Security BSides Dublin 2019

I am very pleased to see Security BSides Dublin 2019 (www.bsidesdub.ie) @BSidesDublin becoming a reality and running for the first time this year. It was a very well organised event that brought together approximately 300 people from around the world in the beautiful city of Dublin. I have traveled numerous times in Dublin and have made many good friends there. This time however, it became a visit to remember!

Talk title: 
Cyber Security in evolutionary terms (food-for-thought), by Dr. Grigorios Fragkos

Abstract:
The Red Queen hypothesis, also referred to as the Red Queen effect, is an evolutionary hypothesis which proposes that organisms must constantly adapt, evolve, and proliferate not merely to gain a reproductive advantage, but also simply to survive while pitted against ever-evolving rival organisms in a continuously changing environment. 

Let's explore under a Cyber lens this evolutionary hypothesis in contrast to the evolving (cyber)threats and our adaptation (as professionals) to equally evolve our Cyber Resiliency capabilities (as an industry). This presentation is an opportunity to explore as professionals our security mindset and draw some personal conclusions on our Cyber Security culture in order to better ourselves.

From user awareness all the way to Cyber Resilience, from developing by writing secure code to the effort it takes in breaking it, from gaps in hiring talents to hiring for the right reasons, this brief session is intended to spark a personal "eureka" moment in the mindmap of each security professional inside and outside the room.

Looking forward to next year's event! 

Guest Speaker at the University of South Wales

Invited by USW Cyber Security Society and Information Security Research Group in University of South Wales to present my talk "A holistic view on Cyber Security in evolutionary terms (food-for-thought)". This is also part of our OWASP (OWASP London Chapter) initiative to reach out to Universities and share expert knowledge in the security and cybersecurity space. 

"Thank you very much for all your sharing today at USW. Just wanted to say you are such an inspiration to me and many others" Maria Peng Wang

See Talk Details --->

Guest Speaker at Cardiff University

Invited by Complex Systems Research Group in University of Cardiff to present my talk "A holistic view on Cyber Security in evolutionary terms (food-for-thought)". This is also part of our OWASP (OWASP London Chapter) initiative to reach out to Universities and share expert knowledge in the security and cybersecurity space.

Feedback:
"The talk was one of the most useful I have attended during my PhD because it is unusual to speak to someone who can relate between research and industry in cyber security. It was really encouraging and made me look forward to working in the space after my PhD" Matilda Rhode 

"Very Inspiring and a Great Talk" Irene Anthi

See Talk Details --->

OWASP Cambridge at Anglia Ruskin

I was invited by OWASP Cambridge and Adrian Winckles to present my talk "A holistic view on Cyber Security in evolutionary terms" hosted by the Cyber Security Networking & Big Data Research Group, Anglia Ruskin University. 

This evening is part of a series of evening events on raising awareness for local businesses & organisations on the issues of cyber security and cybercrime, what regulations and legislation do organisations need to be aware to protect themselves and what is considered best practice in these challenging times. read more

“Greg is an extremely motivational speaker in the cyber security sector who speaks with a passion accentuating the key messages and issues that the community needs to hear and understand” Adrian Winckles

Adrian Winckles
MSc BEng CEng CITP MBCS
Cyber Lead & Director of Cyber Security & Networking Research Group
(OWASP Cambridge Chapter Leader)
(UK Cyber Security Forum - Cambridge Cluster Chair)
(BCS Cybercrime Forensics Vice Chair)
Anglia Ruskin University
Twitter:  @botflowking

See Talk Details --->

OWASP London at JP Morgan (NCSAM 2018)

Due to the fact October is considered National Cyber Security Awareness Month (aka NCSAM) we were planing an OWASP London Chapter meetup. The meetup was hosted by JP Morgan at Canary Wharf, and it was an opportunity to deliver a talk around Cyber Security and how (cyber)threats have been evolving over the years. 

This time our lineup of talk included:

• "If You Liked It, You Should Have Put Security On It" - Zoë Rose (@5683Monkey)
• "Lessons From The Legion (The OWASP London Remix)" - Nick Drage (@SonOfSunTzu)
• "A holistic view on Cyber Security in evolutionary terms (food-for-thought)" - Dr. Grigorios Fragkos (@drgfragkos)

OWASP London Chapter at 44CON

Yes, we are here once again this year, leading the #CyberLondon scene. Information Security, Application Security, Cyber Security, Cyber Defence at #44CON with #OWASP and global Security BSides (London, Athens, Manchester, Amsterdam, Tel Aviv, Lisbon, Cape Town).
#respect #collaboration #inclusion #community #InfoSec #AppSec #CyberSecurity #EthicalHacking #CyberRisk #ThoughtLeadership #CyberSecurityAwareness

@44CON is a well-established security conference in London, with hackers coming to attend and present from all over the world.

The OWASP London Chapter was there.

