OWASP Belgium Chapter Meetings 2013 #1

by admin

This chapter meeting on the 5th of March was co-organised with secappdev. For the first time there was a need for the larger lecture hall, as there were a lot of people present. One can only hope that this is going to be a trend :-)

25 Years of Vulnerabilities (by Yves Younan)

Yves presented a large number of slides with figures on vulnerabilities. The data came from the National Vulnerability Database (NVD), the Common Vulnerabilities and Exposures (CVE) database and vendors such as Microsoft. Some of the numbers had to go through manual processing to make them usable, and a lot of effort went into this research.

It was clear after the presentation that the numbers could not easily be used to compare, for example, the different browsers or operating systems. The manner of reporting (or not reporting, for that matter) by vendors and researchers differs so much from product to product and vendor to vendor that the numbers cannot be used to compare them. Also, the numbers only count vulnerabilities and do not always correctly reflect how much impact a vulnerability has (e.g. the Chrome web browser uses sandboxing techniques that make it hard to exploit any of the vulnerabilities found).

So all in all a nice presentation, but without any conclusions. The full report can be found here (registration required).

Banking Security: Attacks and Defences (by Steven Murdoch)

Steven talked about the security of banking applications, both when using your debit/credit card at a point-of-sale terminal and when using online banking. Since Steven is working in the UK, his first examples were of course from UK banks. When it comes to online banking there seem to be a lot of different mechanisms in use today; in the Belgian market (i.e. Belgian banks) this is not really visible, as most banks use more or less the same methods and tools to authenticate users.

Steven showed a movie that was also aired on British television, in which the copying and/or use of bank cards without knowing the PIN was demonstrated. The reaction of the banking sector was hilarious.

This was a very technical talk and a little bit too far from my knowledge of web application security to understand all implications of the differences between all the systems.


So again an interesting OWASP evening session with topics to broaden our knowledge and understanding of security principles in general. Hopefully next time there will be something about web application security :-)
