OWASP Suffolk

Past Meeting/Event(s)

Injection Vulnerabilities

23rd May 2023 (Virtual event)

Location: virtual

Injection vulnerabilities remain a common problem today. A single mistake could expose your whole database and customer data or give an attacker the ability to remotely execute code on your server.

We will look at some examples of coding mistakes that can lead to injection vulnerabilities and discuss how they could be mitigated.

This is a joint event provided by OWASP Bristol and OWASP Suffolk.

OWASP Suffolk Fight Club - May Encore 2023

16th May 2023 (Virtual event)

Location: virtual

No agenda, no slides, no recording, 100% unscripted.

Practical learning: Live ethical hacking challenges, workshops, CTFs and sharing of knowledge.

OWASP Suffolk Fight Club - May 2023

9th May 2023 (Virtual event)

Location: virtual

No agenda, no slides, no recording, 100% unscripted.

Practical learning: Live ethical hacking challenges, workshops, CTFs and sharing of knowledge.

OWASP Suffolk Fight Club - April 2023

11th April 2023 (Virtual event)

Location: virtual

No agenda, no slides, no recording, 100% unscripted.

Practical learning: Live ethical hacking challenges, workshops, CTFs and sharing of knowledge.

Thinking like a Hacker

21st March 2023 (Virtual event)

Location: virtual

Over the past few years OWASP Suffolk has been bringing you free events to show you cyber security best practices. We discussed creating strong passwords, patching and backing up, OSINT, API Security, SCA and RASP, and many other subjects. In this event we hope to cement that knowledge by showing you the view from the other side of the fence.

In this live interactive demonstration we will show you what a web target looks like from the perspective of an attacker. With the use of a vulnerable target that has not followed security best practices we will show you just how easy it is for an attacker to gain access to your computer, it’s data and resources. With each step of the attack we will demonstrate techniques and tools while discussing what could of been done to mitigate each step of the attack.

By thinking like a Hacker and seeing your “defences” from their point of view we hope to show you how important following cyber security best practices really is.

Attendees of the OWASP Suffolk Fight Club events will be familiar with the format of this event, except that this will be scripted with interactive Q&A. The vulnerable target will be a virtual machine created for the purpose of learning.

OWASP Suffolk Fight Club - March 2023

14th March 2023 (Virtual event)

Location: virtual

No agenda, no slides, no recording, 100% unscripted.

Practical learning: Live ethical hacking challenges, workshops, CTFs and sharing of knowledge.

OWASP Suffolk Fight Club - February 2023

28th February 2023 (Virtual event)

Location: virtual

No agenda, no slides, no recording, 100% unscripted.

Practical learning: Live ethical hacking challenges, workshops, CTFs and sharing of knowledge.

OWASP Suffolk Fight Club - January 2023

24th January 2023 (Virtual event)

Location: virtual

OWASP Suffolk Fight Club - December 2022

13th December 2022 (Virtual event)

Location: virtual

An Introduction to OSINT

22nd November 2022 (Virtual event)

Location: virtual

Agenda:

• OWASP introduction and updates
• An Introduction to OSINT with Q&A

OSINT - OpenSource INTelligence is the art of research and analysis of data that is freely available from publicly available sources. Combined with digital tools and techniques it’s amazing what you can learn using nothing more than a computer and an internet connection.

This talk will:

• Introduce you to the world of OSINT
• Provide an overview of some of the techniques and resources used in OSINT
• Discuss how OSINT is being used today

Disclaimer: This talk is given for informative purposes only. Use of OSINT tools and techniques for illegal activities is not condoned by OWASP.

OWASP Suffolk Fight Club - November 2022

15th November 2022 (Virtual event)

Location: virtual

Deepfakes: A Growing Cybersecurity Concern - Mike Warner

26th October 2022 (Virtual event)

Location: virtual

The talk:

Join us for a look at Deepfakes with Mike Warner, one of the OWASP Dorset Chapter Leads.

Deepfakes; an emergent type of threat falling under the greater and more pervasive umbrella of synthetic media, utilise a form of Artificial Intelligence/Machine Learning (AI/ML) to create believable, realistic videos, pictures, audio, and text of events which never happened.

Criminals are already starting to utilise deepfake technology to impersonate executives’ voices on phone calls and even their likenesses over video to add an air of legitimacy to their attacks. As deepfakes become more lifelike, phone calls, video chats and other forms of communication will be more vulnerable to abuse.

This talk will look at the origins of Deepfake technology, how they work, the threats and ethical quandaries they pose, and potential mitigations, with a handful of demos.

This talk is hosted by OWASP Dorset and shared with OWASP Suffolk and Bristol.

OWASP Suffolk Fight Club - October 2022

25th October 2022 (Virtual event)

Location: virtual

What is eBPF and why should you care? - Kev Sheldrake

20th October 2022 (Virtual event)

The Talk:

eBPF is relatively new and “a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel.” You can achieve similar results to writing a kernel module, but in a (supposedly – we’ll come to that) safe manner. eBPF code runs in a virtual machine and, depending on the program type, can access all sorts of kernel internals, with programs being launched when specified code points get hit.

