prior knowledge of the standard is recommended, as we will dive into a number of technical details later in the talk.
ABOUT THE PRESENTER Jon Even is a security consultant in Accenture’s IT security department. He has experience from delivery projects in both the public and private sectors, and has held roles in architecture and design as well as in development and testing of central security components in large integration platforms. Jon Even has worked on the largest agile delivery projects Accenture delivers and has extensive experience with technical security architecture and secure development methodology. Jon Even has a strong interest in application security and is happiest when he gets to dig into standards and detailed descriptions of technical solutions. In his spare time it is mostly Sunday cycling and hobby-level chess. He is happy to play a game of chess if there is a chessboard nearby!
LinkedIn: https://www.linkedin.com/in/jonevenrosengren/
2018-11-20: OWASP Norway Day
To celebrate OWASP Norway’s 10-year anniversary, OWASP Norway Day was held in Oslo on November 20th, 2018.
More information about the event is available at https://owaspnorwayday.org.
Presentations
What We’ve Learned From Billions of Security Reports - Scott Helme, Security Researcher
Running one of the largest security reporting platforms of its kind, we handle billions of security reports for our customers every single month. Come and learn how we’ve scaled from handling 10,000 reports per month to 10,000 reports per second and the many evolutions our infrastructure has gone through. Alongside that come and see how, with our bird’s-eye view of such a diverse ecosystem, we’ve helped identify malware in a multinational organisation, had a malicious browser plugin taken down and much more!
Building an agile Security Organization - Monica Verma, PwC Digital Trust
In 2017, Vipps was carved out from DNB. It is now owned by multiple banks, and Vipps has had to re-engineer its approach to Security Governance. PwC had been contracted by Vipps in Winter 2017 to build an agile Information Security Management System (ISMS). Additionally, PwC was engaged to help with the implementation of metrics & security monitoring within the organization, handling security incident operations and assisting Vipps with ISMS and Security Governance following the merger. In this talk, we’ll go through the business case of how we built agile ISMS, how PwC intends to support Vipps’ ISMS and Security Architecture, and how this could transform the way Vipps is seen and experienced by its customers.
The State of Your Supply Chain - Andrew Martin, Control Plane
Container security often focuses on runtime best-practices whilst neglecting delivery of the software in the supply chain. Application, library, and OS vulnerabilities are a likely route to data exfiltration, and emerging technologies in the container ecosystem offer a new opportunity to mitigate this risk. Treating containers as immutable artefacts and injecting configuration allows us to “upgrade” images by rebuilding and shipping whole software bundles, avoiding configuration drift and state inconsistencies. This makes it possible to constantly patch software, and to easily enforce governance of artefacts both pre- and post-deployment. In this talk we detail an ideal, security-hardened container supply chain, describe the current state of the ecosystem, and dig into specific tools. Grafeas, Kritis, in-toto, Clair, Micro Scanner, TUF, and Notary are covered, and we demo how to gate container image pipelines and deployments on cryptographically verified supply chain metadata.
When exploits are blind - Chris Dale, Netsecurity
Demonstration-based presentation. Only intro and outro PowerPoint slides. Demonstrate user enumeration using timing attacks, which are especially prominent when companies have implemented bcrypt/scrypt/PBKDF2. This attack vector is very useful in many cases today, notably against Lync/Skype4B installations. Further password spray into a solution. Discover, analyze and fully exploit reverse-shell command injection. How to find these across large systems? How do vulnerability scanners work, and how do they detect this? Introduction to Burp Collaborator. Introduction to a script for merging attack data into hundreds of Burp Collaborators. Discover, analyze and fully exploit blind SQL injection. Demonstrating a Burp Intruder cluster bomb attack to enumerate table data.
Modern Web Application Vulnerabilities - Erlend Oftedal, Blank AS
With the emerging popularity of bug bounty programs, lesser known and even brand new vulnerability classes are gaining popularity. This talk will give a walk-through of some of these vulnerabilities, how they occur in modern web applications, and how they can be found and fixed.
Machine Learning for Security - Alan Saied, Visma
The ability to mathematically classify patterns, predict events and/or identify abnormalities within a wide range of data is known as Machine Learning. For the purpose of this conference, we explain the power of data and how it can be used with Machine Learning models to identify abnormal behaviour within complex environments. We also explain the ingredients and the steps required to build Machine Learning models that serve security tasks. This will be followed by a discussion of the complications in terms of false positives, accuracy of detection and validity of the model, and how these can be improved.
Linux Security APIs and the Chromium Sandbox - Patricia Aas, TurtleSec
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
VG under Attack! War Stories from the Ops Trenches - Audun Ytterdal, Schibsted Media Group
A collection of old and new war stories from Norway’s largest news site as seen from the perspective of the VG/Schibsted operations team, including stuff like Nazis, Pink Blogs, Anonymous, the FBI, and how to build your own DDoS cannon.