OWASP Oslo

Welcome

Welcome to the OWASP Oslo chapter (formerly known as the OWASP Norway chapter). Please join our Meetup group to receive information about upcoming events.

Next event

2023-03-23 17:00 - Defendable Products - Ståle Pettersen

2023-01-17 18:00 - Tune your Toolbox for Velocity and Value - Josh Grossman

Participation

The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. All of our projects, tools, documents, forums and chapters are free and open to anyone interested in improving application security.

Chapters are led by local leaders in accordance with the Chapter Policy. Financial contributions should only be made online using the authorized online donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP Project, independent research, or related software security topic you would like to present.

Everyone is welcome and encouraged to participate in our Projects, Local Chapters, Events, Online Groups, and Community Slack Channel. We especially encourage diversity in all our initiatives. OWASP is a fantastic place to learn about application security, to network, and even to build your reputation as an expert. We also encourage you to become a member or consider a donation to support our ongoing work.


Past events

2022-03-29 17:00

Virtual event: Where Security meets Forensics

2022-08-29 - 2022-08-31

OWASP Track at Sikkerhetsfestivalen. 3 day conference where OWASP Oslo had a 1 day track with 8 talks.

2022-09-15 18:00

Virtual: Are we secure? - Jeff Williams

2022-01-13, 17:00 - 19:00

New Year, new things

Location: Online

Meetup event: https://www.meetup.com/OWASP-Oslo/events/283048482/

Recording: https://www.youtube.com/watch?v=g_YvPpV4Dm8

17:00-17:50 Veronica Schmitt Title: If nothing goes right, push left

If we do not have it, we should build it. If nothing goes right, push left. TL;DR: your logs should be simple and structured, and they should contain enough information without disclosing sensitive data. Accidental information disclosure in logs often leads to future breaches. This talk focuses on the process of building logs, taking into consideration the attack, the defence, and the investigation of breaches, and uses the ideals from The Unicorn Project and The Phoenix Project to develop the "Five Philosophies of Logging". The talk explores different aspects of logging, drawing on years of experience of breach investigations and magic-wielding.
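As an added illustration of the "simple, structured, no sensitive data" point above (example code, not from the talk), here is a JSON log formatter that emits one structured object per line and scrubs credential-like fields and patterns before they reach storage. The field names, regexes and sample event are assumptions for the example.

```python
import json
import logging
import re

# Added example, not code from the talk: a structured JSON formatter that
# redacts sensitive fields and patterns. Key list and regexes are assumptions.

SENSITIVE_KEYS = {"password", "passwd", "secret", "token",
                  "authorization", "cookie", "api_key"}

# Free-text patterns we never want in a log line (assumed for the example).
_PATTERNS = [
    (re.compile(r"(?i)bearer\s+[a-z0-9._\-]+"), "Bearer [REDACTED]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
]


def redact_text(text: str) -> str:
    """Replace tokens and e-mail addresses inside free-form message text."""
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def redact_fields(fields: dict) -> dict:
    """Drop values of sensitive keys (case-insensitive), recursing into nested dicts."""
    clean = {}
    for key, value in fields.items():
        if key.lower() in SENSITIVE_KEYS:
            clean[key] = "[REDACTED]"
        elif isinstance(value, dict):
            clean[key] = redact_fields(value)
        elif isinstance(value, str):
            clean[key] = redact_text(value)
        else:
            clean[key] = value
    return clean


class JsonFormatter(logging.Formatter):
    """One JSON object per line; structured fields are passed via extra={"fields": {...}}."""

    def format(self, record: logging.LogRecord) -> str:
        event = {
            "ts": self.formatTime(record, "%Y-%m-%dT%H:%M:%S"),
            "level": record.levelname,
            "logger": record.name,
            "event": redact_text(record.getMessage()),
        }
        fields = getattr(record, "fields", None)
        if isinstance(fields, dict):
            event.update(redact_fields(fields))
        return json.dumps(event, sort_keys=True)


def format_event(message: str, fields: dict, level: int = logging.INFO) -> dict:
    """Build a record the way a logger would and return the parsed JSON line."""
    record = logging.LogRecord("app.auth", level, __file__, 0, message, None, None)
    record.fields = fields
    return json.loads(JsonFormatter().format(record))


if __name__ == "__main__":
    logger = logging.getLogger("app.auth")
    handler = logging.StreamHandler()
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    # Constructed event: exactly the kind of line that leaks a credential if logged raw.
    logger.warning("login failed for alice@example.com",
                   extra={"fields": {"user_id": 42, "password": "hunter2",
                                     "headers": {"Authorization": "Bearer eyJabc.def"}}})
```

The formatter keeps the identifiers an investigator needs (user id, level, timestamp, logger) while the password and bearer token never reach disk; the redaction happens in the formatter, so every handler attached to the logger gets the same scrubbed output.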

Veronica started her forensic career in 2008. She is an Assistant Professor at Noroff University and a Non-Executive Director at DFIRLABS. Veronica holds a Master of Science in Information Security from Rhodes University, specialising in the forensic analysis of malware. She prides herself on keeping patients safe, something that is close to her heart: she is herself a cyborg, sporting an embedded medical device. She is also a DEF CON Goon and the founder of DC2751.

18:00-18:50 Toby Irvine “If you can’t measure it you can’t improve it. But what should we be measuring in security? How do we measure it? Why should I do a PCR Covid test over a lateral flow test if I have symptoms? And how the heck are these related?”

Toby is the CEO and co-founder of Secure Delivery. He has 25 years of experience in secure software engineering, which has earned him grey-beard wizard level. He has experience designing and building large-scale on-site and cloud systems across many industries, some of them critical, and specialises in working with highly regulated organisations. He is the author of HSBC's Secure Development Handbook, a field guide for secure application development used by 30,000 software developers across 68 countries. He has trained both technical and non-technical people in delivery roles across the Americas, EMEA and APAC, specifically in modern application security practices. He is a member of OWASP, where he is the project leader for the OWASP Open AppSec Curriculum. He believes in doing right by customers by doing things better. In his spare time he is a musician, and may even have his own YouTube channel. If you have a problem, he has probably already encountered it and knows how to fix it.

17 August 2021, 18:00 - 19:30

Secure by Design – insights & pitfalls

Location: Online

Meetup event: https://www.meetup.com/OWASP-Norway/events/278808275/

Secure by Design is all about choosing good design principles that yield implicit security benefits. This seems like a solid strategy as it naturally appeals to everyones instinct of crafting good software. We simply fool ourselves into coding more securely! But have there been any further insights since the book release in 2019? In this session we cover the fundamentals of Secure by Design and showcase a few designs that have shown fruitful, as well as some pitfalls from the trenches where usages subtly miss the original intentions.

Daniel Deogun & Dan Bergh Johnsson are authors of the book Secure by Design and have collectively been working with security and development for several decades. They are developers at heart and understand that security is often a side-concern. They’ve also evolved work habits that enable them to develop systems in a way that promotes security while focusing on high-quality design habits – something that’s easier for developers to keep in mind during their daily work. Both are established international speakers and often present at conferences on topics regarding high-quality development and security.

30 June 2021, 18:00 - 19:00

Anonymous Tokens for more Private Contact Tracing

Location: Online

Meetup event: https://www.meetup.com/OWASP-Norway/events/278808275/

“Anonymous Tokens for more Private Contact Tracing” – Henrik Walker Moe (Bekk) and Tjerand Silde (NTNU)

This talk will be about how we integrated anonymous tokens with the Norwegian contact tracing app Smittestopp (version 2). We will talk about how anonymous tokens work, how we implemented the library (https://github.com/HenrikWM/anonymous-tokens), and we will discuss some challenges and possible improvements to the protocol. Lastly, we will mention some possible future directions and use-cases for the token system.

Henrik Walker Moe works as the Practice Lead for Information Security in Bekk. He’s an advocate for security awareness and promotes skills needed to stay current within cyber-security for his colleagues and customers. He is also a board member on NNUG (Norwegian .Net User Group) and hosts meetups for the .Net-community.

Tjerand Silde is a Ph.D. researcher in cryptography at the Norwegian University of Science and Technology in Trondheim. His main focus of research is post-quantum cryptography and privacy preserving protocols, e.g., zero-knowledge proofs, multi-party computation and anonymous credentials. Website: https://tjerandsilde.no.

27 May 2021, 20:00 - 21:00

General assembly + election of chapter leaders

Location: Online

Meetup event: https://www.meetup.com/OWASP-Norway/events/277717277/

This will not be an ordinary meetup but a two-part meeting: first the general assembly of OWASP Norway Chapter (org. no. 994253085), then the election of leaders and possibly a programme committee.


Part 1: General assembly, OWASP Norway Chapter (org. no. 994253085)

Item 1: Election of chair

Item 2: Election of minute-taker

Item 3: Approval of the notice of meeting

Item 4: Deletion of OWASP Norway Chapter from the Brønnøysund Register

Background: OWASP Norway Chapter is currently registered in the Brønnøysund Register (Brønnøysundregisteret) with organisation number 994253085. According to the OWASP Chapter Policy [1], local chapters are not to be separate legal entities. We therefore want to delete the entity from the register in accordance with the current bylaws [2], adopted 28 April 2008. This will have no effect on meetup activity or the day-to-day running of OWASP Norway Chapter, which continues to exist as before under the OWASP Foundation. According to the bylaws, dissolution requires a 2/3 majority at an ordinary general assembly.

Proposed resolution: OWASP Norway Chapter (org. no. 994253085) is dissolved in accordance with the bylaws and deleted from the Brønnøysund Register.

[1] https://owasp.org/www-policy/operational/chapters

[2] https://owasp.org/www-chapter-norway/assets/files/20080428_Norway_chapter_vedtekter.pdf


Part 2: Election of leaders for OWASP Norway Chapter

OWASP Norway Chapter is to have 2-5 leaders and possibly its own programme committee. If you want to get involved in OWASP Norway Chapter, contact [email protected] ahead of the meeting so we know how many people are interested. Leaders are expected to take main responsibility for organising at least one meetup per year. In practice this means finding good speakers, a suitable venue and possibly a food sponsor for the meetup. More experienced leaders will help if needed.

If you want to contribute, we recommend reading the Chapter Handbook [1] and the Chapters Policy [2].

[1] https://owasp.org/www-policy/operational/chapter-handbook-existing.html

[2] https://owasp.org/www-policy/operational/chapters.html

27 May 2021, 17:00 - 19:00

Security+Ambidexterity+Devops = FUN / Dependency Confusion

Location: Online

Meetup event: https://www.meetup.com/OWASP-Norway/events/277959854/

Welcome to another online OWASP Norway Chapter meetup. Today we will have two talks, presented by Espen Johansen from Visma and Ståle Pettersen from Schibsted.

I hope we will soon be able to meet again at Teknologihuset to enjoy a slice of pizza. For now, we will continue to host online meetups.

See you!


Security+Ambidexterity+Devops = FUN - Espen Johansen (Visma)

In this talk Espen will go deeper into the technical choices made at Visma from the start of the DevOps transformation up to today. He will also demonstrate how some of the systems work in practice and give the audience the chance to steer him :-) An interactive talk with plenty of opportunity for insight.

Experience sharing and storytelling from Visma's work on integrating security into DevOps using Ambidexterity as a method. Practical examples of the choice of leaders and board composition, spiced with technical choices made along the way.

Espen is a passionate Security DevOps-er with a flair for midlife-crisis management and for enjoying life to its fullest. He serves as Director of Security at Visma but is secretly passionate about gamification, UX, democracy and security. He loves difficult words and likes to apply their meaning in agile teams.


Dependency Confusion - Ståle Pettersen (Schibsted)

Are you confused about the Dependency Confusion attack? We will explain the bug class that compromised Apple, Microsoft and Tesla, and how you can defend yourself against it in the different package manager systems (npm, python, Java, Ruby and more). We will go through how the Product & Application Security team in Schibsted worked to mitigate this bug class in JFrog Artifactory. One part of our solution was the tool Artishock (https://github.com/schibsted/artishock).
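To make the bug class concrete, here is an added example (not code from the talk, and not Artishock) modelling why dependency confusion works: a resolver that merges several indexes and simply picks the highest version, which is how pip behaves with `--extra-index-url`, lets a public package with an inflated version number shadow an internal one of the same name. The index snapshots, package names and versions are constructed for the example; the hardened resolver restricts internal names to one authoritative index and optionally requires an exact pin.

```python
from dataclasses import dataclass

# Added example, not from the talk or from Artishock. Registry contents below
# are constructed; "acme-billing" stands in for any internal package name.


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple
    index: str


def parse_version(text: str) -> tuple:
    """Simplified: dotted numeric versions only (enough to compare for this model)."""
    return tuple(int(part) for part in text.split("."))


# Constructed snapshots of what each index serves.
INTERNAL_INDEX = {"acme-billing": ["1.4.2"], "acme-utils": ["0.9.0"]}
PUBLIC_INDEX = {"requests": ["2.31.0"],
                "acme-billing": ["99.0.0"]}  # attacker registered the internal name publicly


def candidates(name, indexes):
    """All (version, index) pairs offered for a name across the configured indexes."""
    return [Candidate(name, parse_version(v), label)
            for label, index in indexes for v in index.get(name, [])]


def resolve_merged(name, indexes):
    """Vulnerable behaviour: every index is equal and the highest version wins,
    regardless of which index it came from."""
    found = candidates(name, indexes)
    return max(found, key=lambda c: c.version) if found else None


def resolve_pinned(name, indexes, trusted_index, pin=None):
    """Hardened: internal names may only come from the trusted index; an optional
    exact pin refuses anything else even if the trusted index is later polluted."""
    found = [c for c in candidates(name, indexes) if c.index == trusted_index]
    if pin is not None:
        found = [c for c in found if c.version == parse_version(pin)]
    return max(found, key=lambda c: c.version) if found else None


def colliding_names(internal, public):
    """Internal package names that also exist on the public registry. Each one is
    either a placeholder you registered yourself or a name someone else now owns."""
    return sorted(set(internal) & set(public))


if __name__ == "__main__":
    indexes = [("internal", INTERNAL_INDEX), ("public", PUBLIC_INDEX)]
    print("merged  :", resolve_merged("acme-billing", indexes))
    print("pinned  :", resolve_pinned("acme-billing", indexes, "internal", pin="1.4.2"))
    print("collides:", colliding_names(INTERNAL_INDEX, PUBLIC_INDEX))
```

The same logic maps onto the other ecosystems the talk covers: npm scoped packages bound to a registry in `.npmrc`, or a single proxy repository in Artifactory that serves internal names only from the internal repository, are ways of getting the `trusted_index` behaviour; `colliding_names` is the check you run periodically against a public registry snapshot to catch names that have been claimed.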

Ståle Pettersen (@kozmic) is leading the Product & Application Security team within Schibsted. He has 10+ years experience as a developer and a security enthusiast and is a big fan of OWASP and doesn’t like to brag about himself :)

30 April 2021, 09:00 - 10:00

Morning meetup: The defender’s new clothes - Eldar Marcussen

Location: Online

Meetup event: https://www.meetup.com/OWASP-Norway/events/277527268/

We’re doing a morning meeting this time, as our speaker is based in Australia.

Description: Proving vulnerabilities in modern web applications is significantly harder than it used to be thanks to WAFs and other protection measures. This talk will discuss and showcase several bypass approaches, ranging from simple to advanced.

Bio: Eldar Marcussen (https://twitter.com/wireghoul) is a lead security researcher and penetration tester. He is a long-time bug hunter with a large number of published advisories, exploits and conference presentations at leading security conferences all over the world. He was a recipient of the first CVE 10K candidate numbers. In addition to finding vulnerabilities, he contributes to and maintains several open source projects in his spare time aimed at web application security and penetration testing, including graudit, doona, lbmap, dotdotpwn, nikto and more. His tools and research are featured in most security-oriented Linux distros as well as many industry-leading books.

21 April 2021, 18:00 - 19:00

Privacy Case Study: Ambient Light Sensor API

Location: Online

Meetup event: https://www.meetup.com/OWASP-Norway/events/277094300/

Welcome to another remote meetup! This time we will be joined by Lukasz Olejnik, who will walk us through an Ambient Light Sensor API privacy case study. We’ll wrap things up with a short Q&A afterward.

For the majority of users, the web browser is the most important computer application. Increasingly complex, exciting and rich features are standardized by W3C and implemented in web browsers on a regular basis. New browser features introduce interesting privacy challenges for standardization, research and development. I will demonstrate a privacy case study based on the example of the Ambient Light Sensor. A web privacy impact assessment of a planned web browser feature, the Ambient Light Sensor API, indicated risks arising from the exposure of overly precise information about the lighting conditions in the user's environment. The analysis led to the demonstration of direct risks of leaks of user data, such as the list of visited websites or exfiltration of sensitive content across distinct browser contexts. Our work contributed to the creation of web standards leading to decisions by browser vendors (i.e. obsolescence, non-implementation or modification of the operation of browser features). We highlight the need to consider broad risks when reviewing new features. I will suggest practically driven high-level observations at the intersection of web security, privacy risk engineering and modeling, and standardization.

Dr Lukasz Olejnik acts as an independent security and privacy researcher and advisor. His experience spans research, industry, standardization, and policy. His research interests include information and computer security and privacy, user data disclosure and dissemination problems as well as privacy-sensitive matters related to web browser functionalities, web security, privacy reviews, and privacy impact assessments. His research analysing user tracking and profiling on the web has impacted web standards and web browsers.

Lukasz is a World Wide Web Consortium’s (W3C) Invited Expert, where he focuses on privacy of web standards. In 2018-2020 he was elected to the W3C’s Technical Architecture Group. Lukasz is involved in technology policy, focusing on cyber security, privacy, and data protection. He held roles as technology policy advisor at the European Parliament (working on ePrivacy), scientific advisor on cyber warfare at the International Committee of the Red Cross, with a focus on assessing the humanitarian consequences of cyber operations, and science and technology advisor at the European Data Protection Supervisor.

Read more about the case study on his website: https://blog.lukaszolejnik.com/shedding-light-on-designing-web-features-with-privacy-risks-impact-assessments-case-study/

17 March 2021, 19:00 - 20:00

Google’s Differential Privacy Library – Mirac Vuslat Basaran (Google)

Location: Online

Meetup event: https://www.meetup.com/OWASP-Norway/events/276469937/

Differential privacy helps organizations derive insights from data while simultaneously ensuring that those results do not allow any individual’s data to be distinguished or re-identified. Sound interesting? Come hear Mirac Vuslat Basaran (Google) talk about Google’s Differential Privacy Library!

We will start with a brief introduction to differential privacy and why it might be useful for you. Then, we will go through what kind of tools and functionalities Google’s Differential Privacy Library supports such as secure noise implementations, different aggregations, end-to-end systems that require only minimal knowledge of differential privacy, etc. Finally, we’ll talk about future plans for the library.
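As an added illustration of the building block behind the "different aggregations" mentioned above (example code, not Google's library), here is the Laplace mechanism applied to a count and to a bounded sum. Clamping each contribution to a fixed range is what gives the sum a known sensitivity; the noise scale is sensitivity divided by epsilon. The sampler is the textbook inverse-CDF one and is an assumption for the example: production libraries use more careful samplers because naive floating-point Laplace noise can leak information through its low-order bits, which is the "secure noise implementations" item in the talk description.

```python
import math
import random

# Added example, not Google's differential-privacy library: the Laplace
# mechanism on a count and on a bounded sum. Sampler is the textbook one.


def clamp(value, lower, upper):
    """Bound a single user's contribution so the aggregate has known sensitivity."""
    return min(max(value, lower), upper)


def laplace_scale(sensitivity, epsilon):
    """Noise scale b = sensitivity / epsilon gives epsilon-differential privacy."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def sample_laplace(scale, rng):
    """Inverse-CDF Laplace sample with mean 0 and scale b.
    Textbook sampler (assumption for the example); not the hardened sampler a
    production library uses against floating-point side channels."""
    while True:
        u = rng.random() - 0.5          # uniform on [-0.5, 0.5)
        if abs(u) < 0.5:                # avoid log(0) at the boundary
            break
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(values, epsilon, rng):
    """Count has sensitivity 1: adding or removing one user changes it by at most 1."""
    return len(values) + sample_laplace(laplace_scale(1, epsilon), rng)


def dp_bounded_sum(values, lower, upper, epsilon, rng):
    """Sum of per-user values clamped to [lower, upper], plus Laplace noise.
    Assumes one value per user, so sensitivity is max(|lower|, |upper|)."""
    sensitivity = max(abs(lower), abs(upper))
    total = sum(clamp(v, lower, upper) for v in values)
    return total + sample_laplace(laplace_scale(sensitivity, epsilon), rng)


if __name__ == "__main__":
    # Constructed per-user values; note the outlier 100 that clamping neutralises.
    purchases = [5, 100, -3, 7, 2]
    rng = random.Random(2021)
    print("noisy count:", dp_count(purchases, epsilon=1.0, rng=rng))
    print("noisy sum  :", dp_bounded_sum(purchases, 0, 10, epsilon=1.0, rng=rng))
```

Without clamping, the sensitivity of the sum would be unbounded and no finite noise scale would protect the user who contributed 100; with the bounds fixed in advance, the same epsilon gives the same guarantee to every user regardless of what they contributed.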

We’ll finish with a short Q&A.

Mirac is a Software Engineer in the area of anonymization and differential privacy at Google. Before joining Google, he studied Computer Engineering (and Economics) at Bilkent University. Currently, he helps build and open source infrastructure for product teams to anonymize their data. He also consults product teams on anonymization and differential privacy.

URL to Google’s Differential Privacy Library: https://github.com/google/differential-privacy

10 December 2020, 19:00 - 20:00

Chat with Emil Vaagland about running FINN.no’s private bug bounty program

Location: Online

Meetup event: https://www.meetup.com/OWASP-Norway/events/274255519/

Curious about how it is to run a bug bounty program? Join our chat with Emil Vaagland to get all your questions answered. He has been running FINN.no’s private bug bounty program for well over a year now, and he will share all his experiences with you in a conversation with Ståle Pettersen.

The format of this event will be an informal conversation, so questions from the audience are very welcome!

13 October 2020, 19:00 - 21:00

Enforcing Code & Security Standards with Semgrep

Location: Online

Meetup event: https://www.meetup.com/OWASP-Norway/events/273505813/

Abstract: We’ll discuss a program analysis tool we’re developing called Semgrep. It’s a multilingual semantic tool for writing security and correctness queries on source code (for Python, Java, Go, C, and JS) with a simple “grep-like” interface. The original author, Yoann Padioleau, worked on Semgrep’s predecessor, Coccinelle, for Linux kernel refactoring, and later developed Semgrep while at Facebook. He’s now full time with us at r2c.

Semgrep is a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. Semgrep is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.

For example, find subprocess calls with shell=True in Python using the query: subprocess.open(..., shell=True). This will even find snippets like: import subprocess as s; s.open(f'rm {args}', shell=True)

Or find hardcoded credentials using the query: boto3.client(..., aws_secret_access_key="...", aws_access_key_id="...")

Source code: https://github.com/returntocorp/semgrep

Test in your browser: https://semgrep.dev/
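The two queries above, written out as a Semgrep rules file you can actually run (an added example, not a rule shipped with Semgrep or shown in the talk). The rule ids, messages and the regex of function names are assumptions for the example; `...` in a pattern matches any sequence of arguments and `"..."` matches any string literal, and Semgrep resolves `import subprocess as s` so the aliased call is matched too.

```yaml
rules:
  - id: subprocess-shell-true
    languages: [python]
    severity: WARNING
    message: >-
      subprocess.$FUNC called with shell=True: the command string is parsed by a
      shell, so any interpolated input becomes command injection. Pass a list of
      arguments and drop shell=True.
    patterns:
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(call|check_call|check_output|run|Popen)$

  - id: boto3-hardcoded-credentials
    languages: [python]
    severity: ERROR
    message: >-
      boto3 client created with literal AWS credentials in source; load them from
      the environment, a credentials file or an IAM role instead.
    pattern: boto3.client(..., aws_secret_access_key="...", ...)
```

Run it with `semgrep --config rules.yml .` over the source tree; the `metavariable-regex` clause is what keeps the first rule from firing on arbitrary attribute names while still catching all the shell-capable entry points.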

Speaker bio: Bence Nagy is a software engineer at r2c, working on Semgrep, an open-source syntax-aware code search tool. At r2c, his responsibilities tend towards building various interfaces atop the core semgrep CLI. These include CI integrations, editor extensions, and the semgrep.live web app. He previously led a developer experience team at Kiwi.com, the Czech Republic’s top startup at the time of its acquisition in 2019. You should totally ask him for video game recommendations after the talk.

27 February 2020, 17:00 - 20:00

Secure coding tournament

Location: Microsoft Norway, Dronning Eufemias gate 71, Oslo

Meetup event: https://www.meetup.com/OWASP-Norway/events/268317515/

This event is sponsored by Microsoft and Oslo BSides.

Agenda: (Rough timings)

  • 1700 Arrival - Registration, food and drinks
  • 1720 Presentation (TBA)
  • 1805 Platform Demo
  • 1815 Tournament
  • 1945 Prize Giving

Secure Code Warrior is coming and they will setup a secure coding tournament! This competition will put your security skills to the test. Players will be presented with a series of code challenges that will ask them to locate the insecure code, identify the vulnerability and then fix it. All challenges are based on real-life code examples, and are ranked from easy to difficult! Each player can choose from a range of software languages (C# .NET, GO, Java, Python etc.) to compete fairly in the Tournament.

Prizes will be awarded to 1st and 2nd place (if you are a sponsor and would like to give a prize, contact us).

Check out one of the UK’s OWASP Tournaments last summer: https://www.youtube.com/watch?v=xQJAl1m0_DE

Supported languages: https://securecodewarrior.com/supported-languages

All you need: Your laptop!

11 December 2019, 17:00 - 20:00

December meetup: WebAuthn and Burp tricks

Location: Finn.no, Grensen 5-7, Oslo

Meetup event: https://www.meetup.com/OWASP-Norway/events/266167858/

WebAuthn: Authentication is now a solved problem! ;)

U2F, FIDO, FIDO2, CTAP and WebAuthn, what does it all mean? We will walk through why WebAuthn is ground breaking and different. Why do I think it will change authentication forever. Do we finally have a universal and user friendly second factor that can not be phished? Can it really be true? What about recovery?
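The "cannot be phished" property above comes from two bindings the relying party must check, not from the signature alone: the browser, not the page, writes the origin into clientDataJSON, and the authenticator hashes the RP ID into authenticatorData. Here is an added example (not code from the talk) of those server-side checks on an assertion; the RP ID, origin, challenge and authenticator data are constructed, and verifying the ECDSA signature over authenticatorData || sha256(clientDataJSON) with the stored credential public key is a separate step not shown.

```python
import base64
import hashlib
import json

# Added example, not from the talk: the relying-party checks on a WebAuthn
# assertion that bind it to the origin and RP ID. All data is constructed;
# signature verification with the stored public key is not shown.

RP_ID = "example.com"                      # assumed RP ID
EXPECTED_ORIGIN = "https://example.com"    # assumed origin; real RPs keep an allowlist


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_authenticator_data(rp_id, user_present=True, user_verified=False, counter=0):
    """Constructed authenticatorData: rpIdHash(32) || flags(1) || signCount(4, big-endian)."""
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def client_data(origin, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as the browser emits it; the page cannot set 'origin'."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, stored_counter: int,
                     rp_id=RP_ID, expected_origin=EXPECTED_ORIGIN) -> int:
    """Return the new signature counter, or raise ValueError naming the failed check."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch (replay or stale session)")
    if client.get("origin") != expected_origin:
        # A phishing page at another origin gets a different value here from the browser.
        raise ValueError(f"origin mismatch: {client.get('origin')!r}")
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    flags = authenticator_data[32]
    if not flags & 0x01:
        raise ValueError("user presence flag not set")
    counter = int.from_bytes(authenticator_data[33:37], "big")
    if counter != 0 and counter <= stored_counter:
        raise ValueError("signature counter did not increase (possible cloned authenticator)")
    return counter


if __name__ == "__main__":
    challenge = bytes(range(32))            # constructed per-login challenge
    auth = make_authenticator_data(RP_ID, counter=7)
    print("genuine :", verify_assertion(client_data("https://example.com", challenge), auth, challenge, 6))
    try:
        verify_assertion(client_data("https://example.com.evil.test", challenge), auth, challenge, 6)
    except ValueError as err:
        print("phishing:", err)
```

The phishing case fails on the origin check even though challenge, RP ID hash and (in a real flow) the signature would all be valid: the attacker's page can proxy the challenge, but it cannot make the victim's browser write `https://example.com` as the origin.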

Ståle Pettersen is a developer and security enthusiast with 10+ years of experience, currently working as Head of Product & Application Security in Schibsted.

Slides

Burp suite “ninja moves”

Have you ever tested a web application that you knew was vulnerable, but could not figure out how to get Burp to behave the exact way you needed to find or exploit the vulnerability? Maybe you needed to fetch a certain value before sending a request through Intruder but could not figure out what was wrong with your Burp macro. Or maybe you could not figure out that macro menu in the first place.

In this talk Thomas will show you the secret ninja moves inside of Burp Suite that you wished you knew before you bought that Pro license. This talk is for those who want to take their web application testing to the next level. We will cover the hidden features of intruder, how to test for the newest security flaws and essential plugins that you need to know in order to find that hidden vulnerability in your next penetration testing engagement or bug bounty adventure.

Thomas Gøytil is a former developer turned security professional, specializing in API and web application security. He has over 9 years of experience as a consultant building, breaking and securing web applications. He is Head of Security at Klaveness Digital, a Norwegian company building intelligent shipping and logistics solutions. Thomas loves to work with developers to find elegant solutions to hard security problems. When Thomas is not working on the defense for his company, he is working on his offense doing bug bounty or Brazilian Jiu Jitsu.

Slides

19 November 2019, 17:00 - 19:00

Best practices for securing CI/CD pipeline by Victoria Almazova + lightning talk

Location: Teknologihuset, Pilestredet 56, Oslo

Meetup event: https://www.meetup.com/OWASP-Norway/events/266233553/

Best practices for securing CI/CD pipeline - Victoria Almazova

DevOps practices are in place; containers are everywhere, pipelines are flying. We do Agile. We do DevOps. Now we try to follow security practices for protecting the deployed resources, too. This is why DevSecOps is not hype anymore and is gaining prominence. There is a lot of information about DevSecOps, but how do you do it properly? Where do you start? What are the best practices? In this session, we will walk through an end-to-end scenario where we deploy infrastructure components securely to Azure using Azure DevOps, Azure Container Registry and security tools. We will build a pipeline with security in mind to protect against and detect potential security flaws during the build.

You will learn:

  • How to build an end-to-end CI/CD pipeline that builds the application and deploys infrastructure on Azure with security checks for the application, containers and infrastructure;
  • What are the security tools available for CI/CD pipeline and how to implement them in the best way into different Git workflows;
  • Best practices and patterns of building security pipelines.

Security girl at Microsoft with more than 13 years of experience in security. She spends all her time working closely with developers and architects to build security in from the design level. She is a big supporter of making security a culture and shifting security left through DevOps. Victoria believes that empowering developers and architects in security tasks by helping with education will raise the security level without adding workload.

During her free time, she deep-dives into cloud security, development, and identity and access management. And of course, she doesn't forget about running, hiking and motorcycles, which are her biggest passions after security.

Crypto for Pentesters - Tor Erling Bjørstad

"A cryptosystem should be secure even if everything about the system, except the key, is public knowledge" (Auguste Kerckhoffs, 1883)

Modern crypto is actually pretty good. Nobody is going to break RSA or AES by accident on a pentest assignment. Modern crypto is also surprisingly subtle. Even if it says AES on the box, the devil is in the implementation details. In this talk, we'll look at a few common crypto fails, and discuss their exploitability in a practical setting. The goal is to help the audience recognize and avoid problems that are common in the field.

Tor leads the application security practice at mnemonic. He has been working full-time in software security and cryptography since 2006, at times playing the role of a security champion and defender, at other times as the attacker hunting for ways to break in. Tor holds a PhD in cryptography from the University of Bergen.

The presentations will be held in English.

Pizza and soda will be served at the meetup, sponsored by Microsoft.

A big thanks to mnemonic (https://www.mnemonic.no/) for supporting the OWASP Norway Day 2018 as a platinum sponsor.

16 October 2019, 17:00 - 19:00

Location: Miles, Bislettgata 4, Oslo, 6th floor

Meetup event: https://www.meetup.com/OWASP-Norway/events/265374152/

Securing microservices in a serverless world - Andreas Claesson

The world of IT is changing, with a vast number of services moving from centralised servers to cloud providers such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). With the concept of "serverless", the services themselves are also becoming decentralised, meaning that they are broken down into smaller pieces called microservices.

In his presentation, Andreas will explore the major benefits of going serverless, the challenges this approach to architecture presents to traditional IT security, and try to answer the question, “so why isn’t serverless super popular yet?”

The presentation is based on an article published in the annual mnemonic Security Report (www.mnemonic.no/securityreport).

Andreas Claesson works at the European IT and information security company mnemonic as a Senior Security Consultant in their Technical Risk Services department. Based in Oslo, his main focus area is security assessments of cloud environments, which requires a different approach compared to traditional IT security. He has a background in software development giving him an extra dimension in his security work.

The presentation will be held in English.

Wraps and soda will be served at the meetup, sponsored by Miles (https://miles.no).


9 April 2019, 17:00 - 19:00

Location: Teknologihuset, Pilestredet 56, Oslo

Registration: https://www.meetup.com/OWASP-Norway/events/259385379/

Security of Machine Learning - Stian Kristoffersen

Stian Kristoffersen from Deepinsight will come and talk about security of machine learning. The presentation will be held in English.

Machine Learning (ML) continues to be a trendy tool for many types of problems, including security. But is ML itself secure? This talk will give an introduction to attacks on ML like changing predictions, recovering sensitive information, and stealing someone else’s models. Examples include misdirection by changing a few pixels in an image, by using 3D printed models, and by hiding long messages in short sound bites. We will conclude with some current research directions to mitigate these attacks. Prior experience with ML is useful, but not required.
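As an added illustration of the "changing predictions" attack class above (example code, not from the talk), here is a minimal evasion attack on a logistic-regression classifier. For a linear model the gradient of the loss with respect to the input is the weight vector scaled by a scalar, so the fast-gradient-sign perturbation x' = x + eps * sign(grad) is exact: every feature moves by at most eps, yet the decision flips. The weights, bias and input are constructed for the example.

```python
import math

# Added example, not from the talk: fast-gradient-sign evasion of a constructed
# logistic-regression model. Weights, bias and the input are assumptions.

WEIGHTS = [0.8, -0.5, 0.3, 0.9, -0.7, 0.6, 0.4, -0.2]   # constructed model
BIAS = -0.2


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def logit(x, w=WEIGHTS, b=BIAS):
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def predict_proba(x, w=WEIGHTS, b=BIAS):
    return sigmoid(logit(x, w, b))


def predict(x, w=WEIGHTS, b=BIAS):
    return 1 if predict_proba(x, w, b) >= 0.5 else 0


def input_gradient(x, target_label, w=WEIGHTS, b=BIAS):
    """d(cross-entropy loss)/dx for the given label: (p - y) * w for a linear model."""
    p = predict_proba(x, w, b)
    return [(p - target_label) * wi for wi in w]


def fgsm(x, eps, w=WEIGHTS, b=BIAS, lower=0.0, upper=1.0):
    """Step each feature by eps in the direction that increases the loss on the
    model's current prediction, then clip to the valid feature range."""
    current = predict(x, w, b)
    grad = input_gradient(x, current, w, b)
    return [min(max(xi + eps * math.copysign(1.0, g), lower), upper) if g != 0 else xi
            for xi, g in zip(x, grad)]


def max_perturbation(x, x_adv):
    """L-infinity distance between the original and adversarial input."""
    return max(abs(a - b) for a, b in zip(x, x_adv))


if __name__ == "__main__":
    x = [0.6, 0.4, 0.3, 0.3, 0.2, 0.5, 0.5, 0.6]    # constructed input, class 1
    for eps in (0.1, 0.2):
        x_adv = fgsm(x, eps)
        print(f"eps={eps}: class {predict(x)} -> {predict(x_adv)}, "
              f"p={predict_proba(x_adv):.3f}, max change {max_perturbation(x, x_adv):.2f}")
```

With eps = 0.1 the prediction survives; with eps = 0.2 every feature has moved by at most 0.2 and the logit has crossed zero, which is the same mechanism as the few-pixel image examples the talk mentions, only in a model small enough to check by hand.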

Pizza and soda will be served at the meetup, sponsored by Deepinsight (https://deepinsight.io/).


20 November 2018 - OWASP Norway Day

Full day conference: https://owaspnorwayday.org

9 April 2018, 17:00 - 20:00

Security weaknesses in Norwegian online services - Roy Solberg / Hallvard Nygård

Location: Teknologihuset, Pilestredet 56, Oslo

Meetup event: https://www.meetup.com/OWASP-Norway/events/248655998/

We will be visited by Roy Solberg and Hallvard Nygård, who have independently discovered and published weaknesses in Norwegian online services.

Food sponsor: Oslo Market Solutions (https://oms.no)

Roy Solberg

Roy Solberg has recently uncovered a series of security holes in Norwegian services and websites. He takes us through his motivation for going public and publishing the security holes, and what the whole journey has been like. We get more details on a selection of security holes, including some not yet published. You will also hear about the most frequently observed weaknesses, so that you can avoid becoming a story on his blog.

About Roy Solberg: Roy Solberg works as a mobile developer at NorApps AS, where he works on one of the world's most popular football apps, FotMob. Before that he worked 10 years as an IT consultant.

Hallvard Nygård

If your REST service is on the Internet, you should expect someone to access it directly with alternative parameters. Hallvard Nygård wanted to look at his own data collected by Rema 1000's Æ app, but found everyone's data. For 2 weeks, the shopping data of up to 500,000 customers was available to anyone with an Internet connection. Security by obscurity.

In this presentation Hallvard will show how the Æ app was examined with mitmproxy (a man-in-the-middle proxy) and curl. He will focus on what we can learn from this and how you can examine and secure your own app/backend.

We will also look at other services where development and integrations have gone wrong and data, including personal data, has been exposed: a cloud-based health register, a property service and a customer portal (security in JavaScript!). Which properties do you own? What does your loan history (mortgages) look like? Enforced sale? Which devices are in your home? Which OS do they run? Data registers online are scary stuff...

About Hallvard Nygård: Developer. Often codes front-end, but also makes sure to secure the backend. Checks the security of your application in his spare time.

19 March 2018, 17:00 - 20:00

Location: Teknologihuset, Pilestredet 56, Oslo

Meetup event: https://www.meetup.com/OWASP-Norway/events/247571296/

#WatchOut - Serious vulnerabilities in smart watches for children

In October 2017, the Norwegian Consumer Council (Forbrukerrådet) and mnemonic published the #WatchOut campaign, revealing severe security flaws in smart GPS watches marketed towards children and parents. Among other things, it was shown that it was possible for an unauthorized party to:

  • take control of the watch through the companion app,
  • eavesdrop on and communicate with the child without the parent knowing,
  • track the child's movements, and also make it look like the child is somewhere he or she is not.

In some cases, user-generated data was also being insecurely transmitted and stored. In one case, data such as voice messages was found stored on an unprotected cloud server.

#WatchOut had a global spread and impact. It received coverage all over the world in outlets like the BBC, CBS, Good Morning America, Business Insider, The Telegraph, and Newsweek. This led to complaints being filed with the US Federal Trade Commission (FTC), and to some retailers pulling the devices from their shelves. It has also led to smart watch vendors making extensive changes to their products.

Harrison Sand and Tor E. Bjørstad from mnemonic will go deeper into the technical details of the #WatchOut research and analysis, and how the technical assessments were carried out.

We will also discuss events in the aftermath of the campaign, concerns relating to vulnerability disclosure, and our general concerns related to securing the Internet of Things.

Links:

  • https://www.forbrukerradet.no/side/significant-security-flaws-in-smartwatches-for-children
  • https://www.forbrukerradet.no/side/critical-security-flaws-remain-in-smartwatches-for-kids/
  • https://www.mnemonic.no/watchout

28 September 2017 17:15 - 20:15

Location: mnemonic AS, Wergelandsveien 25, Oslo

Meetup event: https://www.meetup.com/OWASP-Norway/events/243307080/

Software security in theory and practice - BSIMM and more

Nick Murison will give a talk on the Building Security In Maturity Model (BSIMM) for secure software development.

Abstract: The Building Security In Maturity Model (BSIMM) (http://bsimm.com/) is a unique tool built from an observation-based approach to capturing the collective activities of diverse software security initiatives. We initiated data gathering and analysis in 2008 with nine firms. There are now over 100 participant organisations in BSIMM, and we have measured many of these organisations more than once. Though secure software initiatives differ, all share common ground. BSIMM captures and describes this common ground. It therefore functions as a universal yardstick, capable of measuring any software security initiative and facilitating strategic planning for ongoing software security improvement. This talk will provide an introduction to the model, how you can apply it to your organisation, and what benefits you can achieve in measuring your initiative. It will also provide a sneak preview of BSIMM8, the latest version of the model.

About the speaker: Nick Murison is a Managing Consultant in Synopsys’ Software Integrity Group, and the European lead for BSIMM. His primary responsibility is the successful delivery of software security services to Synopsys’ clients across multiple industry verticals in Northern Europe. Nick holds an MSc in Information Security from Royal Holloway, University of London.

In addition, we’ve scheduled two shorter talks.

Jøran Lillesand will give a short presentation on practical experiences with running a software security programme, based on ongoing work at Digipost (https://www.digipost.no/sikkerhet). This talk will be held in Norwegian.

Patricia Aas will give a short presentation on her recent experiences with the security of the Norwegian election system (http://www.vg.no/nyheter/meninger/stortingsvalget-2017/kampanjen-funket/a/24136153/).

12 June 2017 17:00 - 20:00

Location: Simula, Ole-Johan Dahls hus, Gaustadaleen 23B, Oslo

Meetup event: https://www.meetup.com/OWASP-Norway/events/238611471/

Talks by Troy Hunt and Scott Helme and lightning talk by Per Thorsheim

Troy Hunt

What motivates attackers to dump data publicly? How is it sold, traded and redistributed and for that matter, what even causes people to go public with it? These are all questions I’ve dealt with over the years running the ethical data breach search service “Have I been pwned”. It’s also given me the opportunity to interact with everyone from the attackers breaching these systems to the impacted organisations to law enforcement agencies.

In this talk, I’ll share the lessons learned from working with billions of publicly dumped records as a result of major data breaches. The talk sheds light on how this class of adversary operates and the weaknesses within organisations they continually manage to exploit. It’s a unique inside look at security from a very real world and very actionable perspective.

About the speaker

Troy Hunt is an Australian Microsoft Regional Director and Microsoft MVP for Developer Security since 2011. Troy is a Pluralsight author of many top-rated courses on web security, and known for his work on “Have I been pwned?” - a free service that aggregates data breaches and helps people establish if they’ve been impacted by malicious activities on the web.

Scott Helme

The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it’s valid, potentially years. We need a way to revoke the trust in these certificates so that they can’t be abused but all current revocation mechanisms are largely useless. Let’s look at the new mechanisms being introduced to address the problem of revocation.

Per Thorsheim Lightning talk: “From security to safety - when consequences become real”

22 May 2017 17:00 - 19:00

Location: Microsoft Norge, Lysaker Torg 45, Oslo

Meetup event: https://www.meetup.com/OWASP-Norway/events/239636226/

SDLC at Visma + The keys to the cloud at Microsoft

17:15-18:00 Practical implementation of a Security Program focused on AppSec in a large provider and consumer of WebServices - Espen Agnalt Johansen, Operations & Security Manager at Visma R&D

18:15-19:00 The keys to the cloud: Use Microsoft identities to sign in and access API from your mobile and web apps after Microsoft Build 2017

Microsoft identities are the entry point for every Microsoft cloud API and a large ecosystem of SaaS apps. Join the 150,000 apps active today in Azure Active Directory, making your apps available to more than 100M active business users! Based on the same enterprise-grade infrastructure, Azure AD B2C provides your apps with their own hosted identity system – offering social provider integration, local accounts, and advanced customization you can add to your app in minutes. Attend this session and learn how you can easily integrate with Microsoft identities in your mobile and web apps, thanks to the new MSAL libraries. Build a data-rich application thanks to the power of the Microsoft Graph API and its rich data about users, groups, mail, calendar, docs, and more.

Vittorio Bertocci is Principal Program Manager in the Windows Azure Active Directory team, where he looks after Developer Experiences in Windows Azure Authentication Library (ADAL), OWIN, JWT Handler, WIF, the development aspects of Windows Azure Active Directory & ACS, and a lot of other things he can’t tell you about. Vittorio holds a master’s degree in Computer Science and has worked in the software industry for two decades. He devoted the last 10 years to distributed systems, identity management and the promotion of claims-based approaches with Fortune & Global 100 companies. In the last five years his duties have brought him to speak about identity in 23 countries and on 4 continents. Vittorio is a regular speaker at conferences such as BUILD, Microsoft PDC, TechEd USA, TechEd Europe, TechEd Australia, TechEd New Zealand, TechEd Japan, TechDays Belux, Gartner Summit, European Identity Conference, IDWorld, OreDev, NDC, IASA, Basta and many others.

Vittorio is a published author, both in the academic and industry worlds, and wrote many articles and papers. He wrote Programming Windows Identity Foundation (Microsoft Press, 2010), is co-author of A Guide to Claims-Based Identity and Access Control (Microsoft Press, 2010), and Understanding Windows Cardspace (Addison-Wesley, 2008). He is a prominent authority/blogger on identity, Windows Azure, .NET development, and related topics, and shares his thoughts at www.CloudIdentity.com.

Microsoft is sponsoring the event with food and soft drinks

30 March 2017 17:00 - 19:00

Location: Bouvet, Sørkedalsveien 8, Oslo

Meetup event: https://www.meetup.com/OWASP-Norway/events/238542931/

#ToyFail: Is your child safe from the Internet of Things? / Broken Crypto is Broken

Pizza will be served from 17:00. Thanks to Bouvet for hosting the meetup and sponsoring the pizza!

#ToyFail: Is your child safe from the Internet of Things?

Martin Gravråk - Software Developer & Kristian Løken Wille - IT Consultant @ Bouvet

Security and Privacy are two major concerns with the Internet of Things, and are especially important when children are involved. In this session, we’ll tell you what happened when the Norwegian Consumer Council asked us to investigate the inner workings of a selection of internet connected toys. Our findings shocked both us and our customer, and led to worldwide media coverage. We’ll share our methods for testing the toys, and show you examples of what we found. You’ll also learn about various techniques for finding out how secure your own devices are, what these devices know about you and where this information ends up. There will be demonstrations of how we use tools like Fiddler, Wireshark and decompilers, there will be movies and there will be toys!

The talk will be held in Norwegian.

Broken crypto is broken

Erlend Oftedal

We are using an increasing amount of crypto in our code to protect our assets. However, we can easily go wrong if we don’t know how to use it correctly. In this talk we will look at what can go wrong when crypto is used the wrong way. We will NOT dive into the algorithms themselves, but look at what the different primitives give us and what happens when our expectations are wrong.

26 January 2017 17:00 - 19:30

Location: Teknologihuset

Meetup event: https://www.meetup.com/OWASP-Norway/events/236787346/

Bug bounties with Frans Rosén

Bug bounties – What, how and why?

Going through the current state of bug bounties: what is it really? How do you start, and why? Frans will give some insights as one of the top ranked hackers on HackerOne and Bugcrowd and will share some advice on getting started, together with some examples of fun bugs. (30 min)

DNS hijacking using cloud providers – no verification needed

A few years ago, Detectify published a blog post on domain hijacking using services like AWS, Heroku and GitHub. These issues still remain and still affect a lot of companies, and many tools for finding these vulnerabilities have popped up since this went public.

However, there are many more ways to hijack domains, nameservers and DNS-providers. The tools out there are missing these cases completely. Frans will go through both the currently disclosed and the non-disclosed ways to take control over domains and will share the specific techniques involved.(50 min)

Frans Rosén is a knowledge advisor at Detectify and also spends a lot of his time doing bug bounties, and let’s just say he is quite successful at that.
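The precondition for the hijacks in both parts of the talk is a record that still points at a third party who no longer holds the matching resource: a CNAME whose target is unregistered or answers with the provider's "unclaimed" page, or an NS delegation to a DNS provider where the zone does not exist. The following added example (not Detectify's tooling or the speaker's code) audits a constructed zone for both cases offline. The `ZONE`, `RESOLVER`, `HTTP` and `NS_QUERY` dictionaries stand in for a zone export, a resolver, an HTTP client and a direct query to the delegated nameserver; the provider fingerprints are the commonly documented strings and should be treated as an assumption to re-verify. All hostnames and addresses are invented.

```python
"""Dangling-DNS audit: CNAMEs and NS delegations that point at a third party who no
longer hosts the matching resource.

Constructed, offline example. ZONE, RESOLVER, HTTP and NS_QUERY stand in for the
zone export, a DNS resolver, an HTTP client and a direct query to the delegated
nameserver; swap the three lookup helpers for dnspython/requests calls to run it
against a real zone. The hostnames and addresses are invented.
"""
from typing import Dict, List, Optional, Tuple

ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.com":  ("CNAME", "d111111abcdef8.cloudfront.net"),
    "shop.example.com": ("CNAME", "example-shop.herokuapp.com"),
    "docs.example.com": ("CNAME", "example-org.github.io"),
    "old.example.com":  ("CNAME", "legacy.example-hosting.invalid"),
    "team.example.com": ("NS",    "ns1.example-dns.invalid"),
    "api.example.com":  ("NS",    "ns1.real-provider.invalid"),
}

# target -> address, or None when the target itself is NXDOMAIN.
RESOLVER: Dict[str, Optional[str]] = {
    "d111111abcdef8.cloudfront.net": "203.0.113.10",
    "example-shop.herokuapp.com": "203.0.113.20",
    "example-org.github.io": "203.0.113.30",
    "legacy.example-hosting.invalid": None,
}

# What the CNAME target serves when asked with Host: <our subdomain>.
HTTP: Dict[str, Tuple[int, str]] = {
    "www.example.com": (200, "<html>welcome</html>"),
    "shop.example.com": (404, "No such app"),
    "docs.example.com": (404, "There isn't a GitHub Pages site here."),
}

# rcode returned when the delegated nameserver is asked for the zone's SOA.
NS_QUERY: Dict[Tuple[str, str], str] = {
    ("ns1.example-dns.invalid", "team.example.com"): "REFUSED",
    ("ns1.real-provider.invalid", "api.example.com"): "NOERROR",
}

# (target suffix, body substring, service). Commonly documented "unclaimed
# resource" pages; an assumption to re-verify against current provider behaviour.
FINGERPRINTS = [
    (".herokuapp.com", "No such app", "Heroku"),
    (".github.io", "There isn't a GitHub Pages site here", "GitHub Pages"),
    (".s3.amazonaws.com", "NoSuchBucket", "AWS S3"),
]


def lookup(target: str) -> Optional[str]:
    return RESOLVER.get(target)


def fetch(host: str) -> Tuple[int, str]:
    return HTTP.get(host, (0, ""))


def query_ns(ns: str, zone: str) -> str:
    return NS_QUERY.get((ns, zone), "NOERROR")


def classify_cname(name: str, target: str) -> str:
    """Dangerous if the target no longer resolves (whoever registers the target name
    owns our subdomain) or if the provider serves its 'unclaimed' page (whoever
    claims that resource name at the provider owns our subdomain)."""
    if lookup(target) is None:
        return "dangling-cname: target does not resolve"
    _, body = fetch(name)
    for suffix, needle, service in FINGERPRINTS:
        if target.endswith(suffix) and needle in body:
            return f"takeover-candidate: {service} resource unclaimed"
    return "ok"


def classify_ns(name: str, ns: str) -> str:
    """Dangerous if the delegated server is not authoritative for the zone: whoever
    creates that zone at the DNS provider answers for the whole subtree."""
    rcode = query_ns(ns, name)
    if rcode in ("REFUSED", "SERVFAIL"):
        return f"dangling-ns: {ns} is not authoritative for {name} ({rcode})"
    return "ok"


def audit(zone: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    findings = []
    for name, (rtype, target) in sorted(zone.items()):
        verdict = classify_cname(name, target) if rtype == "CNAME" else classify_ns(name, target)
        if verdict != "ok":
            findings.append((name, rtype, target, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(ZONE):
        print(*finding, sep="  ")
```

The NS case is the one most fingerprint-based scanners miss: the subdomain may resolve fine through one working nameserver while a second, dangling delegation is claimable, so check every NS in the set, not just the first answer.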

Big thanks to Schibsted Products & Technology for sponsoring pizza for the meeting

30 November 2016 17:00 - 19:30

Location: Domus Nova auditorium 7, St. Olavs plass 5, Oslo

Meetup event: https://www.meetup.com/OWASP-Norway/events/235670341/

17:00-17:30 - Pizza sponsored by Microsoft

17:30-18:15 - The Cyber Threat Intelligence Matrix: A simple incident response decision model

Speaker: Frode Hommedal (https://4sics.se/speakers/frode-hommedal.html)

Frode Hommedal is a senior incident responder and threat analyst. He is currently head of incident response and security analysis at Telenor CERT, where he’s part of the team that is establishing the global CERT/SOC capability of Telenor, Norway’s biggest telco. He has previously worked seven years for the Norwegian national CSIRT, NorCERT. One of Frode’s main interests is to model CSIRTs to improve efficacy and performance.

18:15-19:00 - The downloaders (“Nedlasterne”)

Speaker: Einar Otto Stangvik (https://www.linkedin.com/in/einaros)

Einar works with journalism research and data security at Verdens Gang (VG). “Nedlasterne” (the downloaders) is now a three-year-old project. In this presentation Einar sums up the (interdisciplinary) techniques and experiences used to expose the downloaders.

1 November 2016 18:00 - 20:00

Location: mnemonic, Wergelandsveien 25, Oslo

Meetup event: https://www.meetup.com/OWASP-Norway/events/234968368/

Personal security

You are one of the most significant security threats to your company. We all know we are going to fix better passwords / encryption / firewalls / etc. one day. Getting properly hacked is one of those things that is a lot more comfortable to prevent beforehand than to gather the shattered pieces afterwards. In this talk, we will take a practical approach to good personal digital security. We will start with the easy parts before drilling through the layers of security, down to the parts that are unpredictable and dangerous. Bring your laptop and a tin foil hat.

Topics include: What it’s like to get properly hacked. Using password managers. Operating system security. Browser security. Encryption, firewalls, factors, and other means of protection.

Michael Johansen is a software consultant at Knowit during the day and a startup founder during the night. At NTNU I studied entrepreneurship, computer science and psychology. During my studies I also took a year off to be a board member at NTNU’s Board of Directors. As part of my startup venture I’ve gotten first-hand experience with the startup scene in both Boston and in Silicon Valley. Humans and machines are the two things that interest me the most. I’m a bit systematic. I care more than most people about personal security, and it’s a topic on which I’d like to share my insights.

Hacking with Hardware: Tools for Physical Intrusion and Persistent Network Access

Reading about the latest zero-day vulnerabilities can be fun (or scary), but what about known vulnerabilities from years or even decades ago? When it comes to technologies like USB, wireless mice and access cards, many old vulnerabilities are still around, largely ignored in risk assessments and easier than ever to exploit in style, due to the availability of versatile, low-cost hardware gadgets. If humans are tool-using animals, hackers are gadget-using humans. In this presentation attendees will see examples of real physical and short range wireless attacks that will work against most organizations to bypass security controls and gain persistent physical access to the target facility and its network. Yes, billions of people can attack you from the Internet—that doesn’t mean you should forget about the ones who walk through the front door.

Ryan Mattinson is a penetration tester and managing consultant in KPMG Norway’s cyber defence practice. He will share stories from the trenches and introduce some of his favorite gadgets anyone can buy online or easily build at home to get into a target organization’s buildings and onto their network.

24 August 2016 16:30 - 19:00

Location: SpareBank1, Hammersborggata 2, Oslo

Meetup event: https://www.meetup.com/OWASP-Norway/events/232698579/

General assembly and members’ meeting - social engineering

Amateurs hack systems, professionals hack people. — Bruce Schneier

The 24 August meeting is about social engineering! First you can join in hacking the OWASP Norway Chapter through our general assembly, with approval of a new board. Then speaker Kai Roer will take us on a journey into the psychology that makes us humans so easy to hack, and into how the personality types we find in an organisation affect security. What good is two-factor authentication if full access is one phone call away?

You can also turn up just for the pizza and the members’ meeting.

Agenda:

  • 16:30-17:00 General assembly - approval of new board
  • 17:00-17:30 Pizza
  • 17:30-19:00 Social Engineering and The Psychology of Security / Kai Roer

General assembly 2016 - minutes

Agenda

  1. Election of chair and secretary
  2. Approval of the agenda
  3. Approval of the new board

Minutes: Bjarte Østvold elected chair of the meeting. Erlend Oftedal elected secretary. Approved by acclamation.

Nominations:

Chapter leader: Erlend Oftedal (re-elected)
Treasurer: Asbjørn Thorsen (previously board member)
Board members:

  • Jostein Tveit (re-elected)
  • Jon Are Rakvåg (re-elected)
  • Tor E Bjørstad (new)
  • Ståle Pettersen (new)

Nomination committee:

  • Bjarte M. Østvold (re-elected)
  • Jøran Lillesand (re-elected)
  • Joakim Tørmoen (new)

Approved by acclamation

7 June 2016 17:00 - 19:00

Location: Oslo Spectrum

Meetup event: https://www.meetup.com/OWASP-Norway/events/231166845/

NDC Community Tuesday

NB! You must also register here (free): https://www.eventbrite.com/e/ndc-community-tuesday-2016-tickets-24643781213

NDC have graciously allowed us to borrow some speakers as a part of NDC Community Tuesday.

17:30 - 18:15 - Moriarty Hacking in 2016 - Chris Dale

Your solution is deployed in the cloud, so it should be secure. After all, it only exposes a simple login field, and it has already been scrutinized by penetration testers for vulnerabilities. It should be safe… But it wasn’t! You still got owned, and you got owned BIG TIME! This talk will show how a criminal advances through a seemingly hardened solution, fully compromising it. The talk will demonstrate how the attacker takes over a customer’s entire domain, and also how the attacker is in fact able to compromise the cloud solution itself by attacking the IaaS infrastructure provider.

18:15 - 19:00 - CSP: RIP XSS - Christian Wenz

Cross-Site Scripting is one of the main risks for web applications - a position it has held for over a decade! With Content Security Policy, this threat may finally find its end. The W3C standard provides techniques to close many XSS vectors, offers fine-grained control over the security limitations you impose, and enjoys decent browser support. We will show what CSP is capable of, focusing on new features in CSP 2, and also discuss how you may need to refactor your website.
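Whether a policy actually closes the XSS vectors depends on a few directives, and the mistakes are easy to make: `'unsafe-inline'` without a nonce or hash, `'unsafe-eval'`, scheme-only or wildcard sources, and a missing `object-src` or `base-uri`. The following is an added example, not from the talk or the CSP specification text: a small parser that applies the header's serialisation rules (`;`-separated directives, first occurrence of a directive wins, `script-src` falls back to `default-src`) and an audit that flags those gaps. `WEAK` and `HARDENED` are constructed headers for a hypothetical site; the nonce value is a placeholder and in production must be fresh random data per response.

```python
"""Auditing a Content-Security-Policy header for the gaps that let XSS through.

Added example. parse_csp() follows the serialisation rules (directives separated
by ';', first occurrence of a directive wins); audit_csp() flags the weaknesses
that matter for script execution. WEAK and HARDENED are constructed headers.
"""
import re
from typing import Dict, List

NONCE_OR_HASH = re.compile(r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=_-]+)'$")
SCHEME_OR_WILDCARD = {"*", "http:", "https:", "data:", "blob:", "filesystem:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # Browsers ignore a repeated directive, so the first one is the effective policy.
        directives.setdefault(name, tokens[1:])
    return directives


def audit_csp(header: str) -> List[str]:
    d = parse_csp(header)
    findings: List[str] = []
    if "script-src" not in d and "default-src" not in d:
        findings.append("no script-src or default-src: scripts may load from anywhere")
        return findings
    # script-src falls back to default-src when absent.
    script = d.get("script-src", d["default-src"])
    has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        # With a nonce or hash present, CSP2 browsers ignore 'unsafe-inline' (it is
        # kept only for CSP1 fallback), so it is a hole only when it stands alone.
        findings.append("script-src: 'unsafe-inline' without nonce/hash keeps inline XSS working")
    if "'unsafe-eval'" in script:
        findings.append("script-src: 'unsafe-eval' allows eval()/Function() on attacker strings")
    for src in script:
        if src in SCHEME_OR_WILDCARD or src.startswith("*."):
            findings.append(f"script-src: over-broad source {src}")
    if "object-src" not in d and d.get("default-src") != ["'none'"]:
        findings.append("object-src not restricted: plugin content can still execute script")
    if "base-uri" not in d:
        findings.append("base-uri missing: an injected <base> can redirect relative script URLs")
    return findings


# Constructed headers. The nonce is a placeholder; generate a fresh one per response.
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:"
HARDENED = (
    "default-src 'none'; script-src 'self' 'nonce-d2ViYXBwLXJlcXVlc3Q'; "
    "style-src 'self'; img-src 'self'; connect-src 'self'; "
    "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
)

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_csp(hdr) or ["no findings"])
```

The refactoring cost the abstract mentions is visible in `HARDENED`: every inline `<script>` and event handler must carry the nonce or move to a file served from `'self'`, which is exactly the work that removes the XSS sink.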

18 April 2016 18:30 - 20:00

Location: Schibsted Products & Technology, Apotekergata 10, Oslo

Meetup event: http://www.meetup.com/OWASP-Norway/events/230205922/

OWASP theme meeting on security in medical technical equipment

Thanks to Schibsted Products & Technology for sponsoring food and the venue!

Marie Moe: With my heart on the Internet - Security in the medical IoT

About the talk: Our dependence on software-controlled systems is growing faster than our ability to secure them. When all our "gadgets" are connected to the net, the attack surface grows and our assets become vulnerable to hacking. This is not only a threat to information security and privacy; human life and health are also threatened when devices that can affect physical systems are increasingly connected to the Internet. Marie Moe depends on a medical implant, a pacemaker that makes sure her heart beats and keeps her alive. As a security expert she wanted to find out more about the information security of this computer inside her own body. She found the pacemaker's technical manual and was surprised to learn that it had functionality for connecting to a medical "Internet of Things". The software in the pacemaker and in the devices it could communicate wirelessly with was proprietary and unavailable. Marie therefore started a hacking project to find out about the security of her own personal critical infrastructure.

About the speaker: Marie Moe has a master's degree in mathematics/cryptography and a PhD in information security. Marie has experience as a section head at NSM NorCERT, Norway's national centre for handling serious cyber attacks. She currently works as an information security researcher at SINTEF ICT and teaches at NTNU. In her spare time Marie is involved in the grassroots organisation "I Am The Cavalry".

With my heart on the Internet

Preben Gustavsen: Use of medical technical equipment (MTU) in the health sector

About the talk: The health service relies increasingly on technology, and the trend is that technology is getting closer to the patient. Use of medical technical equipment (MTU) is subject to high quality requirements to ensure precise diagnoses or correct measurements. Since the information processed is often sensitive personal data, strict information security requirements also apply. In some cases patients' health depends directly on well-functioning MTU.

Information security requirements change when MTU is adapted to a modern infrastructure with integrations, both to make patient treatment more efficient and to give health personnel better support. At the same time, patients' expectations of the health service's use of modern technology are rising.

In such a situation several factors affect the overall security level. In this talk I will point to some general factors that affect the overall security level in MTU, such as:

  • The relationship with national and international suppliers
  • Challenges and opportunities when health personnel become entrepreneurs
  • Dependencies between software, operating system and adjacent software
  • The need for infrastructure that can support a broad service portfolio

Finally I will link the need for information security to questions of patient safety and the management of MTU.

About the speaker: Preben Gustavsen has about 15 years of experience with technology risk across roles as adviser in governance and control, programmer, systems developer, security architect and auditor. Preben holds a Bachelor of IT from Queensland University of Technology and has education from the former Polytekniske Høgskole. Preben is now an adviser in information security and internal control at Sopra Steria.

Information security and medical technical equipment

16 March 2016 18:00 - 20:00

Location: Brønnøysundregistrene's premises, Grev Wedels plass 9, 2nd floor

Meetup event: http://www.meetup.com/OWASP-Norway/events/229436674/

Thanks to Brønnøysundregistrene for providing the venue and to Sopra Steria for sponsoring pizza for the meeting!

Biometric authentication: Good (?) UX, but easy to make UX/security mistakes

Summary: Per Thorsheim waited 1 year, 3 months and 12 days for his biometric wristband. It took <1 hour to find the weaknesses. Biometric authentication has long been predicted to replace passwords, but the truth is that biometrics still suffers badly from teething problems. The presentation will show 3 different products where biometrics ruins UX and security, and what can and should be done to do things properly. Bio: Per Thorsheim is an independent security consultant in Bergen. He runs PasswordsCon, he got the world to adopt RFC 3207, and he helped Facebook put PGP support in place. He believes better security can be achieved through better usability.

https://godpraksis.no/ https://linkedin.com/in/thorsheim

With a little help from my friends, … an approach to full-scale crisis and emergency preparedness exercises. Case: Exercise “Beneath the cover, autumn 2014”. Summary: Raymond Hagen, 36. Security manager for Altinn at Brønnøysundregistrene. Also a staff officer in the local Home Guard district. Has an academic background in security related to infrastructure and development, but currently works mostly on incident handling, documentation and emergency preparedness. Has strong interests in culture and history, and spends a lot of time travelling a bit “off the beaten track”.

Panel debate. Moderator: Erlend Oftedal. Participants: Runa Sandvik, Per Thorsheim, Raymond Hagen. We use Slido to submit questions to the panel debate. This is a tool where you can submit questions to the panel and upvote existing questions you want debated. It is a good idea to think through questions for the panel in advance. The Slido PIN code will be given at the meeting.

Runa A. Sandvik is a privacy and security researcher, working at the intersection of technology, law and policy. When she is not hacking rifles (https://www.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change-target/) or writing articles for Forbes (https://www.forbes.com/sites/runasandvik/), she teaches digital security to journalists and helps media organizations improve their security posture.

19 November 2015 17:00 - 19:00

Location: Rooms Alfa & Omega at Norsk Regnesentral; NR is on the 4th floor of Kristen Nygaards hus, Gaustadalleen 23a, 0373 Oslo, also known as “the old IFI building” at UiO

Registration: http://www.meetup.com/OWASP-Norway/events/226703923/ or send an email to [email protected]

Agenda: http://www.meetup.com/OWASP-Norway/events/226703923/

16 September 2015 17:00 - 19:30

Location: Teknologihuset, Pilestredet 56, Oslo, main hall

Registration: http://www.meetup.com/OWASP-Norway/events/225200078/ or send an email to [email protected]

Agenda: http://www.meetup.com/OWASP-Norway/events/225200078/

7 May 2015 17:30 - D-Fens

Location: Forskningsveien 3b, Oslo

Registration: http://www.meetup.com/OWASP-Norway/events/221907724/ or send an email to erlend.oftedal(æt)owasp.org

Agenda: http://www.meetup.com/OWASP-Norway/events/221907724/

Slides: Defender Economics

General assembly

Time: Monday 13.04.2015 Location: Mnemonic, Wergelandsveien 23

  1. Election of a new board for OWASP Norway

The following board was elected by acclamation:

Nomination committee:

  2. Any other business

Erlend presented Trello as a tool for the board members to organise future members’ meetings, and proposed Teknologihuset as the regular venue.

26 June 2014 17:00

Organiser: Erlend Oftedal, tel: 98219335

Sponsor: N/A

Address: Teknologihuset, Pilestredet 56

Agenda: Hacking with Unicode

Tweetdeck was XSSed using Unicode in June 2014. If you want to understand how these kinds of attacks work, you should really come see this talk.

If you think you know how Unicode is handled in JavaScript, server-side code and databases, you should come see this talk.

If you don’t care about Unicode, you really need to see this talk.

Hacking with Unicode

This presentation explores common mistakes made by programmers when dealing with Unicode support and character encodings on the Web. For each mistake, I will explain how to fix/prevent it, but also how it could possibly be exploited.

Speaker: Mathias Bynens is a Belgian web standards freak. He likes HTML, CSS, JavaScript, Unicode, performance, and security. At Opera Software he’s a member of the Developer Relations team.
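One of the mistakes the abstract alludes to, and the one that bites identity code most often, is treating "exact string match" as exact: two strings with different code points can be the same user name after NFKC normalisation or case folding, so a registry that compares raw strings lets a second account collide with an existing one once some later layer (a database collation, a template, a search index) normalises. The following added example, not the speaker's code, shows the naive registry beside one that canonicalises at the boundary and uses the canonical form for both uniqueness and lookup. The look-alike names are constructed.

```python
"""Why 'exact match' on user names is not exact: NFKC and case-folding collisions.

Added example. NaiveRegistry compares raw strings; NormalizingRegistry keys on
canonical() = NFKC + casefold, keeping the display name as entered. LOOKALIKES are
constructed strings that collide with ordinary ASCII names.
"""
import unicodedata
from typing import Dict, List, Optional


def canonical(username: str) -> str:
    """NFKC maps compatibility characters (fullwidth letters, ligatures, the Kelvin
    sign) to their ordinary equivalents; casefold() is the locale-independent
    case-insensitive form and, unlike lower(), maps 'ß' -> 'ss' and long s -> 's'."""
    return unicodedata.normalize("NFKC", username).casefold()


class NaiveRegistry:
    """Uniqueness by exact code-point comparison (the bug)."""

    def __init__(self) -> None:
        self._users: Dict[str, int] = {}

    def register(self, name: str, uid: int) -> bool:
        if name in self._users:
            return False
        self._users[name] = uid
        return True


class NormalizingRegistry:
    """Uniqueness and lookup on the canonical form; the display name is kept as entered."""

    def __init__(self) -> None:
        self._users: Dict[str, int] = {}
        self._display: Dict[str, str] = {}

    def register(self, name: str, uid: int) -> bool:
        key = canonical(name)
        if key in self._users:
            return False
        self._users[key] = uid
        self._display[key] = name
        return True

    def lookup(self, name: str) -> Optional[int]:
        return self._users.get(canonical(name))


def collisions(names: List[str]) -> Dict[str, List[str]]:
    """Groups distinct strings that share a canonical form: run this over an existing
    user table before switching to canonical comparison, to find accounts that
    already collide."""
    groups: Dict[str, List[str]] = {}
    for n in names:
        groups.setdefault(canonical(n), []).append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed look-alikes (written as escapes so the trick is visible):
#   \uff41\uff44\uff4d\uff49\uff4e  fullwidth "admin"
#   \u212a                          KELVIN SIGN, NFKC -> "K"
#   \u017f                          LATIN SMALL LETTER LONG S, folds to "s"
LOOKALIKES = [
    "admin", "\uff41\uff44\uff4d\uff49\uff4e", "Admin",
    "Kelvin", "\u212aelvin",
    "mass", "ma\u017fs",
]

if __name__ == "__main__":
    naive, safe = NaiveRegistry(), NormalizingRegistry()
    for uid, name in enumerate(LOOKALIKES, start=1):
        print(repr(name), "naive:", naive.register(name, uid), "normalizing:", safe.register(name, uid))
    print(collisions(LOOKALIKES))
```

Canonicalise once, at the input boundary, and store that form alongside the display name; normalising in one place (the uniqueness check) but not another (the login lookup) recreates the collision.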

3 March 2014 16:00

Organiser: Erlend Oftedal, tel: 98219335

Sponsor: N/A

Address: Teknologihuset, Pilestredet 56

Agenda: Internet of Things

The overall theme of the meeting is “Internet of Things”.

Einar Otto Stangvik is coming to talk about usikkert.no, a search engine for Norwegian IP addresses. You can read more about it here: https://usikkert.no/about

Full agenda and description to follow.

7 February 2013 17:00

Organiser: Erlend Oftedal, tel: 98219335

Sponsor: Bouvet and Secode

Address: Bouvet, Sandakerveien 24

Agenda: Crossing Origins by Crossing Platforms

We have a distinguished visitor: Jonas Magazinius ( @internot_ )

Agenda:

  • A language based approach to securing mashups
  • Food
  • Crossing origins by crossing formats

“A language based approach to securing mashups”

15 years have passed since the “same-origin policy” (SOP) was introduced, with the purpose of controlling the interaction between web sites. Web sites of today, in particular so called mashups, differ radically in how they interact compared to 15 years ago, and the SOP has become an obstacle that needs to be circumvented. Despite numerous hacks and efforts to control interactions in a secure manner, this problem continues to be challenging. On-going research at Chalmers investigates using language-based techniques to control the flow of information, and by doing so maintaining the high level of interaction without making compromises in security.

“Crossing Origins by Crossing Formats”

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. We identify the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretations of the content, providing a new space of attack vectors. We characterize what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins.

Jonas Magazinius is a PhD student in the Language-based Security group at Chalmers University of Technology. The focus of his research is information-flow in mash-up web applications. Jonas is specialized in web application security, but is interested in most aspects of security. When not immersed in JavaScript, Jonas helps organize events in the OWASP Gothenburg chapter.

Monday 18 October 2012 17:00

Organiser: Erlend Oftedal, tel: 98219335

Sponsor: Bekk

Address: Bekk Consulting AS

  • 17:00-17:45 - Secure electronic voting? - Security assessment of the E-valg system - Emilie and Fredrik from Combitech

In the autumn of 2011, electronic voting took place in Norway for the first time. The system used for voting is named E-valg and was developed by EDB ErgoGroup and Scytl during 2010 and 2011.

The security of an electronic voting system is crucial for a fair, free and transparent election process. In addition, people must be able to trust the system enough to use it. Security has been an important part of the E-valg project from the design phase to the implementation of the final production system. Combitech had the role of independent security assessor and has been performing design review, code review and penetration tests of the E-valg system. We will present the security assessment process, the design of the security solution and some details about the tests and the results.

This presentation will be in English

  • 17:45-18:15 - Food
  • 18:15-18: - Uninstall Java now! - Jostein Tveit

Exploitation of Java vulnerabilities is becoming one of the most common ways for an attacker to take over a PC. At the same time, most of us browse the web with Java applets enabled in the browser. Can we trust the sandbox technology to make web browsing safe? This lightning talk tries to answer why exploiting Java vulnerabilities is now in vogue, and you will see both attack code and a demonstration of how a security hole in Java can be exploited.

24 April 2012, 19:30

Organiser: Erlend Oftedal

Sponsor: -

Address: Mesh Norway, Tordenskiolds gate 3

This time the theme is security in mobile applications. There will first be an introduction, then Martin Knobloch from OWASP Netherlands will talk about iGoat and GoatDroid, and then share experiences from a code review.

Slides:

19 March 2012, 17:00

Organiser: Erlend Oftedal

Sponsor: F5

Address: The Dubliner

“Web Application Access Control Design Excellence”, Jim Manico

Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and “fail open” access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.
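The anti-patterns in the abstract and the positive design it argues for are easiest to compare in code. The following is an added example, not from the talk: `can_antipattern` hard-codes the policy in the handler, checks only the caller's role (so any authenticated user reaches any record, the horizontal-access gap) and fails open when the role lookup errors; `Policy` names activities as strings, hands each rule the user and the concrete resource (data contextual), denies activities nobody wrote a rule for, and treats a rule that raises as a deny (fail closed). The users, invoices, roles and rules are constructed.

```python
"""Deny-by-default, activity-based access control beside the fail-open, role-only anti-pattern.

Added example. Policy.check() is the positive design: unknown activity -> deny,
exception inside a rule -> deny, and every rule sees the resource it is deciding on.
Users, invoices and rules are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


@dataclass(frozen=True)
class User:
    id: int
    roles: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    department: str
    status: str


def can_antipattern(user: User, action: str, invoice: Invoice,
                    role_lookup: Callable[[User], str]) -> bool:
    """Hard-coded, role-only, fail-open."""
    try:
        role = role_lookup(user)
    except Exception:
        return True  # "don't break the page": the directory being down grants everything
    if role == "admin":
        return True
    if action in ("read", "approve"):
        return True  # any authenticated user, any invoice: no horizontal check
    return False


Rule = Callable[[User, Invoice], bool]


class Policy:
    def __init__(self) -> None:
        self._rules: Dict[str, Rule] = {}

    def allow(self, activity: str, rule: Rule) -> None:
        self._rules[activity] = rule

    def check(self, user: User, activity: str, resource: Invoice) -> bool:
        rule = self._rules.get(activity)
        if rule is None:
            return False  # deny by default: an activity without a rule is forbidden
        try:
            return bool(rule(user, resource))
        except Exception:
            return False  # fail closed: a broken rule or dependency denies, never grants


def build_policy() -> Policy:
    p = Policy()
    # Owner, or an accountant in the invoice's department, may read it.
    p.allow("invoice:read", lambda u, inv: u.id == inv.owner_id
            or ("accountant" in u.roles and f"dept:{inv.department}" in u.roles))
    # Approval: accountant role, right department, a submitted invoice, and not the
    # owner (separation of duties). Data contextual, not role-only.
    p.allow("invoice:approve", lambda u, inv: "accountant" in u.roles
            and f"dept:{inv.department}" in u.roles
            and inv.status == "submitted"
            and u.id != inv.owner_id)
    p.allow("invoice:delete", lambda u, inv: "admin" in u.roles and inv.status == "draft")
    return p


# Constructed actors and records.
ALICE = User(1, {"employee"})
BOB = User(2, {"employee", "accountant", "dept:sales"})
CAROL = User(3, {"employee", "accountant", "dept:ops"})
INVOICE = Invoice(42, owner_id=1, department="sales", status="submitted")
POLICY = build_policy()


def failing_lookup(user: User) -> str:
    raise ConnectionError("directory unavailable")


if __name__ == "__main__":
    print("anti-pattern, directory down, Alice approves own invoice:",
          can_antipattern(ALICE, "approve", INVOICE, failing_lookup))
    print("policy, Alice approves own invoice:", POLICY.check(ALICE, "invoice:approve", INVOICE))
    print("policy, Bob approves:", POLICY.check(BOB, "invoice:approve", INVOICE))
    print("policy, unknown activity:", POLICY.check(BOB, "invoice:export", INVOICE))
```

Because the rules live in one table keyed by activity, the policy is configurable without touching handlers, and every handler calls the same `check()`, so a new endpoint that forgets to register an activity is denied rather than silently open.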

30 November 2011 18:30

Organiser: Erlend Oftedal

Sponsor: TBA

Address: Hackeriet at Hausmannsgate 34, Oslo

Agenda: Shodan

Joint members’ meeting with Hackeriet (http://www.meetup.com/hackeriet/)! “Let me Shodan that for you…”, Eireann Leverett. Workshops are fun. Let’s have one.

Bring your laptop and willingness to write ten simple lines of code in Perl, Python, or Ruby. Even if you can’t code, come by and learn to use Shodan the computer search engine through the web interface. While the speaker will share a tiny bit of what he did with this tool, the focus will be on what you could be using it for… this is an interactive workshop, not a boring seminar.

Keywords for interest: banner grabbing, network scanning, application deployment profiling, security research, geolocation, security visualisation, network exploration, open source intelligence, fun.

Eireann Leverett spent six months working with ‘Shodan the computer search engine’. It’s an under-rated tool that was developed by John Matherly. John has given you a surprisingly big gift, why not learn to use it?

27 October 2011, 17:00 - 19:00

Organizer: Erlend Oftedal, tel: 98219335

Sponsor: Universitetet i Oslo

Address: Universitetet i Oslo, Forskningsveien 3B

Agenda:

  • 17:00-17:15 Next Generation Clickjacking demo - Geir Harald Hansen
  • 17:15-17:45 Experiences as pentesters. Two exciting demos at the end if time permits. Keywords: brute-forcing and Burp Suite - Asbjørn Reglund Thorsen
  • 17:45-18:15 Break with pizza
  • 18:15-19:00 AppSensor - Jøran Lillesand - How can the application itself be made capable of understanding when it is under attack? And what can it do about it?

21 June 2011, 17:00 - 19:00

Organizer: Erlend Oftedal, tel: 98219335

Sponsor: BEKK

Address: Akershusstranda 21, Vippetangen

Agenda:

  • 17:00-17:45 Selected topics from OWASP AppSecEU
  • 17:45-18:15 Break with pizza
  • 18:15-19:00 “Endpoint security & mobility” - Carsten Maartmann-Moe “An adversary’s physical access to a mobile device often makes existing security controls fail - why? This speaking session will demonstrate creative methods to exploit endpoints - that is, mobile units. It will include hands-on demonstrations of coldboot attacks, hacking through FireWire and how to locate encryption keys in mobile device RAM. Potential countermeasures are outlined, and we’ll focus on why end point security is important - and difficult.”

Annual general meeting: 12 May 2011, 17:00 - 17:15

Organizer: Kåre Presttun, tel: 4100 4908

Sponsor: mnemonic as

Address: Wergelandsveien 25

Agenda:

  • Approval of the notice of meeting
  • Annual report 2010/2011
  • Any other business
  • Elections

Annual report 2010/2011

Since the annual general meeting on 8 April 2010 we have had 5 members' meetings including tonight's, and there have mostly been between 10 and 25 participants at the meetings. One meeting, Thursday 3 June 2010, was cancelled. On Monday 10 May 2010 and Tuesday 22 March 2011 there were meetings together with other ”Communities” under the name Communities in Action at the Radisson Blu Hotel.

The board during the period has consisted of:

  • Kåre Presttun (chair)
  • Erlend Oftedal (treasurer)
  • Harald Øygard (board member)
  • Knut Vidar Siem (board member)
  • Jøran Lillesand (deputy member)

and the nomination committee has consisted of:

  • Åsmund Skomedal
  • Markus Harboe

There have been no activities requiring separate finances in the local chapter, so there is nothing to report financially. All activity so far has been sponsored by the hosts of the various meetings. There has been no other activity. We have USD 3808 in an account with Kate Hartmann which can be used for various projects. One example of such a project is tonight's speaker, who is paid via OWASP Norway's account with Kate through the OWASP on the Move project.

This concludes the chair's report.

Oslo 12/5-2011

Kåre Presttun, Chair, OWASP Norway Chapter

12 May 2011, 17:15 - 19:15

Organizer: Kåre Presttun, tel: 4100 4908

Sponsor: mnemonic as

Address: Wergelandsveien 25

Slides:

Agenda:

  • 17.15 - 18.00 The Image that called me - Security impact of Scalable Vector Graphics on the WWW - Mario Heiderich

Scalable Vector Graphics are about to conquer the web. Unlike most of their raster-based companions from the GIF, PNG and JPEG family, their vector-based structure allows them to be displayed on many different devices with various screen sizes without losing visual information. The open XML-based SVG sources permit the addition of metadata, helping even the visually impaired and blind to get the most out of these images. Additional modules, such as animations, events, SVG fonts, several scripting APIs and inclusion of hyperlinks, other images and documents and even arbitrary content from cross-domain sources make SVG the perfect image format for the future WWW.

Nevertheless, a powerful standard such as SVG certainly poses a lot of risks. This presentation provides a close look at SVG from a security perspective. How can attackers abuse this mighty image format, which ways exist to execute script code and worse, and what should web developers and browser vendors consider when dealing with SVG? How will HTML5 change the way we work with SVGs, and why does it matter for security professionals to know about things like SVG Tiny, in-line SVG, SVGz and other acronyms from a world where imaging and scripting collide? Besides many examples of malicious SVGs, the talk will shed light on a novel filtering tool capable of filtering and sanitizing SVG images without loss of important content.

  • 18.00 - 18.30 Food

  • 18.30 - 19.15 Locking the Throne Room - ECMA Script 5, a frozen DOM and the eradication of XSS - Mario Heiderich

Cross Site Scripting has been a topic in countless presentations over the last decade. That easy-to-grasp but hard-to-solve problem has been shaking the web and caused major trouble on hundreds to thousands of high-traffic commercial as well as governmental websites. Mitigation techniques have been developed and discussed in depth - starting with restrictive content filters, educational programs and trainings, programmers’ best practices and guidelines, proxy filters and many more. Still XSS remains a major problem far from being solved. The multilayer model on which the web relies causes too much reciprocity to find an easy cure - and the DOM, as the actually affected layer, still lies unprotected and open to the attacker.

This presentation introduces and discusses a novel approach to countering XSS and similar attack techniques by making use of several new features included in the ECMA Script 5 specification draft. It will be shown how to create a simple JavaScript to seal important DOM properties and take away the attacker’s ability to read and modify sensitive data in a tamper-resistant and lightweight way - without being “too loud”. Modern browsers, such as Chrome 8 and Firefox 4, for the first time provide the possibility of creating and using client-side IDS/IPS systems, written in JavaScript and running without special execution privileges. The presentation will show how these work, what the implications are, and what the future of XSS mitigation and eradication might look like.

Speaker: Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany, as well as for Microsoft, Redmond, and currently focuses on HTML5, SVG security and the security implications of the ES5 specification draft while finishing his PhD thesis. Mario initiated the HTML5 security cheat-sheet and maintains the PHPIDS filter rules. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of Web Application Obfuscation: ‘-/WAFs..Evasion..Filters/

22 March 2011, 16:00

Organizer: Kåre Presttun

Sponsor: Communities in Action 2011

Address: Radisson Blu Hotel, Holbergsgt. 30

This meeting is in cooperation with Communities in Action 2011. OWASP Norway Chapter participates together with javaBin, Kode kata, XP meetup, Framsia, Makers, Cocoaheads, NNUG and Oslo Lean Meetup. This is an exciting opportunity to mingle with other “communities”.

Programme:

  • 16:00 - 17:30 Light refreshments
  • 17:30 - 19:30 Parallel sessions
  • 20:00 - 21:00 Panel debate
  • 21:00 –> Mingling in the Skybar

Detailed programme for CiA 2011 here

1 September 2010, 17:00 - 19:00

Organizer: Knut Vidar Siem

Sponsor: Itera Consulting (formerly Objectware)

Address: Sognsveien 77 A-B, 0806 Oslo

  • Securing Web Services with OpenSSO — Mario Aparicio
  • Security by clarity — Knut Vidar Siem

Food will be served at the meeting.

3 June 2010, 17:00 - 19:00 - CANCELLED

Organizer: Kåre Presttun

Sponsor: mnemonic as

Address: Wergelandsveien 25, 0167 Oslo

  • 17.00 - 17.45
  • 17.45 - 18.15 Food
  • 18.15 - 19.00

10 May 2010, 18:00 - 23:00

Sponsor: Communities in Action 2010

Address: Radisson Blu Hotel, Holbergsgt. 30

This meeting is in cooperation with Communities in Action 2010.

Annual general meeting: 8 April 2010, 16:30 - 17:00

Agenda:

  • Approval of the notice of meeting
  • Annual report 2009/2010
  • Any other business
  • Elections

Annual report 2009/2010

There has been a steadily increasing number of members on our mailing list, and at the time of writing there are 134 members, 19 on digest and 115 on direct mail.

Since the annual general meeting on 4 June 2009 we have had 7 members' meetings including tonight's, and there have mostly been between 10 and 25 participants at the meetings. In addition we had a social round of OWASPils on 3 December 2009.

The board during the period has consisted of:

  • Kåre Presttun (chair)
  • Erlend Oftedal (treasurer)
  • Harald Øygard (board member)
  • Knut Vidar Siem (deputy member)

and the nomination committee has consisted of:

  • Åsmund Skomedal
  • Markus Harboe

There have been no activities requiring separate finances in the local chapter, so there is nothing to report financially. All activity so far has been sponsored by the hosts of the various meetings. There has been no other activity. We have USD 2020 in an account with Kate Hartmann which can be used for various projects.

On 1 May there will be a meeting together with other ”Communities” under the name Communities in Action. In that connection a roll-up and a stand have been ordered for an information stand in the common area. Two complete sets of OWASP books have also been ordered for the stand. Some of this will be deducted from our central account.

OWASP Norway Chapter is represented by Kåre Presttun on the organizing committee for AppSec Europe 2010, which will take place in Aula Magna, Stockholm University, 21-24 June 2010. In this connection Kåre has been involved in selecting courses for the first two days and talks for the conference itself.

This concludes the chair's report.

Oslo 6/4-2010

Kåre Presttun, Chair, OWASP Norway Chapter

8 April 2010, 17:00 - 19:00

Organizer: Erlend Oftedal

Sponsor: BEKK

Address: Skur 39, Vippetangen

Agenda:

Contact person: Erlend Oftedal, 98219335

4 March 2010, 17:00 - 19:00

Organizer: Knut Vidar Siem

Sponsor: Objectware

Address: Sognsveien 75z, 0806 Oslo

Agenda:

  • 17.00 - 17.45 Communities in Action 2010 planning
  • 17.45 - 18.15 Food
  • 18.15 - 19.00 Meeting planning - March 2010

4 February 2010, 17:00 - 19:00

Organizer: Kåre Presttun

Sponsor: Bouvet ASA

Address: Sandakerveien 24C D11, Oslo

Agenda:

  • 17.00 - 17.45 Security in Flash, Erlend Oftedal
  • 17.45 - 18.15 Food
  • 18.15 - 19.00 Open discussion. Knut Vidar and any other interested participants will spend some time on the security of Spring's web demo application: Petclinic.

Contact person: Arnar Lundesgaard

7 January 2010, 17:00 - 19:00

Organizer: Kåre Presttun

Sponsor: Buypass AS

Address: Nydalsveien 30A, Oslo

Agenda:

  • 17.00 - 17.45 “Security in HTML5 and Google Gears offline applications”, Anja Svartberg
  • 17.45 - 18.15 Food
  • 18.15 - 19.00 “Walkthrough of Promon Shield”, Lars Egil Sætrang (Promon)

Contact person: John Arild A. Johansen

3 December 2009, 18:00

OWASPils, Oslo Mikrobryggeri

12 November 2009, 17:00 - 19:00

Organizer: Kåre Presttun

Sponsor: mnemonic as

Address: Wergelandsveien 23, 0167 Oslo

Agenda:

  • 17.00 - 17.45 “Security in rich internet applications”, Øyvind Mengshoel Reistad
  • 17.45 - 18.15 Food
  • 18.15 - 19.00 Open space - discussion - think through the topics you want to discuss beforehand

Contact person: Harald Øygard, Tel: 9825 6072

8 October 2009, 17:00 - 19:00

Organizer: Kåre Presttun

Sponsor: Sparebank 1

Address: Hammersborggata 2, 0181 Oslo

Agenda:

  • 17.00 - 17.45 “From finding to vulnerability”, Carsten Maartmann-Moe (Ernst & Young)
  • 17.45 - 18.15 Food
  • 18.15 - 19.00 “Input validation in Spring Web MVC”, Knut Vidar Siem (Objectware)

3 September 2009, 17:00 - 19:00

Organizer: Erlend Oftedal

Sponsor: BEKK

Address: Skur 39, Vippetangenkaia, 0150 Oslo

Agenda:

  • 17.00 - 17.45 “Malware analysis”, Einar Oftedal (NSM)
  • 17.45 - 18.15 Food
  • 18.15 - 19.00 “Click-jacking”, Torgeir Thoresen

Unfortunately Watchcom was unable to attend after all - hopefully they will return on a later occasion.

4 June 2009, 16:30 - 17:00

Annual general meeting

Kåre Presttun welcomed everyone and presented the annual report 2008/2009. There were no comments on the annual report.

Then came the elections. The nomination committee, represented by Markus Harboe and Åsmund Skomedal, proposed re-election of the sitting board, and this was adopted by acclamation. Kåre Presttun then proposed re-election of the nomination committee, which was also adopted by acclamation. The meeting was thereby closed.

Annual report 2008/2009

There has been a steadily increasing number of members on our mailing list, and at the time of writing there are 113 members, 20 on digest and 93 on direct mail.

Since the annual general meeting on 28 April 2008 we have had 7 members' meetings (8 including tonight's), and there have mostly been between 10 and 25 participants at the meetings.

The board during the period has consisted of:

  • Kåre Presttun (chair)
  • Erlend Oftedal (treasurer)
  • Harald Øygard (board member)
  • Knut Vidar Siem (deputy member)

and the nomination committee has consisted of:

  • Åsmund Skomedal
  • Markus Harboe

There have been no activities requiring separate finances in the local chapter, so there is nothing to report financially. All activity so far has been sponsored by the hosts of the various meetings. There has been no other activity.

After communication with John Wilander (OWASP SE) and Ulf Munkedal (OWASP DK) there is agreement to arrange AppSec Europe 2010 as a joint OWASP Scandinavian conference. John Wilander has obtained OWASP's approval for them to host the conference, which will probably take place in Aula Magna, Stockholm University, 21-24 June 2010.

This means that OWASP NO and OWASP DK will be involved in the following activities:

  • Join the Organizing Committee (OC). Means you’re on the mailing list and share your opinions on issues brought up there.
  • Help out in finding sponsors, good talks, research papers, and attendees
  • Communicate conference info to your chapters and press releases to media in Norwegian/Danish

This concludes the chair's report.

Oslo 4/6-2009

Kåre Presttun, Chair, OWASP Norway Chapter

4 June 2009, 17:00 - 19:00

Organizer: Knut Vidar Siem

Sponsor: Mnemonic AS

Address: Wergelandsveien 23, 0167 Oslo

Agenda:

The vote on which day of the month we should hold meetings ended with the first Thursday of the month.

7 May 2009, 17:00 - 19:00

Organizer: Kåre Presttun

Sponsor: Mnemonic AS

Address: Wergelandsveien 25, 0167 Oslo

Agenda:

  • 17.00 - 18.00 Discussion
  • 18.00 - 18.25 Food
  • 18.30 - 19.00 Discussion

Discussed at the meeting:

  • Selected questions from [[Sikkerhet_i_hverdagen_1#Ikke_tatt_opp]]
  • Notes from the meeting [[Sikkerhet_i_hverdagen_2]]

25 February 2009, 17:00 - 19:00

Organizer: Knut Vidar Siem

Sponsor: Objectware

Address: Sognsveien 75z, 0806 Oslo

Agenda: For this meeting we are not planning any talks. Instead we want a more interactive get-together where we discuss the security-related challenges we face in everyday work and how we can solve them. Please try to include your role in the question/challenge so that it is a little easier to understand the situation. Also include your name so that the topic can be elaborated or clarified at the meeting. And remember: we are doing this to help each other!

  • 17.00 - 17.10 Prioritisation
  • 17.10 - 18.00 Discussion
  • 18.00 - 18.25 Food
  • 18.30 - 19.00 Discussion

Discussed at the meeting: [[Sikkerhet i hverdagen 1]]

26 November 2008, 17:00 - 19:00

mnemonic AS provided the venue and food. The venue was: Litteraturhuset, Wergelandsveien 29, 0167 Oslo

Agenda:

  • 17.10 - 17.45 Kåre Presttun - Impressions and experiences from the OWASP EU Summit in Portugal
  • 17.45 - 18.05 Alf-Ivar Holm - Demo of ratproxy
  • 18.05 - 18.25 Break with food (the house lapskaus)
  • 18.25 - 18.45 Harald Øygard - What can we in Norway contribute to OWASP projects in general? Examples and discussion.
  • 18.50 - 19.15 Markus Harboe - Threat modelling experiences

29 October 2008, 17:00 - 19:00

Many thanks to USIT for providing the venue and pizza. The address is: Forskningsveien 3b, Blindern

Lightning talks

  • 17.10 - 17.20 Harald Øygard - “Paros”
  • 17.25 - 17.35 Asbjørn Thorsen - “IT security at UiO”
  • 17.40 - 17.50 Knut Vidar Siem - “Input validation”
  • 17.50 - 18.10 Break with pizza
  • 18.10 - 18.20 Geir Harald Hansen - “CSRF: attack and defence”
  • 18.25 - 18.35 Arne Berner, Visiti - “Personopplysningsloven (the Personal Data Act) & centralisation and outsourcing of operations”
  • 18.40 - 18.50 Alf-Ivar Holm - “Burp Proxy”
  • 18.55 - 19.05 Erlend Oftedal - “Virus hunting”

30 September 2008, 17:00 - 19:00

Venue: Bouvet, Sandakerveien 24c, Building d11, Boks 4430 Nydalen

  • 17:00 - 17:45 - PCI DSS - overview and web security, Kåre Presttun
  • 17:45 - 18:00 - Break
  • 18:00 - 18:45 - Repeat from JavaZone: Security in Norwegian web applications - Markus Harboe and Erlend Oftedal

27 August 2008, 17:00 - 19:00

The meeting was held at Objectware, who also provided pizza.

28 May 2008, 17:00 - 19:00

The meeting was held at mnemonic as in Wergelandsveien 25, right next to Slottsparken and two buildings up from Kunstnernes Hus. Parking is available.

28 April 2008

Annual general meeting of OWASP Norway Chapter

Erlend Oftedal welcomed everyone and gave a short introduction to the website and mailing list. Kåre Presttun was then elected chair of the meeting and Markus Harboe as secretary.

The notice of meeting was approved.

Kåre went through the proposed Norway Chapter bylaws. The bylaws were adopted.

The following were elected to the association's board:

  • Kåre Presttun (chair)
  • Erlend Oftedal (treasurer)
  • Harald Øygard (board member)
  • Knut Vidar Siem (deputy member)

Elected to the nomination committee:

  • Åsmund Skomedal
  • Markus Harboe

Bekk sponsored the annual general meeting with venue and refreshments.

2 April 2008

OWASP Norway founding meeting

Bjørvika Konferansesenter, 15:00-18:00, 2 April 2008

On 6 March Kåre Presttun sent out invitations to 145 potential stakeholders. 21 people registered before the deadline and the following 16 people attended.

The agenda for the founding meeting was:

  • 15:00 - Welcome. Approval of the agenda. Submitted proposals
  • 15:10 - About OWASP
  • 15:40 - Proposed bylaws
  • 16:00 - Discussion and clarifications
  • 16:45 - Appointment of an interim board
  • 17:00 - First annual general meeting and the work ahead
  • 17:15 - OWASP Guide and OWASP top ten
  • 17:50 - Summary and comments

Kåre welcomed everyone and went through the agenda. There were no submitted proposals and the agenda was approved without comments. Kåre was elected chair of the meeting and Markus Harboe as secretary.

Harald Øygard presented OWASP and an overview of its most important projects.

Kåre presented the proposed bylaws. After some discussion and minor changes we ended up with the bylaws that we invite the first annual general meeting to adopt.

The following were elected to the interim board:

  • Kåre Presttun from mnemonic
  • Harald Øygard from mnemonic
  • Erlend Oftedal from Bekk

The interim board's task is to prepare and send out the notice for the annual general meeting.

The way forward was then discussed. The goal is to hold the first annual general meeting by the end of April (tentatively Wednesday 29/4 at 16:00) and at the latest during May. Participants are encouraged to propose candidates for the final board. Arranging members' meetings will be an important activity. It was proposed to hold relatively frequent members' meetings at the start to build up activity and to lower the threshold for presenting interesting material. It was proposed to hold members' meetings in other university cities in addition to Oslo. Participants are encouraged to recruit new members and attendees for the annual general meeting. The initiators plan to send out a press release after the founding meeting.

Finally Harald presented the OWASP Guide and OWASP top ten.

mnemonic as sponsored the founding meeting and is a member of OWASP.


OWASP Norway Day

To celebrate OWASP Norway's 10 year anniversary, OWASP Norway Day was held in Oslo on November 20th 2018.

More information about the event is available at https://owaspnorwayday.org.