I will talk about the basics and how to get up and running, the challenges and pitfalls to overcome, a library I wrote when working at Sysinternals to take away some of the pain, the Sysmon For Linux tool I wrote for Sysinternals that logs events to Syslog, and Cilium/Tetragon (and Cilium/ebpf library) that makes accessing eBPF for system observability easier. I will discuss technical details and explain the different use cases that might benefit you, from blue team using Sysmon and Cilium/Tetragon to achieve super powerful abilities, to researchers building custom program tracers, to red team exploiting kernel vulns, to sysadmins seeking performance issues.

It is a truly exciting thing that everyone is talking about.

Bio: Kev Sheldrake is a security software engineer and researcher who started working in the technical security field in 1997. Over the years, Kev has been a developer and systems administrator of ‘secure’ systems, an infosec policy consultant, a penetration tester, a reverse engineer and an entrepreneur who founded and ran his own security consulting company. He currently works at Isovalent on the open source and enterprise versions of the system observability tool Tetragon, and in the past he specialised in IoT, crypto, and tool development for a number of years. Twitter: @kevsecurity

Agenda:

OWASP Updates

• Talk: What is eBPF and why should you care? with Kev Sheldrake
• Open discussion
• This event will be hosted by OWASP Bristol and is shared with OWASP Suffolk and OWASP Dorset.

OWASP Suffolk Fight Club - September 2022

27th september 2022 (Virtual event)

Location: virtual

RASP demo - Jeff Williams

14th September 2022 (Virtual event)

Location: virtual

Agenda:

• OWASP introduction and updates
• RASP demo from Jeff

The Demo:

Following on from his talk earlier this year and as requested Jeff will provide a demo of RASP.

About the speaker:

Jeff Williams - CTO of Contrast Security and OWASP Co-Founder

Jeff Williams is the co-founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API (ESAPI), OWASP Application Security Verification Standard(ASVS), XSS Prevention Cheat Sheet, WebGoat and many other widely adopted free and open projects. Jeff is the co-founder and the CTO of Contrast Security. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

Using OWASP Nettacker for Recon and Vulnerability Scanning

5th July 2022 (Virtual event)

Location: virtual

Agenda:

• OWASP introduction and updates
• **The talk - Using OWASP Nettacker for Recon and Vulnerability Scanning **
• Q&A

The Talk:

The OWASP Nettacker project was created to automate information gathering, vulnerability scanning, and in general to aid the penetration testing engagements. Nettacker is able to run various scans using a variety of methods and generate scan reports for applications and networks, including services, bugs, vulnerabilities, misconfigurations, default credentials and many other cool features - for example the ability to chain different scan methods. This relatively new (Summer 2017) and a lesser-known OWASP project has generated a huge amount of interest at BlackHat Europe 2018/2019 Arsenal live demo gathering massive crowds of seasoned hackers and penetration testers eager to see this new tool in action. This talk will showcase the OWASP Nettacker project giving an overview of its features and including a live demo of the tool.

About the speaker:

Sam Stepanyan is an OWASP London Chapter Leader and an Independent Application Security Consultant with over 20 years of experience in the IT industry with a background in software engineering and web application development. Sam has worked for various financial services institutions in the City of London specialising in Application Security consulting, Secure Software Development Lifecycle (SDLC), developer training, source code reviews and vulnerability management. He is also a Subject Matter Expert in Web Application Firewalls (WAF) and SIEM systems. Sam holds a Master’s degree in Software Engineering and a CISSP certification.

Patching and Backing-up

28th June 2022 (Virtual event)

Location: virtual

Agenda:

• OWASP introduction and updates
• **The talk - Patching and Backing-up **
• Q&A

The Talk:

Every day we hear more and more about computers being compromised by malicious actors or malware. Ransomware is on the rise, WordPress and other CMS sites are constantly being hit as this or that plug-in is exploited. What can we as individuals or small businesses do to protect our computers, web sites and data?

In this talk we will discuss patching and backing-up shown from both the perspective of the individual / small business owner and that of a malicious actor.

From the perspective of the individual or small business we will suggest best practices around patching and backing-up. Covering both open-source and commercial solutions we will show you ways to improve your security position by keeping your software fully patched employing techniques taken from OS hardening and the splitting of backing-up into data back-ups and system imaging.

From the perspective of the malicious actor we will show you how your computers can be scanned for weaknesses and then exploited with little effort using tools such as nmap, Nikto, WPscan, MetaSploit and SearchSploit covering the ExploitDB and the lifecycle of a CVE.

This talk will cover the following:

• Patching and backing-up strategies for the individual and small business owner
• Employing OS hardening techniques to reduce attack vectors and to speed-up backing-up
• Open-source and Commerical backup solutions for Windows, Linux, Mac and popular website CMS such as WordPress, Drupal and Joomla!
• Demonstration of how malicious actors can scan your computers for known vulnerabilities and easily exploit unpatched software that you are running
• The lifecycle of a CVE
• Limiting the risks of Ransomware

Disclaimer: As always our events are designed to educate. Any tools and techniques demonstrated are for informative purposes only. We do not endorse their use for malicious purposes.

This talk will not be recorded.

OWASP Suffolk Fight Club - June 2022

21st June 2022 (Virtual event)

Location: virtual

OWASP Suffolk’s May 2022 Fight Club

24th May 2022 (Virtual event)

Location: virtual

No agenda, no slides, no recording, 100% unscripted.

