OWASP Newcastle (UK)

Previous Events

Here are the details from previous OWASP Newcastle meetups. Often there are links to presentations available.

2024

13/03/2024

Title: Subdomain Hijacking & The CISO Simulator

Speaker: Simon Gurney

Speaker Bio: Simon is one of the Punk Security Co-Founders and has over 15 years experience working within IT, primarily focused on automation and InfoSec. Simon has a wealth of experience and approaches DevOps from an infrastructure background, but is a keen Python and .NET CORE developer. He has authored two open source projects, pwnSpoof and SMBeagle.

Talk Synopsis: Subdomain hijacking (great for infosec, devs and devops pros)

• what is it?
• why was it in the news recently?
• how do you prevent it?
• a sneak peak at some new additions to dnsReaper, the tool we built at Punk Security Limited to squash this issue for free!

Title: First 90 days of a CISO, tens of vCISO engagements later.

Speaker: Dr Zibby Kwecka

Speaker Bio: Author and presenter on cyber security topics, holding a PhD in Applied Cryptography and Privacy with seventeen years of experience protecting organisations of all sizes and shapes from digital threats.

2023

21/12/2023

Title: Running the Microsoft Cyber Defence Operations Centre (CDOC)

Speaker: John Dellinger

Speaker Bio: John is a Chief Security Advisor working within the Microsoft Cyber Defence Operations Center. John has extensive multi-national experience in both the public and private sectors. Expertise across a variety of functions and disciplines including policy formulation and implementation, training, operations, strategic planning, risk management and cyber security. He is a dual U.S. and Australian citizen with twenty years of military experience as an officer, first in the United States Marine Corps and later in the Royal Australian Navy.

Talk Synopsis: The Cyber Defense Operations Center brings together security response experts from across the company to help protect, detect, and respond to threats in real-time. Staffed with dedicated teams 24x7, the Center has direct access to thousands of security professionals, data scientists, and product engineers throughout Microsoft to ensure rapid response and resolution to security threats. Informed by trillions of data points across an extensive network of sensors, devices, authentications, and communications, the Center employs automated software, machine learning, behavioral analysis, and forensics to create an intelligent security graph. This threat intelligence insight helps the teams connect the dots, then counter with strong containment and coordinated remediation.

In this presentation John will detail some of the inner workings of the CDOC both in terms of protecting internal Microsoft assets but also the Microsoft platforms it offers to cutomers.

Title: Cybersecurity in the Space Industry: Safeguarding the Final Frontier

Speaker: Ros Grindrod

Speaker Bio: Ros is currently Head of Security Services at Opencast Software and has over 6 years of experience working within information security including experience delivering cyber transformation work across a variety of industries. Ros’s previous experience includes ethical hacking, social engineering, incident response preparedness, OSINT/threat modelling and all things GRC.

Talk Synopsis: In this presentation, Ros will share her views on considerations for Cyber Security in the Space Industry.

21/09/2023 - Joint meetup with DevOpsNorthEast

Title: Driving the most out of DAST

Speaker: Simon Gurney

Speaker Bio: Simon is one of the Punk Security Co-Founders and has over 15 years experience working within IT, primarily focused on automation and InfoSec.

Simon has a wealth of experience and approaches DevOps from an infrastructure background, but is a keen Python and .NET CORE developer. He has authored two open source projects, pwnSpoof and SMBeagle.

Talk Synopsis: Unlike SAST and IAST, DAST can be a difficult tool to implement and configure in DevSecOps pipelines. In this session, we will explore why this is and what the real prerequisites are to getting meaningful results from DAST tooling.

Simon will explore a few different DAST tools, including ZAP, and discuss how using functional testing scripts can help navigate your apps and drive out DAST findings.

Title: A Security Engineer’s job is to make SOC life interesting

Speaker: Ben Docherty

Speaker Bio: Ben is currently a Security Engineering Specialist at Adarma ​but has over a decade of security experience with around 4 years of experience in deploying Microsoft Sentinel at scale.

