OWASP San Antonio

Welcome

Welcome to the OWASP San Antonio Chapter, a regional city chapter within OWASP. Our Chapter serves the San Antonio region as a platform to discuss and share topics around information and application security.

Anyone interested in and enthusiastic about application security is welcome. All meetings are free and open. You do not have to be an OWASP member.

Referrals of colleagues or acquaintances to this website or to individual meetings are welcome.

What’s going to happen?

To be announced via our OWASP San Antonio Chapter Meetup Group. We usually have talks related to information and application security.

Further Notes

Please join our OWASP San Antonio Chapter Meetup Group for timely updates on our OWASP Chapter San Antonio Meetup.

Upcoming Events

OWASP San Antonio Quarterly Chapter Meeting - Friday, April 11th, 2025, 11am-2pm, happy hour after

When: OWASP San Antonio Chapter Quarterly Meeting - Friday, April 11th, 2025, 11am-2pm

**Presentation: AI Use Cases for AppSec - A discussion of AppSec Best Practices**


Details

Topics- See abstracts below

Lunch provided at Scuzzi’s Italian Restaurant - 4035 N Loop 1604 W #102, San Antonio, TX 78257

Zoom link provided for remote attendees; see Meetup for the Zoom link.

We encourage everyone to attend in person. We will have door prizes and excellent food for all to enjoy, as you take advantage of this excellent learning and networking opportunity!
Please feel free to pass this information on to your peers and team members.
Please reply “ONSITE” on the Meetup registration page if you plan on attending in person so we can finalize the headcount for food and room attendance 😊
Social hour after.

Presentations will include:

Host Intro - Potential AI use cases for Application Security
Leveraging AI for Vulnerability Identification - NowSecure
AI coding agents - Risks and Benefits - Endor Labs
AppSec for AI and NHI (Non-Human Identity) - Graylog
Shadow AI and AppSec: What You Don’t Know Will Get You! - ByteWhisper

Host Intro - Potential AI use cases for Application Security - Joseph Gregario, VP, Frost Bank

In this talk, Joe will share his experience with building and scaling AI in an Application Security program.

I. Leveraging AI for Vulnerability Identification - NowSecure

Artificial intelligence (AI) language models are emerging as valuable tools for mobile security analysts and developers, offering significant benefits such as aiding in structured vulnerability assessments or generating code. However, limitations such as “hallucinations”, in which the model generates inaccurate or misleading outputs, highlight the importance of human oversight in managing the risk posed by AI. This talk covers a novel approach for recovering application source code, leveraging AI language models to transform pseudo-disassembly into high-level source code. This method is able to handle complex abstractions introduced in high-level languages such as SwiftUI or Dart and generates output in popular programming languages like Swift, C#, Kotlin, Java, Python or even Bash.

II. AI coding agents - Risks and Benefits - Endor Labs

The proliferation of AI coding agents will accelerate the production of code, but what are the risks associated with this acceleration? In many ways the core challenge to securing these outputs will be the familiar fundamental challenges that appsec has always faced: maintaining an understanding of your inventory and risk posture, conducting security assessments at scale, and managing processes for risk acceptance and remediation. Good appsec fundamentals will be critical in the new era of AI-generated code. But coding agents also introduce novel concerns born from the inherent differences between these agents and human developers, as well as the additional layers of abstraction which will become intrinsic to AI development: understanding how to vet and validate non-human agents, identifying the operational risks posed by agents trained on open source, and the complexity of managing code developed through natural language will all require the development of new practices in appsec. This talk will look at some of the new risks that will arise in the era of large-scale AI code development, and discuss possible paths forward for deploying such agents in a secure way.