You know the rules..

Log4J - Past, Present, and Future - Ariel Assaraf, Yuval Khalifa

17th May 2022 (Virtual event)

Location: virtual

Agenda:

• OWASP introduction and updates
• The talk - Log4J - Past, Present, and Future
• Q&A

The Talk:

The log4j incident shocked the world back in December - but by implementing the proper protocols and tools early-on organizations can be better prepared moving forward. Logs, metrics, security, and metrics can be your secret weapon when it comes to the observability of your applications and software. But are you using all of your data sources to their full potential?

We’ll go over what organizations should keep in mind before, during, and post-security vulnerabilities (based on the log4j incident) when it comes to their monitoring tools and how powerful insights can be pulled to avoid delayed crisis management.

About the speakers:

Ariel Assaraf - Co-founder and CEO at Coralogix

Ariel is a veteran of the Israeli intelligence elite unit 8200. He has over 10 years of Product and team management experience and was the former product manager at the IDF and QA & Integration GL at Verint.

Yuval Khalifa - Chief Security Architect at Coralogix

A former enterprise security expert at Sygnia, Cyber solutions architect at the IAI, and a CTO at the largest insurance agency in Israel. Yuval has vast experience in Cybersecurity secure coding, network architecture, and AI/ML.

Securing your Machine Learning solutions and protecting your models - Phil Basford

3rd May 2022 (Virtual event)

Location: virtual

Agenda:

• OWASP introduction and updates
• The talk - Securing your Machine Learning solutions and protecting your models
• Q&A

The Talk:

Machine Learning is increasingly being used by companies as a disruptor or providing a USP. This means that Machine Learning models need to cope with being a critical part of solutions and if those solutions use PCI-DSS or PII then the models must be highly secure.

In addition, if a Machine Learning model is part of your USP then you will want to protect it. Also, the EU AI Regulation and UK AI Strategy means that AI is becoming increasingly regulated. This means you need able to prove what model made a prediction and why it made it by providing auditability and explainabilty.

In this talk we go over these issues and how to address them including using AWS and how to implement development best practices.

About the speaker:

Phil Basford is one of the Ipswich AWS User Group Leaders and contributes to the AWS Community by speaking at a number of summits, community days and meet-ups. He is a regular blogger, open-source contributor, and SME on Machine Learning, MLOps, DevOps, Containers and Serverless. Phil has over 6 years of commercial AWS experience and holds 12 AWS Certifications, including: AWS Certified Solutions Architect Professional AWS DevOps Engineer Professional and Amazon Machine Learning Specialism. Phil works for Inawisdom (an AWS Partner) as a CTO AI & ML. Phil is Inawisdom’s AWS APN Ambassador and evangelist.

Are We Secure? - Jeff Williams

26th April 2022 (Virtual event)

Location: virtual

Agenda:

• OWASP introduction and updates
• The talk - Are we Secure?
• Q&A

The Talk:

We all trust software with the most important aspects of our life… but it’s a blind trust with virtually no justification. Actually, by almost any measure, application security has been failing for 20 years. Software is still riddled with vulnerabilities and gets attacked thousands of times a month – mostly undetected. Yet instead of trying different approaches, we mostly keep pushing the same futile and expensive practices harder.

In this talk, we’ll discuss why the underlying asymmetric information problem in the software market makes it impossible to make progress. And we’ll talk about how we can escape this trap, change the software market, and make software trustworthy for everyone.

About the speaker:

Jeff Williams - CTO of Contrast Security and OWASP Co-Founder

Jeff Williams is the co-founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API (ESAPI), OWASP Application Security Verification Standard(ASVS), XSS Prevention Cheat Sheet, WebGoat and many other widely adopted free and open projects. Jeff is the co-founder and the CTO of Contrast Security. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

All about Passwords

12th April 2022 (Virtual event)

Location: virtual

Agenda:

• OWASP introduction and updates
• All about Passwords
• Q&A

Love them or hate them, passwords have become part of our daily life. We use them to sign into just about everything, from our devices to emails, social media, cloud services and digital banking. We have to remember different passwords for each site we need to log-in to, and we are forced to change them on occasion. It can be a lot to remember. Password Managers can help and 2FA or MFA can provide extra security. Yet despite all that, service providers can still be compromised and our carefully chosen passwords can end up somewhere on the darkweb being sold by the hundred thousand.

Making use of both slides and live demonstrations Martin and David will take you through a brief history of passwords, discussing password lengths and formats, password policies, guidelines and best practices, the storage and transmission of passwords, 2FA and MFA, and pretty much everything you ever wanted to know about passwords. All in under an hour.

Throughout the talk we will employ a Red vs Blue format with Martin playing Blue, discussing best practices and how to keep your logins protected. While David will be playing Red, discussing the techniques and tools employed by malicious actors in an attempt to secure access to your logins.

Disclaimer: As always our events are designed to educate. Any tools and techniques demonstrated are for informative purposes only. We do not endorse their use for malicious purposes.

The best practices of working securely on AWS - Alex Kearns

29th March 2022 (Virtual event)

Location: virtual

Agenda:

• OWASP introduction and updates
• The talk - The best practices of working securely on AWS
• Q&A

The Talk:

Cloud has been around for a relatively long time now, yet there doesn’t seem to be a huge community of purely security focused individuals working with it. My theory is that this is down to cloud security appearing to be so different to what people are used to working with. Let’s try and bust that myth.