Past roles include MSSP/MSP consultant, Head of Engineering, Lead Engineer, more things with engineer in the title.

As a founder of BSidesNCL and creator of BattleBots, being part of an active cyber community is in his DNA. On the subject of DNA, ask Ben about bio hacking?

Dome building technowomble / that odd guy with a wheelbarrow walking round the industrial estates “scavenging”.

Talk Synopsis: A badly engineered SIEM / SOAR solution can break a SOC. In this talk Ben will discuss planning and automation to better manage either a single tenant or MSSP setup within Azure Sentinel. Ben deeply believes an engineer’s job is to make SOC life interesting, avoid ticket fatigue and decrease response times.

05/07/2023 - Joint meetup with NELHS

Speaker: Katie McMillan

Speaker Bio: Katie is a Cybersecurity enthusiast, strategist and an advocate for Women in Technology. Katie was one of the winners of TechWomen100 in 2021.

Title: Look at me! I’m the manager now: Becoming a Security Engineer Manager, common pitfalls, lessons and more.

Speaker: Marcus Tenorio

Speaker Bio: Marcus Tenorio, A.K.A MART He is a Brazilian who didn’t cost 40 million and has been working with security in recent years from research projects, to small hacks, to the pleasure of managing a team of security engineers and software engineers.

Description: This session dives into transitioning from a security engineer to a security engineering manager, addressing common pitfalls, valuable lessons, and critical errors to avoid. We will have some insights into the challenges faced during this transition and learn practical strategies to overcome them. The talk emphasizes the importance of effective communication, stakeholder management, and cultivating a collaborative team culture by sharing real-world examples and providing guidance on navigating potential errors (that I did, again oh dear so many)

15/05/2023

Title: Threat Modelling

Speaker: Robin Fewster

Speaker Bio: Robin has over 20 years experience in cyber security, and is particularly interested in helping companies to improve their security posture. A recent area of focus has been to assist development teams with improving their security practices. This has included implementing security strategy, security champions programmes and threat modeling as a new process. Robin is also a former OWASP Newcastle chapter leader.

Description: Drawing on some client experiences, Robin will discuss different threat modeling approaches and tools available, and how they went down with development teams.

Title: An Intro to DevSecOps, Devs like carrots not sticks

Speaker: Simon Gurney

Speaker Bio: Simon is one of the Punk Security Co-Founders and has over 15 years experience working within IT, primarily focused on automation and InfoSec. Simon has a wealth of experience and approaches DevOps from an infrastructure background, but is a keen Python and .NET CORE developer. He has authored two open source projects, pwnSpoof and SMBeagle.

Description: In this talk, we will discuss how security tools and practices can be layered into DevOps to ensure that risk is managed but the flow of work is not unnecessarily constrained. We will talk about how you can automatically scan applications and environments for vulnerabilities, enforce robust frameworks and build better processes so security doesn’t fall between the gaps.

2022

25/10/2022

Title: Anti-Anti-Virus: An Introduction to Evasion

Speaker: Ben Harvey

Speaker Bio: Ben is a specialist within Sage’s Offensive Security team. His role is to emulate attackers in order to highlight vulnerabilities within Sage’s products or infrastructure. This may involve penetration tests of web applications, creating convincing phishing emails or deploying ‘ransomware’ across Sage’s network – all to inform and improve defences.

Description: OK so you’ve taken the bait. You’ve been convinced by the email; you’ve opened the attachment and you’ve enabled the macros. Then, nothing. Nothing happened. Until three hours later, when you receive an MFA alert, but you didn’t log in… We know what phishing looks like, and we know it’s dangerous, but what happens when you enable those macros? Join us as we look ‘under the hood’ of a phishing payload. We’ll look at how attackers get their code to run and techniques they’ll use to evade defences. Finally, we’ll ask ourselves the question – what’s the point in Anti-Virus then?

