OWASP Boston

May 2023 Chapter Meeting

OWASP Kubernetes Top 10 · Andrew Josephides

RSVP on Meetup

Hybrid Attendance: Join us in person or online (link to be provided).

Join us for discussion, food, appsec news, and an OWASP-related talk.

For our May meeting, Andrew Josephides, Director of Security Research at KSOC, will give a talk introducing the OWASP Kubernetes Top 10.

Given the growth and adoption of Kubernetes, a number of projects have been published in the OWASP community to help practitioners assess and improve the security of their containerized infrastructure, including the recently released Top Ten for Kubernetes (https://owasp.org/www-project-kubernetes-top-ten/). This OSS project is a community-curated list of the most common Kubernetes risks, backed by data collected from organizations varying in maturity and complexity. This session will discuss the project in detail, give examples for each of the risks in the list, and explain how to get involved.

Speaking at OWASP Boston Chapter Events

If you would like to present a talk on Application Security at future OWASP Boston Chapter events, please review and agree to the OWASP Speaker Agreement and send the proposed talk title, abstract and speaker bio to the Boston Chapter leaders via e-mail: boston-leaders (at) owasp.org

BASC 2023

Tentative date: April


Boston Chapter Leaders


Also see past events on Meetup.

March 2023 Chapter Meeting

Defending the Attack Surface of the Software Supply Chain · Pete Morgan

This month OWASP Boston will be welcoming Pete Morgan, CSO & Co-founder of Phylum, as our presenter. Pete will be presenting to the group on defending the complete attack surface of the software supply chain. The presentation will include research findings from the Phylum team and their insights on how to counteract them. For more details about Pete and the talk please see the details below.

This month’s meetup will be a hybrid meeting; feel free to join us in person at the Broad Institute in Cambridge or via Zoom (link provided to all registered attendees ahead of the event).

Title: Defending the complete attack surface of the software supply chain

Abstract: As attacks have shown, soft targets in the software supply chain are now the path of least resistance for attackers. This session will review the TTPs of recent attacks and areas of software supply chain risk to focus on.

Speaker: Pete Morgan, CSO & Co-Founder at Phylum

Bio: Pete Morgan is a co-founder and CSO of Phylum. He is a recognized security researcher and entrepreneur with more than 20 years of experience in information security, software development and executive leadership. Pete’s background in offensive security drives his passion for creating and sharing the best defenses against the growing number of software supply chain attacks originating in the open-source ecosystem.

February 2023 Chapter Meeting

Cryptosploit · Matt Cheung

OWASP Boston’s first hybrid meetup of 2023 will have an exciting guest speaker, Matt Cheung (https://www.linkedin.com/in/mattcheung1/). Matt is currently an Application Security Consultant at Veracode and is best known for his expertise in cryptography, having spoken at major conferences such as DefCon, BsidesSF and many others. Matt will be sharing his experience researching and developing Cryptosploit (https://github.com/nullpsifer/cryptosploit), “a Metasploit-like tool designed to streamline the exploitation of vulnerable cryptosystems”.

Join us in person at the Broad Institute in Cambridge, or on Zoom (link provided to all registered attendees ahead of the event).

March 2022 Chapter Meeting

Fixing OSS Security Vulnerabilities at Scale with CodeQL · Jonathan Leitschuh

You know what’s cooler than finding one vulnerability? Finding thousands of vulnerabilities all at once! You know what’s even cooler than that? Fixing them all at once!

Through the power of your good code you can find other people’s bad code and make the world a safer place. Be the darling of bug bounty managers and the envy of security researchers.

We’ll introduce the 3 solutions that powered this massive fix: CodeQL, GitHub’s code query language that finds security vulnerability patterns at scale; OpenRewrite, a style-preserving refactoring tool used at Netflix that applies the fixes to the problems you found; and a custom-built bot for generating these thousands of pull requests.

This talk will take you on a journey through what it means to be an “Open Source Security Researcher” and how CodeQL + Rewrite are serious game changers compared with the solutions that existed before.

Jonathan Leitschuh (LinkedIn, Twitter @JLLeitschuh) is a Software Engineer and Security Researcher. He was awarded the first-ever Dan Kaminsky Fellowship. His research focuses on Open Source Software (OSS), build infrastructure, and software supply chain security. He’s best known for his July 2019 bombshell Zoom 0-day vulnerability disclosure. He also championed an industry-wide initiative to get all major artifact servers in the JVM ecosystem to formally decommission support for HTTP in favor of HTTPS only. To date he has the most GitHub Security Advisory credits to his name of any OSS contributor on GitHub.

February 2022 Chapter Meeting

Insider’s Guide to Mobile AppSec with OWASP MASVS · Brian Reed

From the birth of the Mobile Application Security Verification Standard (MASVS) and Mobile Security Testing Guide (MSTG) in January 2018 to the most recent updates, the OWASP Mobile Security Project has advanced the state of mobile app security testing dramatically. As supporters and contributors to the Mobile Security Project at OWASP, we have pen tested thousands of mobile apps and scanned millions of commercial apps in the app stores over the years… and have identified the most common security issues that plague developers and security teams. Whether you are new to mobile pen testing or a veteran looking for the latest tools and tactics, join this session to learn 10 keys to mobile appsec leveraging OWASP MASVS and practical real-world experience.

As Chief Mobility Officer, Brian Reed leads the mobile standards and mobile DevSecOps charge at NowSecure, helping orgs deliver secure mobile apps faster. He brings decades of experience in mobile, apps, security, dev, and testing, helping Fortune 2000 global customers, federal agencies and mobile innovators. Brian is a compelling storyteller, speaker and writer who has presented at OWASP, AllDayDevOps, DevOpsWorld, DevOps Days, RSA, Droidcon, Mobile World Congress, FS-ISAC, and more. Brian is a graduate of Duke University.

January 2022 Chapter Meeting

Analyzing Source Code For Vulnerabilities: A How-To Workshop · Vickie Li

Writing code is hard. Writing secure code is even harder. Serious security vulnerabilities often stem from small programming mistakes. As developers, we can safeguard our applications by catching these mistakes in our own code. Performing a source code review is one of the best ways to find security issues in code. But how do you do it? In this workshop, we will first go through the basics of how to review your code for vulnerabilities and some tactics for performing an effective security code review on your application. But the process of manually analyzing code for vulnerabilities can be very time-consuming. In the second part of this talk, we will also talk about how to use the interactive code analysis tool Joern to make code analysis more efficient. How do you effectively trace user input in code? How can you efficiently link bug sources to sensitive sink functions?

April 2021 Chapter Meeting

State of Botnets · Ilia Bromberg

Time & Place: April 13, 2021 - Meetup - Zoom

  • OWASP Boston leadership changes, what’s ahead for the chapter
  • AppSec & open source news updates and discussion
  • State of Botnets with Ilia Bromberg, Sr. Solutions Engineer, Akamai Technologies

Some additional information on Ilia’s talk: the state of botnets, from good bots (crawlers) to bad bots (credential stuffing) and the various shades of bots in between; how to detect them and how to act against them, covering techniques that work and common misconceptions.