OWASP Scotland

Welcome to the OWASP Scotland Chapter page. The chapter is lead by Sean Wright and Rob Jansson. Please follow us on Twitter for our latest updates as well as Eventbrite. Alternatively signup to our OWASP Scotland Google Group.

Events

Acknowledgements

A big thank you to PwC for hosting our upcoming February 2020 event. As well as providing the beer and pizza!

Upcoming Events

Please follow us on Twitter, OWASP Scotland Google Group or Eventbrite to find out about new upcoming events. Future events will also be added to this page closer to the time.

Tuesday, 11 Febraury 2020

Time: 18:00 - 20:00 BST

Location: PwC, 144 Morrison Street, Edinburgh, EH3 8EX

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-2020-tickets-90016877905

Description

We are pleased to announce that the first OWASP Scotland Chapter meeting of 2020 will take place on Tuesday the 11th of Feb. Many thanks to PwC, who has kindly offered to host this event for us. They will also be providing pizza and refreshments on the evening.

Security Culture and Behaviour - security is still often seen as a technology problem

Speaker: Louise MacDougall

This presentation will focus on the culture and behaviours surrounding cyber security and explore the ‘People layer’ of defence. Louise will discuss how organisations should be approaching cyber security leadership and how they can drive the right security behaviours within their staff. Particular focus will be on the role of senior leadership and behavioural models that can be applied to cyber security.

Nothing Rhymes with Purple

Speaker: Lawrence Munro

In this talk, I discuss the need for collaborative strategies between blue and red teams. I dive deep into the concepts of ‘always-on’ red teaming and the processes of generating use cases from TI through threat hunting to validation. I also discuss the use of point-in-time purple teaming and maximising the value to the SOC. Moreover, I will discuss the direction of travel within the professional services industry and open the floor to discussion.

Bio: Lawrence Munro is Technical Director at NCC Group, a Post-Graduate Student at Oxford University, a CREST Executive member and Director for B-Sides London. His research (and presentation topics) are varied, but often include: red teaming, education in InfoSec and weird side-projects. Lawrence has previously presented his ideas and research at: Black Hat USA, DEFCON, 44CON, RootCon, B-Sides (Various), ToorCon.

For attending this event you will be able to claim 2 CPE points.

Code of Conduct

We hope you enjoy our events, we care deeply about inclusivity and diversity so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of the chapter leaders if you have any feedback or would like to speak to us, we take these matters very seriously. You can find out more about our policies here: https://owasp.org/www-policy/operational/conferences-events.html.


List of our past chapter events.

Thursday, 21 November 2019

Time: 18:00 - 20:00 BST

Location: Deloitte Offices, Saltire Court, 20 Castle Terrace, Edinburgh, EH1 2DB

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-november-tickets-78186324401

Description

The final OWASP Scotland Chapter meeting of 2019 will take place on Thursday the 21st of November. Many thanks to Deloitte, who has kindly offered to host this event for us. They will also be providing pizza and refreshments on the evening.

We have two great talks lined up for the OWASP Scotland community with Rob McElvanney on “Red Teaming: Simply the BEST” and Colin Cassidy giving us an insight into the “Adventures in the wacky world of control systems”.

For attending this event you will be able to claim 2 CPE points.

Red Teaming: Simply the BEST

Speaker: Rob McElvanney, Deloitte

Using examples of real world attacks, Associate Director Rob McElvanney will discuss lessons learned from recent Red Team exercises, particularly within the CBEST and GBEST frameworks. This session will illustrate some of the methods used by advanced actors to achieve access, allowing them a foothold for lateral movement and privilege escalation. The session will also explore how organisations can improve their chances of defending against such adversaries.

Adventures in the wacky world of control systems

Speaker: Colin Cassidy

This talk is a grab bag of different ICS topics to give people a flavours of the challenges being faced. The focus will be primarily on the energy industry, but other ICS and critical infrastructure faces similar issues. We will briefly discuss control system changes over time, what caused those changes, what improvements (or not) that they brought. We will cover some real life findings and thoughts from the field, this will include some odd findings, commonly seen issues, and how mistakes can cause surprisingly kinetic problems!

More positively there are solutions and improvements, but a one-size-fits-all solution does not tend to work, even when dealing with very similar sites.

Bio: Colin Cassidy (@parttimesecguy) used to be a software engineer at GE for 15 years working on their Distribution Management System (DMS). He is currently atoning for all his software development sin as a senior security consultant with IOActive. Colin has performed a number of security audits for ICS operators including one of the UKs largest Distribution Network Operators, several windfarms, container ships, shipping terminals, and AMI/smart meter infrastructure. Colin has also presented and Blackhat and Defcon on vulnerabilities found in Industrial Ethernet Switches. In his spare time, he searches for spare time.


Thursday, 12 September 2019

Time: 18:00 – 20:00 BST

Location: Ernst & Young, 144 Morrison Street, Edinburgh, EH3 8EX

Tickets: Tickets are available on EventBrite (https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-september-tickets-66503743487)

Weaknesses in Software Supply Chains

Speaker: Sean Wright

Software development today is a far cry from software development from yesteryear. Gone are the days of developing something from the ground up. Software development now involves “stitching together” numerous libraries and frameworks together to develop the desired system/application. We are now dependent on 3rd party vendors and providers now, more than ever before. This has greatly help to aid the generation of rapid development. However, this helped to introduce a new, and often overlooked problem, weakness introduced by these libraries. Why would an attacker spend significant effort and time trying to break through the front door of an organisation, when they can instead open a backdoor for themselves?

