OWASP Manchester


Chapter Sponsors

Thank you to our Silver Chapter sponsor: AutoTrader



Code of Conduct

OWASP Manchester meetings and events are an inclusive environment where all people should feel safe and respected. We welcome diversity in age, race, ethnicity, national origin, range of abilities, sexual orientation, gender identity, financial means, education, and political perspective.

OWASP Manchester will not tolerate any form of violence, harassment, hate speech or trolling either off or online, or any overly drunken, intimidating or heckling behaviour.

Please respect the presenters, don’t talk amongst yourselves during their presentations and ensure your mobile phones are muted or switched off.

We want you to have fun, in a safe and respectful environment.

If you have any issues or concerns relating to the code of conduct, please contact one of the Chapter Leads either in person, through the Meetup page or via email.

Chapter Leaders:

As this is a private event we reserve the right to remove and ultimately ban anyone who violates this code of conduct, and will report any incidents to the appropriate authorities if necessary.

Polite note to Vendors/Recruiters/Internal Recruiters/Business Development people

Vendors and recruiters are welcome at OWASP Manchester; however, we ask that you remember this is a user group, not a networking event, and tapping people up for jobs or business unprompted is not encouraged.



2024


Forward or Reverse Engineering - Get your app security into gear - 18 April 2024

Details

In this session we discussed security operations and reverse engineering of Flutter applications.

Talks

Eliza-May Austin - DRACOEYE the browser-based freebie that’s going to streamline your SOC teams.

Talk recording coming soon

In this session, we'll delve into the origins of DRACOEYE, discussing why it was created and the driving forces behind its development. We'll explore the motivations behind making it freely available and the importance of accessibility in the realm of cybersecurity. Discover how DRACOEYE's intuitive design makes it ridiculously easy to use, so much so that even your granny could navigate it with ease – we even have a YouTube series in the pipeline to demonstrate this claim! Through a quick demo, you'll see firsthand just how simple and effective DRACOEYE is in bolstering your online security. Whether you're a seasoned cybersecurity professional or a curious beginner, this talk is for you. Learn who should be using DRACOEYE and how it can benefit individuals and organizations alike. Stick around for a lively Q&A session where you can ask anything about DRACOEYE, from its features to its development journey.

About Eliza-May Austin
Eliza knew she wanted to work in tech from the moment she saw Sandra Bullock order pizza over dial-up in her favourite film, 1995's 'The Net'. Eliza has a degree in Digital Forensics and is SANS-trained in Network Forensics, Purple Teaming and Penetration Testing. She has previously worked in cyber defence in a number of FTSE 100 companies and was the original founder of the Ladies Hacking Society. Despite her fascination with tech she has taken on a more business-centric role, guided the company through impressive growth, won a slew of awards, and was voted one of the most inspirational voices in cybersecurity.

Jay Harris - Putting Flutter in the Gutter: how to reverse engineer Flutter applications

Talk recording coming soon

In the ever-evolving landscape of mobile application development, Flutter has emerged as a powerful framework, enabling developers to create cross-platform applications with a single codebase. However, with innovation comes the need for robust security measures. This talk aims to delve into the realm of reverse engineering and security assessment specific to Flutter mobile applications. Reverse engineering, the process of dissecting and understanding the inner workings of an application, is a double-edged sword. While developers leverage it for debugging and optimization, adversaries exploit it to identify vulnerabilities and potential security weaknesses. In this presentation, we will explore various reverse engineering techniques tailored to Flutter apps, shedding light on the underlying architecture and highlighting potential attack vectors.

About Jahmel Harris
Jahmel Harris is a seasoned security researcher, hacker, and co-founder of Digital Interruption, a Manchester-based cyber security consultancy. His expertise lies in securing organizations through a blend of penetration testing and integrating security practices into application development pipelines. Jahmel's impactful work has garnered international recognition, with media coverage of his research and widespread attendance at his workshops on mobile hacking. His contributions extend beyond the technical realm, as he actively participates in cyber security advisory groups and tech conferences, including 44Con, Hack.lu and leHACK. Jahmel's dedication to advancing security practices has led to the release of multiple public disclosures, further enhancing software protection. His commitment to the field is evident through open-source contributions and free online and in-person security workshops and training. Jahmel's impact on the cybersecurity landscape continues to grow, making him an invaluable asset in the realm of mobile application reverse engineering and security assessments.

Sponsors

We'd like to say a big THANK YOU to the companies who helped make this event possible:
Cytix - Venue Sponsor
ReportURI - Food & Drink Sponsor


Assembly and Disassembly, an OWASP guide to application security - 15 January 2024

Details

In this session we discussed application security and the basics of assembly.

