OWASP Manchester
Welcome
Welcome to the official page of OWASP Manchester. We’ll be running multiple events throughout the year so join our Meetup page to stay informed!
If you wish to talk at or sponsor a future event please feel free to reach out on Twitter, Meetup, or email one of the chapter leaders from the sidebar.
Participation
The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. All of our projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security.
Chapters are led by local leaders in accordance with the Chapters Policy. Financial contributions should only be made online using the authorized online donation button.
Everyone is welcome and encouraged to participate in our Projects, Local Chapters, Events, Online Groups, and Community Slack Channel. We especially encourage diversity in all our initiatives. OWASP is a fantastic place to learn about application security, to network, and even to build your reputation as an expert. We also encourage you to become a member or consider a donation to support our ongoing work.
Next Meeting/Event
Code of Conduct
OWASP Manchester meetings and events are an inclusive environment where all people should feel safe and respected. We welcome diversity in age, race, ethnicity, national origin, range of abilities, sexual orientation, gender identity, financial means, education, and political perspective.
OWASP Manchester will not tolerate any form of violence, harassment, hate speech or trolling either off or online, or any overly drunken, intimidating or heckling behaviour.
Please respect the presenters, don’t talk amongst yourselves during their presentations and ensure your mobile phones are muted or switched off.
We want you to have fun, in a safe and respectful environment.
If you have any issues or concerns relating to the code of conduct please contact one of the Chapter Leads either in person, through the Meetup page or via email.
Chapter Leaders:
As this is a private event we reserve the right to remove and ultimately ban anyone who violates this code of conduct, and will report any incidents to the appropriate authorities if necessary.
Polite note to Vendors/Recruiters/Internal Recruiters/Business Development people
Vendors and Recruiters are welcome at OWASP Manchester; however, we ask that you remember this is a user group, not a networking event, and tapping people up for jobs or business unprompted is not encouraged.
2024
OOOOOOWASP - Ghosts in the Machine: A Halloween Cybersecurity Spooktacular - 24 October 2024
Details
In this spooky session we'll be discussing AI and its impact on the different aspects of cyber security.
Talks
Alsa Tibbit - Digital Fossils: Bones of APTs
Talk recording coming soon
This talk takes the audience on a captivating journey through the speaker’s explorations in cybersecurity research. It highlights how a blend of critical thinking and Explainable Artificial Intelligence (XAI) has paved the way for an innovative approach to addressing complex cyber threats. Focusing on Advanced Persistent Threats (APTs) as a prime example, the speaker illustrates how a solution-driven mindset, enhanced by XAI, has led to groundbreaking cybersecurity advancements. This novel methodology garnered substantial support from Sheffield Hallam University and La Trobe University in Australia, creating new avenues to detect and counter cyber threats.
About Alsa Tibbit
As a seasoned cybersecurity professional with extensive experience in academia and industry, Alsa has excelled in teaching, research, and leadership. Her notable accomplishments include authoring a £100k technical proposal and leading an Innovate project focused on machine learning, malware analysis, and data mining. In 2023, she was involved in a research project for DSIT addressing the cybersecurity skills gap in the UK, further underscoring her dedication to advancing the field. Alsa is currently involved in two key projects: one focusing on Advanced Persistent Threats (APTs) and Explainable Artificial Intelligence (XAI), and another tackling ARM architecture and Java vulnerability research. These endeavours highlight her commitment to personal and professional development as she continues contributing to the ever-evolving cybersecurity world.
Leum Dunn - AI AIEEEE (the revenge - re-deux)
Talk recording coming soon
A fusion of mischievous ideas, distilled from presentations at B-Sides Leeds and Lancs, exploring the playful and slightly chaotic potential of AI tools. Buckle up, it’s going to be a wild ride!
About Leum Dunn
Leum Dunn has been lurking in the shadows of the tech world for over 20 years, with the last decade spent fortifying defenses in the cybersecurity realm. His expertise shines brightest in the betting and gaming industry, though he’s also dabbled in critical national infrastructure and print manufacturing, just for fun. When he’s not safeguarding digital kingdoms, Leum can be found playing bass guitar (badly, by his own admission) or immersing himself in gothic rock and jazz noir. His talk today is a fusion of mischievous ideas, distilled from presentations at B-Sides Leeds and Lancs, exploring the playful and slightly chaotic potential of AI tools. Buckle up, it’s going to be a wild ride! Yes, I asked ChatGPT to write that. No, I'm not ashamed. I'm not even going to correct the spelling!