Join me for a bird’s eye view of the most important security concepts on AWS, what the best practices are around them as well as what AWS can do to help make life easier. I hope that this talk makes some of you more comfortable exploring AWS in the future.

About Alex:

Alex Kearns is a consultant at Inawisdom in Ipswich delivering data and AI/ML solutions on AWS for a variety of customers. Prior to this he has worked for an early stage startup and BT in a security focused role. He has a firm belief that security best practices should underpin all workloads, especially those in public clouds such as AWS.

A Swiss Knife for API Security and Legal Risk Management - Dr Baljeet Malhotra

10th March 2022 (Virtual event)

Location: virtual

Agenda:

• OWASP updates
• The talk - A Swiss Knife for API Security and Legal Risk Management

The Talk:

Web applications are prone to various cybersecurity risks. Did you know that 96% of these web applications contain some Open Source? Furthermore, did you know that 99% of such Open Source contain some web APIs. You may be surprised to know that web APIs contribute 83% of the traffic over the internet. Unfortunately, this growing API usage also means growing cybersecurity risks. Although, APIs benefit organizations immensely through accelerated innovations, newer business models, competitive differentiation, but organizations are also negatively impacted by APIs due to their weak security posture leading to business disruptions, legal and compliance issues. In 2022, API abuses are predicted to be the most frequent attack vector resulting in data breaches for web applications. Given the importance of APIs for digital transformation at organizations it is imperative for their Security, Compliance and Audit professionals to get a handle on APIs to manage various API related risks.

This session will provide an overview of an API Governance framework for effective API Risk Management. This framework is inspired by the Zero Trust model that enterprises can use as a “Swiss Knife” for reducing their API related risks. We’ll also highlight best practices and hands-on examples for API Risk Management.

About Dr Baljeet Malhotra:

Dr Baljeet Malhotra is an award-winning researcher known for his work in Open Source and API Data Management. He conceptualized the world’s first “API Composition Analysis” based on source code static analysis. He founded TeejLab in 2017 and steered the team to build API Discovery and Security™, world’s first comprehensive end-to-end API Management platform. Prior to TeejLab, he established the R&D unit of Black Duck Software in 2016 (acquired by Synopsys), he has also served as Research Director at SAP. He received a PhD in Computing Science from the University of Alberta and won several awards including NSERC (Canada) scholar in 2005 and Global Young Scientist (Singapore). He concurrently holds Adjunct Professor positions at the University of British Columbia, University of Victoria and University of Northern BC.

Hosting:

The talk is hosted by the OWASP Bristol chapter and is shared with OWASP Suffolk and OWASP Dorset and will be streamed live on YouTube. The streaming link will be made available closer to the event.

OWASP Juice Shop demonstration

22nd February 2022 (Virtual event)

Location: virtual

Agenda:

• OWASP introduction and updates
• Live demo of OWASP Juice Shop

So you want to have a go at ethical hacking but you don’t know where to start?

In under an hour Dave, Wojciech and Martin will walk you through installing, setting up and attacking OWASP Juice Shop from the comfort of your own home.

OWASP Juice Shop is a free insecure web application that you can install on your own computer. It’s a popular security training tool riddled with security issues like SQL injection, XSS and security misconfigurations. Using gamification Juice Shop acts as an e-commerce website that you can legally attack on your own computer.

Juice Shop has built-in tutorials and comes with 100 challenges for you to find and exploit. With each challenge you solve your score increases on the scoreboard. But wait, where is the scoreboard? That’s your very first challenge, to find the scoreboard hidden within the application. As you progress Juice Shop awards you points and displays your progress. Challenges are ranked by difficulty.

After walking you through installation and setup we will have an interactive session where we demo how to find the scoreboard and complete a few of the easy challenges.

Cyber Security - Thinking Like The Enemy - Peter Cochrane OBE

15th February 2022 (Virtual event)

Location: virtual

Agenda:

• OWASP introduction and updates
• The talk - Cyber Security: Thinking Like The Enemy
• Q&A

The Talk:

There is far more to cyber security than technology.

Every successful attack starts with human fallibility and failure.

The Dark Side is an integrated business venture on a global scale.

Operating as individually isolated organisations means we can only lose.

Integrating the information and resources across sectors and countries is essential.

The projected ‘business earnings of The Dark Side will be >5x the GDP of the UK by 2030.

About Peter Cochrane OBE:

Peter is an academic, advisor and consultant with multiple awards and accreditations. Around Ipswich, he is known for leading the Research at BT Labs at Adastral Park for many years, and more recently for working in the Department of Science and Technology at the University of Suffolk. He has been an advisor to Facebook, written over 1,000 scientific and engineering papers, patents, press articles, edited books and chapters. He has appeared on over 400 national and international appearances on radio and TV. He is a regular contributor to the Times, Telegraph, Guardian, and The Australian newspapers plus Wired Magazine, T3, Intelligence and Weekly Diamond Magazines.

Hacking Demystified - How hackers locate, identify and target your business

26th January 2022 (Virtual event)

Location: virtual

Agenda:

• Introduction from the ISTN, Suffolk Developers and OWASP Suffolk
• The talk - Hacking Demystified
• Q&A

A high-level overview around some of the tactics and attack paths ‘hackers’ utilise when profiling and ultimately attacking organisations.

