I recently had a chance to visit Taiwan, all thanks to the OWASP Taiwan Chapter for inviting me as a speaker for OWASP Taiwan Week 2017 and for being such wonderful hosts. Here’s a quick summary of the event from my point of view.
OWASP stands for Open Web Application Security Project. Here’s more in their own words:
The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations are able to make informed decisions. OWASP is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.
It’s popularly known for the OWASP Top 10, a list of the ten most urgent issues that developers, managers, and architects should definitely address while assessing the security of their web applications. It’s based on data collected from various organisations, surveys done by experts and vulnerabilities gathered from more than 100,000 applications. The list is sorted and prioritized based on this data and on common consensus across the community, using metrics like the likelihood and impact of each vulnerability.
OWASP recently released the much-awaited 2017 version of the Top 10. We had a lot of discussion around this last week; I’ll write a separate article on how I and others felt about the latest changes introduced to the OWASP Top 10 (I’m no security researcher, so expect an engineer’s perspective).
OWASP Taiwan & OWASP Taiwan Week 2017
The OWASP Taiwan chapter was recently revived after being idle for a few years. Yi-Lang Tsai is the current chairman of the chapter. Tsai is also the chairman of the Taiwan branch of two other major international security organizations: The Honeynet Project and the Cloud Security Alliance.
The Taiwan Chapter organized OWASP Taiwan Week 2017: a week-long event to spread awareness about OWASP, the OWASP Top 10 list and the different OWASP projects, and to bring together experts, researchers, professionals and students interested in the field of information security in Taiwan. There were sessions in Taipei, Kaohsiung and Tainan.
I was invited to give a talk in Taipei and Kaohsiung on “Mitigating CSRF with 2 lines of code” and to participate in a panel discussion on “Latest trends in OWASP Top 10”. Here’s a small snippet from the invitation letter:
I arrived in Taipei early on the morning of 19th November 2017. I had a chance to visit the volunteers, including Ann Hsu, Ching Hsiung Hsu and others, working hard to get everything done before the sessions began the next day.
20th November 2017, Taipei
It began at full power with a welcome talk, followed by a talk by Yi-Lang Tsai on what OWASP is, what the different popular OWASP projects look like, etc.
Then Henry Hu (Chief Research Officer at the OWASP Taiwan Chapter) gave a talk about the OWASP Top 10. He introduced the audience to an interesting notion of Human Augmented Tools vs Tools Augmented Humans in security testing, with respect to what types of vulnerabilities are found and how they are reported. It was followed by some interesting talks by:
- Disney Cheng (Tenable, Hong Kong) – “How’s container will affect Web Security”. With containers like Docker now heavily used for deploying web applications, a whole new set of questions arises about who takes ownership of the security of what; he expressed some such concerns in his talk.
- Galoget Latorre (OWASP Ecuador) – “Creating penetration testing tools using python”. He showed the crowd how penetration testing tools can be created using Python modules, with interesting demos of the same.
I gave a 40-minute session on “Mitigating CSRF with 2 lines of code” (find slides attached below). It covered:
- What is Cross Site Request Forgery and how it works
- Live demo of CSRF in practice
- Popular wrong ways to mitigate CSRF and, of course, the correct ways to mitigate it
- Why OWASP CSRF Protector? How it works (design) and a live demo of the same
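To make the "wrong way vs correct way" point from the talk concrete, here is a small added example (my own constructed code for this write-up, not the talk's slides and not OWASP CSRF Protector's implementation). It simulates a money-transfer endpoint with an in-memory session store; the origin bank.example, the SESSIONS dict and the request dicts are all constructed for the demo.

```python
"""Synchronizer-token CSRF check beside the cookie-only check it replaces.
Constructed example: bank.example and the in-memory SESSIONS store are assumptions."""
import hmac
import secrets

SESSIONS = {}                         # session_id -> {"user": ..., "csrf_token": ...}
SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected application


def create_session(user: str) -> str:
    """Start a session and mint a per-session CSRF token (32 random bytes, URL-safe)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid: str) -> str:
    """The token travels in the form body; a cross-site page cannot read it (same-origin policy)."""
    return f'<input type="hidden" name="csrf_token" value="{SESSIONS[sid]["csrf_token"]}">'


def handle_transfer_weak(cookies: dict, form: dict) -> bool:
    """Wrong way: only the session cookie is checked. Browsers attach cookies to
    cross-site form posts too, so a forged POST from another site is accepted."""
    return cookies.get("sid") in SESSIONS


def handle_transfer(cookies: dict, headers: dict, form: dict) -> bool:
    """Correct way: require the per-session token and compare it in constant time.
    When the browser sends an Origin header it must also match our own origin."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return False
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    return hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"])


def demo() -> tuple:
    """Returns (weak check on forged request, strong check on legit, strong check on forged)."""
    sid = create_session("alice")
    cookies = {"sid": sid}                       # the victim's browser sends this either way
    token = SESSIONS[sid]["csrf_token"]
    legit = handle_transfer(cookies, {"Origin": SITE_ORIGIN},
                            {"to": "bob", "csrf_token": token})
    forged = handle_transfer(cookies, {"Origin": "https://evil.example"}, {"to": "mallory"})
    return handle_transfer_weak(cookies, {"to": "mallory"}), legit, forged
```

Running demo() gives (True, True, False): the cookie-only check lets the forged request through, while the token check accepts the genuine form and rejects the forged one.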
21st November 2017, Taipei
We (Henry, David, Galoget and I) had a panel discussion on “Latest trends in OWASP Top 10”. Yi-Lang Tsai gave a welcome talk before that. It was very interesting, specifically because of the conflicting opinions we had on different topics. Henry took on various roles: expert, moderator and translator. We discussed a couple of questions, such as:
- Opinions on OWASP Top 10 RC2
- Opinions on #4: XML External Entities, and whether it’s in the correct position
- Similarly, opinions on #8 and #10 (Insecure deserialization & Insufficient monitoring and logging)
- Process of how OWASP Top 10 are selected
- Expectations in future
- Opinions on OWASP Top 10 for mobile platform
Some interesting questions were raised by the audience as well, like whether we should have a different Top 10 list for each programming language, and so on.
We had a good day off after this 🙂 (Henry, being one of the best hosts I have met, took us to different places and introduced us to a whole new world of seafood, at least to me).
We took the high-speed rail to Kaohsiung on 22nd November. It was indeed high speed!!
23rd November 2017, Kaohsiung
We had a similar set of talks, but a different location, a different crowd, a different set of questions and a different WiFi password. This time, however, my demo was fully functional :). I learnt my lesson in Taipei (no last-minute changes!! I know, rookie mistake).
By the end of the day we were ready to depart.
Overall, it was a great experience:
- I met amazing folks,
- Learned more about the work they are doing (client-side testing, creating penetration testing tools using Python, web security with Docker in place)
- Heard different opinions on the OWASP Top 10 (2017 release)
One big takeaway for me was something around #10 in the OWASP Top 10, 2017 – Insufficient Monitoring and Logging. Specifically, how important it is in the security domain, how it’s not properly implemented, and how difficult a challenge it is to actually structure the logs and consume them in an actionable format. This falls within my research interests and is very closely related to the work I do at Microsoft.
Once again, I really appreciate the OWASP Taiwan Chapter for having me there and wish them the best of luck in building an amazing community. I look forward to visiting again.