OWASP Manchester

Welcome

Welcome to the official page of OWASP Manchester. We’ll be running multiple events throughout the year so join our Meetup page to stay informed!

If you wish to talk at or sponsor a future event please feel free to reach out on Twitter, Meetup, or email one of the chapter leaders from the sidebar.

Participation

The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. All of our projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

Chapters are led by local leaders in accordance with the Chapters Policy. Financial contributions should only be made online using the authorized online donation button.

Everyone is welcome and encouraged to participate in our Projects, Local Chapters, Events, Online Groups, and Community Slack Channel. We especially encourage diversity in all our initiatives. OWASP is a fantastic place to learn about application security, to network, and even to build your reputation as an expert. We also encourage you to become a member or consider a donation to support our ongoing work.


Code of Conduct

OWASP Manchester meetings and events are an inclusive environment where all people should feel safe and respected. We welcome diversity in age, race, ethnicity, national origin, range of abilities, sexual orientation, gender identity, financial means, education, and political perspective.

OWASP Manchester will not tolerate any form of violence, harassment, hate speech or trolling either off or online, or any overly drunken, intimidating or heckling behaviour.

Please respect the presenters, don’t talk amongst yourselves during their presentations and ensure your mobile phones are muted or switched off.

We want you to have fun, in a safe and respectful environment.

If you have any issues or concerns relating to the code of conduct please contact one of the Chapter Leads either in person, through the Meetup page or via email.

Chapter Leaders:

As this is a private event we reserve the right to remove and ultimately ban anyone who violates this code of conduct and will report any incidents to the appropriate authorities if necessary.

Polite note to Vendors/Recruiters/Internal Recruiters/Business Development people

Vendors and Recruiters are welcome at OWASP Manchester, however we ask that you remember this is a user group, not a networking event, and tapping people up for jobs or business unprompted is not encouraged.



2024


Assembly and Disassembly, an OWASP guide to application security - 15 January 2024

Details

In this session we discussed application security and the basics of assembly.

Talks

Stuart Crawford - AppSec in the Enterprise: in-flight testing and Shifting Left

Talk recording coming soon

In a world where web-based applications are ubiquitous, penetration testing is well-established as a way of verifying those applications are secure, but how do we stop finding ourselves falling into an endless cycle of 'deploy, test, fix'? The answer is by paying closer attention to security in the development lifecycle, and I'll provide an example of how we're doing this at one of, if not the largest, Independent Software Vendors in the UK.

About Stuart Crawford
Stuart is AppSec program manager at one of the largest SaaS companies in the UK.

Tom Blue - Basic Assembly and Memory

Talk recording coming soon

This talk would be an overview of how basic assembly and memory works, the structure of programs compiled in C and how to follow the logic of disassembled programs. I’ll show how to use tools such as Ghidra to decompile code and to make the reverse engineering process more efficient and cover things such as buffer overflows, patching code and return oriented programming.

About Tom Blue
Tom is a second year student at Lancaster University studying computer science. He’s passionate about cybersecurity, having worked in the industry for two years, as well as helping run LUHack and LUCompSoc, Lancaster University's hacking and computing societies. He works at the university as a casual researcher and is currently looking at embedded systems security and helping write the Cyber Physical Systems module for the cybersecurity masters degree. He also worked as an intern for Digital Interruption, a Manchester-based cyber security consultancy.

Sponsors

We'd like to say a big THANK YOU to the companies who helped make this event possible:
Amazon - Venue Sponsor
Pentest - Food & Drink Sponsor



2023


Breaking Yourselves, But In The Best Way Possible - 21 September 2023

Details

In this session we'll be discussing various ways to improve your offensive security testing. Using these offensive security techniques, your teams will find new ways to break applications, and test your defenses.

Talks

Dr Katie Paxton-Fear: Go Hack Yourself: API hacking for beginners

Talk recording

Over the past few years, we've really seen API hacking take off as a field of its own, diverging from typical web app security, but yet parallel to it. Often we point to the amorphous blob that is web security and go: "here you go, now you can be a hacker too", with top 10 lists, write-ups, conference talks and whitepapers smiling as we do. This creates a major challenge for developers who want to test their APIs for security or just people who want to get into API hacking: how on earth do you wade through all the general web security to get to the meat of API hacking, what do you even need to know? This talk is going to break down API hacking from a developer point of view, teaching you everything you need to know about API hacking, from the bugs you can find and the impact you can cause, to how you can easily test your own work or review your peers. So what are you waiting for? Join me and go hack yourself!

About Dr Katie Paxton-Fear
A lecturer in Cyber Security at Manchester Metropolitan University and a cyber security researcher, but she's far more well known for her hobby. In her free time, she's a hacker, specialising in API hacking and teaching others through her YouTube videos. A former developer turned hacker, she used to make RESTful APIs and now she breaks them. She found her first API vulnerability in 2019, which affected Uber, and has been hacking APIs ever since, creating hours of content to help others follow in her footsteps. With her PhD in cyber security and machine learning, she loves to introduce a data-driven approach to hacking, combining new tools with manual testing to ensure an impactful bug report every time.

Gerald Benischke - Application DoS vulnerabilities

Talk recording

This AppSec-focussed talk demonstrates how denial of service attacks can be carried out without throwing lots and lots of traffic at a system and effectively stop services. This uses a couple of vulnerabilities in the Play framework as an example and describes the impact. This approach can be likened to using precision guided missiles rather than the carpet bombing of DDoS attacks. I will explore the role that developer convenience in frameworks plays when combined with unexpected payloads, and how this can be exploited. I also draw on how the service mesh can amplify this attack such that multiple instances can be killed with a single request. Furthermore, we look at how Web Application Firewalls (WAFs) offer no protection against this type of attack. Lastly, I will look at what can be done to protect applications against this type of attack.

