OWASP Scotland
Welcome to the OWASP Scotland Chapter page. The chapter is led by Rob Jansson, Jim Slaughter and Sean Wright. Please follow us on Twitter for our latest updates as well as Meetup for notifications of upcoming events (as well as obtaining tickets for those events). Alternatively, sign up to our OWASP Scotland Google Group.
Events
Upcoming Events
Thursday, 24 October 2024
Time: 17:45 - 20:00 BST
Location: Hays 7 Castle St, Edinburgh EH2 3AH
Tickets: Tickets are available on Meetup: https://www.meetup.com/owasp-scotland-chapter/events/303941386.
Join us at the OWASP Scotland Chapter Meeting where we have an exciting talk lined up focusing on mainframe hacking alongside a brief update from the OWASP Scotland Chapter leaders on OWASP flagship projects and global events.
This event is perfect for software developers, ethical hackers, and cybersecurity enthusiasts interested in learning about the latest trends in cyber security.
Talk 1 - A tale of two Fortiinets
Speaker: Jim Slaughter
Most large organizations monitor their brand space for infringement from things like typosquatting. This can turn up interesting results at different times. In July 2024, FortiGuard Labs came across one such typosquatted domain, Fortiinet.com. The domain was registered a few months prior and did an excellent job impersonating our trade dress. In addition to being an excellent facsimile, the site was also dropping an infostealer, Lumma. The goal of this presentation is to detail the efforts we took to find and investigate the domain and infostealer.
Speaker bio:
Who Am I? I’m Canadian, eh!
Currently a Senior Threat Intel Engineer at Fortinet. Day-to-day responsibility for looking for “interesting samples”, reversing them and then passing the results on to our customers and government partners.
Prior to Fortinet:
8 years at NatWest as the Cyber Threat Hunting and Analytics Tech Lead
10 years at BlackBerry as a Dev
My hobbies match my vocation. You can usually find me tinkering with malware or code that I stick up on GitHub - https://github.com/slaughterjames
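The brand monitoring that surfaced Fortiinet.com starts with a candidate list of look-alike domains to watch for in new registrations and passive DNS feeds. The Python below is an added example, not code from the talk or from FortiGuard Labs: it generates the common squatting mutations of a brand's second-level label (character repetition such as forti-i-net, omission, transposition, ASCII homoglyphs, hyphenation) and matches a list of observed registrations against them. The brand domain fortinet.com is taken from the abstract; the observed-domain feed and the small homoglyph table are constructed for the example.

```python
"""Typosquat candidate generation and matching (added example, see lead-in)."""
from collections.abc import Iterable

# Small ASCII homoglyph table; an assumption for the example. Real tooling
# (dnstwist and friends) uses far larger tables including Unicode confusables.
HOMOGLYPHS = {"i": "l1", "l": "i1", "o": "0", "e": "3", "a": "4", "s": "5", "t": "7"}


def typosquat_candidates(domain: str) -> dict[str, str]:
    """Return {candidate_domain: technique} for common squatting mutations of domain.

    Only the second-level label is mutated; the TLD is kept so the result can be
    compared directly against observed registrations under the same TLD.
    """
    name, _, tld = domain.lower().partition(".")
    found: dict[str, str] = {}

    def add(technique: str, variant: str) -> None:
        if variant != name:                                   # a no-op mutation is not a squat
            found.setdefault(f"{variant}.{tld}", technique)  # keep the first technique seen

    for i, ch in enumerate(name):
        add("repetition", name[: i + 1] + ch + name[i + 1 :])       # fortiinet
        add("omission", name[:i] + name[i + 1 :])                    # fortnet
        for sub in HOMOGLYPHS.get(ch, ""):
            add("homoglyph", name[:i] + sub + name[i + 1 :])         # fort1net
    for i in range(len(name) - 1):
        add("transposition", name[:i] + name[i + 1] + name[i] + name[i + 2 :])  # fortniet
    for i in range(1, len(name)):
        add("hyphenation", name[:i] + "-" + name[i:])                # forti-net
    return found


def find_squats(brand_domain: str, observed: Iterable[str]) -> list[tuple[str, str]]:
    """Match newly observed domain names against the candidate set for brand_domain."""
    candidates = typosquat_candidates(brand_domain)
    seen = {o.lower().strip().rstrip(".") for o in observed}  # normalise FQDN form
    return sorted((d, candidates[d]) for d in seen if d in candidates)


if __name__ == "__main__":
    # Constructed feed of "new registrations"; only the look-alikes should be flagged.
    feed = ["example.com", "Fortiinet.com", "fortinet.com", "fortniet.com."]
    for domain, technique in find_squats("fortinet.com", feed):
        print(f"{domain}\t{technique}")
```

Production tooling adds keyboard-adjacency, Unicode confusable and TLD variants and then resolves each hit to see whether it is live and what it serves; the matching step stays the same, a set lookup of each newly seen name against the generated candidates.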
Talk 2 – Global Insights from Security Leaders across the Globe
Speaker: James Walsh
Explanation of findings from Hays Global Cyber Survey, looking at Talent, AI, Cyber Budgets and Risks.
Speaker bio:
James Walsh, CISMP - Director of Cyber Security Practice UK&I, has over 14 years of experience working specifically within the Cyber Security sector supporting a variety of industries with their Talent and Project Requirements.
Talk 3 – Cross-Site Scripting Beyond Alert(1)
Speaker: Paul Johnston
XSS is one of the most common web application vulnerabilities. Most proof-of-concept exploits simply display an alert box, proving that JavaScript code has been executed. This talk explores what an attacker can do beyond an alert box, to maliciously exploit an XSS flaw. We investigate how browser security features such as HttpOnly cookies and Content-Security-Policy can be bypassed, in certain circumstances. And we look at some difficult XSS scenarios that are not detected by leading scanners, but can be exploited with a carefully crafted payload.
Speaker bio:
Paul is a security consultant at Pentest, specialising in web applications, and particularly in securing cloud-native, multi-tenant, SaaS platforms. He has worked in security for a number of years, and previously was a software developer and sys-admin.
List of our past chapter events.
Thursday, 23 November 2023
Time: 20:00 - 21:00 BST
Location: Online (details will be provided via Eventbrite)
Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-summer-session-tickets-658038349417
Talk 1 - Active Directory Security
During this event, industry professionals will share their insights on enhancing your Active Directory security posture. Learn how to protect against unauthorized access, prevent data breaches, and strengthen your overall cybersecurity defenses.
Whether you’re an IT professional, system administrator, or simply interested in bolstering your organization’s security, this event is a must-attend. Connect with like-minded individuals, exchange ideas, and gain valuable knowledge to safeguard your Active Directory infrastructure.
Don’t miss out on this opportunity to stay ahead of the ever-evolving threat landscape. Register now to secure your spot and take proactive steps towards a more secure Active Directory environment.
Note: Virtual meeting link will be emailed to registered attendees on the day of the event.
Thursday, 29 June 2023
Time: 18:00 - 20:00 BST
Location: Hays, 7 Castle Street, Edinburgh, EH2 3AH
Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-summer-session-tickets-658038349417
Talk 1 - Insights from the Hays Global Cyber Report
Insights from the Hays Global Cyber Report on talent and demand across the Cyber Security Market. Exploring the areas that Cyber Leaders have concerns alongside domains for likely investment.
Speaker Bio - James Walsh
James is a specialist Cyber/InfoSec recruiter with over 10 years of experience in the sector. He has worked with multiple sectors, from National Government, FS, Defence, Professional Services, Logistics, Health Care, Pub Sec and Pharmaceuticals, placing CISOs, Directors of Cyber and more. He is CISMP certified and was the first recruiter in the UK to hold the certification. James leads the Hays UK&I Cyber Practice that works across Cyber/InfoSec roles from entry level to the board providing perm, interim and consultancy services.
Talk 2 - Clean Rooms, Nuclear Missiles and SideCopy, Oh My!
Occasionally, FortiGuard Labs researchers come across a file name or e-mail subject that makes us sit up and take notice. Of course, it may turn out to be nothing. But every once in a while, one of these turns out to be incredibly interesting.
We recently came across one such file that referenced an Indian state military research organization and an in-development nuclear missile. The file was meant to deploy malware with characteristics matching the APT group “SideCopy”. With activities dating back to at least 2019, this group has aligned its targeting with the goals and objectives of the Pakistani government.
Speaker Bio - James Slaughter
Who Am I? I’m Canadian, eh!
Currently a Senior Threat Intel Engineer at Fortinet. Day-to-day responsible for looking for “interesting samples”, reversing them and then blogging the results. Some recent examples - https://www.fortinet.com/blog/search?author=James+Slaughter
Prior to Fortinet:
8 years at NatWest as the Cyber Threat Hunting and Analytics Tech Lead
10 years at BlackBerry as a Dev
My hobbies match my vocation. You can usually find me tinkering with malware or code that I stick up on GitHub - https://github.com/slaughterjames
Thursday, 6 April 2023
Time: 18:00 - 20:00 BST
Location: PwC, 144 Morrison Street, Edinburgh, EH3 8EX
Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-april-tickets-597182307357
Talk 1 - Cyber as a Science
In this talk, I discuss the importance of the scientific method within the Cybersecurity industry and the challenges created by pseudoscience and guff. I will also examine the issues with current efforts in this space, such as: the limited relevance of academia, the challenges of getting access to relevant data, the rapidly changing threat landscape and persistence in creating analogues to military doctrine.
Speaker Bio - Lawrence Munro
Lawrence is the Group CISO at NCC Group and has a background in penetration testing and social engineering. He’s currently an expert advisor to the UK Government via the ‘College of experts’ within DCMS and is a former member of the CREST executive and B-Sides London Director. Lawrence has previously presented his ideas at BlackHat USA, RSA, 44Con and a number of other conferences.
Talk 2 - Can’t you keep a secret? Cloud-Native Secrets Management with OWASP WrongSecrets
In this talk, Dan will dive into cloud secrets management best practices and show you all the things that can go terribly wrong with secrets management in the cloud through using OWASP WrongSecrets. Dan will also walk you through some example challenges related to exposed secrets in code and misconfigured Kubernetes clusters.
Speaker Bio - Dan Gora
Dan Gora is a Lead Cloud Security Architect at Cloudreach (An ATOS Company) specialising in Cloud-Native Security, DevSecOps and Application Security. He is also an OWASP Frankfurt Chapter Lead and an avid Scottish Munro-bagger, having conquered half of all Scottish munros.
Thursday, 29 December 2022
Time: 20:00 - 21:00 GMT
Location: Virtual (Details to be announced)
Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-dec-tickets-475144398687
End of Year
OWASP Scotland will be hosting an informal chapter meeting. Join in to discuss the year ending.
Friday, 13 December 2022
Time: 18:00 - 20:00 BST
Location: Hays, 7 Castle Street, Edinburgh, EH2 3AH
Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-dec-tickets-475144398687
Meeting the Minister
Things not always being as they seem is a common adage that lends itself well to the cyber world. Phishing tries explicitly to convince an email recipient that a message is legitimate and trustworthy when it is not. This applies equally to cases where the sender is interested in criminal exploits or nation-state activity.
FortiGuard Labs recently came across an unassuming phishing email that proved to be far more than it initially seemed. Written in Russian, it attempts to lure the recipient into deploying malware on their system. This talk will cover the analysis of that malware which happens to have been Konni - a remote administration tool (RAT) that has been tied to the group APT 37 (aka: Ricochet Chollima, InkySquid, ScarCruft, Reaper, and Group123). This group has been known to align its targeting and objectives with those of the government of the Democratic People’s Republic of Korea (DPRK), commonly known as North Korea.
Speaker Bio - James Slaughter
Who Am I?
I’m Canadian, eh!
Currently a Senior Threat Intel Engineer at Fortinet. Day-to-day responsible for looking for “interesting samples”, reversing them and then blogging the results. Some recent examples - https://www.fortinet.com/blog/search?author=James+Slaughter
Prior to Fortinet:
8 years at NatWest as the Cyber Threat Hunting and Analytics Tech Lead
10 years at BlackBerry as a Dev
My hobbies match my vocation. You can usually find me tinkering with malware or code that I stick up on GitHub - https://github.com/slaughterjames
Friday, 30 June 2022
Time: 18:00 - 20:00 BST
Location: PwC, 144 Morrison Street, Edinburgh, EH3 8EX
Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-december-tickets-224828597387
Elevate your AppSec Program with the OWASP JuiceShop Project
Dan Gora will give an introduction to the OWASP Juice Shop, an OWASP flagship project with German roots and probably the most sophisticated insecure web application available. Dan demonstrates how to get started with hands-on application security learning by walking through OWASP Top 10 vulnerabilities in the Juice Shop, including cross-site scripting and code injection. Furthermore, it will be shown how the OWASP Juice Shop can be used for security training, awareness demos, CTFs and as a guinea pig for testing your security tooling.
Speaker Bio
Dan Gora is a Cloud Security Architect at Cloudreach (ATOS) specialising in Cloud-Native Security, DevSecOps and Application Security. Dan is also an OWASP Frankfurt Stammtisch co-organiser and regularly commutes between Edinburgh and Frankfurt, Germany. Dan is also Leading the OWASP Frankfurt Regular Table and is a Board Member of the German OWASP Chapter. If Dan is not shifting security left, you can find him with his head in the cloud on top of Scottish Highland Munros, which he very much enjoys bagging.
Friday, 31 December 2021
Time: 16:00 - 17:00 BST
Location: Virtual, details will be emailed closer to the time to those who have registered to the event below.
Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-december-tickets-224828597387
Informal chapter meeting - join in to discuss the year ending
Join us for an informal discussion rounding up the year. This will be an open discussion, for which we would love as much input as possible.
Note: Participants are limited for this virtual meetup and sign-in details will be provided closer to the time.
Thursday, 16 December 2021
Time: 20:00 - 21:30 BST
Location: Virtual, details will be emailed closer to the time to those who have registered to the event below.
Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-december-tickets-224828597387
Open Source Software Supply Chains
As modern software development evolves, we no longer build things from the ground up. Extensive use is made of open source software such as libraries and frameworks. While this is fantastic from a development point of view (allowing for faster development of applications and features), it does present a potential drawback if not done correctly: an increased risk. Often we see libraries being used and seldom updated, and we see several libraries being pulled in blindly with little to no inspection or review. This is a gold mine for attackers, and there are many ways that they have used, and will continue to use, this to their advantage. The purpose of this talk is to cover some of the techniques which attackers could use to exploit open source supply chains. This will include a live demonstration of one such technique which an attacker could use. The talk will then focus on the excellent OWASP Dependency Track tool, showing how this can help reduce the risk to organizations when it comes to dealing with open source packages in software.
Speaker Bio - Sean Wright
Lead Application Security SME at Immersive Labs with an origin as a software developer. Primarily focused on web-based application security with a special interest in TLS related subjects. Experienced in providing technical leadership in relation to application security, as well as engaging with teams to improve the security of systems that they develop. Passionate to be a part of the community and giving back to the community. Additionally, enjoy spending personal time performing personal security-related research.
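OWASP Dependency-Track works from a software bill of materials: it ingests a CycloneDX BOM and keeps re-checking each component's package URL against vulnerability data, which is how it surfaces the seldom-updated libraries the abstract describes. The Python below is an added example, not part of the talk and not Dependency-Track's own code: it turns a pinned Python requirements list into a minimal CycloneDX 1.4 document with pkg:pypi purls and separately reports unpinned dependencies, which no BOM can track precisely. The requirements text is constructed for the example; my-service and its version are placeholder names.

```python
"""Pinned requirements -> CycloneDX BOM for Dependency-Track, plus an unpinned report.
Added example, see lead-in."""
import json
import re
from typing import Dict, List, Tuple
from urllib.parse import quote

# name[extras]==version ; comments and environment markers are stripped beforehand
_PINNED = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([A-Za-z0-9.+!-]+)$")
_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def normalize_name(name: str) -> str:
    """PEP 503 project-name normalisation so purls match the index's canonical form."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Split a requirements file into exact pins and everything that floats."""
    pinned: List[Tuple[str, str]] = []
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comment and env marker
        if not line or line.startswith("-"):
            continue                                            # blank, or pip option (-r, --index-url)
        m = _PINNED.match(line)
        if m:
            pinned.append((normalize_name(m.group(1)), m.group(2)))
        else:
            n = _NAME.match(line)
            unpinned.append(normalize_name(n.group(0)) if n else line)
    return pinned, unpinned


def to_purl(name: str, version: str) -> str:
    """Package URL, the identifier Dependency-Track keys its vulnerability analysis on."""
    return f"pkg:pypi/{quote(name, safe='')}@{quote(version, safe='')}"


def build_cyclonedx(pinned: List[Tuple[str, str]], app_name: str = "my-service",
                    app_version: str = "1.0.0") -> Dict:
    """Minimal CycloneDX 1.4 JSON document (app_name/app_version are placeholders)."""
    components = [
        {"type": "library", "name": n, "version": v, "purl": to_purl(n, v), "bom-ref": to_purl(n, v)}
        for n, v in pinned
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": app_name, "version": app_version}},
        "components": components,
    }


def bom_json(text: str) -> str:
    """Requirements text -> serialised BOM, ready for upload."""
    pinned, _ = parse_requirements(text)
    return json.dumps(build_cyclonedx(pinned), indent=2)


# Constructed sample; not any real project's manifest.
SAMPLE_REQUIREMENTS = """\
requests[security]==2.31.0
Django == 4.2.7
PyYAML>=6.0            # floating range: cannot be tracked precisely
cryptography           # no version at all
-r base.txt
urllib3==1.26.18 ; python_version < "3.12"
"""

if __name__ == "__main__":
    pinned, unpinned = parse_requirements(SAMPLE_REQUIREMENTS)
    print(bom_json(SAMPLE_REQUIREMENTS))
    if unpinned:
        raise SystemExit(f"unpinned dependencies (fail the build): {', '.join(unpinned)}")
```

Dependency-Track's BOM upload endpoint (PUT /api/v1/bom, authenticated with an X-Api-Key header, the document base64-encoded in the request body) accepts the output as-is; in a pipeline, a non-empty unpinned list is the point at which to fail the build, because a floating version means the BOM does not describe what is actually deployed.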
Note: Participants are limited for this virtual meetup and sign-in details will be provided closer to the time.
Thursday, 1 April 2021
Time: 20:00 - 21:30 BST
Location: Virtual, details will be emailed closer to the time to those who have registered to the event below.
Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-april-virtual-chapter-meeting-tickets-148263727801
Scale Your Security by Embracing Secure Defaults & Eliminating Bug Classes
We’re in the middle of a significant shift in how security teams operate and prioritize their limited budget and person-time. Historically, as an industry, we’ve focused on building tools to identify vulnerabilities. While we’ve built impressive tools, these approaches have failed to address the challenges of modern engineering teams. Specifically, these tools often are too slow, require a prohibitive amount of security engineer time and domain expertise to tune, overwhelm users with false positives, and most importantly, do not ultimately raise a company’s security bar. But there’s another way. Rather than investing in finding more bugs, some modern security teams are instead focusing on providing developers with frameworks and services with secure defaults (“guard rails”) so that developers can build features quickly and securely. When done correctly, combining secure defaults and lightweight checks that enforce invariants (properties that must always hold), organizations can solve classes of vulnerabilities by construction, preventing bug whack-a-mole. In this talk, we’ll present a practical step-by-step methodology for:
- Choosing what to focus your AppSec resources on
- How to combine secure defaults + lightweight invariant enforcement to eradicate entire vulnerability classes
- How to integrate continuous code scanning into your CI/CD processes in a way that’s fast, high signal, and low friction for developers
- How to use an open source, lightweight security linting tool to find bugs and anti-patterns specific to your company
Speaker Bio
Grayson Hardaway is a security researcher at r2c, a startup working on static analysis tools purpose-built for the modern workflow. At r2c, Grayson authors static analysis tailored for finding security vulnerabilities in open source code. Previously, Grayson worked for the US Department of Defense fuzzing and exploiting obscure protocols. When not submitting patches, Grayson is hefting a heavy pack uphill, crafting guitar solos, or learning something new: currently woodworking.
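Secure defaults plus a lightweight invariant check, in the shape the talk describes, as an added example in Python (this is not r2c's tooling and not the speaker's code): run_cmd is the guard rail, an argv-only wrapper around subprocess that never reaches a shell, and check_shell_invariant is the AST-based lint that enforces the invariant "no shell-based command execution" over a source file, so a developer who bypasses the wrapper is caught in CI rather than in a pentest. The source it scans is constructed for the example.

```python
"""Secure-default command runner plus an AST lint enforcing the no-shell invariant.
Added example, see lead-in."""
import ast
import subprocess
from typing import List, Optional, Tuple

SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


def run_cmd(argv, timeout: float = 30.0) -> subprocess.CompletedProcess:
    """Guard rail: argv list only, shell never involved, output captured, timeout set.

    Rejecting plain strings is deliberate: a string passed to subprocess without
    shell=True is just a program name, and with shell=True it is an injection sink.
    """
    if not isinstance(argv, (list, tuple)) or not argv or not all(isinstance(a, str) for a in argv):
        raise TypeError("argv must be a non-empty list of str (no shell strings)")
    return subprocess.run(list(argv), shell=False, capture_output=True, text=True,
                          timeout=timeout, check=False)


def _callee(node: ast.Call) -> Optional[str]:
    """'subprocess.run', 'os.system', ... for a call on a module name, else None."""
    f = node.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


def check_shell_invariant(source: str) -> List[Tuple[int, str]]:
    """Invariant: no shell-based command execution anywhere in source.

    Returns sorted (line, rule) findings:
      os-system        os.system() is always shell-based
      shell-true       subprocess.<fn>(..., shell=True)
      tainted-command  shell=True and the command is not a string literal
    """
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        callee = _callee(node)
        if callee == "os.system":
            findings.append((node.lineno, "os-system"))
            continue
        if callee is None:
            continue
        module, _, fn = callee.partition(".")
        if module != "subprocess" or fn not in SUBPROCESS_FUNCS:
            continue
        shell_kw = next((kw for kw in node.keywords if kw.arg == "shell"), None)
        if shell_kw is None or not (isinstance(shell_kw.value, ast.Constant) and shell_kw.value.value is True):
            continue
        findings.append((node.lineno, "shell-true"))
        # command is the first positional arg, or args= keyword; anything but a literal is tainted
        cmd = node.args[0] if node.args else next((kw.value for kw in node.keywords if kw.arg == "args"), None)
        if cmd is not None and not isinstance(cmd, ast.Constant):
            findings.append((node.lineno, "tainted-command"))
    return sorted(findings)


# Constructed source under review; line numbers matter for the findings.
SAMPLE = '''\
import os, subprocess
subprocess.run(["ls", "-l", path])                   # ok: argv list, no shell
subprocess.run("ls -l " + path, shell=True)          # shell-true + tainted-command
subprocess.check_output(f"dig {host}", shell=True)   # shell-true + tainted-command
subprocess.call("uptime", shell=True)                # shell-true (literal, still banned)
os.system("rm -rf " + tmp)                           # os-system
'''

if __name__ == "__main__":
    for line, rule in check_shell_invariant(SAMPLE):
        print(f"{line}: {rule}")
```

The point of the pairing is that the check stays trivially small because the wrapper already makes the safe thing the easy thing; the lint only has to recognise the handful of shapes that sidestep it, which is why it can run on every commit with no tuning and no false positives worth arguing about.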
Note: Participants are limited for this virtual meetup and sign-in details will be provided closer to the time.
Thursday, 10 December 2020 (December Xmas Special)
Time: 20:00 - 21:30 BST
Location: Virtual, details will be emailed closer to the time to those who have registered to the event below.
Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-december-xmas-special-virtual-chapter-meeting-tickets-131521886503
Description
Join the OWASP Scotland community in this final Xmas Special chapter meeting of 2020 where we will talk about some of the worst hacks and breaches of the year. If you have a story you’d like to share drop us a line and we’ll fit you in. Bring yourself, bring your favourite tipple and we will see you there.
Note: Participants are limited for this virtual meetup and sign-in details will be provided closer to the time.
Thursday, 24 September 2020
Time: 20:00 - 21:30 BST
Location: Virtual, details will be emailed closer to the time to those who have registered to the event below.
Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-virtual-chapter-meeting-sept-tickets-119944656697
Description
We are pleased to announce that the third OWASP Scotland Chapter meeting of 2020 will take place on Thursday the 24th of September.
Rory McCune (@raesene)
Abstract – The world of containerization can be a morass of new and odd sounding acronyms and terms. However, when you start to dig into what’s really happening with Docker, Kubernetes et al, you will find that there’s a lot of familiar technologies involved which can have existing approaches to security applied to them. This talk aims to demystify the container security world and explain some of the underlying concepts.
Bio - Rory has worked in the Information and IT Security arena for the last 20 years in a variety of roles. These days he spends most of his work time on application, cloud and container security. He’s an active member of the UK information security community having delivered presentations at a variety of IT and Information security conferences. He has also presented at major containerization conferences and is an author of the CIS Benchmarks for Docker and Kubernetes.
Daniel Card (@UK_Daniel_Card)
Panel Discussion - Panel discussion involving Daniel Card, covering topics ranging from the community, common security mistakes, and community based events.
Thursday, 28 May 2020
Time: 20:00 - 21:30 BST
Location: Virtual, details will be emailed closer to the time to those who have registered to the event below.
Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-virtual-chapter-meeting-may-tickets-105453656726
Description
We are pleased to announce that the second OWASP Scotland Chapter meeting of 2020 will take place on Thursday the 28th of May.
STÖK - Bounty curious? How to win at bug bounties in 2020 (and stay sane)
Speaker: STÖK - @stokfredrik, youtube.com/stokfredrik
STÖK will be providing us insight into how to approach bug bounties as a hobby in 2020, what tools most people use, why you need automation, understanding depth vs. breadth, fuzzing vs code review; and how to stay sane whilst competing against 700,000 other hackers.
Context IS - Open Banking Applications
Speaker: Margus Lind & Daniela Schoeffmann, Context IS
Open Banking is the UK implementation of PSD2. On top of the PSD2 regulations, Open Banking provides a detailed specification for banks and third parties to follow when communicating with one another. This allows companies (third party providers, TPPs) to build their applications and integrate with online services exposed by any bank (account servicing payment service provider, ASPSP) in a standardised way.
With an increasing number of banks using APIs to share data, Open Banking promises better business opportunities and more robust security for customers and banks. However, implementation of publicly accessible APIs and introduction of new security models create a myriad of challenges. This makes for a wider attack surface and puts data in the hands of more companies (third party providers) who have differing approaches to customer data protection. In this talk we will cover a brief introduction to Open Banking, our experiences with testing implementations of Open Banking, as well as the technical and project management challenges we have overcome along the way. We will demonstrate the technical complexities encountered, and share some interesting discoveries made during the engagements.
Code of Conduct
We hope you enjoy our events, we care deeply about inclusivity and diversity so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of the chapter leaders if you have any feedback or would like to speak to us, we take these matters very seriously. You can find out more about our policies here: https://owasp.org/www-policy/operational/conferences-events.html.
Tuesday, 11 February 2020
Time: 18:00 - 20:00 BST
Location: PwC, 144 Morrison Street, Edinburgh, EH3 8EX
Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-2020-tickets-90016877905
Description
We are pleased to announce that the first OWASP Scotland Chapter meeting of 2020 will take place on Tuesday the 11th of February. Many thanks to PwC, who have kindly offered to host this event for us. They will also be providing pizza and refreshments on the evening.
Security Culture and Behaviour - security is still often seen as a technology problem
Speaker: Louise MacDougall
This presentation will focus on the culture and behaviours surrounding cyber security and explore the ‘People layer’ of defence. Louise will discuss how organisations should be approaching cyber security leadership and how they can drive the right security behaviours within their staff. Particular focus will be on the role of senior leadership and behavioural models that can be applied to cyber security.
Nothing Rhymes with Purple
Speaker: Lawrence Munro
In this talk, I discuss the need for collaborative strategies between blue and red teams. I dive deep into the concepts of ‘always-on’ red teaming and the processes of generating use cases from TI through threat hunting to validation. I also discuss the use of point-in-time purple teaming and maximising the value to the SOC. Moreover, I will discuss the direction of travel within the professional services industry and open the floor to discussion.
Bio: Lawrence Munro is Technical Director at NCC Group, a Post-Graduate Student at Oxford University, a CREST Executive member and Director for B-Sides London. His research (and presentation topics) are varied, but often include: red teaming, education in InfoSec and weird side-projects. Lawrence has previously presented his ideas and research at: Black Hat USA, DEFCON, 44CON, RootCon, B-Sides (Various), ToorCon.