Title: An Unorthodox Method Of Achieving Persistence On iOS

Speaker: James Duffy

Speaker Bio: James is a security researcher, reverse engineer and author. His main platform of interest is iOS.

Description: In this talk we’ll discuss techniques that will result in persistent code execution on iOS without any requirement for a jailbreak subsystem.

19/05/2022

Title: Vehicle Cybersecurity: Every cloud has a silver lining..

Speaker: Dani Walsh

Speaker Bio: Dani led the class of 2015 achieving a first-class degree in Ethical Hacking for Computer Security from Northumbria University; where she also attained the Certified Ethical Hacker professional security status. The door opened into a software engineering role with Sevcon, later acquired by BorgWarner. Traversing through a career in embedded software engineering she has returned to her natural habitat of product cyber security management and engineering. She has progressed from Software Intern through to Global Cybersecurity Manager developing the foundation for Product Cybersecurity and the secure development within Borgwarner. For Dani, it’s not all about work - she is a leading light in STEM for the Northeast England helping to inspire the younger generation into pursuing STEM careers by running local code clubs.

Description: Pre-warming seats, remote keyless entry, heated steering wheels, refrigerated glove boxes… we’ve come a long way in the automotive industry to bring the best experience for road users however gimmicky they may seem. These features come at a price and we’re not just talking about money. The cybersecurity demands are now increasing exponentially for the vehicle OEMS and their suppliers because of today’s feature-rich vehicles. A typical new vehicle has on average 100 million lines of code and with it brings potential zero-day and accidental vulnerabilities. The cybersecurity challenge in the modern vehicle is proportional to the size of the codebase- cybersecurity management is a daunting task. Cybersecurity is a major topic for almost every digital domain and with this, we can look to our fellow cybersecurity practitioners for guidance and inspiration for our own challenges. This presentation investigates the cross-over of web security lessons learnt and embedded security. What can we leverage? What should we ignore? OWASP Top 10 in an ECU? Well let’s find out…

Title: Attack mitigation and incident response

Speaker: Adam Bell

Speaker Bio: My name is Adam Bell, I live in Washington, Tyne & Wear with my fiancée and 4 children. I’m a mature student at Northumbria University, Newcastle just about to finish my final year in Computer & Digital Forensics. I’m very passionate about data security and computer forensics. I’ve previously worked for large organizations in sales backgrounds. I worked for T-Mobile / EE for 9 years before leaving that job to go to university in 2015 starting a foundation degree then leading onto this degree. In the middle of my degree I’ve gone through a separation and divorce resulting in having to repeat first and second year. On the bright side I’ve learned more than a student doing 3 years would learn due to the course I study evolving over the years. I’m also a course rep for my course representing the students at faculty meetings. I’ve recently completed an accreditation with Microsoft in AI Fundamentals. I’m currently working towards my CHFI (Computer Hacker Forensics Investigator) accreditation with EC council. In my spare time in studies, I’m studying penetration testing. In my spare time I love to spend the time with my family, I play football once a week and train in Japanese jujitsu twice a week. I enjoy going to the cinema with my friends. I regularly play on my PS5 on any free evenings I have. I absolutely love technology also wanting the latest gadgets.

Description: Cyber security is a rather large area within data security, that and digital forensics are two sides of the same coin. Although I do study digital forensics, I’m still very interested in the cyber security side and preventing a breach rather than needing to investigate it. The area I will be talking and presenting about is incident response.

• Preparation
• Detection & Analysis
• Containment, eradication, and recovery
• Post incident activity.

I will also be covering the methods to reduce the likelihood of attack also.

2021

18/11/2021

OWASP Newcastle Chapter is proud to present our CTF event for 2021 in collaboration with OWASP Diversity and Inclusion Committee and many OWASP UK Chapters (including Bristol, Cambridge, Dorset, London, Reading and Suffolk).