Sponsors
We'd like to say a big THANK YOU to the companies who helped make this event possible:
Booking.com - Venue and Food & Drink Sponsor
Forward or Reverse Engineering - Get your app security into gear - 18 April 2024
Details
In this session we discussed security operations and reverse engineering of Flutter applications.
Talks
Eliza-May Austin - DRACOEYE the browser-based freebie that’s going to streamline your SOC teams.
Talk recording coming soon
In this session, we'll delve into the origins of DRACOEYE, discussing why it was created and the driving forces behind its development. We'll explore the motivations behind making it freely available and the importance of accessibility in the realm of cybersecurity. Discover how DRACOEYE's intuitive design makes it ridiculously easy to use, so much so that even your granny could navigate it with ease – we even have a YouTube series in the pipeline to demonstrate this claim! Through a quick demo, you'll see firsthand just how simple and effective DRACOEYE is in bolstering your online security. Whether you're a seasoned cybersecurity professional or a curious beginner, this talk is for you. Learn who should be using DRACOEYE and how it can benefit individuals and organizations alike. Stick around for a lively Q&A session where you can ask anything about DRACOEYE, from its features to its development journey.
About Eliza-May Austin
Eliza knew she wanted to work in tech from the moment she saw Sandra Bullock order Pizza over dial-up in her favourite film, 1995's 'The Net'. Eliza has a degree in Digital Forensics, is SANS-trained in Network Forensics, PurpleTeaming and Penetration Testing. She has previously worked in cyber defence in a number of FTSE100 companies and was the original founder of the Ladies Hacking Society. Despite her fascination with tech she has taken on a more business-centric role and guided the company through impressive growth, won a slew of awards, and was voted one of the most inspirational voices in cybersecurity.
Jay Harris - Putting Flutter in the Gutter: how to reverse engineer flutter applications
Talk recording coming soon
In the ever-evolving landscape of mobile application development, Flutter has emerged as a powerful framework, enabling developers to create cross-platform applications with a single codebase. However, with innovation comes the need for robust security measures. This talk aims to delve into the realm of reverse engineering and security assessment specific to Flutter mobile applications. Reverse engineering, the process of dissecting and understanding the inner workings of an application, is a double-edged sword. While developers leverage it for debugging and optimization, adversaries exploit it to identify vulnerabilities and potential security weaknesses. In this presentation, we will explore various reverse engineering techniques tailored to Flutter apps, shedding light on the underlying architecture and highlighting potential attack vectors.
About Jahmel Harris
Jahmel Harris is a seasoned security researcher, hacker, and co-founder of Digital Interruption, a Manchester-based cyber security consultancy. His expertise lies in securing organizations through a blend of penetration testing and integrating security practices into application development pipelines. Jahmel’s impactful work has garnered international recognition, with media coverage of his research and widespread attendance at his workshops on mobile hacking. His contributions extend beyond the technical realm, as he actively participates in cyber security advisory groups and tech conferences, including 44Con, Hacklu and leHACK. Jahmel’s dedication to advancing security practices has led to the release of multiple public disclosures, further enhancing software protection. His commitment to the field is evident through open-source contributions and free online and in-person security workshops and training. Jahmel’s impact on the cybersecurity landscape continues to grow, making him an invaluable asset in the realm of mobile application reverse engineering and security assessments.
Sponsors
We'd like to say a big THANK YOU to the companies who helped make this event possible:
Cytix - Venue Sponsor
ReportURI - Food & Drink Sponsor
Assembly and Disassembly, an OWASP guide to application security - 15 January 2024
Details
In this session we discussed application security and the basics of assembly.
Talks
Stuart Crawford - AppSec in the Enterprise: in-flight testing and Shifting Left
Talk recording
In a world where web-based applications are ubiquitous, penetration testing is well-established as a way of verifying those applications are secure, but how do we stop finding ourselves falling into an endless cycle of 'deploy, test, fix'? The answer is by paying closer attention to security in the development lifecycle, and I'll provide an example of how we're doing this at one of, if not the, largest Independent Software Vendors in the UK.
