OWASP Scotland

Welcome to the OWASP Scotland Chapter page. The chapter is led by Sean Wright and Rob Jansson. Please follow us on Twitter for our latest updates, and on Eventbrite for notifications of upcoming events (and for obtaining tickets to those events). Alternatively, sign up to our OWASP Scotland Google Group.

Events

Upcoming Events

Please follow us on Twitter, OWASP Scotland Google Group or Eventbrite to find out about new upcoming events. Future events will also be added to this page closer to the time.

Thursday, 1 April 2021

Time: 20:00 - 21:30 BST

Location: Virtual, details will be emailed closer to the time to those who have registered to the event below.

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-april-virtual-chapter-meeting-tickets-148263727801

Scale Your Security by Embracing Secure Defaults & Eliminating Bug Classes

We’re in the middle of a significant shift in how security teams operate and prioritize their limited budget and person-time. Historically, as an industry, we’ve focused on building tools to identify vulnerabilities. While we’ve built impressive tools, these approaches have failed to address the challenges of modern engineering teams. Specifically, these tools often are too slow, require a prohibitive amount of security engineer time and domain expertise to tune, overwhelm users with false positives, and most importantly, do not ultimately raise a company’s security bar. But there’s another way. Rather than investing in finding more bugs, some modern security teams are instead focusing on providing developers with frameworks and services with secure defaults (“guard rails”) so that developers can build features quickly and securely. When done correctly, combining secure defaults and lightweight checks that enforce invariants (properties that must always hold), organizations can solve classes of vulnerabilities by construction, preventing bug whack-a-mole. In this talk, we’ll present a practical step-by-step methodology for:

  • Choosing what to focus your AppSec resources on
  • How to combine secure defaults + lightweight invariant enforcement to eradicate entire vulnerability classes
  • How to integrate continuous code scanning into your CI/CD processes in a way that’s fast, high signal, and low friction for developers
  • How to use an open source, lightweight security linting tool to find bugs and anti-patterns specific to your company

Speaker Bio

Grayson Hardaway is a security researcher at r2c, a startup working on static analysis tools purpose-built for the modern workflow. At r2c, Grayson authors static analysis tailored for finding security vulnerabilities in open source code. Previously, Grayson worked for the US Department of Defense fuzzing and exploiting obscure protocols. When not submitting patches, Grayson is hefting a heavy pack uphill, crafting guitar solos, or learning something new: currently woodworking.

Note: Participants are limited for this virtual meetup and sign-in details will be provided closer to the time.

Past Events

List of our past chapter events.

Thursday, 10 December 2020 (December Xmas Special)

Time: 20:00 - 21:30 BST

Location: Virtual, details will be emailed closer to the time to those who have registered to the event below.

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-december-xmas-special-virtual-chapter-meeting-tickets-131521886503

Description

Join the OWASP Scotland community in this final Xmas Special chapter meeting of 2020, where we will talk about some of the worst hacks and breaches of the year. If you have a story you’d like to share, drop us a line and we’ll fit you in. Bring yourself, bring your favourite tipple, and we will see you there. Note: Participants are limited for this virtual meetup and sign-in details will be provided closer to the time.

Thursday, 24 September 2020

Time: 20:00 - 21:30 BST

Location: Virtual, details will be emailed closer to the time to those who have registered to the event below.

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-virtual-chapter-meeting-sept-tickets-119944656697

Description

We are pleased to announce that the second OWASP Scotland Chapter meeting of 2020 will take place on Thursday the 28th of May.

Rory McCune (@raesene)

Abstract – The world of containerization can be a morass of new and odd-sounding acronyms and terms. However, when you start to dig into what’s really happening with Docker, Kubernetes et al., you will find that there’s a lot of familiar technology involved, to which existing approaches to security can be applied. This talk aims to demystify the container security world and explain some of the underlying concepts.