The CTF will be hosted by Security Innovation and will be instructor lead. It combines with Security Innovation’s CMD+CTRL Bootcamp and they are extending an offer to all participants for 4 weeks’ FREE access to the self-paced training courses.

Although the event is online, as this is a live participatory event it will not be recorded.

03/08/2021

Title: North East Cyber Crime Unit - Overview

Speaker: Claire Vandenbroecke

Speaker Bio: Since joining the Northumbria Police Specialist Cyber Crime Investigation Team in December 2018 I have completed training in CISMP, CompTIA Security+and Cyber Essentials. My primary role is to engage with businesses and communities in the Northumbria Police area, providing advice and guidance in the form of presentations, workshops and webinars. In addition, I provide personalised, one-to-one support to victims of cyber crime and am the Lead Coordinator of the free Vulnerability Assessment Service which the North East Protect Network provides to businesses in the Northumbria, Durham and Cleveland Police areas.

Description:

• Introduction to the team and the National Cyber Security Project
• The current threat landscape – Ransomware & current stats
• An overview of the free services we offer, the service catalogue and the new North East Region Cyber Crime Unit website
• The Shodan Project
• Signposting to free resources on the NCSC website.

Title: SIEM Engineering

Speaker: Kimberley Hendry

Speaker Bio: Kimberley Hendry is a Cybersecurity Engineer at Th4ts3cur1ty.company and the co-lead of the North-East chapter of the Ladies Hacking Society. She works with SME’s to improve their cyber defence through visibility and monitoring and is passionate about simplifying cybersecurity with the aim to make everyone safer.

Description: What is a SIEM and what analysts do with them to help protect a business.

25/05/2021

Title: B@ck 2 BaS!c5: OWASP Top 10

Speaker: Security Queens

Speaker Bios:

Sarah: Hey! I’m Sarah, a recent graduate from Bournemouth University. I studied Forensic Computing and Security and graduated last year. During my final year I was Vice President of the cyber security society, however also got stuck into the security community by attending conferences (my first one was with Sophia, and I got to watch her talk in 2018), where I ended up speaking on and winning the rookie track in 2019. From there I went on to run my first workshop at G3C, run the Bournemouth 2600 chapter and then become a content creator for Security Queens! I am now a junior security consultant at NCC.

Sophia: Hello! I’m Sophia, also a recent graduate from Bournemouth University. I studied a BSc in Cyber Security Management and graduated at the same time as Sarah! I was President of the cyber security society, with Sarah as my trusty VP. Since my security journey started circum-2017, I’ve done a few bits and bobs… I’ve represented the UK three times at the European Cyber Security Challenge, and was appointed Team Captain in 2019. I was also on the Channel 4 TV show Hunted as a cyber hunter, and similar to Sarah have dabbled in the conference circuit delivering a few talks here and there! I’ve also (somehow) bagged a few awards, such as Cybersecurity Student of the Year and Highly Acclaimed Rising Star - but most importantly, I now run Security Queens with Sarah and have started my first industry job as a security consultant and penetration tester at NCC.

Description: Be it an OWASP meet, we wanted to go back to basics and run through the OWASP top 10 vulnerabilities. Since we are both new to the industry we wanted to talk about something we have currently been learning about! For this talk we have decided to explain each vulnerability and walkthrough a challenge for each one. (Please pray to the demo gods for us). Since we are still newbies we wanted to finish off our talk with some time to open up the floor to questions and or discussions, so feel free to pitch in with neat tricks, techniques or tools you might use when faced up against these vulns yourself. We hope you enjoy! The Queens.

Title: Adventures in Out-of-Band Exploitation

Speaker: Holly Grace

Bio: Holly Grace has fourteen years of experience in leading information security teams. She holds a Master’s degree in Information Security from Cardiff University. Her early career was spent in the military working in roles such as Site Security Officer, although she now works with a wide range of organisations delivering information security testing. She is the Founder and technical lead for Akimbo Core, leading both the development of the software platform as well as leading the security testing capability. She is also the Managing Director of Secarma, a cybersecurity consultancy focused on Penetration Testing.

