[Owasp-ireland] OWASP Ireland News - July 27th, 2010

fabio.e.cerullo at aib.ie fabio.e.cerullo at aib.ie
Tue Jul 27 06:39:57 EDT 2010


*****************************************************
OWASP Ireland News                      July 27th, 2010
*****************************************************

1. OWASP Ireland 2010 Conference: Register Early to win an iPod Touch!

2. OWASP Ireland August Event: Additional Speaker Announced & Updated 
Agenda

3. Citibank admits iPhone App Security Flaw

4. web2py - A Framework That Cares About Security

5. Timing Attacks Explained

6. Taint Mode for Python

------------------------------------------------------------------------

1. OWASP Ireland 2010 Conference: Register Early to win an iPod Touch!

We are fast approaching the biggest Application Security Conference in 
Ireland.

And just to make it more exciting, we are going to raffle TWO iPod Touches 
among those who register for the conference before our next chapter 
meeting on 11th August (more details below).

So grab your ticket at the URL below and be in with a chance to win one of 
these great gadgets!

https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=679c382d-35c2-4815-a399-c2c3a95ebfd7


You can find all the details about this event, including the updated agenda, 
keynote speakers, available training, etc., at the URL below:

http://www.owasp.org/index.php/OWASP_IRELAND_2010

2. OWASP Ireland August Event: New Speaker Announced & Updated Agenda

We are slightly modifying the agenda to include another speaker at the 
August Event.

The event will kick off at 6pm and the updated agenda is as follows:

6pm: ESAPI Swingset: Introduction & Demo by Cathal Courtney
6:30pm: Security Implications for Web Applications based on SOA
7:30pm: iPod Touch Raffle (only open to OWASP Ireland 2010 ticket holders)

OWASP ESAPI Swingset: Introduction & Demo by Cathal Courtney

The ESAPI Swingset is a web application which demonstrates common security 
vulnerabilities and asks users to secure the application against these 
vulnerabilities using the ESAPI library.

The application is intended for Java Developers. The goal of the 
application is to teach developers about the functionality of the ESAPI 
library and give users a practical understanding of how it can be used to 
protect web applications against common security vulnerabilities.

During the talk, Cathal will demonstrate how to install and use ESAPI 
Swingset in your organization. A copy of the latest version will also be 
provided to the attendees.

Cathal is an experienced developer working at AIB and is currently the 
ESAPI Swingset project leader.

More information about this project can be found here: 
http://www.owasp.org/index.php/ESAPI_Swingset

Security Implications for Web Applications based on SOA

The main point of SOA (in this context) is combining systems and 
applications to make new applications, or one big 'overall' application.

This higher interoperability does (by default) lower security. For a 
start, a request originating from a web user might end up at several back 
end systems, which do not know who or what the request came from.

Each back end system might have no access to the customer data, have a 
different security model, and serve several front ends. Each of the above 
systems could be under different ownership, so the owners have different 
concerns and priorities. The basic solutions at a technical level 
include single sign-on, or security as a service. These can be costly, give 
limited coverage and carry a performance hit, but are pretty much the only 
way to do it. The other thing to do (probably in tandem) is strict 
management and delegation of authority.

John has about 13 years in IT, most of it in distributed systems and 
'middleware' integration software, including BEA (now owned by Oracle), 
mainly working on Enterprise Java and more recently on Microsoft BizTalk, 
across various industries, including financials, public services, and a fish farm.

As usual, our venue is the Ernst & Young offices in Dublin, who kindly 
agreed to host our event:

- Ernst & Young, Harcourt Street, Dublin 2, Opposite the Odeon Pub, 
Dublin, Ireland

As last time, we should have plenty of time to have a talk and a few 
drinks afterwards.

If you are planning to attend you must RSVP at

http://owasp-ireland-august.eventbrite.com.

Note, please enter your real name, as this will be given to Ernst & Young 
building security.

If you don't RSVP, you may not be let into the building.

A certificate of participation will be provided to those attending the 
event.

Further details and the schedule for the night will be available on the 
chapter page:

https://www.owasp.org/index.php/Ireland.


3. Citibank admits iPhone App Security Flaw

Citi is advising customers to install an upgrade for its iPhone m-banking 
application after admitting a flaw in the previous version resulted in it 
improperly storing customer account information.

More on this story: 
http://www.finextra.com/news/fullstory.aspx?newsitemid=21644

4. web2py - A Framework That Cares About Security

The web2py creators clearly kept security in mind from the design phase, 
and it shows in the end result. web2py is immune to many attacks on 
session management and routing because those components were designed with 
security in mind.

Check out web2py’s page on http://www.pythonsecurity.org for more details.

5. Timing Attacks Explained

Probably the most interesting bit of security research that happened this 
week was the dropping of this little bombshell by Taylor Nelson of Root 
Labs:

Every OpenID implementation I have checked this far has contained timing 
dependent compares in the HMAC verification, allowing a remote attacker to 
forge valid tokens.

You can find the full article here: 
http://www.emerose.com/timing-attacks-explained
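As an added illustration for this item (not part of the newsletter, of Root Labs' research, or of any OpenID library), the following Python shows the kind of timing-dependent HMAC compare the quote refers to, beside a constant-time replacement. The key, message and tag layout are constructed for the example; the function names are ours.

```python
import hashlib
import hmac

# Constructed example key (not from the article); a real deployment would use
# the shared secret negotiated for the OpenID association.
SECRET_KEY = b"example-shared-secret-for-illustration"


def sign(message: bytes, key: bytes = SECRET_KEY) -> bytes:
    """HMAC-SHA256 tag over the message, as a server would attach to a response."""
    return hmac.new(key, message, hashlib.sha256).digest()


def naive_verify(message: bytes, tag: bytes, key: bytes = SECRET_KEY) -> bool:
    """The flawed pattern: `==` on bytes may return as soon as the first
    differing byte is found, so the time taken to reject a wrong tag depends
    on how many of its leading bytes already match the real HMAC."""
    return sign(message, key) == tag


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Compare every byte regardless of where the first mismatch is.
    The OR-accumulator makes the loop do the same work for any pair of
    equal-length inputs; the early length check reveals only the tag
    length, which is public anyway (32 bytes for HMAC-SHA256)."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def safe_verify(message: bytes, tag: bytes, key: bytes = SECRET_KEY) -> bool:
    """Recompute the HMAC and compare with hmac.compare_digest (Python 3.3+),
    the standard library's constant-time comparison; constant_time_equal
    above shows the idea behind it."""
    return hmac.compare_digest(sign(message, key), tag)


if __name__ == "__main__":
    # Constructed OpenID-style message; the identity URL is a placeholder.
    msg = b"openid.mode=id_res&openid.identity=https://example.invalid/alice"
    tag = sign(msg)
    print("naive:", naive_verify(msg, tag), "safe:", safe_verify(msg, tag))
```

Both verifiers accept exactly the same tags; the only difference is whether the time needed to reject a wrong tag depends on its content, which is the property the quoted finding is about.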

6. Taint Mode for Python

Juanjo Conti has done some fantastic work for OWASP implementing a taint 
mode in Python through a library. Taint mode is a language feature which 
can highlight injection flaws by tracing untrusted user input through the 
code by tracking the “taintedness” of variables.

You can find the full article here: 
http://pythonsecurity.tumblr.com/post/857505579/taint-mode-for-python
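To make the idea concrete, here is a small library-style taint mode written as an added example for this item; it is not Juanjo Conti's library and does not reproduce its API. The Tainted class, the untrusted/sink/sanitize_int helpers and run_query (a stand-in for a real database call) are all names assumed for the example, and the request values are constructed.

```python
from functools import wraps


class TaintError(Exception):
    """Raised when untrusted data reaches a sensitive sink unsanitised."""


class Tainted(str):
    """A str that remembers it came from an untrusted source. The string
    operations overridden here return Tainted results, so the mark follows
    the data as it is concatenated, sliced or formatted on its way through
    the code."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        # Called for plain_str + Tainted, so the left-hand str cannot launder it.
        return Tainted(str.__add__(other, self))

    def __mod__(self, args):
        return Tainted(str.__mod__(self, args))

    def __getitem__(self, key):
        return Tainted(str.__getitem__(self, key))

    def format(self, *args, **kwargs):
        return Tainted(str.format(self, *args, **kwargs))

    def replace(self, *args):
        return Tainted(str.replace(self, *args))

    def strip(self, *args):
        return Tainted(str.strip(self, *args))


def untrusted(value: str) -> Tainted:
    """Source: wrap anything arriving from the request as tainted."""
    return Tainted(value)


def is_tainted(value) -> bool:
    return isinstance(value, Tainted)


def sanitize_int(value: str) -> str:
    """Sanitiser: a value that parses as an integer is re-emitted as a plain
    (untainted) str, so only canonical digits reach the sink; anything else
    raises ValueError instead of passing through."""
    return str(int(value))


def sink(func):
    """Decorator marking a function whose arguments must never be tainted."""
    @wraps(func)
    def guarded(*args, **kwargs):
        for value in list(args) + list(kwargs.values()):
            if is_tainted(value):
                raise TaintError(f"{func.__name__} received tainted data: {value!r}")
        return func(*args, **kwargs)
    return guarded


@sink
def run_query(sql: str) -> str:
    """Stand-in for a database execute call (constructed for the example);
    it just returns the SQL it would have run."""
    return sql


def build_query(user_id: str) -> str:
    # Concatenation keeps the mark: plain str + Tainted -> Tainted.
    return "SELECT name FROM users WHERE id = " + user_id


def unsafe_lookup(raw: str) -> str:
    """Passes request data straight into the query; the sink refuses it."""
    return run_query(build_query(raw))


def safe_lookup(raw: str) -> str:
    """Sanitises first, so the value reaching the sink is a plain str."""
    return run_query(build_query(sanitize_int(raw)))


def taint_blocked(raw: str) -> bool:
    """True if the sink rejected `raw` on the unsanitised path."""
    try:
        unsafe_lookup(raw)
    except TaintError:
        return True
    return False
```

The limit of a pure library approach shows up as soon as a clean template does the work: "id = %s" % tainted calls the plain str's own __mod__ and the result carries no mark. A library can only cover the operations it can intercept, which is why a full taint mode has to hook the interpreter's string type rather than subclass it.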

************************************************************************************************************************************
The professional association of OWASP Foundation Inc. is always free and 
open to anyone interested in learning more about application security. 
Prior to participating with OWASP, please review the Chapter Rules and the 
OWASP overview for some background. As a 501(c)(3) non-profit professional 
association, your support and sponsorship of a meeting venue and/or 
refreshments is tax-deductible, and all financial contributions can be made 
online using the online chapter donation button. We encourage organizational 
and individual supporters of our ethics & principles to become a voting 
MEMBER. More information on how to become a member can be found here: 
http://www.owasp.org/Membership
************************************************************************************************************************************