If you didn't know, there is a whole bus in the venue, that serves drinks. The happy hour is when it is #Gin o’clock at @44CON! View from the top of the bus!

OWASP London Chapter at Facebook

Yes, this whole surface is a screen at the headquarters of Facebook in London. We have been invited by Facebook to host the OWASP London Chapter meet-up at this amazing space. 

T1: "Bug Hunting Beyond facebook.com" - Jack Whitton
Facebook's Whitehat bug bounty program receives 1000's of security bug reports annually, covering a wide range of issues and products. Come listen to some of the interesting bugs Facebook's Whitehat program team handled over the past year, and some pro-tips when looking for bugs outside of "facebook.com".

L1: "Open Source for Young Coders" - Hackerfemo
Inspirational 12 year old Hackerfemo will tell us all about how open source helps him run coding and robot workshops for 10-16 year olds throughout the world.

T2: "Reviewing and Securing React Applications" - Amanvir Sangha
As developers start using front-end frameworks such as React they must be made aware of any related security issues. Whilst React provides developers with proactive measures such as output encoding, there still exist edge cases which can lead to cross-site scripting issues. This talk explores common security issues in the framework and how to defend against them

L2: - "Introducing OWASP Amass Project" - Jeff Foley (remote)
Jeff will introduce the OWASP Amass project - a tool which obtains subdomain names by scraping data sources, recursive brute forcing, crawling web archives, permuting/altering names and reverse DNS sweeping. All the information is then used to build maps of the target networks.

The video recordings of the OWASP London Chapter talks: 
OWASP London Chapter Youtube channel

More Information, presentations, and upcoming events: 
OWASP London Chapter wiki

OWASP London Chapter at Microsoft Reactor

We had the pleasure of having one of our OWASP London Chapter events hosted by Microsoft, at its community space called Reactor London. 

T1: "From zero to hero: building security from scratch" - Anthi Gilligan

Breaches mean financial, regulatory, legal, and above all reputational repercussions. Organisations are quick to react, however with security professionals in high demand and low supply, there has been an increase in individuals jumping on the “cybersecurity” bandwagon. In this talk, we discuss the pitfalls of the inadequately qualified “cybersecurity expert”, and examine the building blocks of a solid information security management system

T2: "Smart Contract Security" - Evangelos Deirmentzoglou 

Dapps and many Initial Coin Offerings (ICOs) run on smart contracts and tend to process a substantial amount of funds. This makes them a target, and therefore they often undergo attacks. Combined with the blockchain immutability, vulnerabilities undiscovered during development will exist forever in the blockchain. This talk will dive into the most common smart contract security vulnerabilities and provide in-depth knowledge on how these issues occur and their mitigation. Real world examples will be discussed and vulnerabilities like re-entrancy, overflows, gas limit attacks etc. will be demonstrated

L1: "Driving OWASP ZAP using Selenium" - Mark Torrens 

OWASP ZAP is great tool but it's not magic! When used in a CI/CD pipeline, ZAP needs some help to discover the routes through a web application. Basic authentication, user logins and form validation can all stop ZAP in its tracks. I show how to drive ZAP using Selenium scripts and increase the security coverage of a web application.

The video recording of the talks from this event: 
OWASP London Chapter Youtube channel

More Information, presentations, and upcoming events: 
OWASP London Chapter wiki

Global OWASP AppSec EU 2018

The OWASP Global Application Security Conference took place this week in the heart of London. see: OWASP AppSecEU 2018

The QEII conference centre, just across the Westminster Abbey was packed with brilliant minds from all over the world, dedicated in advancing security across all technologies. 

The premier application security conference for European developers and security experts. AppSec EU provides attendees with insight into leading speakers for application security and cyber security, training sessions on various applications, networking, connections and exposure to the best practices in cybersecurity.

As an OWASP London Chapter leader, (@OWASPLondon) it was an honor to be part of the team that delivered this amazing 1 week event. 

The OWASP foundation staff and board did an amazing job and we all enjoyed working together. We reached out to all OWASP chapters across the globe and we are dedicating ourselves in amazing things to come. 

Security BSides Amsterdam 2017

My passion for contributing to the information security community as much as possible, led me into getting myself involved with the formation of another information security conference. After a number of discussions, I decided to help out with putting together a Security BSides conference in the Netherlands. More specifically, the first ever Security BSides Amsterdam 2017 (www.bsidesams.nl) took place on Friday, 1/Sep/2017 in the heart of Amsterdam, at Zalen Pakhuis de Zwijger B.V. (dezwijger.nl). 

We tried to engage the Dutch information security community as much as possible as this was  our first attempt to make this conference a reality. We were very pleased to have so many speakers submitting a talk to the conference, and the support of OWASP and especially OWASP Netherlands. 

On our account on peerlyst you will find a list of all the talks of the day, along with their respective YouTube video. 