III. AppSec for AI and NHI - Graylog

As we're empowering NHIs (Non-Human Identities) to take on greater responsibilities, it's smart to wonder how we'll keep these good bots in bounds. This isn't possible to answer without acknowledging a dirty little secret -- while modern software is already driven by bots, modern security tools fall short in observing and regulating interactions between bots and APIs, whether those bots are trusted NHIs or malicious attackers. This session dispels a few myths about bots and bot detection and shows a few practical considerations and techniques to identify and block high-risk activities.


IV. The Shadow AI and AppSec: What You Don’t Know Will Get You! - ByteWhisper

The over-the-top headlines about artificial intelligence (AI) have only been outstripped by the breakneck speed at which many are adopting AI to transform their organizations. Shadow AI creates significant security exposures, like development teams processing sensitive customer data through unauthorized AI tools or creating mission-critical solutions using unvetted open-source AI models. This session will focus on where Shadow AI and appsec intersect – the coding co-pilots, the platforms, and the risks that they represent to your organization. This session will provide an overview of Shadow AI, how application development might unknowingly create Shadow AI, and tools to identify and mitigate Shadow AI.

**Speakers:**

Leveraging AI for Vulnerability Identification

Sergi "Pancake" Alvarez - NowSecure Solutions Engineer

Sergi Alvarez is a Mobile Security Research Engineer at NowSecure. Pancake has more than 25 years of experience in the reverse engineering and security fields. Author and maintainer of radare2, r2frida and other plugins around the radare ecosystem, he began working as a forensic analyst, but moved on to other roles as an embedded systems developer and software developer, optimizing codecs in assembly for a variety of architectures.

AI coding agents - Risks and Benefits

Nate Michalov - Endor Labs Solutions Architect

Nate Michalov is a seasoned application security professional with over 12 years of diverse experience. Throughout his career, Nate has contributed to organizations such as Endor Labs, Apiiro, Snyk, Veracode, and Annkissam, where he has focused on securing digital ecosystems while aligning technological strategies with business objectives. In various roles including customer success architect, senior sales engineer, and senior SAST specialist, Nate has consistently tackled complex challenges at the intersection of business and technology. Known for his collaborative approach and dedication to staying informed about emerging trends, Nate is recognized as a trusted advisor in promoting innovation and resilience in application security.

AppSec for AI and NHI

Rob Dickinson - Graylog

Rob Dickinson: Drawing from his experience at Dell and Intel, as well as several early-stage startups, Rob possesses a unique perspective on big data and API security, coupled with deep empathy for the present and coming challenges of monitoring and securing AI-driven and AI-supported technologies. In his latest venture, Rob founded Resurface (now Graylog API Security) to offer a comprehensive first-party solution for API observation, monitoring and alerting, grounded in open standards. Outside of his professional pursuits, Rob diligently balances his responsibilities as a husband to his wife and father to their three children in Boulder, Colorado.

The Shadow AI and AppSec: What You Don’t Know Will Get You!
John Dickson - CEO, ByteWhisper

John Dickson is CEO of Bytewhisper Security and an internationally recognized cybersecurity leader who has advised organizations on cybersecurity risk for over 25 years. John was a Principal at Denim Group where he guided that company to a successful acquisition by Coalfire in 2021. A former U.S. Air Force intelligence and cyber officer, Dickson served in the Air Force Information Warfare Center (AFIWC) and was a member of the Air Force Computer Emergency Response Team (AFCERT) in the 1990s. John has been researching and speaking about the convergence of artificial intelligence and cybersecurity and its impact on organizations since 2018.

RSVP:
Meetup (online)

**Location:** Scuzzi’s Italian Restaurant - 4035 N Loop 1604 W #102, San Antonio, TX 78257 (lunch provided). Zoom link provided for remote attendees.

Speaking at OWASP San Antonio Chapter Events

Call for Speakers is open - if you would like to present a talk on application security at future OWASP San Antonio Chapter events, please review and agree to the [OWASP Speaker Agreement](Speaker_Agreement "wikilink") and send the proposed talk title, abstract and speaker bio to the Chapter Leaders via e-mail.