OWASP Netherlands Chapter Meeting
November 15th, 2012
"WEB-SRA and SQL Cipher"
This chapter meeting will be about (web) application security and iOS security.
18:00 - 18:30 Registration
18:30 - 19:30 WEB-SRA: Single Request Authorisation Web Knocking - Yiannis Pavlosoglou
19:30 - 19:45 Break
19:45 - 20:45 Addressing Insecure Data Storage with SQLCipher on iOS - Markus Maria Miedaner
WEB-SRA: Single Request Authorisation Web Knocking
Port knocking has been around for a long time. In this presentation we demonstrate the novel concept of web knocking. WEB-SRA is a Java client/server implementation for sending a single HTTP request in order to authorise a system command to be executed server-side for a particular user. This can be used as an additional layer of security for masking the existence of the Secure Shell (SSH) service on a particular host. In this talk we will demonstrate this solution as implemented on a mobile device, used to enable SSH and give us access to it over the internet.
Yiannis spends a lot of time implementing and helping put together security controls on application systems, while weighing up the risk. Currently he works within a financial institution based in London, UK. He is an OWASP member, sits on the Application Security Advisory Board of the (ISC)2, holds a PhD in IT security and is CISSP certified.
Addressing Insecure Data Storage with SQLCipher on iOS
The first mobile risk listed in the OWASP mobile security project is insecure data storage. This talk demonstrates how to address that risk on iPhone and iPad devices using SQLCipher. By requiring user input to be entered when the app is launched, an encrypted database can be created for storing data locally on the device in an offline mode. In this talk we will examine the footprint of a demo application on a jailbroken iPhone and assess the feasibility of brute-forcing the key that unlocks such a database.
Markus Maria Miedaner
Markus grew up on Linux systems. He works as a consultant and an IT architect for Syracom Consulting AG. For OWASP, he has worked on JBroFuzz, reviewed ZAP and participated in 2012 in the "Webbaustein" given to the German Chapter by the BSI. He and Yiannis have worked together on several security projects over the years. Currently, Markus is developing a methodology for agile, secure software development on the Confluence and Jira platform from Atlassian. He holds a PhD in Geosciences and is CISSP certified.
NCSC is housed in the Beatrixpark building of the Ministry of Social Affairs and Employment (SZW). It is located on the left-hand side, diagonally opposite the Laan van Nieuw Oost Indië (NOI) train station.
The building can be easily reached by public transport. There are direct rail links from and to Den Haag HS, Zoetermeer, Amsterdam and Rotterdam Hofplein. Trains from and to Utrecht run via Den Haag CS.
Randstadrail 3 (direction Zoetermeer centrum-west (city centre-west))
Tram 2 (direction Leidschendam Noord (North))
Bus stop: Train station Laan van Nieuw Oost-Indië (NOI)
From Rotterdam: A13 - A4 - A12
From Amsterdam: A4 – A12
From Utrecht: A12
Take exit 3, Bezuidenhout/Mariahoeve. At the end of the exit turn right onto the Schenkkade. Turn right at the second set of traffic lights; the entrance to our office is located on the right-hand side after 200 metres.
From Leiden: A44 – N44
Follow the signs for Den Haag, in the direction of Voorburg/Leidschendam. Turn right before the railway bridge; the entrance to our office is located in the bend after 500 metres on the left-hand side.
Reserve a parking place via your contact person. There is only a limited number of parking places and the buildings are located in a paid parking zone, which is why we recommend using public transport when visiting NCSC.
The entrance to the parking garage under the Beatrixpark is on the railway side of the building.
OWASP Netherlands Chapter
OWASP Foundation is a professional association of global members and is open to anyone interested in learning more about application security. Local chapters are run independently and governed by the Chapter Leader Handbook. As a 501(c)(3) non-profit professional association.