OWASP Meetup at FOI - bits and bytes, by Nikola Strahija on February 28th, 2016. We bring you a short recap of the OWASP meetup that was held at FOI in Varaždin, Croatia this past Friday (Feb 26th 2016).
The meetup started with a short presentation by Jasna Bencic about the DORS/CLUC (Days of Open Systems / Croatian Linux Users' Conference) conference. We learned that DORS has been going on for 23 years, that attendees come from all around the world and that it takes place at the Faculty of Electrical Engineering (FER) in Zagreb, Croatia. She informed us about some of the talks that were given during previous conferences and what to expect this year on May 11-13th. DORS is growing every year in quality and quantity, is the largest conference of its kind in Eastern Europe and you should definitely check it out.
The organizer, Tonimir Kisasondi, then gave an hour-long talk on Developing (reasonably) secure applications. The talk started by explaining why planning is important and why security has to be one of the requirements, and continued to OWASP ASVS - the Application Security Verification Standard. He then went through the top 10 vulnerabilities and an ESAPI implementation (with some source code), followed by several real-life examples.
By the way, during his presentation his computer kept locking the screen every 5 minutes - I haven't checked whether his webcam has a sticker on it or not.
After a short break Bernard Toplak gave a talk titled "Post-Password Era - safe(r) methods of authentication".
He compared passwords with PKI, token generators, and old and new authentication methods. We learned about the differences between the token generators that are commonly used in Croatia, their pros and cons, and the Java+browser requirements of banks and the Croatian IRS. The latter gives IT departments a huge headache in the OS+browser+Java version realm just to be able to sign a document digitally instead of using a token generator. Bernard finished the talk by answering quite a few questions from the attendees.
Last but not least was a presentation by Miroslav Stampar from the Croatian Government's CERT on his concept "ABcD", a browser plugin for Automated Bug (cruised) Discovery. ABcD is still a concept; basically it would test for vulnerabilities while you browse the web. The first prototype might see the light of day in about 2 months and could be the start of a whole new era of script kiddies.
As a long-time developer of sqlmap, Miroslav has probably given over 50 talks and presentations in his career. I can't wait to see ABcD in action.