18:00 - Intro and Welcome by the OWASP Porto chapter
18:15 - Lightning Recap: Highlights from BSides Lisbon 2024 by Celfocus Appsec Team, hosted by Pedro Tarrinho
19:00 - Do not Live in the Shadows (APIs) by Teresa Pereira
20:00 - Drinks & Dinner by Celfocus.
Lightning Recap: Highlights from BSides Lisbon 2024
Host: Pedro Tarrinho; Speakers: Mariana Bento, José Neves, Ruben Silva, Samuel Azriel, Diogo Gomes
In this rapid-fire session, dive into key insights and breakthroughs from BSides Lisbon 2024. Hosted by Pedro Tarrinho, this panel will bring key topics and discussions from one of Portugal’s major security conferences. Join the Celfocus AppSec team as they deliver presentations highlighting innovative strategies, emerging threats, and practical takeaways that resonated throughout the conference. Whether you missed the event or want a condensed recap, join us in this session to catch up on the latest developments from BSides Lisbon, where we will go over the following selection of talks:
- AI will take our job + GenAI Cybercrime Armageddon by Mariana Bento and José Neves.
- Weaponized Ads - Malvertising by Ruben Silva
- Enhancing Secrets Management by Samuel Azriel
- Advanced Android Detection Evasion Tactics by Diogo Gomes
Do not Live in the Shadows (APIs)
Speaker: Teresa Pereira
Shadow APIs — undocumented, unmanaged, or hidden APIs within an organization’s ecosystem — pose a significant risk to security, compliance, and operational resilience. These APIs often emerge due to rapid development cycles, decentralized practices, or legacy systems, creating critical blind spots for development and security teams. This talk explores the concept of Shadow APIs, starting with a clear definition and their origins, and examines the multifaceted risks they introduce to software development. Through real-world examples, we will highlight the potential consequences of ignoring these “hidden doors” and discuss strategies for their identification, management, and mitigation. By the end of this session, you will gain actionable insights and strategies to reduce the risks posed by Shadow APIs and build more resilient, secure, and compliant systems.
**Bio: ** I’m currently working as a Cyber Threat Hunter at Siemens Energy. Before this, I worked as a Pentester at KPMG Portugal for nearly three years. My journey into API Security began in 2022, and by 2023, I was speaking at apidays Paris. In 2024, I was a speaker at apidays London and apidays Paris.
18:00 - Intro and Welcome by the OWASP Porto chapter leadership
18:15 - Hacking Embedded Devices - From Black Box to UID 0 by Zezadas and David Silva
19:00 - Lessons Learned and How Not to Choose Your Next Drive by Paulo Silva
20:00 - Drinks & Dinner by Critical Techworks.
Hacking Embedded Devices - From Black Box to UID 0
Speaker: Zezadas and David Silva
Prepare to bend the rules of time and uncover the secrets of an embedded device in a way that even the most adventurous time traveler wouldn’t even dream to explore. In this enlightening presentation, Zezadas, a security researcher, leads you through the remarkable process of gaining root access in an unsuspecting video converter embedded device. Witness the fusion of expertise and creative problem-solving as Zezadas shares a step-by-step account of their exploits. Discover firsthand that hacking embedded devices, often perceived as daunting, can be accessible, enjoyable, and, most importantly, a journey through time. Whether you’re a security aficionado or simply curious about the intersection of technology and time-travel, this talk promises to entertain, educate, and inspire.
Bios Zezadas is a dedicated security researcher with a strong passion for exploring the intricacies of hardware hacking. With a wide-ranging skill set and an unyielding curiosity. As a committed advocate for cybersecurity education, Zezadas frequently shares knowledge and experiences at renowned cybersecurity conferences worldwide. These include events such as BsidesLisbon, BsidesBangalore, BerlinSides, AlligatorCon, WarCon, 0xOPOSEC, and many others.
Linkedin: https://www.linkedin.com/in/zezadas/
David Silva is a Software Engineer with professional experience in full-stack software development, project management, and cloud deployments in Kubernetes, AWS, Google Cloud, and Azure. His professional experience, combined with a strong interest in most technology-related fields, including cyber security, is reflected in his problem-solving skills and interest in understanding how things work and how one can give new uses to existing technology.
LinkedIn: https://www.linkedin.com/in/dmpasilva/
Lessons Learned and How Not to Choose Your Next Drive
Speaker: Paulo Silva
Don’t worry, we can (also) hear your thoughts—”No, the car manufacturers’ security talk again. No!” But fear not, this time we’re shifting gears. Instead of focusing on cars, we’ll use lessons from our research to highlight security pitfalls that plague organizations across industries. From cloud bucket misconfigurations to BOLA bugs giving users more power than a valet with your Ferrari keys, we’ll share real-world lessons learned, laugh at the chaos, and discuss how to avoid these traps. Anyway, those fancy PoCs may strike again: the best way to prove impact and get rid of annoying web flaws. Buckle up—it’s a wild ride!