Description: Out-of-Band exploitation is an often-overlooked method of exploiting vulnerabilities, speeding up exploitation of blind issues, and bypassing protection mechanisms. It’s a useful technique for attackers to improve their exploitation capability, but there are also some key “your logs are lying to you” lessons for defenders. In this talk we’ll look at it as an exploitation method for web vulnerabilities, as well as give an example of where it can be used to exfiltrate data from hardened internal networks.

23/02/2021

Title: Detect complex code patterns using semantic grep

Speaker: Colleen Dai

Bio: Colleen Dai is a security software engineer at r2c, a startup working on building static analysis tools that focus on precision and being custom-fit to the consumer. At r2c, Colleen has worked on the language parsing along with AST matching. She is also writing rules to find security vulnerabilities in open source code. Colleen recently received her B.S. in Computer Science and M.S. in Statistics from Stanford. She regularly enjoys Brazilian Jiujitsu, drawing, and trying (and failing) not to eat everything in her fridge.

Description: We’ll discuss a program analysis tool we’re developing called Semgrep. It’s a multilingual semantic tool for writing security and correctness queries on source code (for Python, Java, Go, C, and JS) with a simple “grep-like” interface. The original author, Yoann Padioleau, worked on Semgrep’s predecessor, Coccinelle, for Linux kernel refactoring, and later developed Semgrep while at Facebook. He’s now full time with us at r2c.

Semgrep is a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. Semgrep is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.

For example, find subprocess calls with shell=True in Python using the query:

subprocess.open(..., shell=True)

This will even find snippets like:

import subprocess as s s.open(f'rm {args}', shell=True)

Or find hardcoded credentials using the query:

boto3.client(..., aws_secret_access_key=”...”, aws_access_key_id=”...” )

Source code: https://github.com/returntocorp/semgrep

Test in your browser: https://semgrep.dev/

Title: Wham, bam, thank you scam!

Speaker: Adam Pickering

Description: A glance at how GDPR fines risk breeding laziness in Cyber security Management

2020

03/11/2020

Title: iOS Encryption State Handling And Your Sensitive Personal Data

Speaker: James Duffy

Bio*: I’m James - a 19-year-old Cyber Security student. I spend my time researching and expanding my knowledge in the area of Mobile Forensics and iOS Security Research. I enjoy creating free resources for the community, and developing software solutions to aid the research and data extraction process.

Description: From the bootloader to the user-facing interface, we’ll learn how Apple implements data security and encryption state handling on a basic level and how we can take advantage of Apple’s current implementation for forensic purposes

Title: How to setup a new Red Team in a FTSE 100 (and what I learned doing it)

Speaker: Robin Fewster

Bio: Robin currently manages a global internal red team at Sage, which is a fintech company listed in the FTSE 100 having 13,000 employees and hundreds of cloud-hosted services across a variety of cloud service providers. An experienced former CHECK Team Leader / CREST Certified Tester, CREST Registered Intrusion Analyst, PCI QSA and PA-QSA, Robin also spends some of his personal time to co-lead OWASP Newcastle and (ISC)2 North East England security meetups. With a strong interest in offensive security testing, Robin is involved with bug bounty programme management, red teaming and penetration testing but also maintains an interest in blue teams having previously worked in the application security team at Sage in an Agile development environment.

Description:

• Why setup a red team inside your company?
• How to put the business case together
• Getting the buy in and executing the business case
• Lessons learned

05/05/2020

Title: Malware Threat Analysis and Intelligence Recon – Trickbot

Speaker: Chris Young

Bio: Chris is an information security consultant with Pentest Ltd. Despite his youthful looks, Chris is old enough to remember the birth of Internet, dialling into AOL and running amok in #IRC Channels. Late to Infosec party - Chris changed career from Learning Technology to Security in 2016 after completing a MSc in Information & Network Security.