What we will cover:

✔ Common cyber security misconceptions ✔ Types of hackers ✔ Examples of how hackers profile organisations ✔ Office365 attack scenarios ✔ Defence

About Matthew Hunn:

Matthew Hunn is a penetration tester who supports organisation’s in identifying their security weaknesses and their impact on the integrity of critical business assets. Leveraging his past experience in digital forensics and incident response, Matthew replicates the ‘attack vectors’ a malicious actor would seek and exploit to compromise a victim; allowing them to ensure resilient, fit for purpose, defences are in place.

Xperience’s Labsec cyber security division delivers continuous security monitoring, consultancy and strategy planning, penetration testing and Cyber Essentials certification services.

Your Hosts:

Delivered to you in collaboration with Suffolk Developers group, Ipswich & Suffolk Tech Network and OWASP Suffolk.

Discussion: Getting started in Ethical Hacking

18th January 2022 (Virtual event)

Location: virtual

Agenda:

• Welcome back & overview of what we have in store for 2022
• OWASP updates
• Open discussion on how to get started in Ethical Hacking

Getting started in Ethical Hacking can seem daunting. There is so much information out there, so many websites, tools, YouTube videos, courses, etc etc. Where do you start? Do you have to do a course or be certified? Do I need to set up my own testing lab, and if so, what operating system and tools do I use? Is there a way to learn for free? So many questions. It can feel so overwhelming at times, enough to put you off.

The aim of this event is to offer an open discussion where we can all share tips, tricks, resources and suggestions around how to go about getting started in Ethical Hacking. Everything from how to make learning fun, recommended resources such as websites, podcasts, gamification sites (CTFs), tools, bug bounty platforms and tips and tricks on how to learn and remain focused.

This event will be open to members of OWASP Suffolk and other OWASP groups. This event will not be recorded.

Infrastructure as Code (IaC) Misconfigurations

2nd December 2021 (Virtual event)

Location: virtual

Agenda:

• OWASP updates
• The talk
• Open discussion

Infrastructure as Code (IaC) makes deploying cloud or container configurations scalable and faster. If you are launching a microservice into a Kubernetes cluster, or even building an entire AWS virtual infrastructure, IaC can automate the deployment. By building repeatable templates you can also ensure that deployments happen exactly as you design, every time. However, errors in infrastructure configuration are now regarded as the second biggest cause of data breaches. There are many ways to give adversaries an advantage through security misconfigurations. Overly permissive storage volumes, unauthenticated database access, or ports left open to the internet have all been a cause of compromise. The solution? Treat your infrastructure code the same as your application code. During your build process, use tools to scan for infrastructure misconfigurations. When you find them raise alerts or even break the build.

In this session, we will discuss common types of IaC misconfigurations, and demonstrate a free, open-source security tool that developers can build into their pipelines to help protect infrastructure from compromise.

About Ori Bendet:

An experienced product leader combining strong technical and marketing skills, Ori has been leading Checkmarx’s flagship product, CxSAST (Static Application Security Testing), a Gartner and Forrester market-leading solution, serving thousands of customers worldwide for the last 2 years. Prior to Checkmarx, he was in Time To Know, HPE, PicApp and Bezeq in various product and engineering positions.

Your Hosts:

Delivered to you in collaboration with OWASP Bristol.

29th September 2021 (Virtual event)

Location: virtual

Agenda:

• Introduction
• The Eastern Cyber Resilience Centre - helping SMEs be cyber resilient by Detective Inspector Fiona Bail

Cybercrime is a growing threat to businesses of all sizes, but small and medium enterprises may not have the resources or confidence to implement cyber resilience strategies. The ECRC has been set up to help those companies recognise the risk and mitigate it, through free membership, guidance and affordable services.

Join us for a review of the current cybercrime landscape, why the ECRC has been set up and some practical tips that companies can implement to help improve their cyber resilience.

✔ What is the Eastern Cyber Resilience Centre (ECRC)

✔ Why the ECRC is required

✔ A review of the current cyber resilience landscape

✔ Some practical guidance for companies to implement

8th June 2021 (Virtual event)

Location: virtual

Agenda:

Get together to discuss OWASP, hot topics, to share learning resources, discuss tools and techniques.

This is a social event where you can have your say on the direction of the group, suggest topics for future meetings, discuss where you are in your security journey and how we can help. There will be no slides or speakers, just a social chit-chat.

22nd June 2021 (Virtual event)

Location: virtual

Agenda:

• Introduction
• IoT Security by Ilya Kudryavtsev
• Networking

25th May 2021 (Virtual event)

Location: virtual

Agenda:

• Introduction
• Securing SDLC - SCA Tools by Wojciech Cichon
• Networking

27th April 2021 (Virtual event)

Location: virtual

Agenda:

• Introduction
• OWASP ZAP for the complete beginner - A practical demo - David Flint
• Networking

24th March 2021 (Virtual event)

Location: virtual

Agenda:

• Introduction
• Security for Managers - Martin Russ
• Networking

“Security For Managers”’ is intended as a wake-up call for people who assume that IT security doesn’t apply to them or their company. Think of it as a visit from a consultant who spends a lot of time with you, and then says: ‘This is what you need to do’, and then doesn’t charge you a penny!