Bio: ** **Paulo is a security practitioner with a solid background in software development, who has spent the last decade focused on identifying critical vulnerabilities and breaking software. He is a long-time OWASP volunteer and co-leader of the OWASP API Security Project, where he advocates for secure API practices and contributes significantly to mitigating security risks in the API landscape.
18:00 - Intro and Welcome by the OWASP Porto chapter leadership
18:15 - Applying Threat Modelling in modern development environments by Gonçalo Matias
19:00 - Jedi^WGenAI Mind Tricks - Are these the secure chatbots you’re looking for? by Bruno Morisson
19:45 - Drinks & Dinner by OERN.
Applying Threat Modelling in modern development environments
Speaker: Gonçalo Matias
In today’s fast-paced software development, understanding and mitigating security risk is paramount. Adopting security activities early in the software development lifecycle is crucial for the efficient management of resources and for controlling development costs. Threat modelling stands out as one of the most impactful ways to “shift left”. This session will leverage the fact that every person is already consistently applying some form of threat modeling in their day-to-day activities, and expand that existing capability into a more structured skill. We will explore various approaches, including how Ocado Technology applies its own methodology to threat modeling. Whether developing simple plugins or large-scale systems, securing serverless apps or complex microservice architectures, working within agile sprints or traditional waterfall methodologies, this session will equip participants with strategies for analyzing the risk profile of an app and applying threat modeling processes suitable to that profile.
Bio: ** **Gonçalo Matias is a Senior Application Security Engineer at Ocado Technology, bringing over 20 years of software development experience across diverse platforms, languages, and frameworks. A security enthusiast since his earliest projects, his career evolved from software development to specialised security roles, including research and penetration testing. Gonçalo is deeply interested in the interplay between security and business objectives, with threat modelling as his favorite security activity. He plays electric guitar and is an instructor of “Haidong Gumdo”, a Korean sword martial art.
Jedi^MGenAI Mind Tricks - Are these the secure chatbots you’re looking for?
Speaker: Bruno Morisson
After experimenting with various public challenges on LLM chatbots—like Gandalf, PromptAirlines, and more—I decided to build my own. Not just to understand how LLMs work, but to see how easily I could break them. In this talk, I’ll dive into the security risks of Generative AI, particularly LLM chatbots, and explore vulnerabilities that are often overlooked. From sensitive information disclosure to prompt injections and jailbreaking, I’ll walk you through real-world examples that demonstrate just how these systems can be manipulated. No tinfoil hat required.
Bio: ** **Bruno Morisson is a seasoned cybersecurity expert with over two decades of experience in offensive security, penetration testing, and red teaming. As the Partner and Offensive Security Services Director at Devoteam Cyber Trust, he leads world-class security testing across web and mobile applications, IoT, OT/SCADA, and threat-led penetration testing frameworks like TIBER-EU and DORA. Beyond his professional work, Bruno is a driving force in the cybersecurity community. He is the founder and organizer of BSidesLisbon, Portugal’s top security conference, and serves as a member of the CREST Europe Council, helping shape industry standards. His research contributions include multiple CVE disclosures, Metasploit modules, and publications on SAP security, honeypots, and Linux audit systems. Bruno holds an MSc in Information Security from Royal Holloway, University of London, alongside an impressive list of certifications, including OSCP, CISSP, CISA, and GIAC GPEN. And in case you were wondering—yes, this entire bio was generated by GenAI.
LinkedIn: https://www.linkedin.com/in/morisson/
18:00 - Intro and Welcome by the OWASP Porto chapter leadership
18:15 - HAL 9000: a Risk Manager for ITSs by Tadeu Freitas
19:00 - Bringing DevOps into IAM by Fabrizio Di Carlo
19:45 - Social, Drinks and Dinner.
HAL 9000: a Risk Manager for ITSs
Speaker: Tadeu Freitas
HAL 9000 is an Intrusion Tolerant Systems (ITSs) Risk Manager, which assesses configuration risks against potential intrusions. It utilizes gathered threat knowledge and remains operational, even in the absence of updated information. Based on its advice, the ITSs can dynamically and proactively adapt to recent threats to minimize and mitigate future intrusions from malicious adversaries. Our goal is to mitigate the risk associated with the exploitation of recently discovered vulnerabilities that have not been classified or do not have a script to reproduce the exploit, given the potential that they may have already been exploited as zero-day vulnerabilities. Our experiments demonstrate that the proposed solution can effectively learn and replicate the National Vulnerability Database’s evaluation process with 99% accuracy.
