The next OWASP meetup in Krakow will be hosted by Ocado Technology.
Two Ocado specialists will share their knowledge and experience with application security issues in a global organization.
Please RSVP, save the date and spread the word!
1. The Slower the Stronger: A Story of Password Hash Migration
(Tomasz Borowiec, Senior Software Engineer, Ocado Technology)
Did you know that a single modern GPU is able to compute almost 20 billion MD5 hashes in a second? That’s why we need SLOW hashing algorithms!
This talk is a case study of a successful migration of www.ocado.com customer password hashes. I will not only show you the “why”, “what” and “how”, but also what was problematic, what went wrong and how we dealt with it.
I will talk about slow hashing algorithms - such as Argon2, PBKDF2, BCrypt or SCrypt - and compare them to other popular hashing algorithms - like MD5 or SHA1. Next, I will tell you a story of hashes which took about 80 ms to compute - not slow enough, fairly easy to crack. I will show you what our password hashing code looks like and I will guide you through our migration plan, describing in detail how we executed it, and what problems we encountered on the way.
I have been working as a Java programmer for almost 10 years now. I like good design, clean code and tests, but most of all I like code that works. I am interested in software security, both on the offensive and the defensive side.
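One shape such a migration can take, as an added illustration that is not the talk's or Ocado's code: a legacy unsalted MD5 record is upgraded to salted PBKDF2-HMAC-SHA256 either on the user's next successful login, or immediately for every row by wrapping the stored MD5 digest in PBKDF2 (the MD5 layer is then dropped at next login), and records hashed with a lower work factor are re-hashed too. The record format, scheme names and iteration count are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor for the new scheme (not a value from the talk).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_md5(password: str) -> str:
    """The 'before' scheme: unsalted MD5, far too fast to resist offline cracking."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def _pbkdf2(secret: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)


def _encode(scheme: str, iterations: int, salt: bytes, digest: bytes) -> str:
    b64 = lambda b: base64.b64encode(b).decode()
    return f"{scheme}${iterations}${b64(salt)}${b64(digest)}"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """The 'after' scheme: per-user salt plus a tunable iteration count."""
    salt = os.urandom(SALT_BYTES)
    return _encode("pbkdf2_sha256", iterations, salt, _pbkdf2(password.encode(), salt, iterations))


def wrap_legacy(stored_md5: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Batch migration without the plaintext: slow-hash the existing MD5 digest itself,
    so every row gains the work factor now; the MD5 layer is removed at next login."""
    salt = os.urandom(SALT_BYTES)
    inner = stored_md5.split("$", 1)[1].encode()
    return _encode("pbkdf2_sha256+md5", iterations, salt, _pbkdf2(inner, salt, iterations))


def verify_and_upgrade(stored: str, password: str):
    """Return (ok, new_record); new_record is not None when the row should be rewritten."""
    scheme, *rest = stored.split("$")
    if scheme == "md5":
        ok = hmac.compare_digest(stored, legacy_md5(password))
        return ok, (hash_password(password) if ok else None)
    iterations, salt, digest = int(rest[0]), base64.b64decode(rest[1]), base64.b64decode(rest[2])
    secret = password.encode()
    if scheme == "pbkdf2_sha256+md5":  # wrapped record: reproduce the inner MD5 layer first
        secret = hashlib.md5(secret).hexdigest().encode()
    ok = hmac.compare_digest(_pbkdf2(secret, salt, iterations), digest)
    needs_rehash = scheme != "pbkdf2_sha256" or iterations < PBKDF2_ITERATIONS
    return ok, (hash_password(password) if ok and needs_rehash else None)
```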
2. Threat Modeling: Report from the Trenches
(Mateusz Niezabitowski, Application Security Engineer, Ocado Technology)
You might’ve heard about Threat Modeling - you know, the thing everyone is saying you should be doing, but you aren’t? We’ve actually started a company-wide Threat Modeling effort in Ocado a while ago, and we were surprised by quite a lot of things. So today I want to share with you why we are very committed to Threat Modeling anyway, how we’ve built the internal Threat Modeling process using OWASP Cornucopia, and all the lessons we’ve learned so far.
Former Software Developer who has discovered that while building applications is fun, breaking them is even more so! He currently uses the acquired knowledge to help his colleagues write more secure applications.