Wednesday, October 7, 2020 (Virtual event)

Location: virtual

Agenda:

• Warmly greetings by hosts

• The Cloud Migration Playbook - Part 1: A Simple Primer To Complexity” - Jason Sewell [ Video ]

  In this talk, we will go over an introductory overview on the common areas of AWS an organization should start to focus on as they prepare to migrate to the cloud, including both offensive techniques and defensive mitigation.

• Short break / networking

• What you need to know, but you are afraid to ask - Pentester panel [ Video ]

Panelists:

• Jason Sewell

Jason has over 15 years of experience as a web application and systems developer, in addition to over ten years in DevOps and systems architecture related roles. Jason began his journey into information security through necessity as he built skills and knowledge through his roles in leading internal initiatives for securing application and cloud infrastructure. After years of blue team and developer/devops roles, his interests centre around offensive security and wanting to help organizations actively find problems rather than just follow best practices and hope for the best.

• Cayce Mahon

Has over nine years of experience in Information Security. Originally graduating with an AFA in fine art , she took a unique path of education in regards to her transition into information security. Through persistence and self-study, she was able to obtain a Security+ and OSCP certification on her own. While at OccamSec, she has led and has been a part of a variety of offensive engagements in the realms of cyber and physical security (security/penetration testing of applications, network/physical infrastructure and systems) as well as risk assessment (architecture/policy review, vulnerability assessment, and employee interviews). Finding crucial fault points in an organization’s infrastructure while also adapting to the ever changing demands of the clients she works with.

• Ivano Bianco

Italian, with a fake Russian accent. Started using computers at the tender age of 11, by the age of 14 he switched from the BASIC language to Assembly and started to circumvent copy protections for fun. Spent the next 20 years working in IT Operations, keeping systems secure and automating deployments before job titles like “IT Security Engineer” and “DevOps Engineer” were a thing.

Had the opportunity to cover technical hands-on roles for a multitude of SME and multinational companies such as: - Société Générale - H3G - Ericsson - Global Payments – Puppet.

Nowadays he prefers to focus on penetration testing, web application testing (because breaking things is always fun), threat hunting and security awareness training. He still likes to figure out why a server is down, but will not fix your computer.

• Nicholas Donarski

Has been a pioneer in the Information Security field for over 20 years. During this time, he’s worked with a diverse client list which includes multinational and global organizations, Federal, State and Local government, and enterprises of all sizes. He is recognized in the international community as a senior authority on PenTesting strategy, operations, tools and training. Over the years, he’s continued to expand his experience in security to include network security, mobile, web, and application security, compliance, high threat physical security and RedTeam Operations. Recently, he’s focused on the development of security architecture and development around machine learning and Artificial Narrow Intelligence (ANI).

Notes & Experience:

• Started as CEO, Security Researcher, Pen Tester, Compliance Tester at ND Technical Associates in 1998 *Worked at Halock Security Labs as a Pen tester/Security Researcher beginning in 2008 *Worked at Rapid7 beginning in 2010 as a Sr. Pen Tester *Worked at HP Enterprise Security beginning in 2012 as a Sr. PenTester *Founding member of the PoV Team at HP ShadowLabs *Worked at K2 Intelligence beginning in 2016 as a Sr. Cyber Security Specialist- Red Team lead

Featured by BugCrowd: https://blog.bugcrowd.com/meet-the-bugcrowd-bughunter-profile-of-kizz-myanthia-kizz_my_anthia/

BSidesCHS 2014 Keynote: https://www.youtube.com/watch?v=bYFiNZp2Z6U

Currently, Nick is a Sr. PenTester where he leads a team that drives information practices through hands-on operations, education and defining advanced testing methodologies. He works with clients and partners to support the development of Information Security programs and directives which allows the business to function and grow while maintaining strong security practices.

Friday, May 15, 2020 (Virtual event)

Location: virtual

Agenda:

• OWASP Suffolk Introduction, Welcome and News - WTC

  Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

• Gamification of Threat Modelling - Grant Ongers [ Video ]

  Helping your teams perform all important threat modelling in a way that doesn’t require a huge security team, or prevent delivery from being at the speed that the business requires. We do this as part of a normal agile delivery through backlog scrubbing, using gamification and OWASP Cornucopia.

• An introduction to OWASP ZAP - Simon Bennetts [ Video ]

#### Speakers

• Grant Ongers

Grant is co-founder of the bearded trio called Secure Delivery. The philosophy and purpose of the organisation is in the name: optimal delivery and security in one dynamic package. Grant’s versatile experience in information systems spans Dev - building management platforms for some of the world’s largest Telcos, MSPs and Financial groups for more than 10 years. Twenty-plus years in Ops, doing everything from running operational teams in global NOCs to managing mainframe and database systems. He also has over thirty years pushing the limits of (Info)Sec - mostly white-hat. He’s done time on both sides of the TPSA (security assessment) table working for and with regulated organisations ensuring compliance and matching appetite with acceptance of risk. Grant’s community involvement is global: Staff at BSides (London, Las Vegas, and Cape Town), Goon at DEF CON (USA) for nearly ten years and DC2721 co-founder, staff at BlackHat (USA and EU), and OWASP Global Board member. Twitter: @rewtd

