[Owasp-cambridge] Future Cambridge OWASP Chapter Meetings Tuesday 16th April & OWASP EU Roadshow 13/14 May

Adrian Winckles adrian.winckles at owasp.org
Mon Apr 1 08:31:33 UTC 2013

Dear All

We are proposing our next OWASP Cambridge Roadshow on the 16th April, initial speaker biography and details below.  Additional speakers, room details and times to follow.

Another heads up for a proposed event on the 13/14 May when the OWASP EU Roadshow is hopefully coming to town for two days of speakers and training activities.  Please put the dates in your diary.

More details to follow.

Many thanks


Adrian Winckles MSc BEng CEng CITP MBCS
Senior Lecturer in Information Security and Forensic Computing
(OWASP Cambridge Chapter Leader)
Anglia Ruskin University
East Road 

Topic: "Everything we know is Wrong" Cambridge OWASP Chapter Meeting 16th April

Eoin recently delivered this at RSA (Feb 2013) in San Francisco and Semafor (March 2013) in Poland to great effect.

The premise behind this talk is to challenge both the technical controls we recommend to developers and also our actual approach to testing. This talk is sure to challenge the status quo of web security today.

"Insanity is doing the same thing over and over and expecting different results." - Albert Einstein

We continue to rely on a “pentest” to secure our applications.

Why do we think it is acceptable to perform a time-limited test of an application to help ensure security when a determined attacker may spend 10-100 times longer attempting to find a suitable vulnerability?

Our testing methodologies are inconsistent and rely on the individual and the tools they use.
Some carpenters use glue and some use nails when building a wooden house. Which is best, and why do we accept poor, inconsistent quality?

Fire-and-forget scanners won't solve security issues. Attackers take time and skill, but our industry accepts the output of a software programme to help ensure security?
How can we expect developers to listen to security consultants when the consultant has never written a line of code? Why don't we ask "How much code development have you done, seeing as you are assessing my code for security bugs?"

Currently we treat vulnerabilities like XSS and SQLi as different issues, but the root cause is the same: it's all code injection theory! Why do we do this and make security bugs over-complex?

Why are we still happy with "testing security out" rather than the superior "building security in"?


Eoin is an international board member and vice chair of OWASP, The Open Web Application Security Project (owasp.org). During his time in OWASP he has led the OWASP Testing and Security Code Review Guides and also contributed to OWASP SAMM and the OWASP Cheat Sheet Series.

Eoin Keary is the CTO and founder of BCC Risk Advisory Ltd. (www.bccriskadvisory.com), an Irish company which specialises in secure application development, advisory, penetration testing, mobile and cloud security, and training.

Eoin has led global security engagements for some of the world's largest financial services and consumer products companies. He is a well-known technical leader in industry in the area of software security and penetration testing.