OWASP San Antonio
Welcome
Welcome to the OWASP San Antonio Chapter, a regional city chapter within OWASP. Our Chapter serves the San Antonio region as a platform to discuss and share topics across information and application security.
Anyone interested in and enthusiastic about application security is welcome. All meetings are free and open. You do not have to be an OWASP member.
Referring colleagues or acquaintances to this website or to individual meetings is welcome.
What’s going to happen?
To be announced via our OWASP San Antonio Chapter Meetup Group. We usually have talks related to information and application security.
Further Notes
Please join our OWASP San Antonio Chapter Meetup Group for timely updates on our OWASP Chapter San Antonio Meetup.
Upcoming Events
🎉OWASP San Antonio Supply Chain Security Summit (and Happy Hour after)🎉
Presentations and Security Panel: Supply Chain Security and AI-Enabled Threats
Featured presentations and speakers have been finalized. Sponsorship inquiries are still welcome and may be directed to [email protected].
> When: Friday, Jun 12 · 11:00 AM to 3:00 PM CDT
> Presentation Session: 11:00am - 3:00pm
> Happy Hour: 3:00pm - 4:30pm
> Where: Hybrid Event
- On-site: Scuzzi’s Italian Restaurant – 4035 N Loop 1604 W #102, San Antonio, TX 78257
- Virtual: Zoom details below
Event Overview
Join us for a deep dive into one of the most critical and rapidly evolving fronts in cybersecurity: supply chain security. From compromised vendors and poisoned dependencies to AI-enabled attack campaigns, today’s threat landscape is no longer isolated — it is interconnected, automated, and operating at unprecedented scale.
This summit brings together real-world threat intelligence, incident-driven insights, and practitioner-led discussions to examine how modern supply chain attacks actually unfold and what it takes to defend against them. We will explore how adversaries are leveraging AI to accelerate reconnaissance, impersonate trusted entities, and exploit gaps across software, hardware, and third-party ecosystems.
Whether you’re responsible for application security, third-party risk, detection engineering, or incident response, this session will provide actionable strategies to better understand, detect, and reduce supply chain exposure in an era of continuous, intelligent attack.
Featured Presentations
The Supply Chain Threat We’re Not Ready For: Where Are the Real Gaps?
Speaker: Dima Gorbonos, Global Director of Sales Engineering, Mend.io
Supply chain security has become a boardroom priority, yet many organizations continue to focus on the wrong risks. While visibility into software dependencies has improved, significant gaps remain across open-source ecosystems, transitive dependencies, third-party integrations, and emerging AI-driven development workflows.
This session explores where organizations are still vulnerable despite increased investment in supply chain security. Attendees will gain practical insights into the challenges of identifying, prioritizing, and mitigating risk across increasingly complex software delivery environments.
Topics include:
- The most overlooked supply chain security risks facing organizations today
- Hidden exposure within open-source and transitive dependencies
- Challenges introduced by AI-assisted software development
- Strategies for prioritizing and reducing software supply chain risk
- Practical recommendations for building a more resilient security program
How to Engineer Supply Chain Controls
Speaker: Tim Gowan, Success Architect, Endor Labs
Modern software supply chains generate more findings than security and engineering teams can realistically address. As organizations scale, dependency sprawl, version fragmentation, and decentralized package management create hidden operational costs that make vulnerability remediation increasingly difficult.
This session explores practical approaches for engineering supply chain controls that improve both security outcomes and developer productivity. Attendees will learn how concepts such as version cardinality, controlled package ingestion, dependency standardization, and large-scale change management can help organizations reduce risk while accelerating remediation efforts.
Attendees will gain insights into:
- Understanding version cardinality and its impact on remediation cost and engineering velocity
- Reducing dependency sprawl through standardization and version-flattening strategies
- Implementing controlled package ingestion and software supply chain governance
- Building scalable controls that align security objectives with engineering workflows
- Leveraging supply chain visibility and dependency intelligence to prioritize risk more effectively
Threat-Informed Defense: Prioritizing What Actually Matters
Speaker: J Fridley, Solutions Engineer, Oligo
Security teams are inundated with alerts, vulnerabilities, and findings, yet many organizations still struggle to determine which risks truly matter. As software ecosystems become increasingly interconnected through open-source components, third-party services, cloud-native architectures, and AI-powered applications, defenders must move beyond vulnerability counts and focus on the techniques and attack paths adversaries are most likely to exploit.
This session explores how a threat-informed defense strategy can help organizations better understand real-world risk, prioritize remediation efforts, and focus security investments where they have the greatest impact. Attendees will learn practical approaches for aligning vulnerability management, application security, and threat intelligence programs to defend against modern attack techniques.
Topics include:
- Applying threat intelligence to prioritize vulnerabilities and security findings
- Identifying exploitable attack paths across applications and software supply chains
- Moving beyond CVE-centric security programs toward attacker-focused defenses
- Understanding risks introduced by third-party software, open-source dependencies, and AI-enabled applications
- Building a threat-informed security strategy that improves resilience and operational efficiency
The AI Attack Storm: Security at Machine Speed
Speaker: Eric Pedersen, Solutions Engineer, Black Duck
Artificial intelligence has fundamentally changed the economics of cyber attacks. While AI has not created entirely new attack techniques, it has dramatically reduced the cost, time, and expertise required to discover vulnerabilities, develop exploits, and scale attacks across software ecosystems. As attackers increasingly operate at machine speed, organizations must rethink how they approach application security, vulnerability management, and supply chain defense.
This session examines how AI is transforming both offensive and defensive security practices, the challenges facing traditional AppSec programs, and what organizations can do today to prepare for an era of AI-powered vulnerability discovery and exploitation. Attendees will learn practical strategies for building security programs capable of responding at the speed of modern threats.
What you’ll learn:
- How AI is accelerating vulnerability discovery, exploitation, and attack automation
- Why traditional vulnerability management and patching processes struggle to keep pace
- The evolving role of automated application security testing, software composition analysis, and supply chain security
- Key considerations for securing AI-assisted and agentic software development workflows
- Practical steps for building an AppSec program that can operate at machine speed
Security Panel Discussion: The Supply Chain Threat We’re Not Ready For
This panel brings together practitioners to discuss the most under-addressed risks in today’s supply chain landscape. From open source dependencies to AI model supply chains, panelists will explore where organizations remain vulnerable and what needs to change.
Discussion themes:
- Gaps in current supply chain security practices
- Accountability between vendors and customers
- Regulatory and governance challenges
- Emerging risks across AI and critical infrastructure dependencies
Facilitator: Joseph Gregorio, President, OWASP San Antonio; VP Application Security, Frost Bank
Additional Meeting Details
Lunch: Optional ($20 paid in person or via our Square account). Attendees are welcome to attend without purchasing lunch.
Square payment link:
https://square.link/u/W21TqLWD
Location:
Scuzzi’s Italian Restaurant
4035 N Loop 1604 W #102
San Antonio, TX 78257
HAPPY HOUR & NETWORKING after session!!!
Happy Hour Sponsors:
To Be Announced
Virtual Meeting Details
Join Zoom Meeting
https://us06web.zoom.us/j/84639739238?pwd=yiq0jJXgneT1pec1yV837nzNk3Eczu.1
Meeting ID: 846 3973 9238
Passcode: 934605
We encourage everyone to attend in person. We will have door prizes and excellent food for all to enjoy, along with a great opportunity to connect with fellow security professionals.
Please feel free to pass this information on to your peers and team members. 😊
Featured Speakers
J Fridley – Solutions Engineer, Oligo