Bio: ** **Tadeu Freitas Ph.D. student at the Faculty of Sciences, University of Porto, specializing in Fault and Intrusion-Tolerant Systems. His research focuses on developing resilient distributed systems that maintain operational integrity under adversarial conditions. He earned his Integrated Master’s degree in Network and Informatics Systems from the Faculty of Sciences, University of Porto, where he researched “Privacy-Preserving Crowdsourcing of Photos in Edge-Cloud Environments.” His academic interests include distributed computing, cybersecurity, privacy-enhancing technologies, and resilience engineering. LinkedIn: https://www.linkedin.com/in/tadeu-freitas-inesctec-cracs/
Bringing DevOps into IAM
Speaker: Fabrizio Di Carlo
Traditional identity and access management (IAM) in Entra ID (Azure AD) often relies on manual reviews or expensive premium tiers for automated security checks. This session introduces Maester, an open-source framework that brings DevOps principles to IAM, enabling teams to automate security posture validation, enforce least privilege at scale, and maintain continuous compliance without costly license upgrades. The core problem addressed is that traditional Entra ID management relies on manual reviews or expensive P2 premium licenses for security automation. Maester offers an alternative by allowing teams to automate access reviews, implement custom security guardrails, and integrate DevOps practices. Key functionalities include pre-deployment validation of changes, drift detection for unauthorized modifications, and automated compliance reporting for frameworks like ISO 27001 and NIST. This session bridges (Governance, Risk, and Compliance) GRC strategy and technical execution, showing how DevOps methodologies can transform IAM from a compliance checkbox into a dynamic, self-healing system. Perfect for security engineers, cloud architects, and GRC teams working in Microsoft environments, this talk provides actionable insights to harden IAM security posture while reducing operational overhead.
Bio: ** **Fabrizio Di Carlo is a cybersecurity strategist with over a decade of experience advising companies across Europe. He currently splits his time as CISO for Cyber Monks and Managing Director of ContrailRisks, a boutique consultancy based in Berlin, where he helps startups and enterprises navigate the complexities of risk, compliance, and security governance. His work focuses on aligning security with business outcomes through pragmatic, risk-based approaches, and he’s an advocate for modernizing security leadership through “GRC Engineering,” inspired by Site Reliability Engineering. Beyond client work, Fabrizio is a regular speaker at industry events, sharing insights on digital identity, cyber resilience, and vCISO operations.
18:00 - Intro and Welcome by the OWASP Porto chapter leadership
18:15 - FiberGateway GR241AG - Full Exploit Chain by João Domingos
19:00 - Vesta Admin Takeover - Exploiting reduced seed entropy in bash $RANDOM by
Adrian Tiron
19:45 - Dinner and Drinks sponsored by NOS
FiberGateway GR241AG - Full Exploit Chain
Speaker: João Domingos
During the year of 2023 it was identified that it was possible to obtain full control of the FiberGateway GR241AG router (root access), provided by a Portuguese ISP (Meo), via the public wifi network “MEO WiFi”. This wifi network is enabled by default and can only be disabled by contacting the ISP support. More than 1.600.000 households were affected by the identified vulnerabilities.
Bio: ** **João Domingos Ph.D. student at the Faculty of Sciences, University of Porto, specializing in Fault and João Domingos is a penetration Tester with over 8 years of experience in offensive security, specialized in the assessment of web applications and thick client environments. In his free time, Joao is a passionate researcher who enjoys exploring any topic that piques his curiosity. Also, he holds several offensive security certifications along with the CISSP LinkedIn: https://www.linkedin.com/in/joao-domingos-pt/
Vesta Admin Takeover - Exploiting reduced seed entropy in bash $RANDOM
Speaker: Adrian Tiron
Vesta is a lightweight, web-based control panel that simplifies Linux server management, appealing to users seeking an intuitive alternative to traditional platforms like cPanel and Plesk. This presentation will examine a critical flaw in Vesta: an admin takeover exploit resulting from reduced seed entropy in the Bash $RANDOM variable. By transforming what was once a theoretical attack into a practical one, we successfully reduced the brute force domain of the seed by over 98%. This allows attackers to generate predictable random values, compromising the security of passwords and tokens. We will discuss the implications of this vulnerability and highlight best practices for enhancing server security in real-world applications.
Bio: ** **Adrian Tiron is a cybersecurity strategist with over a decade of experience advising companies across Europe. Adrian Tiron is a Co-Founder and Principal Pentester/Red Teamer at FORTBRIDGE with 20 years of experience in cybersecurity. He has a proven track record of success working with top companies in the UK, US, and Europe. As a dedicated researcher and pentester, Adrian has uncovered multiple critical vulnerabilities in open-source and commercial software, contributing significantly to improving online security.
LinkedIn: https://www.linkedin.com/in/tironadrian/