Talks

Stuart Crawford - AppSec in the Enterprise: in-flight testing and Shifting Left

Talk recording

In a world where web-based applications are ubiquitous, penetration testing is well established as a way of verifying that those applications are secure, but how do we stop ourselves falling into an endless cycle of 'deploy, test, fix'? The answer is to pay closer attention to security in the development lifecycle, and I'll provide an example of how we're doing this at one of, if not the, largest Independent Software Vendors in the UK.

About Stuart Crawford
Stuart is AppSec program manager at one of the largest SaaS companies in the UK.

Tom Blue - Basic Assembly and Memory

Talk recording

This talk is an overview of how basic assembly and memory work, the structure of programs compiled from C, and how to follow the logic of disassembled programs. I'll show how to use tools such as Ghidra to decompile code and make the reverse engineering process more efficient, and cover things such as buffer overflows, patching code and return-oriented programming.

About Tom Blue
Tom is a second-year student at Lancaster University studying computer science. He's passionate about cybersecurity, having worked in the industry for two years, as well as helping run LUHack and LUCompSoc, Lancaster University's hacking and computing societies. He works for the university as a casual researcher, is currently looking at embedded systems security, and is helping write the Cyber Physical Systems module for the cybersecurity master's degree. He also worked as an intern for Digital Interruption, a Manchester-based cyber security consultancy.

Sponsors

We'd like to say a big THANK YOU to the companies who helped make this event possible:
Amazon - Venue Sponsor
Pentest - Food & Drink Sponsor



2023


Breaking Yourselves, But In The Best Way Possible - 21 September 2023

Details

In this session we'll be discussing various ways to improve your offensive security testing. Using these offensive security techniques, your teams will find new ways to break applications, and test your defenses.

Talks

Dr Katie Paxton-Fear: Go Hack Yourself: API hacking for beginners

Talk recording

Over the past few years, we've really seen API hacking take off as a field of its own, diverging from typical web app security yet parallel to it. Often we point to the amorphous blob that is web security and say "here you go, now you can be a hacker too", with top 10 lists, write-ups, conference talks and whitepapers, smiling as we do. This creates a major challenge for developers who want to test their APIs for security, or just people who want to get into API hacking: how on earth do you wade through all the general web security to get to the meat of API hacking, and what do you even need to know? This talk is going to break down API hacking from a developer's point of view, teaching you everything you need to know about API hacking, from the bugs you can find and the impact you can cause, to how you can easily test your own work or review your peers'. So what are you waiting for? Join me and go hack yourself!

About Dr Katie Paxton-Fear
Katie is a lecturer in Cyber Security at Manchester Metropolitan University and a cyber security researcher, but she's far better known for her hobby. In her free time she's a hacker, specialising in API hacking and teaching others through her YouTube videos. A former developer turned hacker, she used to make RESTful APIs and now she breaks them. She found her first API vulnerability in 2019, which affected Uber, and has been hacking APIs ever since, creating hours of content to help others follow in her footsteps. With her PhD in cyber security and machine learning, she loves to introduce a data-driven approach to hacking, combining new tools with manual testing to ensure an impactful bug report every time.

Gerald Benischke - Application DoS vulnerabilities

Talk recording

This AppSec-focused talk demonstrates how denial of service attacks can be carried out without throwing lots and lots of traffic at a system, and still effectively stop services. It uses a couple of vulnerabilities in the Play framework as an example and describes the impact. This approach can be likened to using precision-guided missiles rather than the carpet bombing of DDoS attacks. I will explore the role that developer convenience in frameworks plays when combined with unexpected payloads, and how this can be exploited. I also draw on how the service mesh can amplify this attack such that multiple instances can be killed with a single request. Furthermore, we look at how Web Application Firewalls (WAFs) offer no protection against this type of attack. Lastly, I will look at what can be done to protect applications against this type of attack.

About Gerald Benischke
I tend to describe myself as both an Agile Fundamentalist and an AppSec Snooper. What does this mean? On the one hand my software development experience has led me to think that the principles of the agile manifesto form the basis of good practices. It boils down to lots of common sense, small steps, learning along the way, not writing code that nobody will want or need and taking processes and procedures with a pinch of salt.

Sponsors

We'd like to say THANK YOU to the companies who helped make this event possible:
Booking.com - Venue Sponsor
Booking.com - Food & Drink Sponsor


Security Tools - Proving your applications are as secure as possible - 7 June 2023

Details

In this session we'll be discussing various tools used within security. By using these tools, your teams will be able to truly show that your products are as secure as they can be.

Talks

Simon Bennetts: An Introduction to OWASP ZAP

Talk recording

In this talk Simon (the ZAP founder and project lead) will give you an overview of the world's most popular web security scanner. He will also talk about the most recent changes and what's coming next.

