Joint meeting with ISSA-UK Bristol at our sponsor: Grant Thornton Bristol
Explore the many ways we can hack an (intentionally) insecure website and how to fix the problems.
Learn about threat modelling used in Secure Development Lifecycles and how to use Threat Dragon modelling tool.
Agenda:
• 6:30 pm - Social
• 6:55 pm - OWASP update
• 7:00 pm - Presentation 1: Let's hack a website - Craig Francis
• 8:00 pm - Presentation 2: A short introduction to Threat Modelling - Jon Gadsden
Presentation 1: Let's hack a website
Abstract: We will look at the most (intentionally) insecure website ever created, and work out how many ways we can hack it - discussing each approach, with a quick demo, along with ways to fix the problems.
Bio: I'm Craig Francis, and I've been creating websites for a while (let's just say that I once considered IE6 a good thing). Those websites help businesses operate on a daily basis (invoices, diaries, reports, etc), and operate with Security, Performance, and Accessibility in mind. From a security point of view, I created the first website to gain 130 points on the Mozilla Observatory.
Presentation 2: "A short introduction to Threat Modelling
Abstract: This short introduction will provide an overview of threat modelling used in Secure Development Lifecycles, and covers:
• Threat Models
• The tools used to create them
• Why they are useful
• Open source Threat Dragon
• How to get involved
Bio: Jon is an embedded C/C++ engineer who specialises in product security and secure development lifecycle activities. For the last few years he has been a security advocate at Cisco, a role which requires interest and knowledge of secure development along with a hefty dose of tact. Jon tends to enjoy threat modeling more than static analysis, and penetration testing more than security baselines ... but it is all good.
In his spare time he likes to help organise security conferences and contribute to open source projects - the latest being the OWASP Threat Dragon modelling tool.