OWASP Boston

March 2022 Chapter Meeting

Fixing OSS Security Vulnerabilities at Scale with CodeQL · Jonathan Leitschuh

You know what’s cooler than finding one vulnerability? Finding thousands of vulnerabilities all at once! You know what’s even cooler than that? Fixing them all at once!

Through the power of your good code you can find other people’s bad code and make the world a safer place. Be the darling of bug bounty managers and the envy of security researchers.

We’ll introduce the 3 solutions that powered this massive fix: CodeQL, GitHub’s code query language that finds security vulnerability patterns at scale; OpenRewrite, a style-preserving refactoring tool used at Netflix that makes the changes to fix the problems you found; and a custom-built bot for generating these thousands of pull requests.

This talk will take you on a journey through what it means to be an “Open Source Security Researcher” and how CodeQL + Rewrite are serious game changers from the solutions that existed before.

Jonathan Leitschuh (LinkedIn, Twitter @JLLeitschuh) is a Software Engineer and Security Researcher. He was awarded the first-ever Dan Kaminsky Fellowship. His research focuses on Open Source Software (OSS), build infrastructure, and software supply chain security. He’s best known for his July 2019 bombshell Zoom 0-day vulnerability disclosure. He also championed an industry-wide initiative to get all major artifact servers in the JVM ecosystem to formally decommission the support of HTTP in favor of HTTPS only. To-date he has the most GitHub Security Advisory credits to his name of any OSS contributor on GitHub.

Speaking at OWASP Boston Chapter Events

If you would like to present a talk on Application Security at future OWASP Boston Chapter events - please review and agree with the OWASP Speaker Agreement and send the proposed talk title, abstract and speaker bio to the Boston Chapter leaders via e-mail: boston-leaders (at) owasp.org

OWASP Boston Chapter meetings are posted on our MeetUp Page

Please visit our Meetup for all chapter event information.

Please follow the OWASP Boston Chapter on Twitter & Meetup and sign up for our mailing list to be notified when the details of the next event are published.

February 2023 Chapter Meeting

OWASP Boston’s first hybrid meetup of 2023 will have an exciting guest speaker, Matt Cheung (https://www.linkedin.com/in/mattcheung1/). Matt is currently an Application Security Consultant at Veracode and is best known for his expertise in cryptography, having spoken at major conferences such as DefCon, BsidesSF and many others. Matt will be sharing his experience researching and developing Cryptosploit (https://github.com/nullpsifer/cryptosploit), “a Metasploit-like tool designed to streamline the exploitation of vulnerable cryptosystems”.

Register: https://www.meetup.com/owaspboston/events/290724616/

Boston Chapter Leaders

Also see past events on Meetup.

February 2022 Chapter Meeting

Insider’s Guide to Mobile AppSec with OWASP MASVS · Brian Reed

From the birth of the Mobile Application Security Verification Standard (MASVS) and Mobile Security Testing Guide (MSTG) in January 2018 to the most recent updates, the OWASP Mobile Security Project has advanced the state of mobile app security testing dramatically. As supporters and contributors to the Mobile Security Project at OWASP, we have pen tested thousands of mobile apps and scanned millions of commercial apps in the app stores over the years… and have identified the most common security issues that plague developers and security teams. Whether you are new to mobile pen testing or a veteran looking for the latest tools and tactics, join this session to learn 10 keys to mobile appsec leveraging OWASP MASVS and practical real-world experience.

As Chief Mobility Officer, Brian Reed leads the mobile standards and mobile DevSecOps charge at NowSecure, helping orgs deliver secure mobile apps faster. He brings decades of experience in mobile, apps, security, dev, and testing, helping Fortune 2000 global customers, federal agencies and mobile innovators. Brian is a compelling storyteller, speaker and writer, with appearances at OWASP, AllDayDevOps, DevOpsWorld, DevOps Days, RSA, Droidcon, Mobile World Congress, FS-ISAC, and more. Brian is a graduate of Duke University.

January 2022 Chapter Meeting

Analyzing Source Code For Vulnerabilities: A How-To Workshop · Vickie Li

Writing code is hard. Writing secure code is even harder. Serious security vulnerabilities often stem from small programming mistakes. As developers, we can safeguard our applications by catching these mistakes in our own code. Performing a source code review is one of the best ways to find security issues in code. But how do you do it? In this workshop, we will first go through the basics of how to review your code for vulnerabilities and some tactics for performing an effective security code review on your application. But the process of manually analyzing code for vulnerabilities can be very time-consuming. In the second part of this talk, we will also talk about how to use the interactive code analysis tool Joern to make code analysis more efficient. How do you effectively trace user input in code? How can you efficiently link bug sources to sensitive sink functions?

April 2021 Chapter Meeting

State of Botnets · Ilia Bromberg

Time & Place: April 13, 2021 - Meetup - Zoom

  • OWASP Boston leadership changes, what’s ahead for the chapter
  • AppSec & open source news updates and discussion
  • State of Botnets with Ilia Bromberg, Sr. Solutions Engineer, Akamai Technologies

Some additional information on Ilia’s talk: the state of botnets, from good bots (crawlers) to bad bots (credential stuffing) and the various shades of bots in between; how to detect them and how to act against them, covering techniques that work and common misconceptions.