OWASP Singapore

Welcome to OWASP Singapore Chapter

Welcome to the Singapore chapter homepage. The chapter leaders are Wong Onn Chee and Cecil Su.

Click here to join the local chapter mailing list.

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter Policy. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Upcoming Meetup

We schedule our meetings on the OWASP Singapore Meetup Group.

Our meetings are open to the public, and you do not need to be a member to attend. Please do consider joining OWASP if you find our community, projects, and meetings valuable, or sponsoring this chapter.

2024

Coming soon.

Past Meetups

2024

February 2024 Meetup: 2 topics - “Understanding Server-Side Request Forgery – The new kid on the OWASP Top 10” and “Cracks in the pipeline - Breaking down Software Integrity failures in the wild”

Date: 27 February 2024 7pm to 9pm

Venue: Zuhlke Engineering Pte Ltd, 80 Robinson Road #22-04, Singapore 068898

We have 2 awesome speakers for our first meetup of 2024 and many thanks to Zühlke Singapore for sponsoring the venue and food!

Session 1: Understanding Server-Side Request Forgery – The new kid on the OWASP Top 10.

Join our OWASP meetup for a critical exploration of Server-Side Request Forgery (SSRF), the latest addition to the OWASP Top 10. This talk will introduce SSRF, explaining its 2 flavours and impact on web applications. Gian-Luca will cover its emergence in the security landscape, analyze real-world case studies, and discuss mitigation strategies. For newcomers we’ll do a short practical demo and for app sec experts we are looking forward to a fruitful discussion about potential mitigation strategies.

1st Presenter: Gian-Luca Frei, Zuhlke

Gian-Luca Frei is an experienced Application Security Consultant based in Singapore, currently working at Zühlke. With a passion for security, Gian-Luca has a proven track record of securing systems with the highest security standards, including e-banking portals and health applications. He brings a wealth of knowledge and expertise in the field of application security, having worked in the industry for several years. Gian-Luca is also the founder and co-leader of the OWASP Application Gateway Project, which focuses on developing open-source tools to help secure web applications. In addition to his professional engagements, Gian-Luca is a researcher at heart. He has a keen interest in modern cryptographic protocols and has conducted extensive research in this field. His contributions have been recognized with the ISSS Excellence Award in 2019.

Session 2: Cracks in the pipeline - Breaking down Software Integrity failures in the wild

Open-source libraries and packages have long been invaluable resources for developers of all skill levels. However, is this dynamic about to shift? Shockingly, between 2022 and 2023, there was a staggering 11,973% surge in reported malicious packages in the wild. Despite this alarming trend, there’s a tendency to overlook A08:2021 – Software and Data Integrity Failures in the OWASP Top 10.

Join us as we delve into the unprecedented rise of malicious packages, explore their inner workings, ingenious tactics, and discuss proactive measures we can adopt to counter these threats.

2nd Presenter: Vinoth, Softscheck

Vinoth leads the Cyber Offensive consulting team in Singapore at softScheck APAC. His insatiable curiosity led him into the world of hacking, where he dedicates his time to uncovering vulnerabilities and safeguarding clients across various industries. Vinoth maintains an avid interest in security research, and a particular passion for low-level systems engineering and exploit development.

Many thanks to Zühlke Singapore for sponsoring the venue and food! Come early, enjoy free food and inter-mingle with AppSec enthusiasts.

Please RSVP your attendance at OWASP SG meetup page.

Presos can be downloaded from here for the 1st session and here for the 2nd session.

2023

November 2023 Meetup: 2 topics - “Fortifying the Front Lines: Safeguarding Mobile Applications Against Layer 7 Threats and Exploits.” and “Understanding API Security problems”

Date: 28 November 2023 7pm to 9pm

Venue: Akamai Singapore office, 1 Raffles Place, #17-61, One Raffles Place Tower 2, Singapore 048616

We have 2 awesome speakers for our last meetup of 2023!

Session 1: Fortifying the Front Lines: Safeguarding Mobile Applications Against Layer 7 Threats and Exploits.

In an era dominated by mobile technology, the security of mobile applications is paramount. With the banking industry implementing new measures, such as restricting users from having certain applications on the devices they use for sensitive transactions, we explore whether these are viable solutions or just a stop-gap measure until the next round of attacks shows up on victims’ devices.

This presentation delves into the intricate landscape of advanced mobile security attacks that pose significant risks to mobile platforms. We explore the evolving nature of mobile malware, emphasizing the need for proactive measures to fortify applications against advanced attacks.

1st Presenter: Pishu Mahtani, Ex-DART

Session 2: Understanding API Security problems

It’s no surprise that API adoption is growing rapidly. The reality is that new business innovation and services are powered by APIs. But the rush to innovate is leaving security teams struggling to understand the very real security risks that APIs pose. Today, APIs carry vast amounts of data and are increasingly targets in data breaches.

This talk delves into common API security concerns and the importance of API Discovery. It highlights the key needs for an API security tool to detect API abuses and the importance of having a data lake for threat hunting.

Speaker: Chao Yin Loong, Senior Solutions Engineer at Akamai Technologies

Many thanks to Akamai for sponsoring the venue and pizzas! Come early, enjoy free pizzas and inter-mingle with AppSec enthusiasts.

Please RSVP your attendance at OWASP SG meetup page.

September 2023 Meetup: APIs Unveiled: A Deep Dive into OWASP Top 10 and Zero Trust Access.

Date: 6 Sep 2023 6:30pm to 9pm

Venue: F5 Office, Level 8, Suntec Tower 5, Temasek Boulevard, Singapore 038985

F5 is hosting our next OWASP SG hybrid meetup - online and in person - on API Security that you won’t want to miss.

We have a distinguished speaker lined up: James Lee from F5. The topics covered in this meetup will be highly relevant for individuals engaged in both AppSec within App Development and AppSec within Cyber Security.

Join us as we gather to share knowledge over delectable pizza and refreshing drinks!

Limited in-person seats are available at the venue @ F5 Office, so be sure to secure your spot now. If you can’t attend in person, no worries! Register to access the live stream.

Stay tuned for the meeting URL – we’ll send it your way once you’re registered.

This is an opportunity you won’t want to miss to enhance your understanding of API Security. See you there!

Session 1: The new OWASP Top 10 API Security 2023

Join us for an insightful session where we delve into the evolving landscape of API security. In this engaging event, we will uncover the advancements made in the OWASP API Top 10 from 2019 to 2023, highlighting the key changes and emerging threats.

The core focus will be on two crucial aspects of API security – tackling the challenges posed by API10:2023 - Unsafe Consumption of APIs and addressing API8:2023 - Security Misconfiguration

We’ll also address lessons learned from the Log4J vulnerability, aiming to better equip you for future situations.

Session 2: Zero Trust API Access based on OAuth

In today’s hybrid and multi-cloud environments, API communications play a pivotal role, forming a critical foundation for various organizational operations. As many organizations embrace the Zero Trust model as their core security principle, it’s essential to recognize that API security holds significant importance within the context of Zero Trust design. However, API security often tends to be underestimated in Zero Trust implementations.

Join us in this session to learn how F5 Distributed Cloud solutions bridge this gap, offering Zero Trust-based API access by leveraging the standard OAuth framework and its App Segmentation integration.

To register for this event, please do so at https://www.f5.com/c/apcj-2023/event/owasp-singapore-meet-up-api-unveiled

Speaker: James Jinwon Lee, Security Solutions Architect, F5 APCJ

James Lee joined F5 in Feb 2019 and is currently responsible for supporting F5’s strategic customers and alliance partners in APCJ to design and implement the application delivery network, and for consulting with customers on securing their web apps and APIs. He has been involved in API security projects for enterprises in different industries. He serves as the technical subject expert for cybersecurity topics of F5 solutions.

Please RSVP your attendance at the F5 registration page.

Presos can be downloaded from here for the 1st session and here for the 2nd session.

May 2023 Meetup: Hands-on walkthrough of API Security and Automating Testing for Complex API Scenarios.

Date: 10 May 2023 7pm to 9pm

Venue: Akamai Singapore office, 1 Raffles Place, #17-61, One Raffles Place Tower 2, Singapore 048616

Ashwath (co-author of the ATOR Burp plugin) and Avneesh (an employee of Akto) will do a hands-on walkthrough of API security and talk about automating testing for complex API scenarios. They will cover the following topics:

1. What is API Security?
2. Why is it important?
3. Why do BB hunters find more bugs than appsec/internal folks?
4. Common problems with API Security
5. Automated tools that are in the market:
    a. Burp native scanning
    b. Burp plugins - ATOR
    c. Akto open source
6. Running ATOR against some basic scenarios - Demo & Hands-on
7. Running Akto against a test setup - Demo & Hands-on
8. Q&A
9. Wrap-up

ATOR - ATOR Github
Akto - Akto Homepage

Target Audience: Appsec engineers, Developers who work on APIs, Bug Bounty Hunters

What attendees will gain by the end of the session:

1. Why is API security important?
2. How do misconfigurations happen?
3. How to build an inventory of APIs?
4. How to automate testing for complex scenarios (chained login, multi-step API requests, etc.)

Speaker: Ashwath

Ashwath currently works as a Principal Engineer at Razorpay. He has previously worked at Synopsys and Microsoft Corp. His interests are in Cloud Security, Red Teaming, Application Security (web applications) and Threat Modeling. He has released plugins for Burp to handle complex authentication mechanisms. He has presented at Rootconf, FS-ISAC, Nullcon, Cocon, BrightTALK, 50p (HasGeek) and technical conferences conducted by SAP, IAF, Infosys and NetApp, amongst others.

Speaker: Avneesh

Avneesh started as the first employee at akto.io (an API security company). His interests lie in the area of API security, understanding misconfigurations in API setups and variants of API architectures like GraphQL, JSONP and gRPC. While working on the tool, he has shared his experiences in multiple forums such as the Accel CTO & CISO summit.

Please RSVP your attendance at the OWASP SG Meetup page.

Preso can be downloaded from here.

The accompanying runbook can be downloaded from here.

2022

December 2022 Meetup: Lessons Learnt from Past Data Breaches in Singapore & Defence in depth for APIs

Date: 1 December 2022 6:30pm to 9:00pm

Venue: F5 Office Level 8, Suntec Tower 5, 5 Temasek Blvd, Singapore 038985

In this meetup, we have 2 speakers – Onn Chee from OWASP SG and Shahnawaz Backer (Shahn) from F5. This will be OWASP Singapore’s first hybrid meetup, where we will be meeting in person and streaming live for friends who cannot attend in person. The online meeting URL will only be provided once the in-person RSVP is filled up.

As the venue is in the F5 office, for corporate security reasons, please register your attendance too at https://www.f5.com/c/apcj-2022/event/owasp-singapore-meet-up

Many thanks to F5 for sponsoring the venue and F&B!

Session 1: Lessons Learnt from Past Data Breaches in Singapore

In this session, Onn Chee will cover 3 PDPC published decisions - one on ransomware and 2 on API insecurity - and the lessons we can draw from such cases. In addition, Onn Chee will highlight a common mistake that cloud users make in managing credentials and/or access keys on the cloud. The OWASP API Top 10 will be touched on too.

Session 2: Defence In Depth for APIs

Effective security comes in layers. In this session, Shahn will cover the wide range of controls needed to build layers of API defense. We will study the kill chain for an API breach, share design approaches to meet these challenges and cover the OWASP API Security Top 10.

Schedule

6:30 – 7:00 PM - Attendees arrive, networking over pizza, snacks, and drinks

7:00 – 7:05 PM - Webinar starts for online attendees - Welcome

7:05 – 7:50 PM - Lessons Learnt from Past Data Breaches in Singapore from Onn Chee

7:50 – 8:00 PM - Break

8:00 – 8:45 PM - Defence In Depth for APIs from Shahn

8:45 – 9:00 PM - Q&A & Wrap-up

Speaker: Wong Onn Chee

Onn Chee has been a n00b in infosec for more than 22 years ;-). He is the current chapter co-lead of OWASP Singapore.

Preso can be downloaded from here.

Many thanks to F5; the recording of this presentation is available from here.

Speaker: Shahnawaz Backer

Shahn has over a decade of experience in Information Security, practicing in the Asia Pacific. With a keen interest in modern application security, digital identity, and multi-cloud security, he focuses on building security intelligence into solutions and firmly believes in automated proactive defense. He writes on IT security at f5labs.com and has co-authored a Redbook on access management deployment patterns.

Preso can be downloaded from here.

Many thanks to F5; the recording of this presentation is available from here.

Please RSVP your attendance at the OWASP SG Meetup page. For corporate security reasons, please register your attendance too at https://www.f5.com/c/apcj-2022/event/owasp-singapore-meet-up

July 2022 Online Meetup: AWSGoat : A Damn Vulnerable AWS Infrastructure

Date: 13 July 2022 7:00pm to 8:30pm

Venue: Google Meet - get the Google Meet URL from OWASP SG Meetup page

Compromising an organization’s cloud infrastructure is like sitting on a gold mine for attackers. And sometimes, a simple misconfiguration or a vulnerability in a web application is all an attacker needs to compromise the entire infrastructure. Since the cloud is relatively new, many developers are not fully aware of the threatscape and end up deploying vulnerable cloud infrastructure. When it comes to web application pentesting on traditional infrastructure, deliberately vulnerable applications such as DVWA and bWAPP have helped the infosec community understand the popular web attack vectors. However, at this point in time, we do not have a similar framework for the cloud environment.

In this talk, we will be introducing AWSGoat, a vulnerable-by-design infrastructure on AWS featuring the latest released OWASP Top 10 web application security risks (2021) and other misconfigurations in services such as IAM, S3, API Gateway, Lambda, EC2, and ECS. AWSGoat mimics real-world infrastructure but with added vulnerabilities. The idea behind AWSGoat is to provide security enthusiasts and pen-testers with an easy-to-deploy/destroy vulnerable infrastructure where they can learn how to enumerate cloud applications, identify vulnerabilities, and chain various attacks to compromise the AWS account. The deployment scripts will be open-source and made available after the talk.

The nice thing is that Jeswin will be early-releasing AWSGoat even before its actual release at Black Hat USA this year! Woot!

Speaker: Jeswin Mathai

Jeswin Mathai is the Chief Architect (Lab Platform) at INE. He leads the team responsible for managing the lab infrastructure. Prior to joining INE, he was working as a senior security researcher at Pentester Academy (acquired by INE). He has published his work at DEFCON China, RootCon, Blackhat Arsenal, and Demo Labs (DEFCON). He has also been a co-trainer in classroom trainings conducted at Black Hat Asia, HITB, RootCon, and OWASP NZ Day. He has a Bachelor’s degree from IIIT Bhubaneswar. He was the team lead at InfoSec Society IIIT Bhubaneswar in association with CDAC and ISEA, which performed security auditing of government portals and conducted awareness workshops for government institutions. His areas of interest include Cloud Security, Container Security, and Web Application Security.

Please RSVP your attendance at the OWASP SG Meetup page.

Preso can be downloaded from here.

January 2022 Online Meetup: Effective Approaches for Shift Left Security

Date: 13 January 2022 7:30pm to 9:00pm

Venue: Google Meet - get the Google Meet URL from OWASP SG Meetup page

The concept of shift left is not new, but it is more possible today thanks to how cloud native applications are designed and deployed. This session will look at some key threats associated with cloud native applications and examples of how shifting security left can greatly help an organization’s security posture.

Speaker: Siddharth Deshpande

With over 15 years of experience in the technology and cybersecurity domains, Siddharth Deshpande is Palo Alto Networks’ CTO for the APAC region, focussed on the emerging areas of cloud native application security and security for the hybrid workforce.

In this role, he leads both business and technical focussed advisory engagements around cloud security to the largest corporations and government agencies in the region.

He joined Palo Alto Networks from Akamai, where he was a key technology leader focussed on emerging cybersecurity domains across Asia-Pacific and Japan. Prior to Akamai, Siddharth spent almost a decade at Gartner, where he was a strategic advisor to organizations across the Asia-Pacific and Japan region as well as globally on a variety of emerging and established cybersecurity domains. Siddharth holds a Bachelor’s in Electronics Engineering from Mumbai University in India.

Please RSVP your attendance at the OWASP SG Meetup page.

2021

November 2021 Online Meetup: Tools and Guidelines to Secure Software Packages and Dependencies (NPM, PyPI, Maven, NuGet, Crates and RubyGems) to Guard against Supply Chain Attacks. How to Set Up Guardrails and not Roadblocks or Gates: Shift Left with GitOps plus integrating Fuzzing into DevSecOps. The importance of having Cloud Infrastructure Entitlements Management (CIEM) to enforce permissions and security identities across workloads and clouds.

Date: 16 November 2021 7:30pm to 9:00pm

Venue: Google Meet - get the Google Meet URL from OWASP SG Meetup page

In this meetup, we will explore some tools and understand guidelines that can secure popular software packages and dependencies such as NPM, PyPI, Maven, NuGet, Crates and RubyGems.

We will also learn how GitOps plays a critical role in “shifting left” and how to set up guardrails, not roadblocks, to help developers.

We will also look at how fuzzing can be incorporated into DevSecOps.

Finally, we will learn the importance of having Cloud Infrastructure Entitlements Management (CIEM) to enforce permissions and security identities across workloads and clouds. A demo will be included in this meetup.

Speaker: Nathan Aw

With over 9 years of experience as a software developer and application (security) architect, Nathan Aw is a firm believer-practitioner of zero trust and an advocate of secure coding practices. His passion is in designing, building and rolling out asynchronous, polyglot-based microservices that are both zero-trust and performant, which can run securely anywhere (multi-cloud and/or on-premise) and scale without limits.

Through hands-on setup of a Secure Software Factory (SSF), he understands the importance of setting up a first-class secure software factory that is able to industrialise “shift left” practices, translating to quicker delivery of trusted and secure digital services to its customers.

Nathan’s other interests include emerging technology frameworks and frontier technologies such as WebAssembly, metaverse, quantum computing, cybersecurity for 5G Cloud Infrastructure and ICS/OT.

More on Nathan can be found at https://nathanawmk.github.io/ and https://sg.linkedin.com/in/awnathan

Please RSVP your attendance at the OWASP SG Meetup page.

Preso can be downloaded from here.

October 2021 Online Meetup: Enabling Zero Trust Architecture (ZTA) with Identity-Based Micro-segmentation using Service Mesh and Securing Production Identity Framework for Everyone (SPIFFE) (Demo) & Building Secure Software Factory (SSF) to Defend the Digital Cloud-Native Software Supply Chain against attacks: Helpful Cloud-Native Security Checklists and Notary (The Update Framework) (Demo)

Date: 19 October 2021 7:30pm to 9:00pm

Venue: Google Meet - get the Google Meet URL from OWASP SG Meetup page

With the significantly increased adoption of cloud-native technologies, and against the backdrop of supply chain attacks (the Solarwinds hack), what can all of us do to ensure that what we build and deploy to Production is indeed secure? In this session, Nathan Aw will expound on the need for a Secure Software Factory (SSF), share some useful cloud-native security checklists and finally demo some security and compliance tools that can help to secure our cloud-native supply chain.

Speaker: Nathan Aw

A hands-on microservices developer turned AppSec architect and practitioner, Nathan Aw’s unyielding passion lies in building and deploying secure and scalable software that can run anywhere. Through the actual hands-on setup of a Secure Software Factory (SSF), Nathan understands intimately the importance of setting up a first-class secure software factory that is able to quickly deliver trusted and secure digital services to its customers. More on Nathan can be found at https://sg.linkedin.com/in/awnathan

Please RSVP your attendance at the OWASP SG Meetup page.

Preso can be downloaded from here.

September 2021 Online Meetup: Developing secure software with OWASP tools and guides

Date: 2 September 2021 7:30pm to 9:00pm

Venue: Google Meet - get the Google Meet URL from OWASP SG Meetup page

Everyone knows the OWASP Top 10 and some other OWASP projects. The problem is that it is hard to find anything if you don’t know what you are looking for. This presentation is an OWASP project showcase, highlighting various OWASP projects, their usage and how they fit into your application development pipeline.

Speaker: Martin Knobloch

Martin Knobloch, Global AppSec Strategist at Micro Focus, is a long-time information security leader with more than 15 years of experience in the field. With a background in software development and architecture, his focus is on software security. Martin is actively involved in OWASP where he is a frequent contributor to various projects and initiatives, as well as a member of the Board of Directors. During his career, Martin has been a recognized teacher, guest lecturer at various universities and invited speaker and trainer at local and international software development, testing and security conferences throughout the world.

Please RSVP your attendance at the OWASP SG Meetup page.

Preso can be downloaded from here.

August 2021 Online Meetup: Securing the Multi-cloud, Portable, *-Tier Microservice Application: A live demo on Cloud-Native Application Security Platforms: Curiefense, Deepfense, Sysdig, Snyk Code, and Aqua Security Trivy & tfsec

Date: 5 August 2021 7:30pm to 9:00pm

Venue: Google Meet - get the Google Meet URL from OWASP SG Meetup page

Securing the multi-cloud, portable, *-tier microservice application that can potentially run anywhere, such as on an on-premise K8s cluster or on multiple clouds (AKS, EKS, GKE, etc.), can truly be a real challenge for microservices developers (yours truly!) and security folks alike.

In this session, we will see how some open-source cloud-native platforms can make developers’ lives a little easier (phew!). There will be a live demo of Curiefense, an open source, Envoy-based cloud native security platform. Envoy is an open source edge and service proxy, designed for cloud-native applications.

There will also be a demo of Snyk Code and Sysdig.

Finally, we will see how developers can integrate Aqua Security Trivy into their CI tool to scan for vulnerabilities in Docker images, and learn how to secure IaC with tfsec, a static analysis security scanner for Terraform.

Speaker: Nathan Aw

Nathan Aw is first and foremost a microservices developer who then turned AppSec architect, working in an end-user environment in a financial institution. His passion is for building secure, scalable polyglot microservices that can run anywhere and scale limitlessly.

Please RSVP your attendance at the OWASP SG Meetup page.

Preso can be downloaded from here.

July 2021 Online Meetup: API Security and the OWASP API Security Top 10

Date: 13 July 2021 7:30pm to 9:00pm

Venue: Google Meet - get the Google Meet URL from OWASP SG Meetup page

Today’s software-driven world is built on APIs, which are increasingly becoming the heartbeat of every modern mobile, B2B, IoT, and web application. APIs enable developers to write the data-driven and flexible applications that all end-users and organizations require and desire. However, while APIs have clear and obvious benefits, they also create a rapidly growing attack surface that isn’t widely understood and is sometimes completely overlooked by developers. Recent reports suggest that by 2022, API abuses will be the most responsible vector for data breaches within enterprise web applications. Therefore, securing them is a top challenge and must be a top priority. In this talk, we will highlight the security risks presented by the naive use of APIs and why an increased level of awareness is required to mitigate the risks. Next, we will dive into the top 10 API security risks presented in the OWASP API Top 10 list, from API-specific issues like broken object-level authorization and excessive data exposure to more familiar issues like injection risks. The list rounds up the most critical API threats while also providing explanations and example attack scenarios.

Speaker: Erez Yalon

Erez Yalon, Head of Security Research, oversees Checkmarx’s research team comprising analysts, pen-testers, secure developers, and bug bounty hunters. He brings vast experience to his position, and his efforts empower today’s developers and organizations to deliver more secure software, applications, and devices. Erez is the co-founder of the DEF CON AppSec Village and co-led the development of the OWASP API Security Top 10 list. Over the years, Erez has been invited to speak at prominent events, including RSA Conference, Infosecurity Europe, Black Hat, and DEF CON, while also being featured in news outlets such as Fortune, Forbes, WIRED, TechCrunch, and Dark Reading.

Twitter: @ErezYalon LinkedIn: https://www.linkedin.com/in/erezyalon/

Please RSVP your attendance at the OWASP SG Meetup page.

Preso can be downloaded from here.

June 2021 Online Meetup: A hacker’s mindset

Date: 24 June 2021 7:30pm to 9:00pm

Venue: Google Meet - get the Google Meet URL from OWASP SG Meetup page

A security awareness presentation, helping you learn to look at your application’s functionality from the abuse perspective.

We write software to enable information sharing and business functionality with the best intentions, considering usability, intuitive design, availability, continuity, time-to-market and all those business-driven aspects of modern software development. Unfortunately, security (secure architecture, design and secure development) is hardly considered. This is no wonder, as it is not always clear to developers or the business what is meant by security. How do you test for security if the context is not clear?

To help you design and build (more) secure software in the future, this talk will guide you towards understanding how a hacker works and what a hacker’s gain is. This presentation will help you to look differently at your application’s functionality: to see it from a hacker’s perspective!

Speaker: Martin Knobloch

Martin Knobloch, Global AppSec Strategist at Micro Focus, is a long-time information security leader with more than 15 years of experience in the field. With a background in software development and architecture, his focus is on software security. Martin is actively involved in OWASP where he is a frequent contributor to various projects and initiatives, as well as a member of the Board of Directors. During his career, Martin has been a recognized teacher, guest lecturer at various universities and invited speaker and trainer at local and international software development, testing and security conferences throughout the world.

Please RSVP your attendance at the OWASP SG Meetup page.

Preso can be downloaded from here.

April 2021 Online Meetup: JavaScript SAST from Mayhem to Order

Date: 28 April 2021 7:30pm to 9:00pm

Venue: Google Meet - get the Google Meet URL from OWASP SG Meetup page

Software developers have always been left with two hard choices: either use security tools that are not built for them, or use free/open-source tools that generate too many false positives and have poor coverage. One of the prime reasons for this dilemma is that traditionally the security workload was managed by application security teams, who would find vulnerabilities and filter through false positives. Now, with agile development and DevOps workflows, there is no option for developers to opt out of secure development.

New technology called DataLog solves that problem in a fundamentally different way, giving developers new hope. During this presentation we will go over:

  • how static code analysis has changed over the years
  • how DataLog technology solves some of the inherent problems of static code analysis such as speed, accuracy and coverage
  • how concepts like treating code as data, and partial evaluations are changing the game completely
  • what developers can do today to get accuracy, speed, and coverage with SAST

Speaker: Sherif Koussa

Sherif Koussa is OWASP Ottawa Chapter Co-Leader, Software Developer, Hacker, and founder and CEO of Software Secured (https://www.softwaresecured.com) and Reshift (https://www.reshiftsecurity.com). In addition to contributing to OWASP Ottawa for over 14 years, Sherif contributed to WebGoat, and OWASP Cheat Sheets. Sherif also helped the SANS and GIAC organizations launch their GSSP-Java and GSSP-NET exams and contributed to a few of their courses. After switching from software development to the field of security, Sherif took on the mission of supporting developers shift security left, and ship more secure code organically. Whether through training, penetration testing as a service or coaching development teams through shifting security, Sherif believes that any AppSec without the developer wouldn’t yield the best results. Sherif’s current venture, Reshift Security, is a static code analysis tool that is built for developers with an experience from the IDE, over to the code review and CI phases.

Please RSVP your attendance at the OWASP SG Meetup page.

March 2021 Online Meetup: Scale Your Security by Embracing Secure Defaults & Eliminating Bug Classes

Date: 11 March 2021 7:30pm to 9:00pm

Venue: Google Meet - get the Google Meet URL from OWASP SG Meetup page

We’re in the middle of a significant shift in how security teams operate and prioritize their limited budget and person-time. Historically, as an industry, we’ve focused on building tools to identify vulnerabilities. While we’ve built impressive tools, these approaches have failed to address the challenges of modern engineering teams. Specifically, these tools often are too slow, require a prohibitive amount of security engineer time and domain expertise to tune, overwhelm users with false positives, and most importantly, do not ultimately raise a company’s security bar. But there’s another way. Rather than investing in finding more bugs, some modern security teams are instead focusing on providing developers with frameworks and services with secure defaults (“guard rails”) so that developers can build features quickly and securely. When done correctly, combining secure defaults and lightweight checks that enforce invariants (properties that must always hold), organizations can solve classes of vulnerabilities by construction, preventing bug whack-a-mole. In this talk, we’ll present a practical step-by-step methodology for:

  • Choosing what to focus your AppSec resources on
  • How to combine secure defaults + lightweight invariant enforcement to eradicate entire vulnerability classes
  • How to integrate continuous code scanning into your CI/CD processes in a way that’s fast, high signal, and low friction for developers
  • How to use an open source, lightweight security linting tool to find bugs and anti-patterns specific to your company

Speaker: Grayson Hardaway

Grayson Hardaway is a security researcher at r2c, a startup working on static analysis tools purpose-built for the modern workflow. At r2c, Grayson authors static analysis tailored for finding security vulnerabilities in open source code. Previously, Grayson worked for the US Department of Defense fuzzing and exploiting obscure protocols. When not submitting patches, Grayson is hefting a heavy pack uphill, crafting guitar solos, or learning something new: currently woodworking.

Please RSVP your attendance at the OWASP SG Meetup page

Preso can be downloaded from here.

February 2021 Online Meetup: Deconstructing the Solarwinds Supply Chain Attack and Deterring it: Honing in on the Golden SAML Attack Technique

Date: 24 February 2021 730pm to 900pm

Venue: Google Meet - get the Google Meet URL from https://www.meetup.com/SGSecurityMG/events/276259206

Each passing day brings new and fresh revelations about the Solarwinds attack. Supply chain attacks are not new to us, yet such attacks are fiendishly difficult to defend against.

With the attack’s far-reaching impact, many are asking: what happened? How can I deter such attacks in the future?

In this meetup, we will examine the Solarwinds kill chain and the attacker Tactics, Techniques and Procedures (TTPs), and in particular explore how the Golden SAML attack played a crucial role. Finally, we will quickly look at how we can detect post-compromise threat activity, remediation, and some ways of minimising supply chain attacks.

Speaker: Nathan Aw

Working in the financial services industry (FSI) as a cloud-native, microservices and DevSecOps developer/architect with a particular interest in countering ever-evolving emerging threats, Nathan Aw spends his time tinkering with code and making it secure regardless of where it is deployed: on premise or multi-cloud. A firm believer in and practitioner of a holistic cyber risk management paradigm, he believes that an identity-based, zer0-trust security paradigm is the only way forward in an increasingly multi-cloud, hybrid cloud environment.

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

Preso can be downloaded from here.

Jan 2021 Partner Conference: Infosec In the City, SINCON Conference

Date: 2 - 3 January 2021

Venue: Virtual Conference

Dear fellow OWASP SG members,

Singapore’s homegrown techno-centric cybersecurity conference — Infosec In the City, SINCON Conference is back for the 3rd year. The SINCON 2020 Conference (https://www.infosec-city.com/sin20-con) will be taking place virtually on 2-3 Jan 2021.

With the conference tagline “2020 Is Cancelled, SINCON 2020 Is Not”, SINCON 2020 Conference is set to be held at the beginning of 2021 with the aim to encourage the cybersecurity community to put 2020 behind us, push forward and do better for the new year.

The conference will start off with 2 heavyweight keynote speakers — Eugene Kaspersky (CEO & Founder, Kaspersky Lab) and Alex Rice (CTO & Co-Founder, HackerOne). These will be followed by many “Deep Tech” and “Insights” talks, and workshops — including:

  • Tracking BlackTech Activities: Attacks to what you trust & Blind your defense
  • Who stole my $100,000’s worth bitcoin wallets: Catch them all with new deceptive bait
  • Confirming Red Alerts: Taking Over & Compromising ICS & SCADA
  • Business OSINT & OPSEC/Privacy Crash Course
  • Writing Wireshark Plugins for Security Analysis
  • Automated Bug Hunting Workshop
  • Reverse Engineering Malware Workshop
  • Hunting Malicious Using DNS

The line-up is available at https://www.infosec-city.com/sin20-con-schedule (with more to-be-announced).

Use discount code “friendofsincon2020” to get the Standard Ticket for FREE! Hurry and get your tickets soon (https://www.infosec-city.com/sin-tickets).

P.S. Don’t forget to spread the word and share with your friends and colleagues.

2020

November 2020 Online Meetup: A pentester’s guide to Kubernetes Security

Date: 11 November 2020 730pm to 900pm

Venue: Google Meet - get the Google Meet URL from https://www.meetup.com/SGSecurityMG/events/273202471/

Pentesters often find it hard to understand Kubernetes security and the attacks possible against Kubernetes clusters. One of the reasons for this is the complex nature of Kubernetes clusters and the number of components involved in them. One must understand Kubernetes fundamentals to be able to assess its security. This talk provides an overview of Kubernetes security from a pentester’s viewpoint. We will discuss various Kubernetes foundational concepts that are helpful in understanding potential entry points and misconfigurations, which can eventually lead to a full cluster compromise.

Speaker: Srinivasarao Kotipalli

Srinivas is part of UOB’s Group Information Security/Red Team and has 7 years of cyber security experience in pentesting web applications, mobile applications (Android & iOS) and IoT devices.

His primary responsibilities include conducting Red Team engagements and security assessments of UOB assets.

He has spoken at international conferences such as Defcon USA and BSides Singapore. He authored a book titled “Hacking Android”, published by Packt Publishers. He also holds the Offensive Security Certified Professional and Offensive Security Certified Expert certifications.

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

Preso can be downloaded from here.

October 2020 Online Meetup: Finding the needle in a needle stack - Next-Generation Analytics in Cyber Security Using ML & AI

Date: 21 October 2020 730pm to 900pm

Venue: Google Meet - get the Google Meet URL from https://www.meetup.com/SGSecurityMG/events/273202440/

In cyber security, “analytics” is an evolving area. Security analytics has its own challenges due to the high volume of discrete data feeds and the requirement for faster detection. We have several security products which help in finding the “needle in a haystack”; however, attackers are already leveraging advanced machine learning techniques for sophisticated cyber-attacks. Hence, to detect advanced threats we need to take a holistic approach, using advanced techniques and new technologies that will help us find the “needle in a needlestack”, which will be more actionable and tangible.

Speaker: Manas Paikray

Manas is currently the Head of Group Security Operation Center Engineering Team under Group Information Security (GIS) in UOB. He has over 17 years of experience in designing and operationalizing large scale high impact enterprise Infrastructure and Systems Integration using new and advanced technologies (on-premises, hybrid or SaaS).

• A practitioner in building Next-Generation Advanced Analytics platforms and solutions in Cyber Security.

• Experienced Big Data solution architect, practising ML and AI deployment pipelines for custom Cyber Security models for advanced analytics.

• Experienced in leading multiple Insider Threat Programs, Security Data Lake projects and Cyber Security Advanced Analytics projects.

• Immense experience in designing complex architecture frameworks, delivering high performance, highly resilient enterprise infrastructure solutions.

• Complex problem-solving skills, especially in crisis situations.

• Experience in providing pre-sales support and giving solution presentations to senior leadership and project committees for new project initiatives and budget approval.

• Experience building, leading and coaching technical teams in the area of new technologies.

• A passionate technologist who is a true business partner, highly focused on customer success.

• Worked in Singapore, the US, the UK and India with large enterprises (banking and non-banking), including several Fortune 100 companies.

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

September 2020 Online Meetup: Big Data – Advanced Security Analytics

Date: 29 September 2020 730pm to 900pm

Venue: Google Meet - get the Google Meet URL from https://www.meetup.com/SGSecurityMG/events/273202418/

In cyber security we have several hundred data feeds, different log types and high-volume logs, and we need faster detection using advanced techniques.

To do this, we need to build a platform which first addresses performance, scalability and stability requirements, and on which the security team can then do threat hunting and historical data search, and implement advanced use cases or rules using advanced analytics techniques, to meet the requirements of information security, audit, regulatory and compliance.

We will discuss the Big Data platform and related components which we are leveraging to perform Advanced Security Analytics.

Speaker: Manas Paikray

Manas is currently the Head of Group Security Operation Center Engineering Team under Group Information Security (GIS) in UOB. He has over 17 years of experience in designing and operationalizing large scale high impact enterprise Infrastructure and Systems Integration using new and advanced technologies (on-premises, hybrid or SaaS).

• A practitioner in building Next-Generation Advanced Analytics platforms and solutions in Cyber Security.

• Experienced Big Data solution architect, practising ML and AI deployment pipelines for custom Cyber Security models for advanced analytics.

• Experienced in leading multiple Insider Threat Programs, Security Data Lake projects and Cyber Security Advanced Analytics projects.

• Immense experience in designing complex architecture frameworks, delivering high performance, highly resilient enterprise infrastructure solutions.

• Complex problem-solving skills, especially in crisis situations.

• Experience in providing pre-sales support and giving solution presentations to senior leadership and project committees for new project initiatives and budget approval.

• Experience building, leading and coaching technical teams in the area of new technologies.

• A passionate technologist who is a true business partner, highly focused on customer success.

• Worked in Singapore, the US, the UK and India with large enterprises (banking and non-banking), including several Fortune 100 companies.

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

August 2020 Online Meetup: DevSecBots: Bot the Gap

Date: 26 August 2020 800pm to 930pm

Venue: Google Meet - get the Google Meet URL from https://www.meetup.com/SGSecurityMG/events/272160770

Cybersecurity has become a major priority for organizations looking to protect themselves against the massive cost of data breaches — but there’s an international problem hindering that goal.

There are 2.93 million cybersecurity positions open and unfilled around the world, according to non-profit IT security organization (ISC)².

Without trained security staff, organizations don’t have the capability to deploy the right controls or develop the security processes needed to detect and prevent cyberattacks, an expert explains.

But does this mean that you will be secure once you have them?

The answer, unfortunately, is NO. Attackers attack the weak spots in the organisation, and the user remains the easiest target.

So do we send the user for more training, do we engage more security professionals, do we implement more controls, do we implement more security software? Are there any other strategies?

Andy brings to the table the idea of “bot-ing” the gaps and how bots have helped organisations bridge them.

Speaker: Andy Huang

Andy Huang is a cybersecurity practitioner with more than 20 years of experience. He has global experience, having worked in Australia, Israel, the United States, and Europe. He last worked in Intelligence for Interpol in Brussels before returning to Singapore, where he founded SecureArk.

Andy concurrently holds advisory roles with EC-Council (Global Advisory Board Member), TUViT (Advisory Member), and The Cyber Market Hub (Ambassador).

Andy has a Master of Science in Electrical and Computer Engineering (Cryptography) and holds multiple patents in Random Number Generators. Andy is a BS7799 Lead Auditor and has been a Certified Identity Theft Risk Management Specialist since 1999.

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

Preso can be downloaded from here.

July 2020 Online Meetup: Microservices Security, Container Runtime Security, MITRE ATT&CK® for Kubernetes (K8S) and Service Mesh for Security

Date: 15 July 2020 800pm to 930pm

Venue: Google Meet - get the Google Meet URL from https://www.meetup.com/SGSecurityMG/events/271544329

APIs are the gate to your microservices. In the last meetup, we discussed and learned how to secure our APIs with OWASP API 2019 as a reference. In the upcoming session, we will take a look at how to secure our microservices, from Container Runtime Security to Kubernetes (K8S). We will also look at MITRE ATT&CK® for Kubernetes.

Speaker: Nathan Aw

Nathan Aw is a hands-on AppDevSec digital solution architect working in the Financial Services Industry (FSI). With a dedicated focus on the Customer Journey Experience (CJX) layer, he designs, builds and scales secure experience APIs and microservices on hybrid-cloud/multi-cloud (cloud-native) platforms that enable a truly delightful, end-to-end CJX. More on Nathan Aw can be found at https://sg.linkedin.com/in/awnathan

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

Preso can be downloaded from here.

June 2020 Online Meetup: How Secure are your APIs? Securing your APIs: OWASP API Top 10 2019, Case Study and Demo

Date: 24 June 2020 800pm to 930pm

Venue: Google Meet - get the Google Meet URL from https://www.meetup.com/SGSecurityMG/events/271270966/

Application programming interfaces (APIs) are a key element of technology modernization and transformation at many enterprises. With their ability to link systems and data, APIs play a crucial role in making the technology landscape more responsive and adaptable. However, API security is often a secondary thought. A coherent approach to API security needs to be adopted, and the OWASP API Top 10 is a good starting point. In this meetup session, both theory and real-life case studies will be presented, along with a demo.

Speaker: Nathan Aw

Nathan Aw is a hands-on AppDevSec digital solution architect working in the Financial Services Industry (FSI). With a dedicated focus on the Customer Journey Experience (CJX) layer, he designs, builds and scales secure experience APIs and microservices on hybrid-cloud/multi-cloud (cloud-native) platforms that enable a truly delightful, end-to-end CJX. More on Nathan Aw can be found at https://sg.linkedin.com/in/awnathan

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

Preso can be downloaded from here.

January 2020 Meetup: Current state of DevOps Security

Date: 13 January 2020 730pm to 900pm

Venue: Trend Micro office, 6 Temasek Boulevard #16-01 to 05 Suntec Tower Four, Singapore 038986

DevOps security is tough. Come and listen to how NTUC is tackling application security through secure pipeline and environment controls for application development and deployment. Ian will cover the what and the how, and also share some limitations of today’s tools in keeping up with development changes.

Speaker: Ian Loe

Ian Loe is the current SVP of cybersecurity at NTUC Enterprise Co-operative Limited and an adjunct fellow at the Singapore University of Technology & Design (SUTD). He has been active in DevOps security and application security, especially in containers and serverless applications.

Many thanks to Trend Micro for sponsoring the venue!

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

2019

November 2019 Meetup: Basic Pentesting on Ethereum Blockchain

Date: 14 November 2019 730pm to 900pm

Venue: F5 Singapore office, 5 Temasek Boulevard, #08-01/02 Suntec Tower 5, Singapore 038985

One of the double-edged swords of blockchain software, compared to a typical enterprise software stack, is that smart contracts are immutable once deployed. This talk will cover some of the basics of typical security vulnerabilities and mitigation methods on the Ethereum blockchain stack.

Speaker: Dr. Chun Hui

Dr. Chun Hui (former Hyperledger research scientist at IBM & Hyperledger Adjunct Lecturer at NUS) is currently developing distributed software on both public & private blockchains for finance use cases at Kommerce. He has a strong interest in system infrastructure and blockchain, with a focus on design, devops and social-development impact.

Many thanks to F5 for sponsoring food and drinks!

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

Preso can be downloaded from here.

September 2019 Meetup: Introduction to CVSSv3.1 - Minor Release

Date: 19 September 2019 730pm to 900pm

Venue: Akamai Singapore office, 1 Raffles Place, #17-61, One Raffles Place Tower 2, Singapore 048616

Come and listen to Christian share on the new CVSS 3.1. The “Common Vulnerability Scoring System” (CVSSv3.1) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

Speaker: Christian Heinrich

Christian Heinrich has presented at the OWASP Conferences in Australia, Europe and the USA and at OWASP Chapters in the Netherlands, London, and Sydney and Melbourne, Australia, as well as ToorCon (USA), Shmoocon (USA), BlackHat (Asia and USA), SecTor (Canada), CONFidence (Europe), Hack In The Box (Europe), SyScan (Singapore), B-Sides (Australia), RUXCON (Australia), and AusCERT (Australia).

cmlh has a Public Profile on LinkedIn at http://www.linkedin.com/in/ChristianHeinrich

Many thanks to Akamai for sponsoring food and drinks!

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

June 2019 Meetup: Understanding Bad Bots

Date: 26 June 2019 730pm to 900pm

Venue: F5 Singapore office, Suntec City Tower Five, 5 Temasek Boulevard #08-01/02, Singapore 038985, Singapore

Bots form a significant chunk of modern-day traffic. The talk and demo will show some bot attacks, how they impact businesses and users, and the need for a layered defence mechanism.

Speaker: Shahnawaz Backer

Shahnawaz Backer is a Security Specialist at F5 Networks with a keen interest in financial malware and identity security. He has been a Consulting Engineer for over a decade and started his career as a Security Product Development Engineer. His notable work includes designing a financial malware strategy for multiple Tier 1 banks in APAC, and designing a nation-level authentication framework and identity management strategy for multiple financial and government organizations.

In his spare time he loves to code and automate.

Many thanks to F5 for sponsoring food and drinks!

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

Mar 2019 Meetup: HTTP2

Date: 20 March 2019 730pm to 830pm

Venue: Akamai Singapore office, 1 Raffles Place, #17-61, One Raffles Place Tower 2, Singapore 048616, Singapore

The presentation will discuss the relatively new HTTP2 protocol, which has recently been standardised and widely adopted. Most browsers and web servers support it; however, relatively little security research has been done on the new protocol. There are very few tools to perform security testing, and penetration testing is challenging. There will be a demo of a vulnerability being exploited over HTTP2.

Speaker: Adrien de Beaupre

Adrien de Beaupre is a Principal SANS instructor and works as an independent consultant in beautiful Ottawa, Ontario. His work experience includes course development, technical instruction, vulnerability assessment, and penetration testing. He is a member of the SANS Internet Storm Center (isc.sans.edu) and is actively involved with the information security community. He is the lead author and lead instructor of two SANS courses: SEC642 Advanced Web Application Penetration Testing, Ethical Hacking, and Exploitation Techniques, as well as SEC460 Enterprise Threat and Vulnerability Assessment.

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

Many thanks to Akamai for their kind sponsorship of venue and F&B (no beer though)!

Mar 2019 Meetup #2: ReDTunnel: Explore Internal Networks via DNS Rebinding Tunnel

Date: 28 March 2019 730pm to 830pm

Venue: F5 Singapore office, Suntec City Tower Five, 5 Temasek Boulevard #08-01/02, Singapore 038985, Singapore

Did you ever wonder how you could browse a target’s internal network without deploying anything on the victim machine? Sounds like magic, right? Imagine that you could have a one-click setup that will provide you with a magic tunnel from the outside world. That’s when we came up with the “ReD Tunnel” idea. The design goal was to use tools that already exist on the victim’s device, like the browser, rather than rely on 0days, to stay below the radar of the most advanced AV. To create this new capability, we decided to combine two concepts: JavaScript reconnaissance techniques and the DNS rebinding attack. Open your browser, wait until the victim visits your website and start browsing the internal websites in their network. Now, when red-teaming you could really “be a guest, but feel at home”.

Speaker: Tomer Zait

Tomer Zait (Principal Security Researcher at F5 Networks) has worked in a range of professions in the security industry (Web Application Firewall Integrator, Penetration Tester, Application Security Engineer, Security Researcher, etc.). During this time, he developed open-source projects (most of them security tools). His projects include: x64dbgpy; PyMultitor (presented at BlackHat Arsenal Asia/US/EU 2017); SubDomain-Analyzer; AutoBrowser; phantom-requests, and more. Tomer writes regularly for online security magazines and is a 4-time winner of the Israeli Cyber Challenge (CTF).

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

Feb 2019 Meetup: How to make your software security program successful

Date: 20 February 2019 730pm to 830pm

Venue: Akamai Singapore office, 1 Raffles Place, #17-61, One Raffles Place Tower 2, Singapore 048616, Singapore

What do mobile applications, web applications, IoT devices and OS client applications have in common?

They are all developed from software.

As new software deployments accelerate through wider adoption of the DevOps methodology, maintaining software security is crucial to you and your organization. Is your software security program up to the challenge? If you’re not getting the most out of your software security program, come and join this session, which will provide recommendations on how to improve your program for better, faster results.

Speaker: Jason Khoo, CISSP, CSSLP, CISA

Jason is the Technical Account Manager from Checkmarx. He has extensive experience in application security consulting services, focusing on secure software analysis.

He works with organizations that consist of internal and external development teams as well as security teams, who are mostly driven by audits and compliance. He is passionate about software security and the different software testing methodologies, and will share his ideas and workflow with the audience.

Please RSVP your attendance at https://www.meetup.com/SGSecurityMG/

Many thanks to Akamai for their kind sponsorship of venue and F&B (no beer though)!

Jan 2019 Meetup: Security is everybody’s job

Date: 16 January 2018 730pm to 830pm

Venue: Akamai Singapore office, 1 Raffles Place, #17-61, One Raffles Place Tower 2, Singapore 048616, Singapore

In DevOps everyone performs security work, whether they like it or not. With a ratio of 100/10/1 for Development, Operations, and Security, it’s impossible for the security team alone to get it all done. We must build security into each of “the three ways”: automating and/or improving the efficiency of all security activities, speeding up feedback loops for security-related activities, and providing continuous learning opportunities in relation to security. While it may sound like the security team needs to learn to sprint, give feedback, and teach at the same time, the real challenge is creating a culture that embodies the mindset that security is everybody’s job.

Speaker: Tanya Janca

Tanya Janca is a senior cloud security advocate for Microsoft, specializing in application and cloud security; evangelizing software security and advocating for developers and operations folks alike through public speaking, her open source project OWASP DevSlop, and various forms of teaching via workshops, blogs and community events. As an ethical hacker, OWASP Project and Chapter Leader, Women in Security and Technology (WIST) chapter leader, software developer and professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science.

Pertinent links:

https://medium.com/@shehackspurple

https://DevSlop.co

https://twitter.com/shehackspurple

Many thanks to Akamai for their kind sponsorship of venue and F&B (no beer though)!

2018

Oct 2018 Meetup: Lessons from Protecting a Major Conference: What You Do Not Know Will Haunt You

Date: 17 October 2018 730pm to 830pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

In this session, lessons drawn from protecting a major security conference will be shared. (The identity of the conference will be withheld for confidentiality.) These lessons can be easily adopted in most organisations at zero to low cost, so there is no excuse for infosec pros not to implement them.

Besides looking at IoCs or IoAs, a new indicator will be proposed for security monitoring that gives more advance notice and more cost-efficient protection.

Lastly, on a side note with no relation to the major security conference, common mistakes made during onboarding of CDNs will also be shared, along with suitable controls. Hopefully, we will not see any exposed luncheon meat or seaweed when we onboard CDNs. ;-)

Download the presentation here.

Speaker: Onn Chee

Onn Chee has been a n00b in infosec for more than 18 years.

Sep 2018 Meetup: The Three Ways Of Software Security; Revolutionizing AppSec Using DevOps methods

Date: 19 September 2018 700pm to 830pm

Venue: JP Morgan Singapore office, JP Morgan, 168 Robinson Rd, Capital Tower, Singapore 068912

Just as DevOps was a new way of thinking that forever changed software development, application security is in the midst of its own transformation. Taking a page from Gene Kim’s IT best seller “The Phoenix Project,” this session will provide a new definition of DevSecOps as we explore the “Three Ways of Software Security:”

1. Establish security work flow with a direct line-of-sight to business value

2. Ensure instant security feedback with continuous assessment and visibility

3. Encourage a security culture by reducing builder-breaker cycle time

Audience members will leave with a refreshed way of thinking about AppSec and DevOps, as well as an understanding of how to apply redefined DevSecOps within their own organizations.

Speaker: Jeff Williams

A pioneer in application security, Jeff Williams has over 20 years of security leadership experience. He speaks frequently on cutting-edge AppSec technologies and has helped secure code at hundreds of major enterprises. Jeff was the Co-Founder and Global Chair of the OWASP Foundation for eight years, creating the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard and XSS Prevention Cheat Sheet, among others. In recent years, Jeff founded Contrast Security and Aspect Security, which deliver innovative AppSec solutions and services throughout the world. Aspect Security was acquired by E&Y in early 2018. He has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

Many thanks to JP Morgan and Thomas for agreeing to be our venue sponsor at such short notice.

You can download the presentation slides from /www-pdf-archive/OWASP-SG-Sep-2018-Meetup.pdf.pdf

Jul 2018 Meetup: IoT Security Research

Date: 23 July 2018 730pm to 900pm

Venue: NUSS Suntec City Guild House, 3 Temasek Boulevard, #02-401/402 Suntec City Mall, Singapore 038983

Come and learn about the findings from F5 Labs’ extensive original research into mapping IoT thingbots such as Mirai, Persirai and Reaper. The research also tracks which countries appear to be attacking which other countries. Expect lots of rich discussion around IoT DDoS, the new IoT security legislation and some promising long-term protocols that may fix all of this.

F&B will be provided with thanks to F5!

Speaker: David Holmes

Based in Asia Pacific, David Holmes is the Global Security Evangelist for F5 Networks. In this role, Holmes is spokesman, researcher and evangelist for F5’s threat intelligence division, with an emphasis on cryptography, distributed denial of service attacks, and the Internet of Things. He speaks at conferences such as RSA, InfoSec and Gartner Data Center.

Holmes authors white papers on security topics such as global cryptography trends and the modern DDoS threat spectrum. He has also written for industry magazines such as SCMagazine and Network World. These days, he writes regularly about vulnerabilities, technical solutions and the security industry for SecurityWeek.com and F5 Labs.

He joined F5 Networks in 2001 as a Principal Software Engineer, where he designed many of the system and core security features. Holmes has 20 years of experience in security and product engineering.

Prior to F5, Holmes was a Vice President of Engineering at Dvorak Development (in Boulder, CO) and a Senior Software Engineer (Security) at CyberSafe, Inc.

Holmes majored in Computer Science and Engineering Physics at the University of Colorado at Boulder. For public speaking, Holmes has a Competent Communicator award from Toastmasters International and other public speaking awards.

Many thanks to F5 for their sponsorship.

May 2018 Meetup: Introduction to CVSS

Date: 21 May 2018 730pm to 900pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

The “Common Vulnerability Scoring System” (CVSSv3) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

Speaker: Christian Heinrich

Christian Heinrich has presented at the OWASP Conferences in Australia, Europe and the USA and at OWASP Chapters in the Netherlands, London, and Sydney and Melbourne, Australia, as well as ToorCon (USA), Shmoocon (USA), BlackHat (Asia and USA), SecTor (Canada), CONFidence (Europe), Hack In The Box (Europe), SyScan (Singapore), B-Sides (Australia), RUXCON (Australia), and AusCERT (Australia).

cmlh has a Public Profile on LinkedIn at http://www.linkedin.com/in/ChristianHeinrich

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

Apr 2018 Meetup: DevSecOps In Practice

Date: 18 April 2018 730pm to 900pm (changed from 17 April)

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

Software development is pressed for faster and faster release cycles with acceptable quality, budget and security. As movements like CI, CD and DevOps aim to cut down release cycles, it’s security’s job to help control the risk. The risk landscape is complex, as modern development practices increasingly consume more and more third-party code. Traditional methods do not cut it anymore - it’s time for DevSecOps. This session gives an overview of how companies have implemented DevSecOps practices in their own delivery pipelines and how this can help increase developer awareness of the risks affecting them. We’ll walk through an example CI/CD pipeline and explore how security has been embedded as part of it, how the movement is shaping up and how standards are starting to follow suit.

Speaker: Cameron Townsend

Cameron Townshend, BSc, MSysDev, MCP CP Snr, MCSD, has extensive experience building large mission-critical applications. He was the initial project lead on the NSW Biosecurity Information System and developed the WeatherChannel.com.au website, which won the 2010 Kentico Site of the Year for Integration and the 2011 Astra Award for Most Outstanding Use of Technology. He is both a hands-on developer and a skilled communicator and leader of project teams.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

Jan 2018 Meetup: “‘Accuracy will set you free’ - The New Era of AppSec with Interactive Application Security Testing (IAST) and Runtime Application Self Protection (RASP)” and “Hunt for Cold War-like Sleeper Malware”

Date: 25 January 2018 7:30 pm to 9:00 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

Topic A: "Accuracy will set you free" - The New Era of AppSec with Interactive Application Security Testing (IAST) and Runtime Application Self Protection (RASP)

Application attacks continue to be the #1 source of data breaches. Why, after decades of effort and billions of dollars in security investment, are they still the #1 source of data breaches?

What are the discrepancies and inadequacies in the current security postures and AppSec technologies?

Limited context and visibility into the application under test or under protection produces inaccurate and erroneous results, which dramatically diminishes the effectiveness of current AppSec solutions and dev team productivity. This session shares insights into innovative AppSec technologies such as IAST and RASP, which are delivering unprecedented accuracy and speed for both application security testing and application runtime protection.

See how these revolutionary AppSec technologies are freeing scarce and valuable technical resources to be better allocated.

Speaker: Jeff Chen

Jeff is the VP of Contrast Security APAC. He started Parasoft Asia/Pacific in 2003 and managed the Parasoft APAC operation until 2012. He has extensive experience in Static Analysis, Unit Testing, Service Virtualization, Test Automation and SDLC processes. Prior to Parasoft, Jeff was involved with multiple Cyber Defense projects with Taiwan MND, representing Northrop Grumman’s Network Early Warning Systems (NEWS), among others.

Topic B: "Hunt for Cold War-like Sleeper Malware"

In a short, 30-minute presentation, Onn Chee will walk through a case study of a Cold War-like malware which had masqueraded as “goodware” and was actively used by users for more than a year without any adverse impact. Learn why the organisation’s enterprise-grade sandbox and EDR solutions were not able to detect the sleeper malware. Just like the Cold War sleeper agents who browsed the newspapers’ classifieds every day for an activation code, the sleeper malware came alive after more than 1 year of usage and wiped all user data on the users’ endpoints. In the end, it was still the manual grunt work of investigation that helped identify this sleeper malware. A demo version of the malware was recreated and will be used to demo the MO of the sleeper malware.

(All identities - organisation, security products and malware - will be anonymised due to NDA)

You can download the slides here https://www.owasp.org/images/e/e2/OWASP_SG_Jan_2018_-_Hunt_for_a_Cold_War-like_Sleeper_Malware.pdf

Speaker: Onn Chee

Onn Chee has been a n00b in infosec for 18 years.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

2017

Aug 2017 Meetup: APNIC Security Engagement in the AP Region

Date: 16 August 2017 7:30 pm to 9:30 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

APNIC Security Engagement in the AP region

APNIC is one of the 5 regional internet registries responsible for the allocation and registration of Internet number resources (IP addresses and AS numbers). In the last 3 years APNIC has been working with different stakeholders in the AP region to promote security best practices in areas like security incident handling and response. In addition to sharing his experience, Adli will also highlight some of the opportunities and challenges in the AP region.

Speaker: Adli Wahid

Adli Wahid is a Senior Internet Security Specialist at the Asia Pacific Network Information Centre (APNIC) based in Brisbane, Australia. He is responsible for APNIC’s cyber security engagement and capacity building activities in the region. Adli is also a board member of the Forum of Incident Response and Security Teams (FIRST.org). Prior to joining APNIC, he was the Head of Malaysia CERT (MyCERT) and a member of Bank of Tokyo Mitsubishi-UFJ CERT (MUFG-CERT).

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

Jun 2017 Meetup: “Cyber Technical Surveillance & Counter Measures (TSCM) – Looking at the physical attacks on IT Infrastructure using covert data taps and transmission devices” and “Singapore Threat Brief”

Date: 14 June 2017 7:30 pm to 9:30 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

Topic A: Cyber Technical Surveillance & Counter Measures (TSCM) Looking at the physical attacks on IT Infrastructure using covert data taps and transmission devices

Traditional Technical Surveillance has changed from large audio and video eavesdropping devices heavily reliant on Radio Frequency to miniaturised devices that use cellular and Wi-Fi. You no longer need a static listening post nearby; the covert feeds can be accessed anywhere in the world through cheap, readily available technology.

This talk will look at how the world of technical surveillance has changed, why it uses cellular and Wi-Fi, what a cyber TSCM is, the gaps in current IT pen tests and how 5G will accelerate the threat.

Speaker: Jason Wells

Jason is the CEO of QCC Global (Asia), a company that specialises in Technical Surveillance and Counter Measures (TSCM) and Digital Forensics.

His 30 years of experience span the public and private sectors, including roles as:

- Head of the global Business Risk & Control Management team within HSBC Financial Crime & Regulatory Compliance,

- Corporate Security & Anti-Illicit Trade Manager at British American Tobacco in the Middle East,

- UK military attaché in Damascus, Syria, and Head of the Overseas Intelligence team for the British SAS (special forces)

Holding an honours degree in IT, qualified as a CISSP and with postgraduate diplomas in Security & Risk Management and Anti-Money Laundering, Jason has both extensive experience and technical expertise.

Topic B: Singapore Threat Brief

The threat environment on the Internet is a constantly evolving arms race, and the activities of adversaries vary greatly by geography, industry, and even individual websites. As a result, security managers often seek the latest attack information that is relevant to their specific country and industry in order to predict what they should look for in the present and how attacks will evolve in the future. The Singapore threat report serves to inform approaches for security professionals to improve their defensive posture.

2nd Speaker: Dawson Sewo (CISSP, ITIL, CCSK) – Senior Enterprise Security Architect, Akamai Technologies Asia-Pacific & Japan

As an Enterprise Security Architect at Akamai, Dawson focuses on network security and application security. He has more than 16 years of IT and security experience working in telco, managed hosting and cloud security companies. He has also obtained numerous certifications in the areas of networking, hosting and security.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

Mar 2017 Meetup: “Have I been pwned?” and “Your Arsenal to bypass restrictions”

Date: 28 March 2017 7:30 pm to 9:30 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

Topic A: Have I been pwned?

“Have I been pwned?” allows you to search across multiple data breaches to see if your email addresses or aliases have been exposed in breaches such as Duowan, Taobao, Tianya, etc. Maltego is a link-analysis application for technical infrastructure and/or social media networks, drawing on disparate sources of Open Source INTelligence (OSINT). Maltego is listed in the Top 10 Security Tools for Kali Linux by Network World and the Top 125 Network Security Tools by the Nmap Project.

The integration of “Have I been pwned?” with Maltego presents these breaches in an easy-to-understand graph format that can be enriched with other sources of data.

Speaker: Christian Heinrich

Christian Heinrich has presented at the OWASP Conferences in Australia, Europe and the USA; at OWASP Chapters in the Netherlands, London, and Sydney and Melbourne, Australia; and at ToorCon (USA), Shmoocon (USA), BlackHat (Asia and USA), SecTor (Canada), CONFidence (Europe), Hack In The Box (Europe), SyScan (Singapore), B-Sides (Australia), RUXCON (Australia) and AusCERT (Australia).

cmlh has a Public Profile on LinkedIn at http://www.linkedin.com/in/ChristianHeinrich

Topic B: Your Arsenal to bypass restrictions based on IP counters

PyMultiTor tool – Many mitigation devices (FW, WAF, Anti-DoS) detect attacks by looking for a single IP address that sends many requests. The tool showcases that it’s not enough to have such protection alone. It is unique because it is easily integrated into any attacking tool (it is written in the Python programming language).

Speaker: Tomer Zait

Tomer Zait, from F5 Labs (part of F5 Networks), has worked in a range of professions in the security industry (WAF Integrator, Penetration Tester, Application Security Engineer, Security Researcher, etc.). During this time he developed open source projects (most of them security tools). Tomer is a three-time winner of the Israeli Cyber Challenge (CTF). His projects include: x64dbgpy; PyMultitor; SubDomain-Analyzer; AutoBrowser; phantom-requests.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

Feb 2017 Meetup: Attacker’s Perspective of Active Directory

Date: 28 Feb 2017 7:30 pm to 9:30 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

This talk is a compilation of Red Team Tactics, Techniques and Procedures used to fully compromise an Active Directory environment. The emphasis will be on post-exploitation techniques that attackers and red teamers have been abusing for years, though they were not well documented until recent years. Apart from offensive techniques, mitigation and detection methods will be covered as well.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Speaker: Sunny Neo

Sunny is a Penetration Tester with BT Security, Ethical Hacking Centre of Excellence, a global team that performs security testing for various industries. Besides his day job, he teaches Ethical Hacking at Temasek Polytechnic as an Adjunct Lecturer, and is one of the CREST Assessors in Singapore. He is certified with CCT APP, OSCE, OSCP and GXPN. He has more than a year of working experience.

2016

Dec 2016 Meetup 2: Conducting Threat Modeling in Agile Development

Date: 14 Dec 2016 7:30 pm to 9:30 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

With the increasing demand for continuous application delivery in fast-paced application development methodologies, we see rapid change in security verification and validation activities as well. In the same way, traditional threat modelling has to be adapted to fit into an agile development culture. This session will focus on how we can introduce automation and repeatability into the threat modeling process and identify the threats in the application. It will also cover how we can map the threat modeling outputs to security requirements, to give the release manager or product owner better visibility of the possible business risk.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Speaker: Suman Sourav

Suman has more than a decade of experience in designing software security defense programs and is passionate about integrating security into the development life-cycle. He has worked with various financial and non-financial institutions to implement the software security life-cycle.

Suman believes in a purpose driven life, acting with integrity, honesty, and honour. Professionally he looks to add value to his skills by reaching out, learning, and building relationships with those in his community, as well as promoting those he believes in.

His complete profile is available on http://www.sumansourav.com

Dec 2016 Meetup: Ransomware in Web Apps

Date: 5 Dec 2016 7:30 pm to 9:30 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616, Singapore

In recent years, ransomware has become a major problem for individuals and enterprises alike. A large attack surface, low barriers to entry and good rewards make it a very attractive option for attackers. We are already seeing hackers try out new infection vectors like social media (http://www.digitaltrends.com/computing/locky-ransomware-self-downloading-image-files/) and targets like IoT and PoS systems (http://www.theverge.com/2016/11/27/13758412/hackers-san-francisco-light-rail-system-ransomware-cybersecurity-muni). In this talk, we will demonstrate and show PoC exploits on how ransomware can move up the stack from desktop apps to enterprise apps using a novel attack vector of library dependencies and package managers. Protecting and securing your software supply toolchain is going to be of paramount importance against such threats.

Food and drinks are provided, courtesy of Akamai!

Speaker: Mark Curphey

Mark Curphey is CEO of SourceClear, the security company for software developers. He founded OWASP (http://www.owasp.org) when he ran software security at Charles Schwab and has written chapters on software security in books published by O’Reilly.

Jul 2016 Meetup: Data Exfiltration over DNS

Date: 12 July 2016 7 pm to 9 pm

Venue: BridgingMinds Network, 190 Middle Road, #12-10/11 Fortune Centre, Singapore 188979

Come and join us to learn how data can be leaked via DNS. Learn how such techniques can bypass NGFWs and watch a live demo of how such an attack can occur. The speaker will also walk through actual case studies of past incidents.

Food and drinks are provided. ;-)

Speaker: Yeo Deng Jie (DJ)

Starting off as a military-based SOC operator, DJ carries with him over 10 years of network security experience working with leading companies like AlgoSec, Palo Alto Networks and Infoblox. With cyber defense always at the top of his mind, he has provided network security assessment workshops for many organizations in ASEAN, reviewing their network security posture for vulnerabilities. On a few occasions, DJ was called back by the organization when the security gaps he had highlighted were subsequently exploited by attackers. At Infoblox, DJ focuses on data leakage over DNS and defense against DNS DDoS and exploits, which are some of the least addressed security gaps in many organizations today.

2015

Dec 2015 Meetup: Learn Web Attacks using OWASP WebGoat, A Demo

Date: 15 Dec 2015 7:30 pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616

A lot of us talk about various security attacks on the web, but do we actually know how they are done in real time and where the problem in the code lies? This demo will showcase how attackers misuse web applications to bypass security controls. The following attacks will be covered in the demo:

1. Path Traversal attack

2. Bypassing functional access control

3. Bypassing data access control

4. AJAX security loopholes (DOM injection, XML injection, JSON injection, silent transaction attacks)

5. Cross Site Scripting (Reflected, Stored and DOM based)

6. SQL Injection (numeric and string based)

7. Malicious file uploads and their impact on back-end servers

This is purely a demo and doesn’t involve any PPT. So, this is only for technical people.

Speaker: Viswanath S Chirravuri has over 10 years of experience in Software Security. Currently he is a senior Security Architect at a leading digital security company, GEMALTO. He actively holds industry certifications like CISSP, CEH, GWAPT, Security+, PMP and SCJP. Viswanath is accredited by CA Technologies on the Identity and Access Management suite of products. Over the past few years, he has been giving training on various SAST and DAST tools to application security engineers across different industries.

Nov 2015 Meetup: Security In The World Of CI-CD

Date: 26 Nov 2015 7:30pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616

Continuous Delivery (CD) is a set of practices and principles in software engineering aimed at building, testing and releasing software faster and more frequently. These principles help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.

Continuous integration (CI) is the practice, in software engineering, of merging all developer working copies to a shared mainline several times a day.

In the same vein, the practice of continuous delivery further extends CI by making sure the software checked in on the mainline is always in a state that can be deployed to users and makes the actual deployment process very rapid.

So, in this rapid and fast-moving world of CI-CD, with its focus on a highly scalable and highly portable software landscape that offers heavily used web apps, the security landscape has also had to move to the cutting edge.

This talk will focus on how to posture security in this fast-paced world, covering most of the security verticals.

Speaker: Aniket Kulkarni carries a decade-plus of software security experience spanning QA, Development and Architecture. Currently he works as a Software Security Architect (Big Data/Cloud/Mobile/Web) at Autodesk Singapore R&D, one of the world-class design software companies.

For more information about Aniket, kindly connect with him on LinkedIn: https://sg.linkedin.com/pub/aniket-kulkarni/10/653/202 , and he will be happy to interact with you on various security related discussions.

Sep 2015 Meetup: OWASP Zed Attack Proxy Advanced Features - A Demo

Date: 29 Sep 2015 7pm

Venue: Akamai Singapore office, 1 Raffles Place, #16-61, One Raffles Place Tower 2, Singapore 048616

OWASP Zed Attack Proxy (ZAP) is an integrated penetration testing tool for finding vulnerabilities in web applications. Over the past few years, it has significantly grown in popularity, features and contributions from engineers worldwide, as it comes straight out of the OWASP community, is absolutely free of cost and, most of all, is easy to use! This demo-based training session covers the basic and advanced features of ZAP, which will enable application developers to understand and automate the tool’s usage, application testers to perform security tests and security engineers to provide consultation on best practices for using the tool.

Speaker: Viswanath S Chirravuri has over 10 years of experience in the IT Security space. Currently he is a Software Security Architect for the Asia region at a leading digital security company, GEMALTO. He actively holds industry certifications like CISSP, CEH, GWAPT, Security+, PMP and SCJP. Viswanath is accredited by CA Technologies on the Identity and Access Management suite of products. Over the past 3 years, he has been giving training on various SAST and DAST tools to application security engineers in the financial services and telecommunications industries.

Jan 2015 Meetup: Introducing Application Security in Your Organization - Think Like a Developer

Date: 22 Jan 2015 7pm

Venue: SR10 (Seminar room 10), COM1 Building #02-10, 13 Computing Drive, NUS, Singapore 117417

In this session, the speaker, Sandeep Nain, from HP Australia and a former co-lead from OWASP Melbourne Chapter, will cover the following topics:

1. How to build a secure development lifecycle for development teams using modern software development methodologies

2. Challenges of enforcing a secure development lifecycle at an enterprise scale

3. Reasons why most application security programmes fail and how we can collaborate with development teams for easier enterprise adoption

Come join us for our 1st 2015 meetup which comes with free pizzas and soft drinks, courtesy of HP Fortify.

PS: Please take note of our new meeting place in NUS.

2014

Oct 2014 Meetup: Mobile Security

Date: 21 October 2014 7pm

Venue: Cavenagh Room, UOB Conference Suite, Basement 1 Tower 2, One Raffles Place, Singapore 048616

In this session, our fellow OWASP member, Cecil Su, will share the current mobile security threat landscape. Coupled with this, he will also share some of the challenges in the mobile application assessment process, as well as address some of the existing methodologies and frameworks for secure coding and security testing of mobile applications.

Cecil is a 24-by-7 OWASP Evangelist. However, Mondays to Fridays, he works with the Professional Security Services team in a pure-play local InfoComm Security firm. Extra-curricular activities include the Honeynet Project, OWASP and AISP.

PS: Please take note of our new meeting place and the shortened meetup duration due to venue constraints.

Information Security Seminar (ISS) 2014

Date: 26-27 August 2014

Venue: Marina Bay Sands Convention Centre

The Information Security Seminar is an annual event held since 2008 to provide thought leadership on infocomm security as well as to promote greater understanding of the key infocomm security issues and challenges faced by public and private sector organisations. This event is jointly organised by the Infocomm Development Authority (IDA), the Association of Information Security Professionals (AiSP) and the Cyber Security Awareness Alliance (CSAA) to amalgamate expertise, resources and communication channels in reaching out to both the public and private sector organisations.

The theme for the 2014 Seminar is “Security of Our Cyber Environment – Challenges of the Mobile Workspace”, which centres on sensitising the Public and Private sectors on the need to heighten vigilance in securing organisations’ digital information, and to build capabilities to prepare against ever evolving infocomm security threats. With the advent and adoption of new technology trends such as mobility, cloud computing and big data management, organisations need to be guarded against their inherent security risks, such as data loss, that may result due to improper infocomm security management. The seminar will discuss on the areas of security considerations and means to secure these technologies from exploits.

The seminar, comprising a main plenary as well as breakout tracks, is expected to draw about 500 infocomm security decision makers and practitioners from the Public and Private sectors, as well as students from institutes of higher learning. On the second day of the seminar, workshops which aim to provide an in-depth and hands-on approach to managing infocomm security challenges will be held for security professionals and students from institutes of higher learning.

Paid OWASP members are entitled to two complimentary seminar passes on a first-come, first-served basis. Thereafter, they are entitled to a 10% discount off the list prices.

Please email me to register.

Do sign up soon and see you at ISS 2014!

Jul 2014 Meetup 2: “A technical introduction to FIDO - Is the age of simple consumer-oriented strong-authentication finally arriving?” and “Source code review with focus on technical resolution challenges”

Date: 21 July 2014

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

Come and hear from 2 great speakers in this meetup, which comes with free pizzas and soft drinks, courtesy of Checkmarx.

Our first speaker is familiar to us - Arshad Noor. He will be presenting on “A technical introduction to FIDO - Is the age of simple consumer-oriented strong-authentication finally arriving?”

The 2nd speaker is Kobi Tzruya, Director of Pre/Post Sales at Checkmarx. He will be sharing 2 case studies on source code review, with a focus on technical resolution challenges.

Many thanks to Dick and Prudential for providing the venue for our chapter evening again!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 20 July 2014 7:30pm.

See ya!

Jul 2014 Meetup: OWASP Top 10 Proactive Controls

Date: 4 July 2014

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

You have heard of the OWASP Top 10 Web Application Risks. Now, hear about OWASP Top 10 Proactive Controls to learn about active steps you can take to avoid the common web application risks.

The speaker is Jim Manico, a member of the OWASP Global Board. He is the lead behind the excellent OWASP Cheat Sheets, on top of many other OWASP projects that he leads. He is a frequent speaker on secure software practices and is a member of the JavaOne “rockstar hall of fame”. He has an 18+ year history of building software as a developer and architect.

Many thanks to Dick and Prudential for providing the venue for our chapter evenings! At such short notice too!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 4 July 2014 12:30pm.

See ya!

Jun 2014 Meetup: Covert Redirect Vulnerability

Date: 18 June 2014

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

In this presentation, the speaker, Wang Jing, will share on the following:

Unvalidated Redirects and Forwards, also known as Open Redirect, is on the OWASP Top 10 lists of 2010 and 2013. One repercussion of the vulnerability is that it can be used for phishing attacks. According to Kaspersky, in 2012-2013, 37.3 million users around the world were subjected to phishing attacks — up 87% from 2011-2012. This presentation introduces a new kind of attack, Covert Redirect. The name is derived from, and chosen to contrast with, Open Redirect. Covert Redirect could affect those who use OAuth 2.0 and OpenID to log in to websites such as Facebook, Google, Yahoo, LinkedIn, Microsoft, Paypal and many others. We will then simulate a Covert Redirect attack and provide some precautionary steps that companies can take to ensure security.

Many thanks to Dick and Prudential for providing the venue for our chapter evenings!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 17 June 2014.

See ya!

Apr 2014 Meetup: OWASP Cornucopia

Date: 23 April 2014

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

In this presentation, the speaker, Tobias Gondrom, will share on the following:

Bringing fun into threat modelling. Based on Microsoft’s Elevation of Privilege (EoP) threat modelling card game, OWASP has redesigned the card game into a new version more suitable for common web applications and aligned with OWASP advice and guides. “OWASP Cornucopia - Ecommerce Web Application Edition” will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide and other sources. We will also have a few card decks to show and share.

Many thanks to Dick and Prudential for providing the venue for our chapter evenings!

Speaker Profile: Tobias Gondrom, OWASP Global Board Member

Tobias Gondrom has over 15 years of experience leading global teams in information security, software development, application security, cryptography, electronic signatures and global standardization organizations, working for independent software vendors and large global corporations in the financial, technology and government sectors. He also holds the most senior business degree from London Business School, the Sloan Masters in Leadership and Strategy.

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 22 April 2014.

See ya!

Mar 2014 Meetup: HTML5 Security

Date: 12 March 2014

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

In this presentation, the speaker, Aatif Khan, will share on the following:

HTML5 has several new components like XHR-Level2, DOM, Storage, App Cache, WebSQL etc. All these components form the underlying backbone for HTML5 applications and by nature they are very silent. This allows crafting of stealth attack vectors and adds risk to the end client. Here is a list of the top 10 attack vectors. The structured layers mentioned above provide more clarity on a possibly enlarged attack surface. This exposes the browser components of an application to a set of possible threats which can be exploited. Listed below are the possible top 10 threats where new HTML5 features, along with emerging software development patterns, have significant impact.

Many thanks to Dick and Prudential for providing the venue for our chapter evenings!

Speaker Profile: Aatif Khan

Aatif Khan, Application Security Evangelist, has delivered highly technical security training for conferences, universities, and corporate clients like Bank of America, Verizon, Amazon, Google, Yahoo, etc. to excellent reviews. He is also one of the main founding members of HDCRB (Hack Defense Certification Review Board). Aatif consults on application security, and specializes in security assessments/penetration testing, infosec training, and reverse engineering/malware analysis.

Apart from his stupendous exposure in application security consulting over seven years, he has also worked with Defense Personnel and Cyber Crime Police Officials and has delivered more than 2000 hours of Information Security training to IT Security Professionals and Government Agencies. He has authored books entitled “Ethical Hacking”, “Advance Penetration Testing” and “Backtrack Starter Manual”, published by Packt Publications, UK.

He is popularly known for designing the most advanced course on “Advance Penetration Testing”, with his Lab Book and Lab Exam, and has received stupendous feedback from top-notch security experts. You can find more about him here - facebook.com/thenapsterkhan

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 11 March 2014.

See ya!

2013

Jul 2013 Meetup: Managing Web & Application Security with OWASP – bringing it all together

Date: 18 July 2013

Venue: Prudential Assurance Company Singapore (Pte) Ltd (at Prudential Towers) 30 Cecil Street #13-01 Prudential Tower (S) 049712

In this presentation, the speaker, Tobias Gundrum, will share on the following:

Setting up, managing and improving your global information security organisation using mature OWASP projects and tools. Achieving cost-effective application security and bringing it all together at the management level. A journey through different organisational stages and how OWASP tools help organisations move forward in improving their web and application security. This talk will discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation.

Many thanks to Prudential for providing the venue for our chapter evenings!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 17 July 2013.

See ya!

May 2013 Meetup: WordPress (In)Security: How hackers bypassed manual defacement monitoring

Date: 30 May 2013

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

In this presentation, the speaker, Onn Chee, will share on the following:

Onn Chee will walk through a case in which attackers defaced a WordPress site and outwitted the manual defacement monitoring services offered by managed security service providers.

He will also share some tips on securing WordPress deployments.

If you are running WordPress, come and share your experiences and security tips too.
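Manual defacement monitoring means a person looking at the site; a change that lands between two looks, or that is only visible to some visitors, goes unnoticed. The practitioner's counterpart is an automated integrity baseline of the document root, which flags any edited template or dropped file regardless of what the rendered page looks like. The following is an added example, not code from the talk or from the chapter page: a Python file-integrity check for a WordPress install. The directory layout, the `wp-content/uploads` and `wp-content/cache` exclusions, and the constructed sample tree are assumptions for illustration.

```python
import hashlib
import os
import tempfile

# Directories whose contents legitimately change and would otherwise drown the
# signal. Assumption for this example; tune the list per site.
EXCLUDE_DIRS = {"wp-content/uploads", "wp-content/cache"}


def sha256_file(path):
    """Stream a file through SHA-256 so large media does not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map every regular file under root (relative, '/'-separated) to its hash."""
    snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        # Prune excluded subtrees in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if f"{rel_dir}/{d}".lstrip("/") not in EXCLUDE_DIRS]
        for name in filenames:
            rel = f"{rel_dir}/{name}".lstrip("/")
            snapshot[rel] = sha256_file(os.path.join(dirpath, name))
    return snapshot


def compare(known_good, current):
    """Classify drift against the known-good snapshot.

    'added' catches dropped files (webshells, rogue plugins), 'modified' catches
    edited templates and core files, 'removed' catches deleted files."""
    return {
        "added": sorted(set(current) - set(known_good)),
        "removed": sorted(set(known_good) - set(current)),
        "modified": sorted(p for p in known_good.keys() & current.keys()
                           if known_good[p] != current[p]),
    }


def _write(path, text):
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed sample: a tiny stand-in for a WordPress tree is baselined,
    then altered the way a defacement would alter it."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "t")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(theme)
    os.makedirs(uploads)
    _write(os.path.join(root, "index.php"), "<?php require 'wp-blog-header.php';\n")
    _write(os.path.join(theme, "header.php"), "<html><head><title>Site</title></head>\n")
    known_good = baseline(root)

    # Defacement: a theme template is edited and an unexpected PHP file appears.
    _write(os.path.join(theme, "header.php"), "<html><head><title>Owned</title></head>\n")
    _write(os.path.join(theme, "wp-cache.php"), "<?php /* unexpected file */\n")
    # Normal activity: a media upload, which must not raise an alert.
    _write(os.path.join(uploads, "photo.jpg"), "constructed placeholder, not a real image")
    return compare(known_good, baseline(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken right after a known-good deploy, stored off the web host (an attacker who can edit `header.php` can edit a baseline file sitting next to it), and re-run from cron or a monitoring host; any non-empty `added` or `modified` set outside the excluded directories is an alert, not something to eyeball.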

Many thanks to Prudential for providing the venue for our chapter evenings!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 29 May 2013.

See ya!

Feb 2013 Meetup: Bypassing Local Microsoft Security Policies

Date: 28 Feb 2013

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 1st meetup of 2013!

In this presentation, the speaker, Paul Craig, will share on the following:

Local Microsoft security policies are one of the few areas of security that are rarely researched or focused on by the security community. These policies are designed to prevent local users from accessing functionality which has been “Disabled By Your Administrator”. From Local Group Policy, Software Restriction Policies and AppLocker to Internet Explorer, each Microsoft technology has its own way of restricting what you can and cannot do. For local exploitation attempts, these technologies can be troublesome and frustrating, and restrict the true potential of your attack. This talk will cover a broad view of the current attacks against Microsoft local policies and the underlying issues affecting this form of security.

Speaker Profile

Paul is the Principal Security Consultant at Security-Assessment.com Singapore. Labeled “A malicious hacker” by the media in his native New Zealand, Paul is now based in sunny Singapore where he leads the SE Asian Penetration Testing Team. Paul has been an avid security researcher and all-round advocate for security from a young age with a passion for exploitation and finding creative methods of getting shell.

Many thanks to Prudential for providing the venue for our chapter evenings!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 28 Feb 2013.

See ya!

2012

Nov 2012 Meetup 2: AISP-OWASP: Hacking Techniques

Date: 14 Nov 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 7th session of the joint AISP-OWASP series of chapter evenings!

In this presentation, the speaker, Ryan Baxendale, will share on these topics:

- Tips and tricks for hacking Microsoft SharePoint sites.

- Taking advantage of administrative interfaces to get shell.

- Breaking end to end encryption implemented in JavaScript.

- Weak two factor authentication and how to get around it.

- Abusing poorly designed password reset functions to get admin access.

- Bypassing a web application firewall.
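The password reset item above is the one most often found in production: a reset token that is derived from values an attacker already knows (username, time of request) rather than drawn from a CSPRNG, so the "secret" link can be reconstructed offline. The following is an added example, not code from the talk or the chapter page, showing the weak construction next to a hardened one. The `ResetStore` class, its in-memory table, the 15-minute lifetime and the sample usernames are assumptions for illustration.

```python
import hashlib
import secrets
import time

# ---- Weak: token computed from guessable inputs --------------------------------
def weak_reset_token(username, issued_at):
    """md5(username:unix_time). Both inputs are known or narrowly bounded
    by anyone who triggers a reset for the victim, so the token is enumerable."""
    return hashlib.md5(f"{username}:{issued_at}".encode()).hexdigest()


def recover_weak_token_time(username, observed_token, approx_time, window=300):
    """Attacker side: with a reset requested for 'admin' at roughly approx_time,
    try every second in +/- window until the candidate matches the observed
    token format. Returns the timestamp that reproduces it, or None."""
    for t in range(approx_time - window, approx_time + window + 1):
        if weak_reset_token(username, t) == observed_token:
            return t
    return None


# ---- Hardened: random, bound to the account, expiring, single use --------------
TOKEN_TTL = 900  # seconds; assumption for this example


class ResetStore:
    """Hypothetical server-side store. Only a hash of the token is kept, so a
    leaked table does not yield usable reset links."""

    def __init__(self):
        self._pending = {}  # sha256(token) -> (username, expires_at)

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (username, now + TOKEN_TTL)
        return token  # delivered only to the account's verified contact address

    def redeem(self, username, token, now=None):
        """True exactly once, for the right account, before expiry."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.get(digest)
        if entry is None:
            return False                 # unknown, already used, or forged
        stored_user, expires_at = entry
        if now > expires_at:
            del self._pending[digest]    # expired: discard it
            return False
        if stored_user != username:
            return False                 # token is bound to a different account
        del self._pending[digest]        # single use
        return True


if __name__ == "__main__":
    t0 = 1700000000
    leaked = weak_reset_token("admin", t0)
    print("weak token timestamp recovered:", recover_weak_token_time("admin", leaked, t0 + 90))
    store = ResetStore()
    tok = store.issue("alice", now=t0)
    print("redeem as alice:", store.redeem("alice", tok, now=t0 + 10))
    print("redeem again:", store.redeem("alice", tok, now=t0 + 11))
```

Two details matter beyond randomness: the token is bound to the account it was issued for, so a token obtained for one user cannot be submitted against an administrator's reset form, and the reset endpoint must not accept the target username from the request on its own, which is the "poorly designed" case the talk title describes.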

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 12 Nov 2012.

See ya!

Nov 2012 Meetup: AISP-OWASP: New web attacks & short intro on IT Impact of SG data privacy law

Date: 7 Nov 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 6th session of the joint AISP-OWASP series of chapter evenings!

In this presentation, the speaker, Onn Chee, will share some of the latest discoveries in web attacks and give a short 30-minute introduction to the IT impact of the new Singapore Personal Data Protection Act.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 5 Nov 2012.

See ya!

Oct 2012 Meetup 3: AISP-OWASP: WAFs - An attacker’s perspective

Date: 29 Oct 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 5th session of the joint AISP-OWASP series of chapter evenings!

In this presentation, the speaker, Bernhard will look at the effectiveness of WAFs from the perspective of a long-time security tester.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 26 Oct 2012.

See ya!

Oct 2012 Meetup 2: AISP-OWASP: Dynamic Web Defense

Date: 22 Oct 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 4th session of the joint AISP-OWASP series of chapter evenings!

In this presentation, the speaker, Bernard, will share on the latest developments in dynamic web defense techniques used by WAFs.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 20 Oct 2012.

See ya!

Oct 2012 Meetup: AISP-OWASP Joint Series: Learn how Taiwanese organisations defend themselves against constant Chinese cyber attacks

Date: 3 Oct 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd (not Prudential Towers!) 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 3rd session of the joint AISP-OWASP series of chapter evenings!

It has long been rumoured that the Chinese government has an army of trained hackers to carry out national-level attacks. Taiwan, despite being its closest neighbour in terms of language and culture, has become a convenient target and constant victim because of the two sides' opposing political stances.

As Taiwan has been moving towards e-government since 2005, this has forced the Taiwanese government to strengthen its IT security, especially application security.

In this presentation, the speaker, Kae Bin, will share some of the common attacks observed and how Taiwan reacts to the constant bombardment from its friendly neighbour.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to our meetup.com site (http://www.meetup.com/SGSecurityMG/) latest by 1 Oct 2012.

See ya!

Sep 2012 Meetup 2: AISP-OWASP Joint Series: Security Testing with OWASP ZAP

Date: 18 Sep 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 2nd session of the joint AISP-OWASP series of chapter evenings!

AISP and OWASP Singapore have lined up a series of speakers to share on interesting security topics related to web security.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to [email protected] latest by 16 Sep 2012.

See ya!

Sep 2012 Meetup: AISP-OWASP Joint Series: Use of OWASP ESAPI to Defend Against OWASP Top 10 Risks

Date: 12 Sep 2012

Venue: Prudential Assurance Company Singapore (Pte) Ltd 156 Cecil Street #10-00, Far Eastern Bank Building, Singapore 069544

Welcome to the 1st session of the joint AISP-OWASP series of chapter evenings!

AISP and OWASP Singapore have lined up a series of speakers to share on interesting security topics related to web security.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Please RSVP to [email protected] latest by 10 Sep 2012.

See ya!

HITBSecConf2012 - Malaysia: #TenYearsInTheBox

![](Hitb2012kul-banner-300-250.jpg "File:Hitb2012kul-banner-300-250.jpg")

Date: 8th - 11th October

Venue: InterContinental, Kuala Lumpur, Malaysia

Website: HITBSecConf2012 Malaysia Portal

To commemorate TEN YEARS of playing host to the brilliant minds that have helped shape the security landscape into what it is today, HITBSecConf2012 – Malaysia (#HITB2012KUL) will be welcoming back on stage over 42 of our most popular speakers from the last 10 years!

Here’s your chance to meet the legends of the computer security industry, including the likes of John ‘Captain Crunch’ Draper, the founders of The Pirate Bay, Mikko Hypponen, DNS guru and president of ISC Paul Vixie, OpenBSD creator Theo de Raadt, and even members of the LEGENDARY iPhone Dev Team and jailbreak DreamTeam, who will be on hand for a very, very special iOS / OS X panel discussion featuring @MuscleNerd, @pod2g and @planetbeing, joined by none other than Charlie @0xcharlie Miller and Stefan @i0n1c Esser!

The event takes place from the 8th to the 11th of October and, as always, we kick off the first two days with 8 tracks of hands-on technical training sessions (8th and 9th October), followed by the 2-day triple-track conference with NO KEYNOTES, NO LAB SESSIONS and NO SIGINT slots.

We’re also ramping up this year’s show by expanding on HITB favourites, including an expanded CommSec village with an updated round-the-clock 36-hour nonstop Capture The Flag competition and an expanded 36-hour HackWEEKDAY hackathon to go with it. Registration for HackWEEKDAY is COMPLETELY FREE and we strongly encourage professional developers and students to sign up.

Do note that there will only be a maximum of 1010 seats for the conference on the 10th and 11th of October, and registration is already open. OWASP members are entitled to conference seats at SGD580 (normal price SGD640). The discount code is limited to the first 15 sign-ups on a first-come, first-served basis.

Register Online: HITBSecConf2012 Malaysia Registration

Please contact Onn Chee for the discount code. Do note only paid registered OWASP members are eligible for the discounts.

Apr 2012 Meetup: Rethinking web-application architecture for the Cloud

Date: 23 April 2012

Unless your organization is unique, not all your data is sensitive. This raises the question: should scarce security resources be used to protect 100% of your data? The logical approach should be to build your IT infrastructure in a manner that optimizes your investments: protecting what matters while managing non-sensitive data with minimal controls.

This talk presents an architecture for building the next generation of web applications. This architecture allows you to leverage emerging technologies such as cloud computing, cloud storage and enterprise key-management infrastructure (EKMI) to derive benefits such as lower costs, faster time-to-market and immense scalability with smaller investments, while demonstrating compliance with PCI-DSS, HIPAA/HITECH and similar data-security regulations. We call this “Regulatory Compliant Cloud Computing (RC3)”. Papers describing RC3 can be found on the following websites:

IBM: http://ibm.co/rc3dw

ISSA Journal: http://bit.ly/rc3issa

InfoQ: http://bit.ly/rc3infoq

StrongAuth: http://www.strongauth.com/pdf/RC3-WebAppArch-1.2-2.pdf

Speaker’s Bio

Arshad is the CTO of StrongAuth, Inc., a Silicon Valley-based company focused on encryption and key-management for the last 11 years. He is the architect and lead developer of many open-source cryptographic software packages including CSRTool, StrongKey, KeyAppliance and the CryptoEngine. He has written many papers and spoken at many conferences, most recently at OWASP AppSec 2012, on the subject of encryption and key-management.

Meetup details

Monday, April 23, 2012 7:00 PM

Prudential Assurance Company Singapore (Pte) Ltd

156 Cecil Street #10-00, Far Eastern Bank Building

Singapore 069544

Please RSVP at http://security.meetup.com/77

See ya!

2011

OWASP Singapore is a Supporting Organisation for Asia Cloud Conference 2011, scheduled to be held at the Grand Hyatt Hotel Singapore on 2 Nov 2011

The Asia Cloud 2011 Conference will provide insights and key learning to understand how your organization can take advantage of cloud technologies. Leading industry practitioners will address the emerging cloud technology trends, examine best practices in successfully integrating cloud technologies into the enterprise’s infrastructure, and meet the various challenges in managing cloud performance in the enterprise.

Members Benefits!!

The above event organiser has given two complimentary delegate passes for two registered OWASP SG members (first-come-first-serve basis). Priority will be given to those registered members who did not enjoy free complimentary passes before. Contact me @ [email protected] if you want one of the complimentary delegate passes.

Note: Conference seats at this event are complimentary to senior-level end users of IT solutions. The fee for other professionals to attend this event is US$995. The Organizer reserves the final right to accept or reject any registrations.

![](AsiaCloudForum_100x100.png "File:AsiaCloudForum_100x100.png")

OWASP Singapore is a Supporting Organisation for IDA’s Information Security Seminar 2011 from 13-14 April 2011

Members Benefits!!

The above event organiser has given two complimentary delegate passes for two registered OWASP SG members (first-come-first-served basis). Contact me @ [email protected] if you want one of the complimentary delegate passes.

For other members, you too can enjoy discounted affiliate rates when you register.

Click here to know more about Information Security Seminar 2011

![](bg.jpg "File:bg.jpg")

OWASP Singapore is a Supporting Organisation for Info Security Conference 2011 in Singapore on 5 May 2011

Members Benefits!!

The above event organiser has given two complimentary delegate passes for two registered OWASP SG members (first-come-first-served basis). Contact me @ [email protected] if you want one of the complimentary delegate passes.

Click here to know more about Info Security Conference Singapore

![](infosec2011_600x100.gif "File:infosec2011_600x100.gif")

News

OWASP Moves to MediaWiki Portal - 11:31, 20 May 2006 (EDT)

OWASP is pleased to announce the arrival of OWASP 2.0!

OWASP 2.0 utilizes the MediaWiki portal to manage and provide the latest OWASP related information. Enjoy!

The chapter leader is Onn Chee.

Contact information for Onn Chee is as follows:

Mobile: (65) 9838 7930

Skype VOIP: ocwong

Email: [email protected]

OWASP Singapore has combined its activities with the Singapore Security Meetup Group (SSMG) since Dec 2007

We are holding our regular joint OWASP-SSMG meetings on the 2nd Thursday of each month.

Do check out http://www.meetup.com/SGSecurityMG/ for the calendar of events.

For our past meetings, please check out http://www.meetup.com/SGSecurityMG/calendar/past_list/

For ease of management, updates on activities will be made on the http://www.meetup.com/SGSecurityMG/, though updates will still be sent to OWASP Singapore mailing list.

OWASP Singapore Get Together on 19:30, 9 Oct 2007 (SGT)

We will meet at Geek Terminal (http://www.geekterminal.com)

Address: 55 Market Street 01-01 Singapore 048941

Telephone No: +65 65570098

Nearest Carpark: Golden Shoe Carpark Nearest MRT: Raffles Place MRT

OWASP Singapore Nov Chapter Meeting on 19:30, 7 Nov 2007 (SGT)

Michael Boman will be presenting “Overcoming USB (In)Security”

Venue : GeekTerminal

OWASP Singapore Dec Chapter Meeting on 19:30, 13 Dec 2007 (SGT)

Venue : GeekTerminal

OWASP Singapore Jan Chapter Meeting on 19:30, 10 Jan 2008 (SGT)

Venue : SODS, 51 Tras Street

OWASP Singapore Feb Chapter Meeting on 19:30, 14 Feb 2008 (SGT)

Venue : SODS, 51 Tras Street (We loved each other so much that we met on Valentine’s Day!)

OWASP Singapore Mar Chapter Meeting on 19:30, 13 Mar 2008 (SGT)

Venue : SODS, 51 Tras Street

OWASP Singapore Apr Chapter Meeting on 19:30, 10 Apr 2008 (SGT)

Venue : JCU, 2 Bukit Merah Central, #03-01, SPRING Singapore Building, S(159835) (http://www.jcu.edu.sg/ContactUs_Location.htm)

Topic : Intro to WebGoat by Onn Chee and a Hacking demo by Johnny.

OWASP Singapore May Chapter Meeting on 19:30, 29 May 2008 (SGT)

Venue : JCU, 2 Bukit Merah Central, #03-01, SPRING Singapore Building, S(159835) (http://www.jcu.edu.sg/ContactUs_Location.htm)

Topic : Intro to WebScarab by Rogan and Burp proxy suite by Rick.