The purpose of this talk is to raise awareness for the potential problem, with some recommendations of tools and approaches which could help. Discussing past examples where backdoors have been placed into libraries, as well as discussing some of the difficulties to keeping libraries up to date.

EY Global Information Security Survey Results

Speaker: Shriparna Ghosh

EY runs a Global Information Security Survey (GISS) every year. Responses were collected from over 60 countries representing all industry sectors with more than 1400 participants.

After a year in which organisations have been rocked by a series of large-scale cybersecurity breaches and ongoing recriminations over state-sponsored interventions, EY’s Global Information Security Survey shows which areas were the key areas of focus or areas of investment for various sectors. It also outlines the top trends in the cyber world from a global perspective.


Thursday, 9 May 2019

Time: 18:00 – 20:00 BST

Location: PwC, 144 Morrison Street, Edinburgh, EH3 8EX

Tickets: Tickets are available on EventBrite (https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-may-tickets-59785884189)

Deception, Confusion, Mistrust: Attacks and Defences

Speaker: Matt Wixey

This talk will cover 2 topics. The first focuses on Remote Online Social Engineering (ROSE), an emerging long-term attack vector deployed by threat actors to build trust and rapport with targeted users in order to gain access to business networks. I’ll provide an outline of attackers’ methodologies, why they would want to deploy them, some case studies, and countermeasures. The second is a light-hearted look at ways in which defenders can confuse, deceive, or frustrate attackers on a compromised honeypot or other host, with an emphasis on practical implementation. I’ll examine some historic ways in which this has been done, along with some case studies, and then present some new methods I’ve come up with, with a few demos.

Bio: Matt leads technical research for the PwC Cyber Security practice in the UK, and is a PhD candidate at University College London. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security.

Why Security-as-a-Feature Will Never Happen

Speaker: Lawrence Munro

In a fairly dystopian view of our Cyber future, this talk discusses the reasons why we still haven’t been able to include security as a design feature in applications.This talk goes into detail around the issues with human nature, education, financial requirements and laziness that contribute to the generally grim state of ‘cyber’ security.

As a security community (especially in Penetration testing), we’re very quick to throw mud and laugh at developers who’re not writing secure code. We also like to tell ourselves about new security issues and keep our learning within the community (as that’s where we seek / receive the most praise). We should turn our view externally and reflect on information that we make available and how who we lobby to make positive changes. We simply don’t teach people security early enough and position it as an essential design feature when people learn their trade. The general premise of the topic is that as an industry we know that one of the key challenges is that security needs to be ‘baked in’ at the design level. However, when we are taught the rudiments of Information Technology, security is not inherent or considered. The fundamental lack of security rubrics in education during key learning milestones means that security will always be an afterthought, or the domain of the specialist. If we’re not addressing security at this level and providing the masses with a proper education, we’ll never win the battle, let alone the war. In my opinion, the fault resides with those providing information to those seeking to learn. Specifically: Universities, Colleges, vendors, commercial providers, your friend Dave from school, authors and anyone who showed their friends how to customise their page on MySpace.com in the early 2000’s. In order to validate my assertions, I have audited the occurrence of secure coding learning (at to respective top 25 UK / US universities) in undergraduate software engineering degrees (by module). I have also performed a similar evaluation on commercial offerings and looked at some of the most popular introductory books. I use this secondary data along with my own views to demonstrate the current failures of the industry and propose approaches to remedy this issue.

Bio: Lawrence Munro is the Worldwide VP of SpiderLabs, a Post-Graduate Student at Oxford University and Director for B-Sides London. My research (and presentation topics) are varied, but often include: red teaming, education in InfoSec and weird side-projects. Lawrence has previously presented his thoughts and research at: Black Hat USA 2018, DEFCON 2017, 44CON 2018, RootCon 2017, B-Sides (Various), ToorCon San Diego 2015.


Thursday, 21 February 2019

Time: 18:00 – 20:00

Location: FanDuel, Quartermile One (Level 4), 15 Lauriston Place, Edinburgh, EH39EP

We have two great speakers kicking off 2019 for us.

Tickets available here: https://owasp-scotland-november.eventbrite.co.uk

Many thanks to FanDuel for hosting this event.

Seeing what is not there: searching in Windows paths

Speaker: Margus Lind, Context IS

Windows – designed to make training materials self-improve.

During a recent Windows breakout and privilege escalation training session we stumbled upon several new instances of exploits. While the underlying principles are well known, it is shocking to see such weaknesses exploitable out of the box, even on the latest Windows 10 RS5.

Firstly, the presentation will give a brief overview of the way Windows searches for required commands and DLLs. This will be followed by some practical examples of how it can be exploited to escalate privileges and bypass UAC.

Overall, we’ll see that while Windows makes an ever improving attempt at security features, the spaghetti bowl of legacy features and behaviours remains rather entertaining…

A view of the threat landscape

Speaker: Don Smith, Secureworks

Using examples of real world attacks, Senior Director Don Smith will discuss lessons learned from recent incidents involving determined and persistent adversaries. This session will illustrate the methods used by advanced actors to avoid detection and consolidate their access in compromised environments. The session will also explore how security teams can improve their chances of defending against such adversaries, pragmatic advice with the odd reality check.