About Stuart Crawford
Stuart is AppSec program manager at one of the largest SaaS companies in the UK.
Tom Blue - Basic Assembly and Memory
Talk recording
This talk would be an overview of how basic assembly and memory works, the structure of programs compiled in C and how to follow the logic of disassembled programs. I’ll show how to use tools such as Ghidra to decompile code and to make the reverse engineering process more efficient, and cover things such as buffer overflows, patching code and return oriented programming.
About Tom Blue
Tom is a second year student studying computer science.
Sponsors
We'd like to say a big THANK YOU to the companies who helped make this event possible:
Amazon - Venue Sponsor
Pentest - Food & Drink Sponsor
2023
Breaking Yourselves, But In The Best Way Possible - 21 September 2023
Details
In this session we'll be discussing various ways to improve your offensive security testing. Using these offensive security techniques, your teams will find new ways to break applications, and test your defenses.
Talks
Dr Katie Paxton-Fear: Go Hack Yourself: API hacking for beginners
Talk recording
Over the past few years, we've really seen API hacking take off as a field of its own, diverging from typical web app security, but yet parallel to it. Often we point to the amorphous blob that is web security and go: "here you go, now you can be a hacker too", with top 10 lists, write-ups, conference talks and whitepapers smiling as we do. This creates a major challenge for developers who want to test their APIs for security or just people who want to get into API hacking: how on earth do you wade through all the general web security to get to the meat of API hacking, and what do you even need to know? This talk is going to break down API hacking from a developer point of view, teaching you everything you need to know about API hacking, from the bugs you can find and the impact you can cause, to how you can easily test your own work or review your peers. So what are you waiting for? Join me and go hack yourself!
About Dr Katie Paxton-Fear
A lecturer in Cyber Security at Manchester Metropolitan University and a cyber security researcher, but she's far more well known for her hobby. In her free time, she's a hacker specialising in API hacking, teaching others through her YouTube videos. A former developer turned hacker, she used to make RESTful APIs and now she breaks them. She found her first API vulnerability, which affected Uber, in 2019 and has been hacking APIs ever since, creating hours of content to help others follow in her footsteps. With her PhD in cyber security and machine learning, she loves to introduce a data-driven approach to hacking, combining new tools with manual testing to ensure an impactful bug report every time.
Gerald Benischke - Application DoS vulnerabilities
Talk recording
This AppSec-focussed talk demonstrates how denial of service attacks can be carried out without throwing lots and lots of traffic at a system and effectively stop services. This uses a couple of vulnerabilities in the play framework as an example and describes the impact. This approach can be likened to using precision guided missiles rather than the carpet bombing of DDoS attacks. I will explore the role that convenience for developers in frameworks plays when combined with unexpected payloads, and how this can be exploited. I also draw on how the service mesh can amplify this attack such that multiple instances can be killed with a single request. Furthermore, we look at how Web Application Firewalls (WAFs) offer no protection against this type of attack. Lastly, I will look at what can be done to protect applications against this type of attack.
About Gerald Benischke
I tend to describe myself as both an Agile Fundamentalist and an AppSec Snooper. What does this mean? On the one hand my software development experience has led me to think that the principles of the agile manifesto form the basis of good practices. It boils down to lots of common sense, small steps, learning along the way, not writing code that nobody will want or need and taking processes and procedures with a pinch of salt.
Sponsors
We'd like to say THANK YOU to the companies who helped make this event possible:
Booking.com - Venue Sponsor
Booking.com - Food & Drink Sponsor
Security Tools - Proving your applications are as secure as possible - 7 June 2023
Details
In this session we'll be discussing various tools used within security. By using these tools, your teams will be able to truly show that your products are as secure as they can be.
Talks
Simon Bennetts: An Introduction to OWASP ZAP
Talk recording
In this talk Simon (the ZAP founder and project lead) will give you an overview of the world's most popular web security scanner. He will also talk about the most recent changes and what's coming next.
About Simon Bennetts
The OWASP Zed Attack Proxy (ZAP) Founder and Project Leader, and a Distinguished Engineer at Jit. He has talked about and demonstrated ZAP at conferences all over the world, including Blackhat, JavaOne, FOSDEM and OWASP AppSec EU, USA & AsiaPac. Prior to making the move into security he was a developer for 25 years and strongly believes that you cannot build secure web applications without knowing how to attack them.