J Fridley is a Solutions Engineer at Oligo, where he works with security and engineering teams to better understand and prioritize real-world application risk. His work focuses heavily on issues that don’t fit neatly into traditional vulnerability management — including third-party and open-source risk, security concerns introduced by embedded and agentic AI, and why defending against attack techniques is often more effective than focusing solely on individual CVEs.
Prior to joining Oligo, J supported application security programs and developer security tooling initiatives across a variety of environments. He is particularly interested in the practical realities of modern software security: how teams actually build applications, how security findings are communicated to developers, and why risk prioritization in cloud-native environments remains such a difficult challenge.
Tim Gowan – Success Architect, Endor Labs

Tim Gowan spent the early part of his career believing security teams were simply professional blockers to engineering velocity. A decade, a U.S. patent, and millions of vulnerability alerts later, he has thoroughly unlearned that assumption.
Today, Tim serves as a Success Architect at Endor Labs, where he focuses on post-sales architecture and helping organizations operationalize secure development practices at scale. With more than ten years of experience designing carrier-grade infrastructure at Verizon and developer security platforms at Snyk, he specializes in transforming chaotic enterprise environments into secure, developer-friendly engineering workflows.
Tim holds an M.S. in Computer Science with an NSA CyberOps designation and is passionate about designing systems that help organizations minimize risk without sacrificing productivity.
Dima Gorbonos – Global Director of Sales Engineering, Mend.io

Dima Gorbonos is a cybersecurity and application security leader with extensive experience helping enterprises secure modern software development at scale. As Global Director of Sales Engineering at Mend.io, he leads go-to-market initiatives focused on software supply chain security, AI security, open-source risk management, and DevSecOps.
Dima works closely with organizations to strengthen application security programs while enabling development teams to move quickly and securely in increasingly complex environments.
Eric Pedersen – Solutions Engineer, Black Duck

Eric Pedersen is a Solutions Engineer at Black Duck, where he works with organizations to strengthen application security programs and manage risk across modern software development environments. His areas of focus include application security testing, software supply chain security, open-source governance, and helping teams integrate security practices into fast-paced development workflows.
Eric works closely with security and engineering teams to address emerging challenges introduced by AI-assisted development, increasingly complex software ecosystems, and the growing need for automated security controls throughout the SDLC. He is particularly interested in helping organizations modernize their application security programs to keep pace with evolving threats while enabling developers to build and deliver software securely at scale.
Future Presentation Topics To Vote On
- Post-Quantum Computing
- ASPM
- Pentest
- Ransomware
- DevSecOps - Security as Code
- Security Controls for AI