OWASP Helsinki chapter meeting #38


Details
Time: 17:30-21:00
Agenda
17:30 Welcome coffee
18:00 Opening words, Petteri Arola, Chapter leader - OWASP Helsinki
18:05 Words from the sponsor, Juho Ranta, CTO - Second Nature Security (2NS)
18:15 What's new in the ASVS 4.0, Josh Grossman, OWASP ASVS Project co-leader, Head of Security Services, AppSec Labs
19:15 Break
19:30 How to determine the security of a mobile authentication app, Petteri Ihalainen, Senior Specialist, Traficom
20:15 If you like it then you shoulda put a TPM on it 🎵, Gabriela Limonta, Security Researcher, Nokia
21:00 Snacks/BBQ, Refreshments, Sauna & Jacuzzi
Abstracts:
What’s new in the ASVS 4.0 - Josh Grossman, OWASP ASVS project co-leader, Head of Security Services at AppSec Labs
OWASP’s Application Security Verification Standard (ASVS) is one of the few comprehensive guides of security requirements for applications. The 4.0 version, released in March 2019, represents a significant update with many new features as well as structural changes. In this talk, Josh, one of the project co-leaders, will go through what the ASVS is and how it is put together, with a particular focus on what has changed in this new version. He will also talk through some of the more interesting new requirements and show how you can help shape the future of this important standard.
More about OWASP ASVS: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
Josh Grossman was the main contributor to the just-released OWASP ASVS 4.0.
---
How to determine the security of a mobile authentication app - Petteri Ihalainen, Senior Specialist, Traficom
The market is littered with mobile authentication apps, from simple OTP generators to sophisticated PKI & biometrics applications. But they all share the same challenge: how can they prove that they are actually secure? This presentation takes a look at the unique challenge in evaluating the security of mobile authentication apps in the context of national regulation and eIDAS. We will present a global proposal for proving the security of a mobile authentication app. The proposal can be adopted by e.g. governments, organisations deploying app-based authentication solutions, or app vendors to evaluate how their systems can resist various types of attacks.
---
If you like it then you shoulda put a TPM on it 🎵, Gabriela Limonta, Security Researcher, Nokia
Abstract: Due to the growth in cloud computing, many industries are deploying their systems in virtualized environments. One concern in virtualized environments is to guarantee the integrity of the hardware platform which runs the virtual workload. Trusted Computing denotes a set of technologies that can be used to provide trustworthy platforms by leveraging the Trusted Platform Module (TPM) chip, available in most modern computing platforms.
The TPM provides secure storage of keys, confidential data, certificates, cryptographic measurements of system components, as well as cryptographic functions and key generation. We can use this device to guarantee the integrity of the software running on a platform, from the BIOS up to run-time components.
Free of charge, welcome!
