OWASP Newcastle (UK)
Welcome to the official chapter page of the OWASP Newcastle-Upon-Tyne (UK) Chapter. We meet four times a year, usually on the last Tuesday of the month when we arrange meet-ups. Some of our previous talks are on our Utreon channel.
We’re always looking for speakers and welcome anyone who is interested in presenting a talk. Whether you are new to the chapter or an existing member, we encourage you to reach out to one of our chapter leaders for more information on how to get involved. To help you along the way, we can also provide support with the preparation and delivery of your talk.
As we encourage knowledge sharing and raising awareness of our events and the topics covered, we also make the presentations available on our previous events page after each event.
Check our Upcoming Meetup Events:
Previous Events
Here are the details from previous OWASP Newcastle meetups. Often there are links to presentations available.
2021
23/02/2021
Title: Detect complex code patterns using semantic grep
Speaker: Colleen Dai
Bio: Colleen Dai is a security software engineer at r2c, a startup working on building static analysis tools that focus on precision and being custom-fit to the consumer. At r2c, Colleen has worked on the language parsing along with AST matching. She is also writing rules to find security vulnerabilities in open source code. Colleen recently received her B.S. in Computer Science and M.S. in Statistics from Stanford. She regularly enjoys Brazilian Jiujitsu, drawing, and trying (and failing) not to eat everything in her fridge.
Description: We’ll discuss a program analysis tool we’re developing called Semgrep. It’s a multilingual semantic tool for writing security and correctness queries on source code (for Python, Java, Go, C, and JS) with a simple “grep-like” interface. The original author, Yoann Padioleau, worked on Semgrep’s predecessor, Coccinelle, for Linux kernel refactoring, and later developed Semgrep while at Facebook. He’s now full time with us at r2c.
Semgrep is a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. Semgrep is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.
For example, find subprocess calls with shell=True in Python using the query:
subprocess.open(..., shell=True)
This will even find snippets like:
import subprocess as s
s.open(f'rm {args}', shell=True)
Or find hardcoded credentials using the query:
boto3.client(..., aws_secret_access_key="...", aws_access_key_id="...")
Source code: https://github.com/returntocorp/semgrep
Test in your browser: https://semgrep.dev/
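As an added illustration of the alias-aware matching the description above refers to (this is example code written for this page, not Semgrep's own implementation), the following Python script walks a file's AST, records every name bound to the subprocess module or to one of its functions, and reports calls through any of those bindings that pass shell=True. The sample source it scans is constructed here; it is parsed, never executed.

```python
import ast

# Constructed sample input (parsed only, never run): the aliasing case from
# the talk description plus a from-import alias, a safe call and an
# unrelated call, to show matching works on resolved names, not on text.
SAMPLE = '''
import subprocess
import subprocess as s
from subprocess import Popen as spawn

subprocess.run(["ls", "-l"])                 # safe: no shell=True
s.Popen(f"rm {args}", shell=True)            # hit via module alias
spawn("echo hi", shell=True)                 # hit via function alias
shutil.rmtree(path)                          # unrelated call
'''


def _keyword_is_true(call, name):
    """True if the call passes name=True as a keyword argument."""
    for kw in call.keywords:
        if (kw.arg == name and isinstance(kw.value, ast.Constant)
                and kw.value.value is True):
            return True
    return False


def find_shell_true_calls(source):
    """Return (line, resolved callee) for each subprocess.*(..., shell=True) call."""
    tree = ast.parse(source)
    module_aliases = set()   # local names bound to the subprocess module
    func_aliases = {}        # local name -> subprocess function name
    # First pass: collect how the subprocess module reaches this file.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == "subprocess":
                    module_aliases.add(a.asname or a.name)
        elif isinstance(node, ast.ImportFrom) and node.module == "subprocess":
            for a in node.names:
                func_aliases[a.asname or a.name] = a.name
    # Second pass: check each shell=True call's callee against the bindings.
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not _keyword_is_true(node, "shell"):
            continue
        f = node.func
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id in module_aliases):
            hits.append((node.lineno, f"subprocess.{f.attr}"))
        elif isinstance(f, ast.Name) and f.id in func_aliases:
            hits.append((node.lineno, f"subprocess.{func_aliases[f.id]}"))
    return hits


if __name__ == "__main__":
    for line, callee in find_shell_true_calls(SAMPLE):
        print(f"line {line}: {callee}(..., shell=True)")
```

The safe subprocess.run call and the unrelated shutil call are skipped, while both aliased calls are reported under their resolved subprocess name.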
Title: Wham, bam, thank you scam!
Speaker: Adam Pickering
Description: A glance at how GDPR fines risk breeding laziness in Cyber security Management
2020
03/11/2020
Title: iOS Encryption State Handling And Your Sensitive Personal Data
Speaker: James Duffy
Bio: I’m James - a 19-year-old Cyber Security student. I spend my time researching and expanding my knowledge in the area of Mobile Forensics and iOS Security Research. I enjoy creating free resources for the community, and developing software solutions to aid the research and data extraction process.
Description: From the bootloader to the user-facing interface, we’ll learn how Apple implements data security and encryption state handling on a basic level and how we can take advantage of Apple’s current implementation for forensic purposes.
Title: How to setup a new Red Team in a FTSE 100 (and what I learned doing it)
Speaker: Robin Fewster
Bio: Robin currently manages a global internal red team at Sage, a fintech company listed in the FTSE 100 with 13,000 employees and hundreds of cloud-hosted services across a variety of cloud service providers. An experienced former CHECK Team Leader / CREST Certified Tester, CREST Registered Intrusion Analyst, PCI QSA and PA-QSA, Robin also spends some of his personal time co-leading the OWASP Newcastle and (ISC)2 North East England security meetups. With a strong interest in offensive security testing, Robin is involved with bug bounty programme management, red teaming and penetration testing, but also maintains an interest in blue teams, having previously worked in the application security team at Sage in an Agile development environment.
Description:
- Why set up a red team inside your company?
- How to put the business case together
- Getting the buy-in and executing the business case
- Lessons learned
05/05/2020
Title: Malware Threat Analysis and Intelligence Recon – Trickbot
Speaker: Chris Young
Bio: Chris is an information security consultant with Pentest Ltd. Despite his youthful looks, Chris is old enough to remember the birth of the Internet, dialling into AOL and running amok in IRC channels. Late to the Infosec party, Chris changed career from Learning Technology to Security in 2016 after completing an MSc in Information & Network Security.
Description: This presentation will provide you with some information on each of the Malware threats that I like to call “the 3 amigos” – Emotet, Trickbot and RYUK. I then focus in on Trickbot and the different types of modules that it uses. I also examine the ecosystems that attackers use to spread their malware. Additionally, I will provide some useful links for anyone thinking of getting started in malware analysis. Not a super technical talk so no reverse engineering skills required! 😊
Title: Alice Through the Cyber Looking Glass
Speaker: Rick Trotter
Bio: Rick Trotter is one of the last Generation-X geeks who grew up in a time of Microcomputers, IRC and BBS systems, becoming a digital pioneer in a new wild west web and falling through time one platform at a time. Join me gazing through the looking glass of an adventure spanning 40 years as we look to a new dawn of computing.
Description: “Living backwards!” Alice repeated in great astonishment. “I never heard of such a thing!” “—but there’s one great advantage in it, that one’s memory works both ways.” “I’m sure mine only works one way,” Alice remarked. “I can’t remember things before they happen.” “It’s a poor sort of memory that only works backwards,” the Queen remarked. Rattling around in my rusty cranium are memories of computing years past; a million lines of code and mistakes aplenty across a varied career that prelude to a dozen possible futures. If there’s one thing that I’ve learned it’s that humans have a tendency to make the same mistakes over and over in new and interesting ways. I’ve lived through a few of the major events in recent computing history: from the dawn of the Internet, the rise of the Microcomputer, the invention of the world-wide-web, the dot-com bubble and the explosion of social media; but what lessons can we learn as a new generation takes over the console while the rest of us shuffle off into the end of line character?
Title: A High Level Overview of the UK Smart Metering Programme
Speaker: Zach Anucha
Description: This presentation will provide you with a high level overview of the UK Smart Metering Programme, its timelines, what the government is looking to achieve through the programme and the role of CGI in its implementation. Also, an overview of the intended impact on the UK, issues of privacy – personal and personal sensitive data – and critical national security data will be explored. CGI’s role in securing the infrastructure and the data, and the assurance regime covering Independent Competent Organisation, SOC2, ISO27001 Certification and CHECK Pen Tests, will be discussed at a high level. Finally, the core security services that CGI provides (DCCKI (PKI), Federated IDM, Anomaly Detection and Access Control Broker) will be covered at a high level.
Title: 5G and LTE security
Speaker: Matt Summers
Bio: Matt is an accomplished security consultant with over two decades of experience. He is a former Army Captain within the British Army’s Information Assurance unit and a former HMG Science Advisor specialising in research and development of secure hardware and software solutions. A co-founder of the BSides London security conference, co-founder and director of the BSides Manchester security conference and chief cat herder for the DefCon Aerospace Village, Matt has a passion for knowledge sharing and community engagement. He was recently appointed to the executive at CREST.
Description: This presentation is about 5G and LTE security and is an adaptation of his 44Con talk from 2019, which wasn’t recorded. We will initially get an overview of the technology, followed by a deep dive into LTE flaws and misconceptions, and then a look at 5G security and how most security experts are getting it wrong with 5G.
Title: What I learned from running a honeypot
Speaker: Andi
Description: Towards the end of 2019 I ran several honeypots for around a week. This talk aims to walk through how to set up your own, learning from my mistakes, and then examines the data about what attacks are really taking place.
2019
03/12/2019
Capture the flag event
Following on from the success of their recent Avalanche CTF, we’ve asked Pentest to build a brand new CTF for everyone to tackle at OWASP Newcastle. Avalanche 2, as they’re calling it, will still be based on a petition/campaign website like 38 degrees or the UK.gov, but promises to be bigger and better than the original, with a host of new challenges.
With assistance from our friends at Pentest Limited, we present to you Avalanche 2.
All levels of experience are welcome, starting from zero knowledge right up to experienced red teamer. All you need to do is bring yourself plus a laptop. You will learn something new, and if you don’t you will have fun anyway! You can work alone or in a team.
If you’d like to have a go at the original Avalanche CTF you still can by visiting https://pentest.co.uk/labs/avalanche-ctf/
As always, we will be providing pizza and drinks courtesy of our sponsors at Sage. If you have any dietary requirements please just message one of the organisers and we can make sure you’re catered for.
Schedule:
- 1800 - 1815 - Arrival and networking
- 1815 - 2100 - Avalanche 2 CTF
- 2100 - onwards Pub?
23/09/2019
Title: Stalk Awareness
Speaker: Cian
Description: We often focus on the role of nation states and corporations in eroding our privacy and expanding omnipresent surveillance worldwide; meanwhile an entire niche industry that caters to regular consumers who want similar spying capabilities has slipped largely under the radar. Mobile apps that are designed to enable toxic and abusive behaviour are being openly sold on the internet, marketed directly to abusers; these apps have come to be termed “stalkerware”.
This talk will present analysis of the stalkerware industry, its products, marketing and the scope of the problem it represents, as well as potential solutions. I’ll be examining these topics from both a technical and non-technical standpoint, based on many months of personal research.
Title: Rethinking Threat Intelligence - a quick glance at intelligence led risk management - Slides
Speaker: Adam Pickering
Description: 45 min chat about rethinking how we use threat intelligence capabilities within enterprise to bring about changes to the way we deploy countermeasures against threat actors
13/06/2019
Red Team versus Blue Team event
Title: Red Teaming a view from the field
Speakers: Andi Pannell and Gavin Johnson-Lynn
Description: A talk about what red teaming is, how it is different from a penetration test, and then we’ll reveal some hardware we use during red team engagements and some success stories.
Title: Protecting the museum – HIPS
Speaker: Marek Banas
Description: How you can minimise manual labour while increasing security on legacy servers, plus some issues we hit while choosing the solutions and the challenges we had.
26/02/2019
The talk will be three smaller talks, covering:
- Remote online social engineering (how attackers use catfishing techniques)
- Hacking with light and sound (using infrared, ultrasound, and lasers to exfiltrate data and disrupt sensors)
- Attack linkage (using granular attack behaviours to link different cyber attacks)
Speaker: Matt Wixey
Title: Getting stakeholders on board
Speaker: Kathryn Cardose
Description: So you’ve nailed the tech, you’ve found the controls, you’ve requested remediation... how do you get stakeholders of all levels to buy in and support security?
2018
25/09/2018
Title: Don’t tell your Big Brother
Speaker: Andy Ferguson
Description: Encryption tips and tricks.
Title: My Path to CSSLP
Speaker: Gavin Johnson-Lynn
Description: Join me on a journey from a vague knowledge of security to gaining a valued security certification. For anyone considering certification as a route to success, self-improvement, or even just some thoughts on how I approached it. We’ll look at what I learned and how I learned it, including some tricks I picked up along the way to help cram information into my brain (and keep it there).
26/06/2018
We held our first CTF (Capture The Flag) event.
The CTF event was facilitated by Secarma. The attendees were split into groups, each group had their own sandboxed environment to connect into, and prizes were offered to the teams who captured the most flags.
27/03/2018
Title: The Internet of (broken) things.
Speaker: Andi Pannell
Description: This talk will focus on the internet of things, how we’re connecting everything to the internet now, because why not add a WiFi connection to your Fridge? And how security is unlikely to be a consideration when making these products. I’ll also talk about DefCon, as last year my company sent a team of us to DefCon 25 in Las Vegas, explaining what DefCon is, what happens there, and how we won the IoT Village 0-day contest and I’ll conclude with a live hacking demo.
Title: An introduction to the OWASP automated threats to web applications
Speaker: Colin Watson
Description: Web applications are subjected to unwanted automated usage – day in, day out. The vast majority of these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is often mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the attacker’s primary intent.
30/01/2018
Title: Code that fights back
Speaker: Neil Dixley
Description: Lessons from the gaming world on detecting and responding to attacks on software assets. An introduction to proactive software security including a philosophical look at how far we should go to protect our apps.
Title: Practical demonstration of mobile software penetration
Speaker: Luke Sadler
Description: Luke Sadler walks us through hands on examples of cracking mobile technology.
2017
21/11/2017
Title: Explain hacking in ten minutes
Speaker: Lorenzo Grespan
Description: Recently I had to show a 10-minute “live hack” to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy; however, what made the audience go “aha!” turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non-technical stakeholders, higher management and end users.
Title: Building a Development Environment That’s ‘Secure Enough’
Speaker: Robin Sillem
Description: This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data. Media:Modern_DevOps_and_security.pptx
19/09/2017
Title: Running a security event using OWASP Security Shepherd
Speaker: Gareth Dixon
Description: In this talk I will cover running a security event using OWASP Security Shepherd. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective.
Title: Enter the (Threat) Dragon
Speaker: Mike Goodwin
Description: Threat modelling with OWASP Threat Dragon. Threat modelling is a great technique for hardening your application designs, but current tooling is a bit “crashy”, limited to Windows or not free. OWASP Threat Dragon is an OWASP incubator project that aims to fix this and bring threat modelling to the masses. This talk is a tour round the tool, its future road map and a look under its hood. Mike is the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you.
2016
23/08/2016
Title: 50 Million Downloads and All I Got Was Malware
Speaker: Andi Pannell
Description: How can a free Android application that has been downloaded more times than WhatsApp turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too.
Title: OWASP Cornucopia
Speaker: Colin Watson
Description: OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal).
2015
24/11/2015
Title: The problems with proving identity
Speakers: Ben Lee and Ross Dargan
Description: In this talk Ross and Ben will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren’t. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don’t have all the answers. The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…* (*Talk may not be historically accurate! ;))
Title: Think about the Top 10 Controls, not the Top 10 Risks
Speaker: Colin Watson
Description: The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities. Take a copy of the game away with you - it is suitable for developers of all sizes.
Title: Automated Security Testing Using The ZAP API
Speaker: Michael Haselhurst
Description: This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi.
Title: Real world defence in depth (part 1)
Speaker: Mike Goodwin
Description: Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality.
29/09/2015
Title: Securing Real-Time Networks
Speaker: John Beddard
Title: Content Security Policy
Speaker: Ian Oxley
Title: Threat Dragon - a new threat modelling tool project from OWASP
Speaker: Mike Goodwin
Title: OWASP Top 10 Mobile Risks
Speaker: Neil Dixley
28/07/2015
Title: Honeypots; from research to the Enterprise
Speaker: Andrew Waite
Title: Security in the World of Containerisation
Speaker: George Chlapoutakis
29/05/2015
Title: An introduction to basic application penetration testing
Speaker: Robin Fewster
Description: An introduction to penetration testing, using several OWASP projects as well as other open source and free programs.
Title: The Elevation of Privilege Threat Modelling Tool
Speaker: Neil Dixley
Description: An introduction to threat modelling and using the ‘Elevation of Privilege’ card game to facilitate and improve team threat modelling exercises.
24/03/2015
Title: Cognitive Bias and Security Vulnerabilities
Speaker: Neil Dixley
Description: The psychology of software engineering. An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security.
Title: Security Compliance for Developers - Are we Certified… or Certifiable?
Speaker: Andy Ward
Description: Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it’s never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning ‘banking grade encryption’! After a quick reminder of “what’s the worst that can happen…”, Andy will introduce some of the security Compliance and Certification systems that help you ‘walk the walk’, and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams.
Thanks!
Over the years we’ve had some great leaders help run the chapter. Here we’d like to thank them for helping run the chapter and grow it into what it has become today.
- Connor Carr
- Robin Fewster
- Mike Goodwin
- Adam Pickering