Chapter Meeting #14: 1st of February, 2018

You are invited to the next OWASP Bucharest Chapter meeting, on 1st of February 2018, from 19.00.
https://www.owasp.org/index.php/Bucharest#tab=Upcoming_events

19:00 - 19:15 Introduction and OWASP news
19:15 - 20:00 Handling of Security Requirements in Software Development Lifecycle - Daniel Kefer - Head of Application Security, 1&1 Mail & Media Development & Techhnology GmbH

The bigger the company you're working in, the more technologies and methodologies used by development teams you are going to face. At the same time, you want to address security risks in an appropriate, reliable and traceable way for all of them.
After a short introduction of a unified process for handling security requirements in a large company, the main part of the talk is going to focus on a tool called SecurityRAT which we developed in order to support and accelerate this process.
The goal of the tool is first to provide a list of relevant security requirements according to properties of the developed software (e.g. type of software, criticality), and afterwards to handle these in a mostly automated way - integration with an issue tracker being used as a core feature.
Work in progress (currently targeting mainly integration to other systems, automated testing of requirements and reporting) as well as future plans will form the last part of the talk.

20:00 - 20:45 Presentation: Less Known Web Application Vulnerabilities - part 2 - Ionut Popescu - Senior Application Security Engineer, 1&1 Internet Development Romania

Many application programs (including their testing strategies) rely on rather simple standards, sometimes even as simple as OWASP Top Ten. This often leads to a false sense of security – developers tend to believe that if they have worked their way through ready-made checklists and took proper care of the well-known topics like authentication, authorization or using parameterized queries, there should be no big surprises ahead.
Nevertheless, the real world of application security is way more complicated than this. New attack vectors are being found on a regular basis and security standards and vulnerability libraries tend to get obsolete pretty fast. It’s nearly impossible to keep on track regarding all vulnerabilities which an application can be vulnerable to.
The goal of this talk is to raise awareness about this topic. Several less known security vulnerabilities will be explained, shown in practice and mitigation strategies will be proposed.

See you soon!