[Owasp-ireland] OWASP Ireland News - June 15th, 2010

fabio.e.cerullo at aib.ie fabio.e.cerullo at aib.ie
Tue Jun 15 11:52:55 EDT 2010

OWASP Ireland News                        June 15th, 2010  

1. OWASP Ireland June Event: Define Security Requirements - SOLD OUT!
2. OWASP AppSec Ireland 2010: Registration for event & training now OPEN 
3. OWASP ESAPI: NSA to perform an in-depth security review on Java ESAPI
4. Security Best Practices For Developing Windows Azure Applications
5. Cross-Site Tracing (XST): The misunderstood vulnerability

1. OWASP Ireland June Event: Define Security Requirements - SOLD OUT!

This is a reminder for the forthcoming OWASP Ireland chapter meeting to be 
held on June 30th at 6:30pm-7:30pm (show up at venue between 

As usual, our venue is the Ernst & Young offices in Dublin, who have kindly 
agreed to host our event: 
- Ernst & Young, Harcourt Street, Dublin 2, Opposite the Odeon Pub, 
Dublin, Ireland 

Please note the event is SOLD OUT. If you are no longer able to attend, 
please email anyone below so your space can be released for someone else. 

Fabio at fcerullo at owasp.org 
Eoin at eoin.keary at owasp.org 
Rahim at rahim.jina at owasp.org  

A certificate of participation will be provided to those attending the 

** If you would like to be a sponsor of this or a future event please 
contact Fabio directly by mail for further details. 

Further details and schedule for the night will be available on the 
chapter page (https://www.owasp.org/index.php/Ireland). 

== Talk == 

Title: Define Security Requirements - A practical approach 


The Data Protection Act states that "appropriate security measures" must 
be taken to protect personal data. How do you specify the appropriate 
security measures for a website which processes personal data? It is an 
important step in a development project, but is often neglected. In this 
talk, Alexis will describe his own experiences of assessing web 
applications, and will also look in more detail at what the Data Protection 
Commissioner says. He will then take a fictional website and look at a 
practical approach to specifying the security requirements that the 
fictional application should meet. This will use the kind of risk-based 
techniques outlined by OWASP or the Microsoft Secure Development Lifecycle 
(SDL). Issues discussed will include encryption, authentication, access 
control, audit, etc. The result will be a list of security requirements 
that can be carried into the design and development phases. Attendees 
should be able to apply the ideas to their own development projects. 

== Presenters == 

Alexis FitzGerald 

For the last six years Alexis has worked for Rits Information Security 
Group, where he performs application penetration testing assignments as 
well as advising clients on application security issues. Before that, he 
spent many years as a developer (mainly in the financial sector), and he 
continues to be involved in development. Alexis holds an MSc in 
Information Security from the University of London, Royal Holloway. 

Further details and schedule for the night will be available on the 
chapter page ( https://www.owasp.org/index.php/Ireland ). 

2. OWASP AppSec Ireland 2010: Registration for event & training now OPEN

OWASP will hold its annual Ireland Application Security conference in 
Trinity College, Dublin on September 17 2010. 

The Conference will consist of one day of training sessions, followed by a 
one-day conference with 2 tracks. 
In 2009, we attracted a large number of delegates from across Europe, the 
Middle East and the USA, and expect even greater international 
representation in 2010.

== Call for Presentations == 

Reception of presentation synopses is now closed, and we will announce 
the conference speakers in the upcoming weeks.

== Registration NOW Open == 

We open registration for the conference TODAY so grab your ticket fast at 
the following URL:


== Training == 

We intend to hold application security training on 16/09/2010, the 
day prior to the event.

Secure Application Development: Writing secure code (and testing it)

Eoin Keary - Senior Manager, Ernst & Young, OWASP Board Member 
Rahim Jina - Senior Consultant, Ernst & Young, OWASP Ireland chapter board 

Writing secure code is the most effective method of securing your web 
applications. Writing secure code takes skill and know-how, but results in 
a more stable and robust application and helps protect an 
organisation's brand. 

Application security is not commonly a part of many computer science 
curricula today and most organizations have not focused on instituting a 
culture that includes application security as a core part of their 
software development training efforts. This intensive one-day course 
focuses on the most common web application security problems, including 
aspects of both the OWASP Top Ten (2010) and the MITRE Top 25.  The course 
will introduce and demonstrate application assessment techniques, 
illustrating how application vulnerabilities can be exploited so students 
really understand how to avoid introducing such vulnerabilities in their 

This training can be booked when getting a ticket to the event.

== Keynotes confirmed ==

John Viega: Executive Vice President, Perimeter E-Security 
Keynote: "Application Security in the Real World" - Considerations for 
AppSec in non-security companies. 

Professor Fred Piper: BSc, PhD (London), ARCS, DIC, CEng, CMath, FIEE 
Keynote: "The changing face of cryptography" 

Damian Gordon: PhD, School of Computing, Dublin Institute of Technology
Keynote: "Hackers and Hollywood: The Implications of the Popular Media 
Representation of Computer Hacking" 

== Sponsorship Opportunities == 

OWASP is providing sponsors exclusive access to its audience in Dublin, 
Ireland through a limited number of Expo floor slots, providing a focused 
setting for potential customers. The conference is expected to draw 150 - 
200 technologists who will be looking for ways to spend their remaining 
2010 budget and planning for 2010. Financial Services, Media, 
Pharmaceuticals, Government, Healthcare, Technology, and many other 
verticals will be represented.

Companies and organizations that have already confirmed their participation 
are: Cenzic, IRISS, IISF, IIA. 

If you would like to secure a sponsor slot for this conference please 
contact Eoin directly for further details.

For up-to-date information about this event please visit: 

3. OWASP ESAPI: NSA to perform an in-depth security review on Java ESAPI 

The NSA has offered to perform an in-depth security review of ESAPI and 
make the results available. For those who don’t have much experience with 
the NSA, a major part of their mission is defense.  In the past, they 
supported the National Computer Security Conference, created the Rainbow 
Series, and sponsored the SSE-CMM.  More recently they’ve been involved in 
SCAP and SE-Linux.

They have a team that is very experienced in cryptography and application 
reviews lined up already and they will be starting their work very soon.  
They are going to focus on the Java ESAPI version first, and may support 
other language versions when they’re ready – meaning their crypto is at 
least up to the Java 2.0 level.  Their initial estimate is that the review 
will take several months to complete and I’ll keep you posted on their 

4. Security Best Practices For Developing Windows Azure Applications 

Over the last few months, a small cross-group team within Microsoft, 
including the SDL team, has written a paper that explains how to use the 
security defenses in Windows Azure as well as how to apply practices from 
the SDL to build more secure Windows Azure solutions. 

Michael Howard states: "We wrote this paper because no matter how many 
defenses we add to Windows Azure, it is important that people building 
software or hosting services in “The Cloud” understand that they must also 
build software with security in mind from the start."

The paper also discusses some common threat scenarios, and provides 
mitigation guidance. 

More info and the link to the paper below:


5. Cross-Site Tracing (XST): The misunderstood vulnerability 

In January 2003 Jeremiah Grossman divulged a method to bypass the HttpOnly 
cookie restriction. He named it Cross-Site Tracing (XST), unwittingly 
starting a trend to attach "cross-site" to as many web-related 
vulnerabilities as possible.

Alas, the "XS" in XST evokes similarity to XSS (Cross-Site Scripting) 
which has the consequence of leading people to mistake XST as a method for 
injecting JavaScript. (Thankfully, character encoding attacks have avoided 
the term Cross-Site Unicode, XSU.) Although XST attacks rely on browser 
scripting to exploit the vulnerability, the vulnerability is not the 
injection of JavaScript. XST is a means for accessing headers normally 
restricted from JavaScript.

Confused yet? You can find the full article here: 
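The point the article makes is easier to see in code. The HttpOnly flag keeps a cookie out of document.cookie, but the HTTP TRACE method echoes the whole request, headers included, back in the response body, so a server that still answers TRACE hands the Cookie header to any script that can issue the request and read the reply. The following Python is an added example, not code from the newsletter or from the article it points to: it models both server configurations on loopback and runs the hardening check an administrator would run, sending a TRACE request with a canary header and reporting whether the canary is reflected. The cookie value, canary string and loopback ports are constructed for the example.

```python
"""Model of the Cross-Site Tracing condition and the server-side check for it.

Added example; the loopback servers, cookie value and canary are constructed.
"""
import http.client
import http.server
import threading


class HardenedHandler(http.server.BaseHTTPRequestHandler):
    """Server with TRACE disabled.

    BaseHTTPRequestHandler answers 501 Not Implemented for any method that
    has no do_<METHOD> handler, so simply not defining do_TRACE rejects it.
    """

    def do_GET(self):
        body = b"hello"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        # HttpOnly keeps this cookie out of document.cookie; TRACE reflection
        # is what would hand it back to page script regardless of the flag.
        self.send_header("Set-Cookie", "session=constructed-sample-value; HttpOnly")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example's output quiet
        pass


class TraceEnabledHandler(HardenedHandler):
    """Same server with TRACE left on: echoes the request line and headers
    back as message/http, which is exactly what XST relies on."""

    def do_TRACE(self):
        lines = [self.requestline] + [f"{k}: {v}" for k, v in self.headers.items()]
        body = ("\r\n".join(lines) + "\r\n").encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def trace_check(host, port, canary="xst-canary-constructed"):
    """Send one TRACE request carrying a canary header and report whether the
    server reflected it. A 200 with the canary in the body means request
    headers (Cookie included) are readable through TRACE."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"X-Canary": canary})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
        return {"status": resp.status, "reflected": resp.status == 200 and canary in body}
    finally:
        conn.close()


def check_handler(handler_cls):
    """Start handler_cls on a free loopback port, run trace_check, tear down."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    thread = threading.Thread(target=srv.serve_forever, daemon=True)
    thread.start()
    try:
        return trace_check("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for cls in (TraceEnabledHandler, HardenedHandler):
        print(cls.__name__, check_handler(cls))
```

Against the TRACE-enabled model the check returns status 200 with the canary reflected; against the hardened model it returns 501 and nothing reflected. The same check, pointed at a real server, is the quick way to confirm that TRACE is off (Apache's `TraceEnable off`, or the equivalent on other servers) after a configuration change, and it is the configuration fix, not the HttpOnly flag, that closes this class of issue.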

The OWASP Foundation Inc. professional association is always free and 
open to anyone interested in learning more about application security. 
Prior to participating with OWASP, please review the Chapter Rules and the 
OWASP overview for some background. As a 501(c)(3) non-profit professional 
association, your support and sponsorship of a meeting venue and/or 
refreshments is tax-deductible, and all financial contributions can be made 
online using the online chapter donation button. We encourage organisational 
and individual supporters of our ethics and principles to become a voting 
MEMBER. More information on how to become a member can be found here: 