About Gerald Benischke
I tend to describe myself as both an Agile Fundamentalist and an AppSec Snooper. What does this mean? On the one hand my software development experience has led me to think that the principles of the agile manifesto form the basis of good practices. It boils down to lots of common sense, small steps, learning along the way, not writing code that nobody will want or need and taking processes and procedures with a pinch of salt.

Sponsors

We'd like to say THANK YOU to the companies who helped make this event possible:
Booking.com - Venue Sponsor
Booking.com - Food & Drink Sponsor

Security Tools - Proving your applications are as secure as possible - 7 June 2023

Details

In this session we'll be discussing various Tools used within Security. By using these tools, your teams will be able to truly show that your products are as secure as they can be.

Talks

Simon Bennetts: An Introduction to OWASP ZAP

Talk recording

In this talk Simon (the ZAP founder and project lead) will give you an overview of the world's most popular web security scanner. He will also talk about the most recent changes and what's coming next.

About Simon Bennetts
The OWASP Zed Attack Proxy (ZAP) Founder and Project Leader, and a Distinguished Engineer at Jit. He has talked about and demonstrated ZAP at conferences all over the world, including Blackhat, JavaOne, FOSDEM and OWASP AppSec EU, USA & AsiaPac. Prior to making the move into security he was a developer for 25 years and strongly believes that you cannot build secure web applications without knowing how to attack them.

Anthony Harrison - SBOMs and why they can help make your software more secure

Talk recording

This talk will explain what an SBOM (Software Bill of Materials) is, how and when they should be produced, some of the challenges that need to be overcome, and demonstrate how they should form part of a DevSecOps lifecycle. I will try and supplement the talk with some demonstrations using a number of open source applications.

About Anthony Harrison
An independent systems/software/cyber consultant. I am part of the SPDX community developing the forthcoming security profile, and a member of the OpenSSF SBOM Everywhere working group and SBOM Forum. I have presented on SBOMs at FOSDEM (2002 and 2023), EuroPython 2022 and will be presenting at PyCascades (Vancouver) in March.

Sponsors

We'd like to say THANK YOU to the companies who helped make this event possible:
Bruntwood - Venue Sponsor
Cytix - Food & Drink Sponsor

Proactive Security - How do you prevent vulnerabilities? - 7 March 2023

Details

In this session we'll be discussing Proactive Security: how do you empower and enable engineering teams to own their own security and prevent the release of vulnerable code? What would secure coding practices look like, what is security by design, and what security testing can teams do during the test & release process? More importantly, what can we put in place to really make the security teams work for their money?

Talks

Threat Modelling - Robin Fewster

Talk recording

Drawing on some client experiences, Robin will discuss different threat modelling approaches and tools available, and how they went down with development teams.

About Robin Fewster
Robin has 20 years' experience in cyber security, and is particularly interested in helping companies to improve their security posture. A current area of focus is to assist software development teams with improving their secure software development practices. This includes work ranging from implementing security strategy and security champions programmes to threat modelling. Robin is also a former OWASP Newcastle chapter leader.

SAST, DAST, IAST, RASP - Daniel Oates-Lee

Talk recording

Daniel will give us an introduction to DevSecOps and share their experience enabling secure development for clients.

About Daniel Oates-Lee
Daniel is one of the Punk Security Co-Founders and has over 21 years of commercial IT experience, with 15 years focused on cyber security.

Sponsors

We'd like to say THANK YOU to the companies who helped make this event possible:
Barclays DiSH - Thank you so much for sponsoring the venue.
BeyondTrust - Thank you so much for sponsoring the food & drink.
Cytix - Special thanks for making introductions.



2019


Secure Code Warrior - 8 August 2019 Hosted by BBC

28 May 2019

Simon Bennetts

OWASP ZAP's lead hacker, Simon Bennetts, will be taking us through the new User Interface for ZAP - the ZAP Heads Up Display (or HUD).

Gerald Benischke

Slides

XML is Evil: This talk describes several common XML security vulnerabilities, how they can be found and mitigated against. Real life examples (though anonymised) are used to illustrate how these issues can be exploited.

Sponsors

RentalCars - Venue sponsor
Distil Networks - Food & drink



2018


OWASP Manchester CTF - 13 November 2018

Manchester OWASP will be running its first annual CTF on November 13th in partnership with Manchester Grey Hats who will be running the challenges. The CTF will be hosted by the Manchester Technology Centre on Oxford Road and is aimed at people working in the tech industry who have an interest in security. The CTF itself will be a jeopardy style challenge aimed at a range of technical capabilities, with some low or non-tech challenges. So, if you're a developer, software tester, system architect, infosec professional, or just have an interest in security, sign up. We'll be running teams of 4, so you can either enter a full team or we can help you put one together on the day! Manchester Grey Hats will be running a series of short workshops on the same topics as the CTF on October 24th, so keep an eye on their Meetup page! Thanks to our community sponsors: Manchester Grey Hats, North West Testers Gathering, Manchester Girl Geeks, Techs and the City, Tech Leaders of the North West and PowerShell Manchester.

4 September 2018

Scott Helme

Catherine Chapman

Sponsors

Booking Go (Rentalcars)
SureCloud

17 July 2018

Mike Thompson

Talk recording

Liz Bell

Talk recording

Sponsors

Mad Lab - Venue
ReportUri
NCC

3 May 2018

Daniel Dresner

Will be taking us through his experience of careers in the IT industry and academia.

John Denneny

Founder of Pen Test Limited, will be talking about his experience of setting up and running a successful IT Security company.

Sponsors

University of Manchester - Venue
NCC Group