About Simon Bennetts
The OWASP Zed Attack Proxy (ZAP) Founder and Project Leader, and a Distinguished Engineer at Jit. He has talked about and demonstrated ZAP at conferences all over the world, including Blackhat, JavaOne, FOSDEM and OWASP AppSec EU, USA & AsiaPac. Prior to making the move into security he was a developer for 25 years and strongly believes that you cannot build secure web applications without knowing how to attack them.

Anthony Harrison - SBOMs and why they can help make your software more secure

Talk recording

This talk will explain what an SBOM (Software Bill of Materials) is, how and when one should be produced, some of the challenges that need to be overcome, and demonstrate how SBOMs should form part of a DevSecOps lifecycle. I will try to supplement the talk with some demonstrations using a number of open source applications.

About Anthony Harrison
Anthony is an independent systems/software/cyber consultant. I am part of the SPDX community developing the forthcoming security profile, and a member of the OpenSSF SBOM Everywhere working group and the SBOM Forum. I have presented on SBOMs at FOSDEM (2002 and 2023) and EuroPython 2022, and will be presenting at PyCascades (Vancouver) in March.

Sponsors

We'd like to say THANK YOU to the companies who helped make this event possible:
Bruntwood - Venue Sponsor
Cytix - Food & Drink Sponsor


Proactive Security - How do you prevent vulnerabilities? - 7 March 2023

Details

In this session we'll be discussing proactive security, meaning: how do you empower and enable engineering teams to own their own security and prevent the release of vulnerable code? What would secure coding practices look like? What is security by design? What security testing can teams do during the test and release process? More importantly, what can we put in place to really make the security teams earn their money?

Talks

Threat Modelling - Robin Fewster

Talk recording

Drawing on some client experiences, Robin will discuss different threat modelling approaches and tools available, and how they went down with development teams.

About Robin Fewster
Robin has 20 years' experience in cyber security, and is particularly interested in helping companies to improve their security posture. A current area of focus is assisting software development teams with improving their secure software development practices. This includes work ranging from implementing security strategy and security champions programmes to threat modelling. Robin is also a former OWASP Newcastle chapter leader.

SAST, DAST, IAST, RASP - Daniel Oates-Lee

Talk recording

Daniel will give us an introduction to DevSecOps and share their experience enabling secure development for clients.

About Daniel Oates-Lee
Daniel is one of the Punk Security Co-Founders and has over 21 years of commercial IT experience, with 15 years focused on cyber security.

Sponsors

We'd like to say THANK YOU to the companies who helped make this event possible:
Barclays DiSH - Thank you so much for sponsoring the venue.
BeyondTrust - Thank you so much for sponsoring the food & drink.
Cytix - Special thanks for making introductions.



2019


Secure Code Warrior - 8 August 2019 - Hosted by BBC


28 May 2019

Simon Bennetts

OWASP ZAP's lead hacker, Simon Bennetts, will be taking us through the new user interface for ZAP - the ZAP Heads Up Display (or HUD).

Gerald Benischke

Slides

XML is Evil: This talk describes several common XML security vulnerabilities, how they can be found, and how they can be mitigated. Real-life examples (though anonymised) are used to illustrate how these issues can be exploited.

Sponsors

RentalCars - Venue sponsor
Distil Networks - Food & drink



2018


OWASP Manchester CTF - 13 November 2018

Manchester OWASP will be running its first annual CTF on November 13th in partnership with Manchester Grey Hats, who will be running the challenges. The CTF will be hosted by the Manchester Technology Centre on Oxford Road and is aimed at people working in the tech industry who have an interest in security. The CTF itself will be a jeopardy-style challenge aimed at a range of technical capabilities, with some low-tech or non-tech challenges. So, if you're a developer, software tester, system architect, infosec professional, or just have an interest in security, sign up. We'll be running teams of 4, so you can either enter a full team or we can help you put one together on the day! Manchester Grey Hats will be running a series of short workshops on the same topics as the CTF on October 24th, so keep an eye on their Meetup page!

Thanks to our community sponsors: Manchester Grey Hats, North West Testers Gathering, Manchester Girl Geeks, Techs and the City, Tech Leaders of the North West and PowerShell Manchester.


4 September 2018

Scott Helme

Catherine Chapman

Sponsors

Booking Go (Rentalcars)
SureCloud


17 July 2018

Mike Thompson

Talk recording

Liz Bell

Talk recording

Sponsors

Mad Lab - Venue
ReportUri
NCC


3 May 2018

Daniel Dresner

Daniel will be taking us through his experience of careers in the IT industry and academia.

John Denneny

John, founder of Pen Test Limited, will be talking about his experience of setting up and running a successful IT security company.

Sponsors

University of Manchester - Venue
NCC Group