Bio – Rory has worked in the Information and IT Security arena for the last 20 years in a variety of roles. These days he spends most of his work time on application, cloud and container security. He’s an active member of the UK information security community, having delivered presentations at a variety of IT and Information security conferences. He has also presented at major containerization conferences and is an author of the CIS Benchmarks for Docker and Kubernetes.

Daniel Card (@UK_Daniel_Card)

Panel Discussion – A panel discussion involving Daniel Card, covering topics ranging from the community and common security mistakes to community-based events.

Thursday, 28 May 2020

Time: 20:00 - 21:30 BST

Location: Virtual, details will be emailed closer to the time to those who have registered to the event below.

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-virtual-chapter-meeting-may-tickets-105453656726

Description

We are pleased to announce that the second OWASP Scotland Chapter meeting of 2020 will take place on Thursday the 28th of May.

STÖK - Bounty curious? How to win at bug bounties in 2020 (and stay sane)

Speaker: STÖK - @stokfredrik, youtube.com/stokfredrik

STÖK will be providing us with insight into how to approach bug bounties as a hobby in 2020: what tools most people use, why you need automation, understanding depth vs. breadth and fuzzing vs. code review, and how to stay sane whilst competing against 700,000 other hackers.

Context IS - Open Banking Applications

Speaker: Margus Lind & Daniela Schoeffmann, Context IS

Open Banking is the UK implementation of PSD2. On top of the PSD2 regulations, Open Banking provides a detailed specification for banks and third parties to follow when communicating with one another. This allows third-party providers (TPPs) to build their applications and integrate with the online services exposed by any bank (ASPSP) in a standardised way.

With an increasing number of banks using APIs to share data, Open Banking promises better business opportunities and more robust security for customers and banks. However, the implementation of publicly accessible APIs and the introduction of new security models create a myriad of challenges. This widens the attack surface and puts data in the hands of more companies (third-party providers) with differing approaches to customer data protection. In this talk we will give a brief introduction to Open Banking, describe our experiences with testing implementations of Open Banking, and cover the technical and project management challenges we have overcome along the way. We will demonstrate the technical complexities encountered and share some interesting discoveries made during the engagements.

Code of Conduct

We hope you enjoy our events. We care deeply about inclusivity and diversity, so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of the chapter leaders if you have any feedback or would like to speak to us; we take these matters very seriously. You can find out more about our policies here: https://owasp.org/www-policy/operational/conferences-events.html.

Tuesday, 11 February 2020

Time: 18:00 - 20:00 BST

Location: PwC, 144 Morrison Street, Edinburgh, EH3 8EX

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-2020-tickets-90016877905

Description

We are pleased to announce that the first OWASP Scotland Chapter meeting of 2020 will take place on Tuesday the 11th of February. Many thanks to PwC, who have kindly offered to host this event for us. They will also be providing pizza and refreshments on the evening.

Security Culture and Behaviour - security is still often seen as a technology problem

Speaker: Louise MacDougall

This presentation will focus on the culture and behaviours surrounding cyber security and explore the ‘People layer’ of defence. Louise will discuss how organisations should be approaching cyber security leadership and how they can drive the right security behaviours within their staff. Particular focus will be on the role of senior leadership and behavioural models that can be applied to cyber security.

Nothing Rhymes with Purple

Speaker: Lawrence Munro

In this talk, I discuss the need for collaborative strategies between blue and red teams. I dive deep into the concepts of ‘always-on’ red teaming and the processes of generating use cases from TI through threat hunting to validation. I also discuss the use of point-in-time purple teaming and maximising the value to the SOC. Moreover, I will discuss the direction of travel within the professional services industry and open the floor to discussion.

Bio: Lawrence Munro is Technical Director at NCC Group, a postgraduate student at Oxford University, a CREST Executive member and a Director of B-Sides London. His research and presentation topics are varied, but often include red teaming, education in InfoSec and weird side-projects. Lawrence has previously presented his ideas and research at Black Hat USA, DEFCON, 44CON, RootCon, B-Sides (various) and ToorCon.