You can also find all of the videos on our YouTube channel, all combined in one playlist here. 

OWASP London chapter meeting (Guest Speaker)

It is a great honour to have been invited to speak at the OWASP London Chapter meeting this May. (Thursday, 18 May 2017 - Central London)
More importantly, as this meeting is sponsored by WorldPay, it is a fantastic opportunity to share previous work I have done on payment systems over the past few years.   

Allow me to say a big Thank You to the OWASP London Chapter organisers for the work they put in to keep the London chapter so live & active, and of course to WorldPay, for supporting this meeting, and for being so kind to host it at their premises. If you are interested to find out more OWASP, make sure you attend the OWASP Summit 2017.

Given the opportunity for this blog-post, I would also like to thank you all for your messages about my talk. I am very pleased to hear that the tickets for OWASP London Chapter meeting this month were sold-out that fast and that the organisers had to activate the waiting list. The organisers also mentioned that due to the high demand, they will consider live streaming. So, stay tuned for updates on that as I am planning to schedule a number of tweets to go out before and during the talk. Thus, for updates you can follow me on Twitter: @drgfragkos

30 days to go for the OWASP Summit 2017

Owasp will host its 2017 Global Summit in London where hundreds of participants will join forces in Working Sessions focused on solving hard Application and Cyber Security problems.

This is not a conference with unidirectional presentations. Using the same model as the past two OWASP Summits in Portugal, this 5-day event will be a high-energy experience, during which attendees get the chance to work and collaborate intensively. Every thoroughly prepared working session is geared towards a specific application security challenge and will be focused on actionable outcomes.

With participants flying from all over the world and from major security/development teams, service/product providers and research organizations, this is the place to be to learn and collaborate with industry peers (and even competitors).

The event is split over the following tracks, each focusing on a specific set of challenges:

• Threat Modeling - This is one of the strongest tracks, with most of the core Threat Modeling talent in the world joining forces and collaborating
• OwaspSAMM - This is another track where we have the main contributors and users of this Owasp project participating at the Summit
• DevSecOps - This track has been generating quite a buzz among participants, since it is addressing real pain points and problems that companies face today
• Education - Always strong in OWASP, this track ranges from University master degree to how to create the next generation of AppSec professionals
• Mobile Security - Another track where the key Owasp leaders of Mobile-related Owasp projects are participating
• CISO - This track reaches a wide audience of CISOs and covers a wide range of CISO-related topics
• Research - This track covers really important and interesting research topics (it’s important to look at the future and work on the next generation of Application Security)
• Agile AppSec - This is a track driven by a couple participants who really care about Agile and want to find better ways to integrate it with AppSec practices
• Security Crowdsourcing - This is a track that is focused on scaling AppSec activities via internal and external crowdsourcing
• Owasp Project’s Summit - Last but not least, this track has 31x Working Sessions directly related to an Owasp Project (with most having the Project Leader participating)

OWASP Top 10 (2017 Release Candidate) - Thoughts

OWASP Top 10 2017 Release Candidate - PDF

I understand the importance of highlighting the Underprotected APIs (A10), and I do agree with the importance of it. However, to my eyes this is another stage during a security assessment, while the penetration tester is engaging into testing for different types of Injections (A1). 

I believe Injections (A1) should include the Underprotected APIs.
(especially based on the example attack scenarios given in the PDF page 17 for the Top 10 RC)

From what I have seen on several real-world projects, Unvalidated Redirects and Forwards, is a very common security issue (when you manage to identify where it is hiding) but it is not highlighted in security reports (and penetration testing reports) that often. Thus, it seems and fills like, it is not that popular as a finding. 

One of the main reasons this particular security issue is not mentioned that often, is because businesses (the business perspective) see this highlighted risk as a "two-step attack", so, instead of addressing it, they simply "accept the risk".

From what I have seen in different real-life projects, dropping "A10 – Unvalidated Redirects and Forwards" will be mistakenly perceived (misunderstood) as an "insignificant" security issue, while, it can be used to spawn a number of attacks. 

If an attacker manages to redirect/forward a user to a fraudulent website (that looks exactly like the legitimate one), then it is game-over for that user. How many of you remember the issues with the Unicode URLs back in the day? In one case, two companies lost a significant amount of money because of a fraudster, due to this "insignificant" issue.

Just to mention a couple very recent examples: 
punicode https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
or the unvalidated redirect on linkedin, which allowed to download malware from linkedin redirects (even though they were hashing the urls).
https://gfragkos.blogspot.co.uk/2015/06/linkedin-security-issue-unvalidated.html

So, in my humble opinion, A1 should be Injections that include calls to Underprotected APIs: 
A1 - Injections, including Underprotected APIs

and keep:
A10 - Unvalidated Redirects and Forwards. 

This blog post is intended to be perceived as food-for-thought.