OWASP Boston
About OWASP Boston
OWASP Boston is the local Boston chapter of the Open Web Application Security Project (OWASP), a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
OWASP Boston holds monthly chapter meetings on the second Wednesday of each month from May to December. The chapter pauses meetings from January to April to organize the Boston Application Security Conference (BASC), New England’s largest application security conference, held every April.
BASC 2025 is now on!
Event date: April 5th, 2025
Location: Microsoft, Burlington MA
Website: www.basconf.org
Another year of OWASP BASC is on! The Call for Papers and Call for Workshops close at midnight on March 1st, 2025. See the website for the submission link.
OWASP Boston Chapter Meetings
The next chapter meeting is in May 2025. Meetings are on pause until then; check the chapter’s Meetup page and social media to be notified about the next meeting.
Speaking at OWASP Boston Chapter Meetings
If you would like to present a talk on application security at a future OWASP Boston chapter meeting, please review and agree to the OWASP Speaker Agreement and submit your talk through the Call for Talks.
Boston Chapter Leaders
Also see past events on Meetup.
November 2024 Chapter Meetup
OWASP ASVS & Cheat Sheet Series . Jim Manico
This month we will be welcoming Jim Manico, a former OWASP Global Board Member and long-time project contributor, to our meetup. Doors open at 6:30pm and the presentation starts at 7pm. Pizza and soda will be provided.
Jim will be presenting as part of our “Learn about OWASP Projects” series on the projects he leads, the OWASP ASVS and the OWASP Cheat Sheet Series. In this session you will learn:
- How the project was started
- About the project and its goals
- How you can help, volunteer or sponsor
- Who is on the existing team
Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also an investor/advisor for 10Security, Aiya, MergeBase, Nucleus Security, KSOC, and Inspectiv. Jim is a frequent speaker on secure software practices, is a member of the Java Champion community, and is the author of “Iron-Clad Java: Building Secure Web Applications” from Oracle Press. Jim also volunteers for the OWASP Foundation as the project lead for the OWASP Application Security Verification Standard and the OWASP Cheat Sheet Series. For more information, see https://www.linkedin.com/in/jmanico.
October 2024 Chapter Meetup
Threat modeling fundamentals with Star Wars . Audrey Long
This month we will be welcoming Audrey Long, Senior Security Software Engineer at Microsoft, to our meetup. Doors open at 6:30pm and the presentation starts at 7pm. Pizza and soda will be provided.
This talk will walk through threat modeling fundamentals with a fun Star Wars twist! Even what may seem the most impenetrable will always have a secret way in that can be exploited. Be it an error in code, an unaccounted-for perspective, or a convenient airshaft leading to the center of a giant, black, round spacecraft, a developer must be aware of potential weaknesses. Using threat models is like getting the blueprint to the Death Star. They allow you to plan for potential scenarios or ambush attacks from stormtroopers with impossibly bad aim. Understanding the possible risks ensures your entire team will make it back to the Millennium Falcon. In this talk, Audrey Long will walk you through understanding threats in a cloud system and how to protect yourself from the dark side.
Audrey Long is a highly qualified Senior Security Software Engineer at Microsoft, holding a Master of Science degree in Cybersecurity from Johns Hopkins University. Audrey is passionate about building secure solutions with customers and ensuring that security practices and considerations are built into products from the very beginning. Her expertise includes creating secure coding solutions, performing security risk assessments with threat modeling activities, evaluating security in architecture, and implementing security practices at the development level.
September 2024 Chapter Meetup
2024 Application Threat Report . Daniel Shugrue
This month we will be welcoming Daniel Shugrue, who works in security product marketing at Digital.ai, to our meetup.
Daniel will be speaking about the 2024 Application Threat Report. He will illuminate and quantify threats to apps in 2024 by categorizing them according to the OWASP MASVS, and will end with advice on specific actions security teams can take to stay a step ahead of threat actors. The advice is based on aggregated and anonymized threat data from some of the largest game makers, financial services firms and media companies.
Daniel Shugrue has over 20 years of experience working in security and communications. Prior to working at Digital.ai, Daniel worked in Confidential Computing at Microsoft, IoT Security at CyberX, Web App Firewall security at Akamai, and authentication at RSA. Daniel is a father of 2 boys, enjoys bicycling and playing guitar, and holds a degree in Mandarin Chinese from Washington University in St. Louis and an MBA from Babson College.
August 2024 Chapter Meetup
CISA RSAA portal . Dick Brooks
This month we will be welcoming Dick Brooks, co-founder and lead software engineer at Business Cyber Guardian.
Dick will describe and demonstrate the CISA RSAA portal (Repository for Software Attestation and Artifacts), which the US Federal Government uses to collect secure software attestations, SBOMs and other relevant artifacts that government SCRM teams use during software risk assessments, now required under Executive Order 14028 and OMB M-22-18.
Dick Brooks is a contributor to the CISA ICT SCRM Task Force responsible for developing the CISA Secure Software Acquisition Buyers Guide, which is used by both software producers and federal procurement teams working to approve software products as “Secure by Design”. Dick also serves on the CISA Sector Risk Management Agency (SRMA) Coordinating Councils for the Critical Manufacturing (CMSCC) and Healthcare (HSCC) Sectors as a C-SCRM subject matter expert.
July 2024 Chapter Meetup
Be a Better Robert Oppenheimer . Thomas Gleason
This month we will be welcoming Thomas Gleason as our presenter. Thomas will be giving his presentation Be a Better Robert Oppenheimer.
In the tech world, developers, likened to modern Oppenheimers, innovate quickly but may overlook security. This presentation proposes a unified language for AppSec, balancing development and security priorities. It emphasizes understanding open-source usage, risks in tooling practices, and contextualizing vulnerabilities. Join us to align security with development goals, fostering rapid innovation while ensuring security.
Thomas Gleason is an AppSec enthusiast who enjoys building teams and tools to enhance security. He has hands-on experience with the pros and cons of DevSecOps. Outside of work, he cherishes his Rhode Island home and has a penchant for a well-cooked risotto. His professional expertise and personal interests make him a well-rounded individual in the field.
June 2024 Chapter Meetup
Overview of the PROXYLIB Campaign . Lindsay Kaye
This month we will be welcoming Lindsay Kaye as our presenter. Lindsay will be giving her presentation an Overview of the PROXYLIB Campaign.
In May 2023, we identified a cluster of VPN apps available on the Google Play Store that transformed the user’s device into a proxy node without their knowledge. We’ve dubbed this operation PROXYLIB. Other researchers identified this malicious behavior in a single free VPN application—Oko VPN— which resulted in the app’s removal from the Play Store. Based on further analysis of Oko VPN, Satori researchers uncovered 27 additional applications related to PROXYLIB. These apps shared a common native library, written in Golang, that enrolls the device as a proxy node. This talk will provide a high-level overview of the PROXYLIB Android malware and take the listener through the changes we observed in response to defenders’ actions.
Lindsay Kaye is the Vice President of Threat Intelligence at HUMAN Security. Her technical specialty spans the fields of malware analysis and reverse engineering, with a keen interest in dissecting custom cryptographic systems. Lindsay is an internationally-recognized cybersecurity speaker and author. Lindsay holds a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.
Dec 2023 Chapter Meetup
OAuth2.0 redirection URIs . Tommaso Innocenti
Please join us for OWASP Boston’s December meetup! For those attending in person, doors open at 6pm; for those joining virtually, the presentation will start at 6:30pm.
This month we will be welcoming Tommaso Innocenti to talk about his research on OAuth2.0 redirection URIs.
ABOUT THE SPEAKER Tommaso is a fourth-year Ph.D. student advised by Engin Kirda, working as a Secure Systems Lab (SecLab) member at Northeastern University. His interests revolve around Privacy and Security, with particular attention to increasing final users’ security. His works reflect his passion and tenacity in exploring complex security topics. His most recent work focuses on the security of the OAuth protocol.
ABSTRACT OAuth 2.0 requires a complex redirection trail between websites and Identity Providers (IdPs). In particular, the “redirect URI” parameter included in the popular Authorization Grant Code flow governs the callback endpoint to which users are routed, together with their security tokens.
In this talk, I will present recent attack trends in conjunction with the research trends to identify the source of the problem that allowed us to generate our hypothesis.
Based on this observation, I will present novel attack techniques and the experiment that allowed us to verify that the OAuth 2.0 security guidance is under-specified empirically. Finally, I will explain end-to-end attack scenarios that combine our attack techniques with common web application vulnerabilities, ultimately resulting in a complete compromise of the secure delegated access that OAuth 2.0 promises.
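The parameter the abstract above turns on is the redirect_uri checked at the IdP’s authorization endpoint. The following is an added example for this page, not the speaker’s code, and it does not reproduce the talk’s techniques: it places a loose prefix match beside the exact string match that the OAuth 2.0 Security Best Current Practice (RFC 9700) calls for, and shows why a rejected redirect_uri must end in an error page rather than a redirect (RFC 6749, section 4.1.2.1). The client registration, client_id and probe URIs are constructed.

```python
"""redirect_uri handling at an OAuth 2.0 authorization endpoint: a loose
prefix match next to the exact match the OAuth 2.0 Security BCP (RFC 9700)
calls for.  Added example for this page; it is not the speaker's code and
does not reproduce the talk's techniques.  Client registration and the
candidate URIs are constructed.
"""
import secrets
from urllib.parse import urlencode, urlsplit

# Hypothetical client registration: the exact redirect URIs the client
# registered with the IdP.
REGISTERED = {"client-123": {"https://app.example.com/callback"}}


def loose_validate(client_id, redirect_uri):
    """Accept any URI that starts with a registered one.  Anything the
    caller appends (extra path, query, fragment) is waved through."""
    return any(redirect_uri.startswith(r) for r in REGISTERED.get(client_id, ()))


def strict_validate(client_id, redirect_uri):
    """Exact string comparison: no normalisation, no prefix logic."""
    return redirect_uri in REGISTERED.get(client_id, ())


def authorize(client_id, redirect_uri, state, validate=strict_validate):
    """Simplified authorization endpoint.  On success returns
    ('redirect', location) carrying the code; on a bad redirect_uri returns
    ('error', ...) and does NOT redirect the user-agent anywhere, because the
    only place to send it would be the attacker's URI (RFC 6749 s4.1.2.1)."""
    if not validate(client_id, redirect_uri):
        return ("error", "invalid redirect_uri: show an error page, do not redirect")
    code = secrets.token_urlsafe(32)          # stands in for a stored one-time code
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return ("redirect", redirect_uri + sep + urlencode({"code": code, "state": state}))


# Constructed attacker-supplied values that a prefix match accepts.  Where the
# client's callback has an open redirect or leaks the Referer, the code
# travels with them; the exact match rejects all three.
PROBES = [
    "https://app.example.com/callback",                                 # legitimate
    "https://app.example.com/callback/../other-page",                   # different client endpoint
    "https://app.example.com/callback?next=https://attacker.example/",  # open-redirect chain
    "https://app.example.com/callback#",                                # trailing fragment
]


def compare(client_id="client-123"):
    """{uri: (loose_accepts, strict_accepts)} for every probe."""
    return {u: (loose_validate(client_id, u), strict_validate(client_id, u)) for u in PROBES}


if __name__ == "__main__":
    for uri, (loose, strict) in compare().items():
        print(f"loose={loose!s:5} strict={strict!s:5} {uri}")
    print(authorize("client-123", PROBES[2], "xyz"))
```

Exact matching is the whole defence here: once the IdP accepts a prefix, every open redirect, path-handling quirk or Referer leak on the client becomes a way to move the authorization code somewhere else.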
Nov 2023 Chapter Meetup
Hands-On Lessons in IAST . Pranoy De & Tony Quadros
Join us at the OWASP Boston Meetup this month for a hands-on lesson in IAST from Pranoy De and Tony Quadros. During the session Pranoy and Tony will answer the questions: what is IAST, and how can it make your developers’ lives easier?
**Attendees must bring their own laptop and attend in person to participate in the hands-on workshop portion of this event.
**Attendees must provide their name and email address (please place them in the “Current Role” box) at the time of registration to participate in the hands-on workshop portion of this event.
This session will give you a foundational understanding of IAST (Interactive Application Security Testing), what it is, how it works, and provide you, as a security engineer or software developer, with the knowledge of how it can make your lives easier when it comes to doing security analysis of your applications and code. You will then be able to get hands on experience with IAST, using it to find vulnerabilities in a sample application then be able to go in and actually remediate the findings.
After attending this session, you will understand the fundamentals of IAST (Interactive Application Security Testing) and have actual hands-on experience with the testing methodology.
Tony Quadros, based in southern New Hampshire, is a 10+ year veteran of the cyber security vendor landscape, focused on the application security side of cyber security and software development. He has helped numerous enterprises, from the largest social media companies in the world to the largest insurance companies, keep improving their application security programs so that the software we use every day is as secure as possible. More recently Tony has helped lead and revive OWASP Maine, an OWASP chapter focused on rallying the software development and security community in northern New England by providing educational talks, networking events, and a safe outlet for sharing new job opportunities for northern New Englanders interested in advancing their software development and security careers.
Pranoy De is a 10+ year veteran of software engineering and application security based in Toronto, Canada. He got his start as a DB2 software developer at IBM, then worked as a full-stack Python developer, and more recently has worked with enterprises worldwide on improving their application security programs, with a focus on threat modeling and now runtime application security testing. Pranoy has a deep passion for establishing the critical integrations his customers need so that all solutions work seamlessly within their application security stack, with seamless workflows for software developers looking to improve their DevSecOps and appsec processes.
Oct 2023 Chapter Meeting
The Dark Side of Open Source Productivity . Matt Brown
Hybrid Attendance: Join us in person at 5:30pm or online at 6:30pm (link to be provided to attendees).
Join us for discussion, food, appsec news, and an OWASP-related talk.
This month Matt Brown from Endor Labs will be joining us to discuss The Dark Side of Open Source Productivity.
There is a dark side to productivity with open source. In modern applications, the majority of the code an application is built on isn’t code written by your team. Modern applications are built on the backs of volunteer communities and open-source software, and those volunteers and their software delivery practices all become potential attack vectors. The truth is that most organizations do not factor open-source supply chain attacks into their threat models today. Security incidents such as the Codecov bash uploader script compromise, the intentionally introduced malicious commits in the npm packages colors and faker, and the recent PyPI backdoors targeting AWS credentials highlight the impact of supply chain attacks as a scalable attack pattern.
To spread awareness of supply chain attacks so that organizations can handle them at scale, we propose baking supply chain attacks into existing threat modeling procedures and software development culture, so that organizations can champion supply chain management of open source where it is most impactful: at development time. We will present a comprehensive, comprehensible, and technology-agnostic taxonomy of attack vectors, created on the basis of hundreds of real-world incidents and validated by experts in the domain. We will then discuss the types of defenses you can put in place to detect and respond to such modern-day attacks and how you can work these defenses in based on your program’s maturity.
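One development-time defense of the kind the abstract above argues for is to audit the lockfile that pins what actually gets installed. The script below is an added example for this page, not Endor Labs’ or OWASP’s code: it walks the packages map of an npm package-lock.json (lockfileVersion 2/3) and reports dependencies fetched over anything but https, from a registry host outside an allow-list (a dependency-confusion or stray-mirror signal), or without a sha512 integrity hash. The lockfile, the allow-listed host policy and the integrity values are constructed; the hashes are placeholders, not real digests.

```python
"""Audit an npm package-lock.json (lockfileVersion 2/3 `packages` map) for
entries that cannot be verified or that come from an unexpected source.
Added example for this page, not Endor Labs' or OWASP's code.  The lockfile
below is constructed; its integrity values are placeholders, not real hashes.
"""
import json
from urllib.parse import urlsplit

ALLOWED_REGISTRY_HOSTS = ("registry.npmjs.org",)   # policy assumption

CONSTRUCTED_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/colors": {
            "version": "1.4.0",
            "resolved": "https://registry.npmjs.org/colors/-/colors-1.4.0.tgz",
            "integrity": "sha512-" + "A" * 86 + "==",        # placeholder digest
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "http://mirror.example/left-pad-1.3.0.tgz",  # no TLS, no hash
        },
        "node_modules/@acme/utils": {
            "version": "2.0.0",
            "resolved": "https://npm.internal.example/@acme/utils/-/utils-2.0.0.tgz",
            "integrity": "sha512-" + "B" * 86 + "==",        # placeholder digest
        },
        "node_modules/some-lib": {
            "version": "0.9.1",
            "resolved": "git+ssh://git@github.com/example/some-lib.git#abc1234",
        },
    },
})


def audit_lockfile(lock_json, allowed_hosts=ALLOWED_REGISTRY_HOSTS):
    """Return (package, problem) pairs.  Three checks:
    1. every dependency is fetched over https from an allow-listed registry
       (catches dependency confusion, stray mirrors and git URLs);
    2. every dependency carries a sha512 Subresource-Integrity hash, so the
       tarball npm installs is pinned by content, not just by version;
    3. entries with no resolved URL at all are reported rather than ignored.
    """
    lock = json.loads(lock_json)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):        # root project / workspace symlink
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # keeps @scope/name intact
        resolved = meta.get("resolved")
        if not resolved:
            findings.append((name, "no resolved URL"))
            continue
        parts = urlsplit(resolved)
        if parts.scheme != "https":
            findings.append((name, f"not fetched over https: {resolved}"))
        elif parts.hostname not in allowed_hosts:
            findings.append((name, f"unexpected registry host: {parts.hostname}"))
        if not str(meta.get("integrity", "")).startswith("sha512-"):
            findings.append((name, "missing or non-sha512 integrity hash"))
    return findings


if __name__ == "__main__":
    for pkg, problem in audit_lockfile(CONSTRUCTED_LOCK):
        print(f"{pkg}: {problem}")
```

Run against a real lockfile by replacing CONSTRUCTED_LOCK with the file contents; a private registry is fine as long as it is on the allow-list, which is the point: the allow-list is the policy, and the lockfile is where that policy is enforced before anything is installed.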
Matt Brown (https://www.linkedin.com/in/matthewbrown7/) is a Solutions Architect at Endor Labs. In his various roles in AppSec and CloudSec, Matt has had the opportunity to help Enterprises with their DevSecOps strategies, particularly within the Application Security (SCA, SAST, DAST, etc.), Cloud Security (Containers, IaC, CSPM, CNAPP, etc.), and Vulnerability Management domains. With a background in software development, Matt is passionate about helping security teams work with and support their software engineering organizations to take a developer-first approach to secure the SDLC. Matt holds his Master’s in Computer Science and enjoys spending time with his family, woodworking/carpentry, and playing golf.
Sept 2023 Chapter Meeting
The art of keeping secrets - Strategies for next-gen secrets security . Itzik Alvas
Hybrid Attendance: Join us in person at 5:30pm or online at 6:30pm (link to be provided to attendees).
Join us for discussion, food, appsec news, and an OWASP-related talk.
This month we will welcome Itzik Alvas, CEO & Co-founder at Entro, to present his talk: The art of keeping secrets - Strategies for next-gen secrets security. Itzik will share his experience and his team’s research on the complexities of secrets management in modern application development and highlight the risks they pose.
Itzik started his cybersecurity journey 17 years ago when he was selected to join an elite cyber security unit of the IDF (Israel Defense Forces). He was introduced to the cyber security ecosystem there and gained enormous knowledge and experience at a nation-state level. After serving for five years, he moved to the ‘real world’, where he held various positions in the industry, including developer, DevOps engineer, cybersecurity researcher, and CISO of a major healthcare organization, before becoming Head of Security and SRE at Microsoft.
In 2022, Itzik co-founded Entro Security, where he serves as CEO.
June 2023 Chapter Meeting
The Risks of Hardcoding Secrets in AI-Generated Code . Julie Peterson
Hybrid Attendance: Join us in person or online (link to be provided).
Join us for discussion, food, appsec news, and an OWASP-related talk.
For our June meeting, Julie Peterson, Senior Product Marketing Manager at Cycode, will be speaking to the chapter about The Risks of Hardcoding Secrets in AI-Generated Code.
Machine learning, and in particular large language models (LLMs), has paved the way for groundbreaking advancements in many fields, including code generation. However, this innovation is not without inherent risks. One potential issue is that these models generate code with hardcoded secrets, such as API keys or database credentials. This practice stands in stark contrast to the recommended way of managing these secrets: through a secrets manager.
In this presentation, we consider the following:
- What are hardcoded secrets and how to prevent them
- The importance of secrets management
- The impact of LLMs in generating code
- How to mitigate the risk of hardcoded secrets in code generated by LLM
This will be an exciting session, RSVP now!
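A minimal scanner for the hardcoded secrets discussed in this entry and in the September 2023 entry above, added here as an example (it is not Cycode’s or Entro’s tooling, and not code from the original page). It runs a regex-plus-entropy pass over a constructed snippet of the kind an assistant might emit, then over a hardened version of the same code that reads the values from the environment and comes back clean. The AWS values are the placeholders AWS uses in its own documentation, not live keys; the patterns, entropy threshold and snippets are assumptions.

```python
"""Regex-plus-entropy scan for credentials embedded in source, with a
hardened version of the same code that a scan leaves clean.  Added example
for this page; it is not Entro's or Cycode's tooling.  The two snippets are
constructed; the AWS values are the placeholders AWS uses in its own
documentation, not live keys.
"""
import math
import re

PATTERNS = {
    # AWS access key IDs: documented fixed prefix and length
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # <identifier containing password/secret/api_key/token> = "<literal, 8+ chars>"
    "secret_literal": re.compile(
        r"(?i)\b\w*(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
ENTROPY_THRESHOLD = 3.0   # assumption: below this a literal looks like a placeholder


def shannon_entropy(s):
    """Bits per character; random-looking credentials score high."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan(source):
    """Return (line_no, kind, value, high_entropy) for each suspected secret."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append((line_no, kind, value,
                                 shannon_entropy(value) >= ENTROPY_THRESHOLD))
    return findings


# Constructed: the shape of code an assistant may emit, credentials inline.
CONSTRUCTED_SNIPPET = "\n".join([
    "import boto3",
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'db_password = "s3cr3t-pa55w0rd"',
    'admin_password = "changeme"',
    's3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,',
    '                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)',
])

# Constructed: the same code with values injected from the environment
# (populated by a secrets manager at deploy time), nothing in the repo.
HARDENED_SNIPPET = "\n".join([
    "import os",
    "import boto3",
    "# credentials come from the environment / a secrets manager, never the repo",
    's3 = boto3.client("s3", aws_access_key_id=os.environ["AWS_ACCESS_KEY_ID"],',
    '                  aws_secret_access_key=os.environ["AWS_SECRET_ACCESS_KEY"])',
    'db_password = os.environ["DB_PASSWORD"]',
])


if __name__ == "__main__":
    for line_no, kind, value, high in scan(CONSTRUCTED_SNIPPET):
        print(f"line {line_no}: {kind} {'(high entropy)' if high else '(low entropy)'}: {value}")
    print("hardened snippet findings:", scan(HARDENED_SNIPPET))
```

The entropy flag separates a likely real credential from a placeholder such as “changeme”, but both are worth failing a commit on: a placeholder today is a real key after the next copy-paste. Wire a check like this into pre-commit and CI so generated code is caught before it lands, and prefer role-based credentials (no static keys at all) over environment variables where the platform allows it.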
May 2023 Chapter Meeting
OWASP Kubernetes Top 10 . Andrew Josephides
Hybrid Attendance: Join us in person or online (link to be provided).
Join us for discussion, food, appsec news, and an OWASP-related talk.
For our May meeting, Andrew Josephides, Director of Security Research at KSOC, will give a talk introducing the OWASP Kubernetes Top 10.
Given the growth and adoption of Kubernetes, a number of projects have been published in the OWASP community to help practitioners assess and improve the security of their containerized infrastructure, including the recently released Top Ten for Kubernetes (https://owasp.org/www-project-kubernetes-top-ten/). This OSS project is a community-curated list of the most common Kubernetes risks, backed by data collected from organizations varying in maturity and complexity. This session will discuss the project in detail, give examples for each of the risks in the list, and explain how to get involved.
March 2023 Chapter Meeting
Defending the Attack Surface of the Software Supply Chain · Pete Morgan
This month OWASP Boston will be welcoming Pete Morgan, CSO & Co-founder of Phylum, as our presenter. Pete will be presenting to the group on defending the complete attack surface of the software supply chain. The presentation will include research findings from the Phylum team and their insights on how to counteract them. For more details about Pete and the talk please see the details below.
This month’s meetup will be a hybrid meeting; feel free to join us in person at the Broad Institute in Cambridge or via Zoom (link provided to all registered attendees ahead of the event).
Title: Defending the complete attack surface of the software supply chain
Abstract: As attacks have shown, soft targets in the software supply chain are now the path of least resistance for attackers. This session will review the TTPs of recent attacks and areas of software supply chain risk to focus on.
Speaker: Pete Morgan, CSO & Co-Founder at Phylum
Bio: Pete Morgan is a co-founder and CSO of Phylum. He is a recognized security researcher and entrepreneur with more than 20 years of experience in information security, software development and executive leadership. Pete’s background in offensive security drives his passion for creating and sharing the best defenses against the growing number of software supply chain attacks originating in the open-source ecosystem.
February 2023 Chapter Meeting
Cryptosploit · Matt Cheung
OWASP Boston’s first hybrid meetup of 2023 will have an exciting guest speaker, Matt Cheung (https://www.linkedin.com/in/mattcheung1/). Matt is currently an Application Security Consultant at Veracode and is best known for his expertise in cryptography, having spoken at major conferences such as DEF CON, BSidesSF and many others. Matt will be sharing his experience researching and developing Cryptosploit (https://github.com/nullpsifer/cryptosploit), “a Metasploit-like tool designed to streamline the exploitation of vulnerable cryptosystems”.
Join us in person at the Broad Institute in Cambridge, or on Zoom (link provided to all registered attendees ahead of the event).
March 2022 Chapter Meeting
Fixing OSS Security Vulnerabilities at Scale with CodeQL · Jonathan Leitschuh
You know what’s cooler than finding one vulnerability? Finding thousands of vulnerabilities all at once! You know what’s even cooler than that, fixing them all at once!
Through the power of your good code you can find other people’s bad code and make the world a safer place. Be the darling of bug bounty managers and the envy of security researchers.
We’ll introduce the 3 solutions that powered this massive fix: CodeQL, GitHub’s code query language that finds security vulnerability patterns at scale, and OpenRewrite, a style-preserving refactoring tool used at Netflix that makes the changes to these problems you found, and a custom built bot for generating these thousands of pull requests.
This talk will take you on a journey through what it means to be an “Open Source Security Researcher” and how CodeQL + Rewrite are serious game changers from the solutions that existed before.
Jonathan Leitschuh (LinkedIn, Twitter @JLLeitschuh) is a Software Engineer and Security Researcher. He was awarded the first-ever Dan Kaminsky Fellowship. His research focuses on Open Source Software (OSS), build infrastructure, and software supply chain security. He’s best known for his July 2019 bombshell Zoom 0-day vulnerability disclosure. He also championed an industry-wide initiative to get all major artifact servers in the JVM ecosystem to formally decommission support for HTTP in favor of HTTPS only. To date he has the most GitHub Security Advisory credits to his name of any OSS contributor on GitHub.
February 2022 Chapter Meeting
Insider’s Guide to Mobile AppSec with OWASP MASVS · Brian Reed
From the birth of the Mobile Application Security Verification Standard (MASVS) and Mobile Security Testing Guide (MSTG) in January 2018 to the most recent updates, the OWASP Mobile Security Project has advanced the state of mobile app security testing dramatically. As supporters and contributors to the Mobile Security Project at OWASP, we have pen tested thousands of mobile apps and scanned millions of commercial apps in the app stores over the years… and have identified the most common security issues that plague developers and security teams. Whether you are new to mobile pen testing or a veteran looking for the latest tools and tactics, join this session to learn 10 keys to mobile appsec leveraging OWASP MASVS and practical real-world experience.
As Chief Mobility Officer, Brian Reed leads the mobile standards and mobile DevSecOps charge at NowSecure helping orgs deliver secure mobile apps faster. He brings decades of experience in mobile, apps, security, dev, and testing helping Fortune 2000 global customers, federal agencies and mobile innovators. Brian is a compelling storyteller, speaker and writer including OWASP, AllDayDevOps, DevOpsWorld, DevOps Days, RSA, Droidcon, Mobile World Congress, FS-ISAC, and more. Brian is a graduate of Duke University.
January 2022 Chapter Meeting
Analyzing Source Code For Vulnerabilities: A How-To Workshop · Vickie Li
Writing code is hard. Writing secure code is even harder. Serious security vulnerabilities often stem from small programming mistakes. As developers, we can safeguard our applications by catching these mistakes in our own code. Performing a source code review is one of the best ways to find security issues in code. But how do you do it? In this workshop, we will first go through the basics of how to review your code for vulnerabilities and some tactics for performing an effective security code review on your application. But the process of manually analyzing code for vulnerabilities can be very time-consuming. In the second part of this talk, we will also talk about how to use the interactive code analysis tool Joern to make code analysis more efficient. How do you effectively trace user input in code? How can you efficiently link bug sources to sensitive sink functions?
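The two questions the workshop description closes on, tracing user input and linking sources to sinks, can be answered at small scale with the standard library. The block below is an added example for this page, not the workshop’s material and not Joern: an intra-procedural source-to-sink tracer built on Python’s ast module that treats Flask-style `request.*` reads as untrusted (an assumption), follows taint through plain assignments, and reports calls to a small sink table (`os.system`, `subprocess.*`, `eval`, `exec`, and any DB-API `.execute` whose query string, not its parameter tuple, is tainted). The analysed snippet is constructed and is never executed, only parsed.

```python
"""Tiny source-to-sink tracer for Python code, built on the stdlib ast module.
Added example for this page; it is not the workshop's material and not Joern.
Intra-procedural, follows simple assignments only, has no notion of sanitisers,
and does not handle nested function definitions.  The analysed snippet below is
constructed and is parsed, never run.
"""
import ast

SOURCE_ROOT = "request"   # assumption: Flask-style `request.*` is untrusted
# sink -> index of the argument that must not be attacker-controlled
SINKS = {
    "os.system": 0, "subprocess.run": 0, "subprocess.call": 0,
    "subprocess.Popen": 0, "eval": 0, "exec": 0,
    ".execute": 0,          # any `<obj>.execute(query, params)` (DB-API cursor)
}


def dotted(node):
    """'a.b.c' for Name/Attribute chains, None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def mentions_taint(expr, tainted):
    """True if the expression reads a tainted variable or the source itself."""
    return any(isinstance(n, ast.Name) and (n.id in tainted or n.id == SOURCE_ROOT)
               for n in ast.walk(expr))


def sink_arg_index(call):
    name = dotted(call.func)
    if name in SINKS:
        return SINKS[name]
    if isinstance(call.func, ast.Attribute) and "." + call.func.attr in SINKS:
        return SINKS["." + call.func.attr]
    return None


def find_flows(source_code):
    """Return [(function, line, sink)] for every sink call whose dangerous
    argument is derived from the source, following simple assignments."""
    tree = ast.parse(source_code)
    flows, reported = [], set()
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        # statements of this function in source order
        stmts = sorted((n for n in ast.walk(func)
                        if isinstance(n, ast.stmt) and n is not func),
                       key=lambda n: (n.lineno, n.col_offset))
        for stmt in stmts:
            # propagate taint through `x = <expr using tainted>` and `x += ...`
            if isinstance(stmt, (ast.Assign, ast.AugAssign)):
                targets = stmt.targets if isinstance(stmt, ast.Assign) else [stmt.target]
                if mentions_taint(stmt.value, tainted):
                    for t in targets:
                        tainted.update(n.id for n in ast.walk(t) if isinstance(n, ast.Name))
            # report sink calls fed by tainted data (each call at most once)
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                idx = sink_arg_index(call)
                if idx is None or len(call.args) <= idx or id(call) in reported:
                    continue
                if mentions_taint(call.args[idx], tainted):
                    reported.add(id(call))
                    flows.append((func.name, call.lineno, dotted(call.func)))
    return flows


# Constructed input: two vulnerable handlers and one that parameterises the query.
VULNERABLE = '''
import os
from flask import request

def ping():
    host = request.args.get("host")
    cmd = "ping -c 1 " + host
    os.system(cmd)

def lookup(conn):
    user = request.args["user"]
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")
    return cur.fetchall()

def safe_lookup(conn):
    user = request.args["user"]
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
    return cur.fetchall()
'''

if __name__ == "__main__":
    for func, line, sink in find_flows(VULNERABLE):
        print(f"{func}: untrusted input reaches {sink} on line {line}")
```

`safe_lookup` is silent because the tainted value only reaches the parameter tuple, not the query string, which is exactly the distinction a reviewer makes by hand. Everything this toy lacks (calls across functions, sanitiser recognition, data structures, other frameworks’ sources) is what a code property graph tool such as Joern supplies; the shape of the question, source reaches sink through which statements, is the same.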
April 2021 Chapter Meeting
State of Botnets · Ilia Bromberg
Time & Place: April 13, 2021 - Meetup - Zoom
- OWASP Boston leadership changes, what’s ahead for the chapter
- AppSec & open source news updates and discussion
- State of Botnets with Ilia Bromberg, Sr solutions engineer Akamai Technologies
Some additional information on Ilia’s talk: the state of botnets, from good bots (crawlers) to bad bots (credential stuffing) and the various shades of bots in between; how to detect them and how to act against them, covering techniques that work and common misconceptions.