Global OWASP Week 2008 – Switzerland

As some of you might know, during the last week we had the Global OWASP Week 2008. As I’m the actual leader of the OWASP Switzerland Local Chapter, I organized a meeting during this week. Because we needed some more space, we went to the ETH Zurich where we had a room for 46 people. From my point of view it was a huge success for the OWASP in Switzerland because we’ve got about 30 attendees at this meeting (normally we’ve got about 20). For me it was also a little bit of stress because we didn’t received a beamer so we had to organize one and another stress factor for my was, that because of all the OWASP book I put into my bag to give them away, I forgot to put the walkthrough for my demonstration in it which means, that I had to do it out of my mind. Anyway, just as I already said, it was a success for the OWASP and I’m sure that we’ll have some new faces at our next meeting.

For the people who’re interested in what we’ve done, here’s the invitation mail I’ve sent out:

Dear Receiver,
in the name of the OWASP ( I’d like to invite you to
our next event, which is part of the Global OWASP Week 2008. If you’re
interested in web application security, this is something for you.

Date and time:
1.April 2008 -> WebAppSec Is No Joke
18:00 – ca. 21:00

The event takes place at the ETH Zurich, in the main building, room
HG F26.5

As at all of our meetings, everyone is welcome. If you know someone
who could also be interested in this event, ask him/her to come too.

We’ll have three interesting Talks.

– Taking Apache access logs to the next level: Complying to PCI DSS
for fun and profit
(Christian Folini – Technical Consultant at netnea)

The PCI DSS is rather vague, when it comes to logfiles. It does
make clear, that writing logfiles and reading them is a
requirement though. But it leaves it up to you to define your
setup and your processes. Apache brings numerous logging
possibilities, but they are rarely used in practice. Based on a
sample enterprise setup, I will discuss key items of a
revision-proof architecture. System components and methods will be
examined and a few interesting techniques presented.

– Implementing an Application Security Lifecycle programme
(Alessandro Moretti – Executive director for IT security risk
management at UBS Investment Bank)

A case study at UBS Investment Bank – how the Application Security
Lifecycle Programme aims to implement proactive and reactive IT
security management and promote application security across the
global UBS IT community.

Short description:
UBS IT Security Risk Management will provide an overview of the
risk strategy, and an insight into the strategic initiative, based
partly on OWASP, to enhance the application security with each
phase of the software development lifecycle. The presentation will
provide details on the vision, the overall programme approach and
on selected deliverables as part of the programme. Topics include,
security education, risk management, source code testing,
penetration testing and web application firewalls. A question and
answer session will follow.

– WebAppSec the Big Picture
(Sven Vetsch – Security Tester at Dreamlab Technologies)

Most of the actual vulnerabilities which security researchers and
also bad guys (doesn’t) report every day, are related to web
applications. Even if this is the case, the security community
didn’t get the big picture of what security related problems we’ve
got through web applications. In this demonstration, we will show
you an overview of the most important web vulnerabilities like SQL
Injections, XSS, CSRF, Path Traversal, Session Fixation and much
more. The focus in this demonstration is not to show you the
latest research results in webappsec, it’s to show you the big
picture of this topic.

If there are any further questions, don’t hesitate to contact me at:
sven.vetsch _at_

Sven Vetsch
Leader OWASP Switzerland