Description: This presentation will provide you with some information on each of the Malware threats that I like to call “the 3 amigos” – Emotet, Trickbot and RYUK. I then focus in on Trickbot and the different types of modules that it uses. I also examine the ecosystems that attackers use to spread their malware. Additionally, I will provide some useful links for anyone thinking of getting started in malware analysis. Not a super technical talk so no reverse engineering skills required! 😊

Title: Alice Through the Cyber Looking Glass

Speaker: Rick Trotter

Bio: Rick Trotter is one of the last Generation-X geeks who grew up in a time of Microcomputers, IRC and BBS systems, becoming a digital pioneer in a new wild west web and falling through time one platform at a time. Join me gazing through the looking glass of an adventure spanning 40 years as we look to a new dawn of computing.

Description: “Living backwards!” Alice repeated in great astonishment. “I never heard of such a thing!” “—but there’s one great advantage in it, that one’s memory works both ways.” “I’m sure mine only works one way,” Alice remarked. “I can’t remember things before they happen.” “It’s a poor sort of memory that only works backwards,” the Queen remarked. Rattling around in my rusty cranium are memories of computing years past; a million lines of code and mistakes aplenty across a varied career that prelude to a dozen possible futures. If there’s one thing that I’ve learned it’s that humans have a tendency to make the same mistakes over and over in new and interesting ways. I’ve lived through a few of the major events in recent computing history: from the dawn of the Internet, the rise of the Microcomputer, the invention of the world-wide-web, the dot-com bubble and the explosion of social media; but what lessons can we learn as a new generation takes over the console while the rest of us shuffle off into the end of line character?

Title : A High Level Overview of the UK Smart Metering Programme

Speaker: Zach Anucha

Description: This presentation will provide you with a high level overview of the UK Smart Metering Programme, its timelines, what the government is looking to achieve through the programme and the role CGI its implementation. Also, an overview of the intended impact on the UK, issues of privacy – personal and personal sensitive data, and critical national security data will be explored. CGI’s role in securing the infrastructure, the data and assurance regime covering Independent Competent Organisation, SOC2, ISO27001 Certification, CHECK Pen Tests will be discussed at high level. Finally the core Security Services that CGI provides - (DCCKI (PKI), Federated IDM, Anomaly Detection, Access Control Broker, will be covered at high level.

Title: 5G and LTE security

Speaker: Matt Summers

Bio: Matt is an accomplished security consultant with over 2 decades of experience. A former Army Captain within the British Army’s Information Assurance unit and former HMG Science Advisor specialising in research and development of secure hardware and software solutions. A co-founder of the BSides London security conference, co-founder and director of the BSides Manchester security conference and chief cat herder for the DefCon Aerospace Village Matt has a passion for knowledge sharing and community engagement. He was recently appointed to the executive at CREST.

Description: This presentation is about 5G and LTE security and an adaption of his 44Con talk from 2019 which wasn’t recorded. We will initially get an overview of the technology followed by a deep dive into LTE flaws and misconceptions. Followed on by a look at 5G security and how most security experts are getting it wrong with 5G.

Title: What I learned from running a honeypot

Speaker: Andi

Description: Towards the end of 2019 I ran several honeypots for around a week. This talk aims to walk through how to set up your own, learning from my mistakes, and then examines the data about what attacks are really taking place.

2019

03/12/2019

Capture the flag event

Following on from the success of their recent Avalanche CTF, we’ve asked Pentest to build a brand new CTF for everyone to tackle at OWASP Newcastle. Avalanche 2, as they’re calling it, will still be based on a petition/campaign website like 38 degrees or the UK.gov, but promises to be bigger and better than the original, with a host of new challenges.

With assistance from our friends at Pentest Limited, we present to you Avalanche 2.