Anthony Harrison - SBOMs and why they can help make your software more secure
Talk recording
This talk will explain what an SBOM (Software Bill of Materials) is, how and when they should be produced and some of the challenges that need to be overcome, and demonstrate how they should form part of a DevSecOps lifecycle. I will try and supplement the talk with some demonstrations using a number of open source applications.
About Anthony Harrison
An independent systems/software/cyber consultant. I am part of the SPDX community developing the forthcoming security profile, and a member of the OpenSSF SBOM Everywhere working group and SBOM Forum. I have presented on SBOMs at FOSDEM (2002 and 2023), EuroPython 2022 and will be presenting at PyCascades (Vancouver) in March.
Sponsors
We'd like to say THANK YOU to the companies who helped make this event possible:
Bruntwood - Venue Sponsor
Cytix - Food & Drink Sponsor
Proactive Security - How do you prevent vulnerabilities? - 7 March 2023
Details
In this session we'll be discussing proactive security: how do you empower and enable engineering teams to own their own security and prevent the release of vulnerable code? What do secure coding practices look like, what is security by design, and what security testing can teams do during the test and release process? More importantly, what can we put in place to really make the security teams work for their money?
Talks
Threat Modelling - Robin Fewster
Talk recording
Drawing on some client experiences, Robin will discuss different threat modelling approaches and tools available, and how they went down with development teams.
About Robin Fewster
Robin has 20 years' experience in cyber security, and is particularly interested in helping companies to improve their security posture. A current area of focus is assisting software development teams with improving their secure software development practices. This includes work ranging from implementing security strategy to security champions programmes and threat modelling. Robin is also a former OWASP Newcastle chapter leader.
SAST, DAST, IAST, RASP - Daniel Oates-Lee
Talk recording
Daniel will give us an introduction to DevSecOps and share their experience enabling secure development for clients.
About Daniel Oates-Lee
Daniel is one of the Punk Security Co-Founders and has over 21 years of commercial IT experience, with 15 years focused on cyber security.
Sponsors
We'd like to say THANK YOU to the companies who helped make this event possible:
Barclays DiSH - Thank you so much for sponsoring the venue.
BeyondTrust - Thank you so much for sponsoring the food & drink.
Cytix - Special thanks for making introductions.
2019
Secure Code Warrior - 8 August 2019
Hosted by BBC
28 May 2019
Simon Bennetts
OWASP ZAP's lead hacker, Simon Bennetts, will be taking us through the new user interface for ZAP - the ZAP Heads Up Display (or HUD).
Gerald Benischke
Slides
XML is Evil: This talk describes several common XML security vulnerabilities, how they can be found and how they can be mitigated. Real-life examples (though anonymised) are used to illustrate how these issues can be exploited.
Sponsors
RentalCars - Venue sponsor
Distil Networks - Food & drink
2018
OWASP Manchester CTF - 13 November 2018
Manchester OWASP will be running its first annual CTF on November 13th in partnership with Manchester Grey Hats, who will be running the challenges. The CTF will be hosted by the Manchester Technology Centre on Oxford Road and is aimed at people working in the tech industry who have an interest in security. The CTF itself will be a jeopardy-style challenge aimed at a range of technical capabilities, with some low- or non-tech challenges. So, if you're a developer, software tester, system architect, infosec professional, or just have an interest in security, sign up. We'll be running teams of 4, so you can either enter a full team or we can help you put one together on the day! Manchester Grey Hats will be running a series of short workshops on the same topics as the CTF on October 24th, so keep an eye on their Meetup page! Thanks to our community sponsors: Manchester Grey Hats, North West Testers Gathering, Manchester Girl Geeks, Techs and the City, Tech Leaders of the North West and PowerShell Manchester.
4 September 2018
Scott Helme
Catherine Chapman
Sponsors
Booking Go (Rentalcars)
SureCloud
17 July 2018
Mike Thompson
Talk recording
Liz Bell
Talk recording
Sponsors
Mad Lab - Venue
ReportUri
NCC
3 May 2018
Daniel Dresner
Will be taking us through his experience of careers in the IT industry and academia.
John Denneny
Founder of Pen Test Limited, will be talking about his experience of setting up and running a successful IT Security company.
Sponsors
University of Manchester - Venue
NCC Group