• Simon Bennetts

Simon is the OWASP Zed Attack Proxy (ZAP) Project Leader and works for Mozilla as part of the Cloud Services Security Team. He has talked about and demonstrated ZAP at conferences all over the world, including Blackhat, JavaOne, FOSDEM and OWASP AppSec EU, USA & AsiaPac. Prior to making the move into security he was a developer for 25 years and strongly believes that you cannot build secure web applications without knowing how to attack them

Friday, May 15, 2020 (Virtual event)

Location: virtual

Agenda:

• OWASP Suffolk Introduction, Welcome and News - WTC

  Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

• Detecting secrets in code committed to Gitlab (in real time) - Chandrapal Badshah [ Video ]

  There are so many open source tools that can detect sensitive API keys (secrets) in git repos. But theres no single tool that can be integrated to help you achieve real time secrets detection. This talk is about the experiment on how we implemented a real time git secrets monitoring solution.

  This talk will cover the following:
   * Problem we had
   * Techniques to solve that
   * Existing tools that can help us
   * Comparison of tools
   * Final architecture and product
   * What we learnt from the experiment
   * Future enhancements
  

#### Speakers

Chandrapal Badshah is a Security Engineer by day who manages security of a rapidly scaling company. He manages “Hack with GitHub” – an initiative to showcase open source security tools on GitHub. He has given multiple talks including those at null community monthly meets. Even during his busy days, he spends some time reading books not limited to philosophy and exploring nature.

Friday, April 24, 2020 (Virtual event)

Location: virtual

Agenda:

• OWASP Suffolk Introduction, Welcome and News - WTC

  Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

• Living In A World of Zero Trust - Vandana Verma [ Video ]

  As now everything is moving to cloud, all the applications are accessible from anywhere and everywhere. However, No one wants their private information to be compromised and openly available for the world. We have been taking so many precautions, however breaches continue to happen. How should we fix this?

  Organisations have been talking about Zero Trust lately and this has become a buzzword. The talk will explore Zero Trust beyond the buzzword and describe what exactly is Zero Trust and why it is so important to keep organisations safe. How can we implement or deploy Zero Trust in an organisation while keeping the current and future state of an organization in mind. What should be the business model to move any organisation towards Zero Trust Architecture and what all policies need to be implemented to achieve the same. #### Speakers

Vandana has over 14 years of experience and comes from strong application security background and has been working on Cloud Security, Application security, Vulnerability assessment, secure code review, threat profiling and remediation support for web/client server applications on different technologies based on Secure Design/Development guidelines and OWASP standards/guidelines.

Vandana has been a speaker and trainer at security events including Blackhat USA 2019, BSides LV 2019, Diana Initiative, Defcon (AppSec Village), AppSec California 2019, Global Appsec EU 2018, Global Appsec USA 2018, Global AppSec Tel Aviv, BSides Delhi 2018, c0c0n 2017 and Nullcon etc. She has trained over 3000+ Women in cybersecurity.

Friday, April 3, 2020 (Virtual event)

Location: virtual

Agenda:

• OWASP Suffolk Introduction, Welcome and News - WTC

  Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

• Security Testing for all - David Flint

  Security testing isn’t just for the professional penetration tester hired to check the software before go-live. Everyone in the SDLC can take part in security. In this talk David Flint discusses the benefits of building security into the SDLC and how you can acquire security testing skills for free in a fun way avoiding the need for expensive courses and qualifications. Packed with examples from his career this talk will also show how these skills should be a part of everyone’s skillset. #### Speakers Davd Flint is a professional contract Tester with over 20-years experience testing IT products and services. With a background in electronics, programming and technical testing, David has tested the quality and security of products and services for a wide range of clients.

Wednesday, March 25, 2020 (Virtual event)

Location: virtual

Agenda:

• OWASP Suffolk Introduction, Welcome and News - WTC

  Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

• how to prevent Dev from committing secrets and credentials into git repositories - Abhinav Sejpal [ Video ]

  Sensitive information such as the AWS keys, access tokens, SSH keys etc. are often erroneously leaked via the public source code repositories due to accidental git commits. This can be avoided by using pre-commit hooks like “Talisman” which checks for sensitive information in the files before commits or push activity.

Monday, 16 December 2019 (Ipswich)

Location: The Briarbank Bar

Agenda:

• Secure Beer tasting.

  We will enjoy beer, socialise and discuss various aspects of InfoSec. Additionally, we will also summarise what we achieved this year and set up goals for next year.

4 November 2019 (Ipswich)

Location:   University of Suffolk, Waterfront Building, 19 Neptune Quay, Ipswich IP4 1QJ

Agenda:

• OWASP Suffolk Introduction, Welcome and News - WTC

  Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

• Practical Threat Analysis – Martin Russ [ Slides ][ Video ]

  Martin Russ shows you how to actually do Threat Analysis using a simple spreadsheet as a guide. The key to successful threat analysis and modelling is to have a clear idea of how to get to the end-point, and not to get overwhelmed with how you are going to get there! Having a simple guide makes this much easier, but there aren’t many examples out there - this turns to be one of those rare topics where Google searches don’t return much that is particularly useful. So we will be using a very straight-forward approach that isn’t scary or hard to understand, and which doesn’t require a brain the size of a planet. or the services of an expensive consultant!