All levels of experience are welcome, starting from zero knowledge right up to experienced red teamer. All you need to do is bring yourself plus a laptop. You will learn something new, and if you don’t you will have fun anyway! You can work alone or in a team.

If you’d like to have a go at the original Avalanche CTF you still can by visiting https://pentest.co.uk/labs/avalanche-ctf/

As always, we will be providing pizza and drinks courtesy of our sponsors at Sage. If you have any dietary requirements please just message one of the organisers and we can make sure you’re catered for.

Schedule:

• 1800 - 1815 - Arrival and networking
• 1815 - 2100 - Avalanche 2 CTF
• 2100 - onwards Pub?

23/09/2019

Title: Stalk Awareness

Speaker: Cian

Description: We often focus on nation states and corporation’s role in eroding our privacy and expanding omnipresent surveillance worldwide, meanwhile an entire niche industry that caters to regular consumers who want similar spying capabilities has slipped largely under the radar. Mobile apps that are designed to enable toxic and abusive behavior are being openly sold on the internet, marketed directly to abusers, these apps have come to be termed “stalkerware”.

This talk will present analysis of the stalkerware industry, its products, marketing and the scope of the problem it represents, as well as potential solutions. I’ll be examining these topics from both a technical and non-technical standpoint, based on many months of personal research.

Title: Rethinking Threat Intelligence - a quick glance at intelligence led risk management - Slides

Speaker: Adam Pickering

Description: 45 min chat about rethinking how we use threat intelligence capabilities within enterprise to bring about changes to the way we deploy countermeasures against threat actors

13/06/2019

Red Team versus Blue Team event

Title: Red Teaming a view from the field

Speakers: Andi Pannell and Gavin Johnson-Lynn

Description: A talk about what red teaming is, how it is different from a penetration test, and then we’ll reveal some hardware we use during red team engagements and some success stories.

Title: Protecting the museum – HIPS

Speaker: Marek Banas

Description: How you can minimise the manual labour with increasing the security on legacy servers, plus some issues we hit while choosing the solutions, challenges we had.

26/02/2019

The talk will be three smaller talks, covering:

• Remote online social engineering (how attackers use catfishing techniques)
• Hacking with light and sound (using infrared, ultrasound, and lasers to exfiltrate data and disrupt sensors)
• Attack linkage (using granular attack behaviours to link different cyber attacks)

Speaker: Matt Wixey

Title: Getting stakeholders on board”

Speaker: Kathryn Cardose

Description: So you’ve nailed the tech, you’ve found the controls, you’ve requested remediation…..how do you get stakeholders of all levels to buy in and support security?

2018

25/09/2018

Title: Don’t tell your Big Brother

Speaker: Andy Ferguson

Description: Encryption tips and tricks.

Title: My Path to CSSLP

Speaker: Gavin Johnson-Lynn

Description: Join me on a journey from a vague knowledge of security to gaining a valued security certification. For anyone considering certification as a route to success, self-improvement, or even just some thoughts on how I approached it. We’ll look at what I learned and how I learned it, including some tricks I picked up along the way to help cram information into my brain (and keep it there).

26/06/2018

We held our first CTF (Capture The Flag) event.

The CTF event was facilitated by Secarma. The attendees were split into groups, each group had their own sandboxed environment to connect into, and prizes were offered to the teams who captured the most flags.

27/03/2018

Title: The Internet of (broken) things.

Speaker: Andi Pannell

Description: This talk will focus on the internet of things, how we’re connecting everything to the internet now, because why not add a WiFi connection to your Fridge? And how security is unlikely to be a consideration when making these products. I’ll also talk about DefCon, as last year my company sent a team of us to DefCon 25 in Las Vegas, explaining what DefCon is, what happens there, and how we won the IoT Village 0-day contest and I’ll conclude with a live hacking demo.

