[Owasp-ireland] OWASP Ireland News - June 8th, 2010

fabio.e.cerullo at aib.ie fabio.e.cerullo at aib.ie
Tue Jun 8 09:04:41 EDT 2010


**************************************************************************************************
OWASP Ireland News        June 8th, 2010 
************************************************************************************************** 


1. OWASP Ireland June Event: Define Security Requirements - A practical 
approach
2. CSRF Tester Project: How to test your apps for CSRF vulnerabilities 
3. AntiSamy Project: How to prevent malicious input in your apps 
4. HTML5: Security Facts developers should keep in mind

1. OWASP Ireland June Event: Define Security Requirements - A practical 
approach 

This is a reminder for the forthcoming OWASP Ireland chapter meeting to be 
held on June 30th at 6:30pm-7:30pm (show up at venue between 
6:00pm-6:30pm). 

As usual our location is the Ernst & Young offices in Dublin, who kindly 
agreed to host our event: 

- Ernst & Young, Harcourt Street, Dublin 2, Opposite the Odeon Pub, 
Dublin, Ireland 

Google Map location here: 

http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=harcourt+street,+dublin&sll=37.0625,-95.677068&sspn=33.160552,79.013672&ie=UTF8&hq=&hnear=Harcourt+St,+Dublin,+County+Dublin+City,+Ireland&ll=53.333417,-6.262588&spn=0.00305,0.009645&t=h&z=17 


As last time, we should have plenty of time to have a talk and a few 
drinks afterwards. 

If you are planning to attend you must RSVP at 
http://owasp-ireland-june.eventbrite.com. Note, please enter your real 
name, as this will be given to Ernst & Young building security. If you 
don't RSVP, you may not be let into the building.   

A certificate of participation will be provided to those attending the 
event. 

== Talk == 

Title: Define Security Requirements - A practical approach 

Abstract:   

The Data Protection Act states that "appropriate security measures" must 
be taken to protect personal data. How do you specify the appropriate 
security measures for a website which processes personal data? It is an 
important step in a development project, but is often neglected. In this 
talk, Alexis will describe his own experiences of assessing web 
applications, and will also look in more detail at what the Data Protection 
Commissioner says. He will then take a fictional website and look at a 
practical approach to specifying the security requirements that the 
fictional application should meet. This will use the kind of risk-based 
techniques outlined by OWASP or the Microsoft Secure Development Lifecycle 
(SDL). Issues discussed will include encryption, authentication, access 
control, audit, etc. The result will be a list of security requirements 
that can be carried into the design and development phases. Attendees 
should be able to apply the ideas to their own development projects. 

== Presenters == 

Alexis FitzGerald 

For the last six years Alexis has worked for Rits Information Security 
Group, where he performs application penetration testing assignments as 
well as advising clients on application security issues. Before that, he 
spent many years as a developer (mainly in the financial sector), and he 
continues to be involved in development. Alexis holds an MSc in 
Information Security from the University of London, Royal Holloway. 

Further details and schedule for the night will be available on the 
chapter page ( https://www.owasp.org/index.php/Ireland ). 

2. OWASP CSRF Tester: How to test your apps for CSRF vulnerabilities

Cross-Site Request Forgery (CSRF) is an attack whereby the victim is 
tricked into loading information from or submitting information to a web 
application for which they are currently authenticated. The problem is 
that the web application has no means of verifying the integrity of the 
request. The OWASP CSRFTester Project attempts to give developers the 
ability to test their applications for CSRF flaws. 

More info here: 
http://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project 
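The paragraph above says the root cause of CSRF is that the application cannot verify that a request was intended by the user. The following added example (not part of the newsletter and not code from the OWASP CSRFTester project) models that in a few dozen lines of Python: a transfer endpoint that checks only the session cookie, beside the same endpoint protected with the synchronizer-token pattern. All names, the request/session types and the in-memory stores are constructed for the example.

```python
"""Added example (not from the newsletter or the OWASP CSRFTester project):
a state-changing endpoint that trusts only the session cookie, beside the
same endpoint protected with a per-session synchronizer token.
Every name and store below is constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Only the parts of an HTTP request the check needs."""
    method: str
    cookies: dict
    form: dict


@dataclass
class Session:
    user: str
    # One random token per session, embedded in every form the app renders.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


SESSIONS: dict = {}  # session id -> Session (constructed in-memory store)


def login(user: str) -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user)
    return sid


def _do_transfer(sess: Session, form: dict, balances: dict) -> None:
    amount = int(form["amount"])
    balances[sess.user] -= amount
    balances[form["to"]] = balances.get(form["to"], 0) + amount


def transfer_vulnerable(req: Request, balances: dict):
    """The flaw described in the text: the only check is the session cookie,
    which the browser attaches to cross-site requests just the same."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if req.method != "POST" or sess is None:
        return 403, "not authenticated"
    _do_transfer(sess, req.form, balances)
    return 200, "ok"


def transfer_protected(req: Request, balances: dict):
    """Synchronizer-token pattern: the request must also carry the secret
    token that only a page served by this application could have read."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if req.method != "POST" or sess is None:
        return 403, "not authenticated"
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison; compare bytes so odd input cannot raise.
    if not hmac.compare_digest(supplied.encode(), sess.csrf_token.encode()):
        return 403, "csrf token missing or invalid"
    _do_transfer(sess, req.form, balances)
    return 200, "ok"


def run_scenario(handler) -> dict:
    """Replay a legitimate request and a forged cross-site request against
    `handler`; report the status each received and the resulting balances."""
    balances = {"alice": 100}
    sid = login("alice")
    # Legitimate form: rendered by the app, so it carries the session token.
    legit = Request("POST", {"sid": sid},
                    {"to": "bob", "amount": "10",
                     "csrf_token": SESSIONS[sid].csrf_token})
    # Forged form: a third-party page can make the browser send the cookie,
    # but the same-origin policy keeps it from reading the token.
    forged = Request("POST", {"sid": sid}, {"to": "mallory", "amount": "50"})
    legit_status, _ = handler(legit, balances)
    forged_status, _ = handler(forged, balances)
    return {"legit_status": legit_status,
            "forged_status": forged_status,
            "balances": balances}


if __name__ == "__main__":
    for h in (transfer_vulnerable, transfer_protected):
        print(h.__name__, run_scenario(h))
```

Running the module shows the vulnerable handler honouring both requests (alice ends at 40) while the protected handler rejects the forged one with a 403 that is worth logging, since a burst of "csrf token missing or invalid" responses is a useful detection signal. A real deployment would also set the session cookie with SameSite and bind the token to the session exactly as shown here rather than to a global value.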

3. OWASP AntiSamy: How to prevent malicious input in your apps 

The OWASP AntiSamy project is a few things. Technically, it is an API for 
ensuring user-supplied HTML/CSS is in compliance within an application's 
rules. Another way of saying that could be: It's an API that helps you 
make sure that clients don't supply malicious cargo code in the HTML they 
supply for their profile, comments, etc. that gets persisted on the 
server. The term malicious code in terms of web applications is usually 
regarded only as JavaScript. Cascading Stylesheets are only considered 
malicious when they invoke the JavaScript engine. However, there are many 
situations where "normal" HTML and CSS can be used in a malicious manner. 

More info here: 
http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project 
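The paragraph above describes AntiSamy's job as checking user-supplied HTML and CSS against an application's rules, and notes that ordinary HTML and CSS can be harmful even without invoking JavaScript. The added example below (written for this newsletter, not AntiSamy's own code or policy format) shows the shape of such a policy-driven sanitizer in Python's standard library: an allowlist of tags, per-tag attributes, URL schemes and CSS properties, with everything else stripped and reported. The policy contents are an assumption chosen for illustration.

```python
"""Added example (not AntiSamy code): a small policy-based HTML/CSS
sanitizer built on html.parser. POLICY, SAFE_CSS_PROPS and the other
tables are illustrative assumptions, not AntiSamy's policy format.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# tag -> attributes allowed on it; anything else is stripped
POLICY = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(), "br": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "span": {"style"},
}
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}  # tag and body
VOID = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", ""}  # "" means a relative URL
# "normal" CSS can still overlay or reposition content, so only these survive
SAFE_CSS_PROPS = {"color", "background-color", "font-weight", "font-style",
                  "text-decoration"}
CSS_VALUE = re.compile(r"^[\w\s#%.,-]+$")  # no url(), expression(), quotes


def safe_url(value: str) -> bool:
    return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES


def filter_style(value: str) -> str:
    """Keep only allowlisted property/value pairs from an inline style."""
    kept = []
    for decl in value.split(";"):
        prop, _, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if prop in SAFE_CSS_PROPS and CSS_VALUE.match(val):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


class PolicySanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.rejected = [], [], []
        self.drop_depth = 0  # >0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            self.drop_depth += tag in DROP_CONTENT
            return
        if tag in DROP_CONTENT:
            self.drop_depth = 1
            self.rejected.append(f"tag:{tag}")
            return
        if tag not in POLICY:
            self.rejected.append(f"tag:{tag}")  # tag removed, text kept
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in POLICY[tag]:
                self.rejected.append(f"attr:{tag}@{name}")
                continue
            if name in URL_ATTRS and not safe_url(value):
                self.rejected.append(f"url:{tag}@{name}")
                continue
            if name == "style":
                value = filter_style(value)
                if not value:
                    self.rejected.append(f"style:{tag}")
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            self.drop_depth -= tag in DROP_CONTENT
            return
        if tag in self.open_tags:  # close down to it so output stays balanced
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))


def sanitize_report(html: str):
    """Return (clean_html, list_of_rejected_items) for logging or review."""
    p = PolicySanitizer()
    p.feed(html)
    p.close()
    while p.open_tags:  # close anything the input left open
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out), p.rejected


def sanitize(html: str) -> str:
    return sanitize_report(html)[0]


if __name__ == "__main__":
    sample = '<p onclick="x()">Hi <b>there</b><script>alert(1)</script></p>'
    print(sanitize_report(sample))
```

The report list is the part worth keeping in production: a profile field that repeatedly triggers `url:a@href` or `tag:script` rejections tells you which accounts are probing the filter, which is information a sanitizer that silently strips would throw away.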

4. HTML5: Security Facts developers should keep in mind 

The war of words between Apple and Adobe Systems has prompted plenty 
of speculation about the fate of HTML5. But while HTML5 remains a work in 
progress, the one thing that is certain is that developers who adopt HTML5 
will have a new set of features to consider as part of the application 
security development life cycle. 

You can find the full article here: 
http://www.eweek.com/c/a/Security/HTML5-Security-Facts-Developers-Should-Keep-in-Mind-551353/ 


**************************************************************************************************************************************************
The professional association of OWASP Foundation Inc. is always free and 
open to anyone interested in learning more about application security. 
Prior to participating with OWASP please review the Chapter Rules and the 
OWASP overview for some background. As a 501(c)(3) non-profit professional 
association, your support and sponsorship of a meeting venue and/or 
refreshments is tax-deductible, and all financial contributions can be made 
online using the online chapter donation button. We encourage organizational 
and individual supporters of our ethics & principles to become a voting 
MEMBER. More information on how to become a member can be found here: 
http://www.owasp.org/Membership
**************************************************************************************************************************************************


