Thursday, 18 May 2017

OWASP London chapter meeting (Guest Speaker)

It is a great honour to have been invited to speak at the OWASP London Chapter meeting this May (Thursday, 18 May 2017, Central London).
More importantly, as this meeting is sponsored by WorldPay, it is a fantastic opportunity to share previous work I have done on payment systems over the past few years.

Allow me to say a big Thank You to the OWASP London Chapter organisers for the work they put in to keep the London chapter so live & active, and of course to WorldPay, for supporting this meeting, and for being so kind to host it at their premises. If you are interested in finding out more about OWASP, make sure you attend the OWASP Summit 2017.

Given the opportunity of this blog post, I would also like to thank you all for your messages about my talk. I am very pleased to hear that the tickets for the OWASP London Chapter meeting this month sold out so fast that the organisers had to activate the waiting list. The organisers also mentioned that, due to the high demand, they will consider live streaming. So, stay tuned for updates on that, as I am planning to schedule a number of tweets to go out before and during the talk. For updates you can follow me on Twitter: @drgfragkos


The title and abstract of the talk can be found here:
Threat Modeling against Payment Systems

Payment systems are part of our everyday lives, with most of the transactions performed through the use of a Point-of-Interaction (POI) device or a Virtual Terminal.
Although payment terminals and virtual terminals make use of strong encryption and a secure communications channel, the Point of Sale (POS) is still a target for cyber-criminals.
The malware affecting point-of-sale systems seen in previous years has demonstrated that criminals continually adapt to find ways to target card payment channels and keep the cycle going.
This presentation, however, attempts to go a step further and assess payment systems from a hypothetical attacker's point of view, by undertaking a threat modeling exercise against payment systems.
The purpose of the threat modeling is to provide defenders with a number of scenarios (attack vectors) that attackers could use while their activity remains unnoticed.
One of the most important lessons of this Threat Modeling exercise was the discovery of a potential scenario that could allow cyber-criminals to shift from targeting Card Holder Data (CHD) to targeting the money directly, without having to steal a single card number.

Obviously I had to write a few things about my talk first, but the OWASP London meeting has remarkable people who will be presenting on the day. Apostolos Giannakidis, Dinis Cruz, and Edwin Aldridge will also be speaking at the chapter meeting. The agenda for the day is full of application security, security testing, security in the SDLC, and many other interesting topics regarding information security. You will find all the information below.

Event Invitation and the day's schedule can be found here:
The next OWASP London Chapter meeting will take place on Thursday, 18th May 2017 at 18:30
This event is kindly sponsored and hosted by Worldpay
Location: Worldpay, The Walbrook Building, 25 Walbrook, London EC4N 8AF
Nearest Tubes: Bank (take exit 8 towards Walbrook) and Cannon Street (2-minute walk)
Time: Doors Open at 6pm, the talks start at 6:30pm (we start on time).

Talks:

  • OWASP Introduction, Welcome and News - Sam Stepanyan and Sherif Mansour
Welcome and an Update on OWASP Projects & Conferences from the OWASP London Chapter Leaders.
  • Threat Modeling Against Payment Systems - Dr. Grigorios Fragkos
Payment systems are part of our everyday lives, with most of the transactions performed through the use of a Point-of-Interaction (POI) device or a Virtual Terminal. Although payment terminals and virtual terminals make use of strong encryption and a secure communications channel, the Point of Sale (POS) is still a target for cyber-criminals. The malware affecting point-of-sale systems seen in previous years has demonstrated that criminals continually adapt to find ways to target card payment channels and keep the cycle going. This presentation, however, attempts to go a step further and assess payment systems from a hypothetical attacker's point of view, by undertaking a threat modeling exercise against payment systems. The purpose of the threat modeling is to provide defenders with a number of scenarios (attack vectors) that attackers could use while their activity remains unnoticed. One of the most important lessons of this Threat Modeling exercise was the discovery of a potential scenario that could allow cyber-criminals to shift from targeting Card Holder Data (CHD) to targeting the money directly, without having to steal a single card number.
  • Lightning Talk 1: OWASP Top 10 2017 Changes - Dinis Cruz
Dinis will update us on the latest OWASP Top 10 2017 Release Candidate, the proposed changes and the controversy surrounding the new A7.
  • Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM - Apostolos Giannakidis
A great number of Java applications utilize native Object Serialization to transfer or persist objects. It has recently become widely known that the deserialization process in Java is flawed and, if not used properly, it can be easily abused by attackers. This talk provides an introduction and detailed overview of the problem of Java deserialization. You will understand the basic concepts of how Java deserialization exploits (gadget chains) work. Additionally, you will learn what solutions exist to the problem and the advantages and disadvantages of each. Finally, a new approach will be presented that protects the JVM from these attacks using a completely different approach than any other existing solution.
  • Lightning Talk 2: Security solutions for developers who have no time for security - Edwin Aldridge
Within a large organisation, different IT groups support different business areas. They typically use different technology stacks and operate different SDLCs. Small projects in particular have short development cycles and do not always have time to educate new developers in secure coding. This makes targeting of security education difficult, and training which is not followed up by practice is quickly forgotten. The OWASP Cheat Sheets provide a concise source of sound advice, but they can still leave the development team with a lot to do. They can be more complicated than necessary for a simple project. This lightning talk aims to sound out interest in an even more concise approach compared with the OWASP Cheat Sheets.

Speakers:

Dr. Grigorios Fragkos
Dr. Grigorios Fragkos is the Head of Offensive Cybersecurity for DeepRecce. He has a number of publications in the area of Computer Security and Computer Forensics, with active research in CyberSecurity and CyberDefence. His R&D background in Information Security, including studies on applied CyberSecurity at MIT, along with his experience in the CyberDefense department of the Greek military, is invaluable when it comes to safeguarding mission critical infrastructures. As part of his PhD research he wrote the next generation SIEM, with "notional understanding" of network events for real-time threat assessment. Grigorios (a.k.a. Greg) has been invited to present at a number of security conferences, workshops and summits over the years, and he is also the main organiser for Security BSides Athens. Thinking ahead and outside-the-box when dealing with information security challenges is one of the key characteristics of his talks.
Apostolos Giannakidis
Apostolos Giannakidis is the Security Architect at Waratek. Before joining Waratek in 2014, Apostolos worked at Oracle for 2 years, focusing on Destructive Testing on the whole technology stack of Oracle and on Security Testing of the Solaris operating system. Apostolos has more than a decade of experience in the software industry and holds an MSc in Computer Science from the University of Birmingham.
Dinis Cruz
Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to 'Automate Application Security Knowledge and Workflows'. Dinis is also one of the authors of OWASP SAMM - Software Assurance Maturity Model.
Edwin Aldridge
Edwin Aldridge is an IT security consultant with a background in development who has worked for various financial institutions in the City of London and is currently focused on application security and red teaming.


1 comment:

  1. Your post is very useful. I am truly to this blog, which is specially designed about the cyber security attack scenarios. It helped me with an ocean of awareness, so I really appreciate your blog.