Title: An introduction to the OWASP automated threats to web applications

Speaker: Colin Watson

Description: Web applications are subjected to unwanted automated usage – day in, day out. The vast majority of these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is often mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the attacker’s primary intent.

• Project page
• Handbook PDF file
• Handbook print version

30/01/2018

Title: Code that fights back

Speaker: Neil Dixley

Description: Lessons from the gaming world on detecting and responding to attacks on software assets. An introduction to proactive software security including a philosophical look at how far we should go to protect our apps.

Title: Practical demonstration of mobile software penetration

Speaker: Luke Sadler

Description: Luke Sadler walks us through hands on examples of cracking mobile technology.

2017

21/11/2017

Title: Explain hacking in ten minutes

Speaker: Lorenzo Grespan

Description: Recently I had to show a 10-minute “live hack” to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go “aha!” turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users.

Title: Building a Development Environment That’s ‘Secure Enough’

Speaker: Robin Sillem

Description: This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data. Media:Modern_DevOps_and_security.pptx

19/09/2017

Title: Running a security event using OWASP Security Shepherd

Speaker: Gareth Dixon

Description: In this talk I will cover running a security event using OWASP Security Shepherd. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective.

Title: Enter the (Threat) Dragon

Speaker: Mike Goodwin

Description: Threat Modeling with OWASP Threat Dragon. Threat modelling is a great technique for hardening your application designs, but current tooling is a bit “crashy”, limited to Windows or not free. OWASP Threat Dragon is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it’s future road map and a look under it’s hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you.

2016

23/08/2016

Title: 50 Million Downloads and All I Got Was Malware

Speaker: Andi Pannell

Description: How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too.

Title: OWASP Cornucopia

Speaker: Colin Watson

Description: OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal).

2015

24/11/2015

Title: The problems with proving identity

Speakers: Ben Lee and Ross Dargan

Description: In this talk Ross and Ben will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren’t. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don’t have all the answers. The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…* (*Talk may not be historically accurate! ;))

Title: Think about the Top 10 Controls, not the Top 10 Risks

Speaker: Colin Watson

Description: The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities. Take a copy of the game away with you - it is suitable for developers of all sizes.

Title: Automated Security Testing Using The ZAP API

Speaker: Michael Haselhurst

Description: This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi.

Title: Real world defence in depth (part 1)

Speaker: Mike Goodwin

Description: Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality.

29/09/2015

Title: Securing Real-Time Networks

Speaker: John Beddard

Title: Content Security Policy

Speaker: Ian Oxley

Title: Threat Dragon - a new threat modelling tool project from OWASP

Speaker: Mike Goodwin

Title: OWASP Top 10 Mobile Risks

Speaker: Neil Dixley

28/07/2015

Title: Honeypots; from research to the Enterprise

Speaker: Andrew Waite

Title: Security in the World of Containerisation

Speaker: George Chlapoutakis

29/05/2015

Title: An introduction to basic application penetration testing

Speaker: Robin Fewster

Description: An introduction to penetration testing, using several OWASP projects as well as other open source and free programs.

Title: The Elevation of Privilege Threat Modelling Tool

Speaker: Neil Dixley

Description: An introduction to threat modelling and using the ‘Elevation of Privilege’ card game to facilitate and improve team threat modelling exercises.

24/03/2015

Title: Cognitive Bias and Security Vulnerabilities

Speaker: Neil Dixley

Description: The psychology of software engineering. An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security.

Title: Security Compliance for Developers - Are we Certified… or Certifiable?

Speaker: Andy Ward

Description: Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it’s never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning ‘banking grade encryption’! After a quick reminder of “what’s the worst that can happen…”, Andy will introduce some of the security Compliance and Certification systems that help you ‘walk the walk’, and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams.

Thanks!

Over the years we’ve had some great leaders help run the chapter. On here we’d like to give thanks to them for helping run the chapter and grow it to what it has become today.

• Adam Pickering
• Connor Carr
• Robin Fewster
• Mike Goodwin