Speakers

• Martin Russ passed the CISSP exam in just over four hours (you are allowed to take six!), but has just lapsed and returned to the status of mere mortal. He worked in the Security Engineering department of a major US utility metering company for nearly ten years, and knows too much about hacking devices that measure, or web front-ends that interface to the real world, or cloud back-ends that assume that replication is a substitute for backups… He has always wanted a t-shirt that says: ‘There’s no way that could ever happen…’ because he has heard it too many times in security workshops…

30 September 2019 (Ipswich)

Location:   University of Suffolk, Waterfront Building, 19 Neptune Quay, Ipswich IP4 1QJ

Agenda:

• OWASP Suffolk Introduction, Welcome and News - WTC

  Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

• What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby [ Slides ][ Video ]

  Introduction to threat modeling what it is, why is needed and how to do it right. Why and how threat modeling should evolve to be ready for 21st century threats. We will discuss potential threats in each stage of SDLC, and how to approach them.

Speakers

• Phil Ashby has over 30+ years experience in tech. He is currently working for an identity intelligence company, trying to evolve it from a single location, sub-300 people business to a global 1000+ people corporate.

Monday 15th July 2019 (Ipswich)

Location:   University of Suffolk, Waterfront Building, 19 Neptune Quay, Ipswich IP4 1QJ

Agenda:

• OWASP Suffolk Introduction, Welcome and News - WTC

  Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

• Your only as strong as your weakest link – Edward Ogden [ Slides ] [ Video ]

  Servers are the root of all web apps and sites, it’s the central point that your clients/customers will connect to and where you put your code. Many small and under resource companies that do there own hosting don’t normally put the time and investment in there hosting technology and this is where it starts to go wrong. This talk will discuss what some of the dangers are and what could happen if an attacker gets into your infrastructure, we will also talk about how some simple changes to the infrastructure can reduce the risk of being attacked.

• Discussion about future of OWASP Suffolk

  We will have open discussion about what we are doing, and what YOU expecting us to do.

Speakers

• Edward Ogden has been in the IT industry for only 6 years and has learnt most of his skill on the job. He started his career as a web developer progressing on to operations side of the industry. Currently he is working for SETL Ltd as a DevOps engineer automating code deploys for client around the world. As a young child he was always interested in servers starting off by hosting gaming servers from his bedroom at the age of 14.

Tuesday, 21 May 2019 (Ipswich)

Location:   University of Suffolk, Waterfront Building, 19 Neptune Quay, Ipswich IP4 1QJ

Agenda:

• OWASP Suffolk Introduction, Welcome and News - WTC

  Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

• Windows Active Directory Security Lowlights - Barry Myles

  Once an attacker is inside your organisation they very often will misuse Windows Active Directory for almost total compromise of every aspect of an organisation’s computing infrastructure and the data it holds. This talk will describe how an attacker might do this, when they have done so in the past, the kinds of tools they would use, what common mistakes enable this, and how organisations could go about defending themselves both through changes in behaviour and changes to their setup.

Speakers

• Barry Myles leads an internal penetration testing team at BT, although tries to stay away from very traditional views of pen testing as much as possible. After becoming somewhat bored and jaded with project management work in 2006 he decided the life on an attacker was a very much more fun, but perhaps less constructive way of life. He enjoys large scale scanning, reverse engineering, cryptography, hardware hacking and network protocols a bit too much.

Tuesday, 23rd April 2019 (Ipswich)

Location:   University of Suffolk, Waterfront Building, 19 Neptune Quay, Ipswich IP4 1QJ

Agenda:

• OWASP Suffolk Introduction, Welcome and News - WTC

  Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

• Data Protection Act 2018 - Rebecca Moran [ PDF ] [ Video ]

  An overview of the requirements of the new Data Protection Act 2018 (GDPR) and it’s influence in development and project management.

Speakers

• Rebecca Moran is owner of ReMo InfoSec - qualified ISO27001 lead implementer and auditor – preacher of the ISO27001 bible. Registered GDPR practitioner and all round data protection whiz.

Tuesday, 19th March 2019 (Ipswich)

Location:   University of Suffolk, Waterfront Building, 19 Neptune Quay, Ipswich IP4 1QJ

Agenda:

• OWASP Suffolk Introduction, Welcome and News - WTC

  Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

• Understanding how to prevent Sensitive Data Exposure - Simon Greatrix [ PDF ] [ Video ]

  Sensitive data is often the target of any attack, and its exposure has the greatest risk of long-term damage. OWASP and the PCI DSS provide many recommendations. The internet provides even more. These can be hard to understand, hard to implement, and contradictory. I will be sharing my understanding of how the cryptographic algorithms work and how they should best be used.

Speakers

• Dr Simon Greatrix has been writing software since the late 70s and has worked as a security expert for e-commerce for nearly 20 years. He is currently working on SETL’s block chain product. Java has been his preferred programming language since 1996.

Monday, 25th February 2019 (Ipswich)

Location:  Connexions, 159 Princess Street, Ipswich

Agenda:

• OWASP Suffolk Introduction, Welcome and News - WTC

- Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

• Yet another talk on OWASP Top 10 - WTC [PDF]

  Brief overview of OWASP Top 10.

Category:OWASP Chapter Category:Europe