[Owasp-cambridge] OWASP Cambridge Chapter “Goats, Droids and Software Chains” Seminar - Tuesday 4th April 2017

Adrian Winckles adrian.winckles at owasp.org
Sat Mar 18 10:08:27 UTC 2017

*OWASP Cambridge Chapter “Goats, Droids and Software Chains”*

Tuesday 4th April 2017 17:30 – 20:30, Lord Ashcroft Building (LAB003),
Anglia Ruskin University, Cambridge.

Hosted by the Department of Computing & Technology, Anglia Ruskin
University & OWASP (Open Web Application Security Project) Cambridge

Buffet & Refreshments kindly sponsored by Sonatype.


*Guest speaker: Bruce Mayhew, OWASP Webgoat Project Leader & Director of
Security Research, Sonatype.*

*Biography - Bruce Mayhew*

Bruce is the OWASP Project Lead for Webgoat, one of the authors of the SANS
GIAC Java Security Certification Exam, and is Director of Security Research
and Development at Sonatype with over 20 years of software development
experience, 13 years of which have been focused on application security. He
has performed code-level security assessments for hundreds of applications,
created application security programs and training curriculums for large
institutions, and has been a Web Application Security Course instructor for
the SANS Institute. Previous roles include IBM with a focus on Static
Analysis following the acquisition of Ounce Labs where he was Director for
Advanced Security Research.

*Abstract – “Webgoat”*

An in-depth technical overview of OWASP WebGoat, a deliberately insecure web
application designed to teach web application security and provide an
understanding of security issues by exploiting real vulnerabilities,
including those in open source libraries. The project started 10 years ago
and has had over 1,000,000 downloads. There are currently over 30 lessons,
including those dealing with issues such as Cross-site Scripting (XSS),
Access Control, Thread Safety, Hidden Form Field Manipulation, Parameter
Manipulation, Weak Session Cookies, Blind SQL Injection, Numeric SQL
Injection, String SQL Injection, Web Services and Fail Open Authentication.

*Guest Speaker: Leum Dunn CISSP C|EH CISMP MBCS, Redacted*

*Biography:* Leum Dunn

Leum specialises in endpoint security and works for REDACTED in the East of

*Abstract: “A day in the life of a script kiddie – pwning Android for the lulz”*

This informal talk aims to demonstrate the sort of access an attacker of
only modest skill could gain to an Android device. It is useful to anyone with
an interest in security or who is considering a BYOD policy for their company.
Very little technical knowledge is required and Leum encourages questions

*Guest Speaker: Brian Fox, Chief Technical Officer, Sonatype*

*Biography: Brian Fox*

Brian is Chief Technical Officer at Sonatype. He has extensive open source
experience as a member of the Apache Software Foundation and former Chair
of the Apache Maven project. Brian was a direct contributor to the Maven
ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin.
He has over 15 years of experience driving the vision behind, as well as
developing and leading the development of, software for organisations
ranging from startups to large enterprises. Brian is a frequent speaker at
national and regional events including Java User Groups and other
development-related conferences.

*Abstract – “Secure Supply Chains”*

Today, more and more open source is consumed by developers. We saw last
week, when Apache disclosed the latest Struts 2 vulnerability with a CVSS
score of 9.8, that we need to ensure that we are consuming secure open
source libraries in our software development processes; we should treat it
as a supply chain. Studying the patterns and practices exhibited by 3,000
high-performance software development organisations, we found that teams
around the world are consuming BILLIONS of open source and third-party
components. The good news: they are accelerating time to market. The bad
news: 1 in 17 components they are using include known security
vulnerabilities. This session aims to enlighten application security and
development professionals by sharing results from the State of the Software
Supply Chain Report, a blend of public and proprietary data with expert
research and analysis, specifically:

·      What our analysis of 25,000 applications reveals about the quality
and security of software built with open source components?

·      How organizations like Exxon, Capital One and Intuit are utilising
the principles of software supply chain automation to improve application

·      Why avoiding open source components over 3 years old might be a
really good idea?

·      How to balance the need for speed with quality and security -- early
in the development lifecycle?

Also listen to Brian talk about the Struts 2 vulnerability announcement,
how you can determine if you're affected, what you can do about it and how
a secure supply chain would mitigate the risk.


OWASP (Open Web Application Security Project) is a 501(c)(3) not-for-profit
worldwide charitable organisation focused on improving the security of
application software. Its mission is to make application security
visible, so that people and organisations can make informed decisions about
true application security risks.

The Department of Computing & Technology at Anglia Ruskin University is
enhancing its curricula and capabilities in information security following
its successful BSc(Hons) Information Security and Forensic Computing
pathway. Establishing a joint professional networking group with OWASP
concentrating on aspects of computing and application security is a key
part of this enhancement. A key aim the department is working towards is
developing an MSc Information Security specialising in Application Security
and, as part of this activity, it is looking to develop a local Information
Security Student Society.


17:30 – 17:45 Welcome from the OWASP Cambridge Chapter Leader, Adrian
Winckles, Course Leader in Information Security & Forensic Computing,
Anglia Ruskin University

17:45 – 18:30 Talk from Bruce Mayhew, Sonatype & OWASP Project Leader, “Webgoat”

18:30 – 19:15 Talk from Leum Dunn, Redacted, “A day in the life of a script
kiddie – pwning Android for the lulz”

19:15 – 20:00 Talk from Brian Fox, Sonatype, “Secure Supply Chains”

20:00 – 20:30 Refreshments & Networking in LAB006 (Kindly sponsored by Sonatype)


To register for this free event, please register online at


The meeting will be held in the Lord Ashcroft Building, Room LAB003
(Breakout Room LAB006 for networking & refreshments).

Please enter through the Helmore Building and ask at reception.

Anglia Ruskin University, Cambridge Campus
East Road
Cambridge CB1 1PT

Get further information on travelling to the university.
