OWASP Suffolk

Welcome

Welcome to the Suffolk chapter homepage. The chapter leaders are Wojciech T Cichon and Abhinav Sejpal.

Please follow us on Twitter and subscribe to our YouTube channel.

Meeting Sponsors

The following organisations have supported the OWASP Suffolk chapter by providing funds or a venue.

IWIC OCCAMSEC

Call For Speakers

If you would like to present a talk on Application Security at future OWASP Suffolk Chapter events, please email the proposed talk title, abstract and speaker bio to one of the Chapter Leaders.

Next Meeting/Event(s)

OWASP Suffolk Chapter Meetup

Wednesday, October 7, 2020 (Virtual event)

Location: virtual

Agenda:

  • Warm greetings from the hosts
  • “The Cloud Migration Playbook - Part 1: A Simple Primer To Complexity” - Jason Sewell
  • Short break / networking
  • What you need to know, but you are afraid to ask - Pentester panel

Panelists:

  • Jason Sewell

Jason has over 15 years of experience as a web application and systems developer, in addition to over ten years in DevOps and systems architecture related roles. Jason began his journey into information security through necessity, building skills and knowledge by leading internal initiatives to secure application and cloud infrastructure. After years of blue team and developer/DevOps roles, his interests centre on offensive security and on helping organisations actively find problems rather than just follow best practices and hope for the best.

  • Cayce Mahon

Has over nine years of experience in Information Security. Originally graduating with an AFA in fine art, she took a unique educational path into information security. Through persistence and self-study, she obtained the Security+ and OSCP certifications on her own. While at OccamSec, she has led and been part of a variety of offensive engagements in cyber and physical security (security/penetration testing of applications, network/physical infrastructure and systems) as well as risk assessment (architecture/policy review, vulnerability assessment and employee interviews). She focuses on finding crucial fault points in an organisation’s infrastructure while adapting to the ever-changing demands of the clients she works with.

  • Ivano Bianco

Italian, with a fake Russian accent. Started using computers at the tender age of 11; by 14 he had switched from BASIC to Assembly and started circumventing copy protections for fun. He spent the next 20 years working in IT Operations, keeping systems secure and automating deployments before job titles like “IT Security Engineer” and “DevOps Engineer” were a thing.

Had the opportunity to cover technical hands-on roles for a multitude of SMEs and multinational companies such as Société Générale, H3G, Ericsson, Global Payments and Puppet.

Nowadays he prefers to focus on penetration testing, web application testing (because breaking things is always fun), threat hunting and security awareness training. He still likes to figure out why a server is down, but will not fix your computer.

  • Nicholas Donarski

Has been a pioneer in the Information Security field for over 20 years. During this time, he’s worked with a diverse client list which includes multinational and global organisations; Federal, State and Local government; and enterprises of all sizes. He is recognised in the international community as a senior authority on PenTesting strategy, operations, tools and training. Over the years, he’s continued to expand his experience in security to include network security, mobile, web and application security, compliance, high-threat physical security and RedTeam Operations. Recently, he’s focused on the development of security architecture around machine learning and Artificial Narrow Intelligence (ANI).

Notes & Experience:

  • Started as CEO, Security Researcher, Pen Tester, Compliance Tester at ND Technical Associates in 1998
  • Worked at Halock Security Labs as a Pen Tester/Security Researcher beginning in 2008
  • Worked at Rapid7 beginning in 2010 as a Sr. Pen Tester
  • Worked at HP Enterprise Security beginning in 2012 as a Sr. PenTester
  • Founding member of the PoV Team at HP ShadowLabs
  • Worked at K2 Intelligence beginning in 2016 as a Sr. Cyber Security Specialist - Red Team lead

Featured by BugCrowd: https://blog.bugcrowd.com/meet-the-bugcrowd-bughunter-profile-of-kizz-myanthia-kizz_my_anthia/

BSidesCHS 2014 Keynote: https://www.youtube.com/watch?v=bYFiNZp2Z6U

Currently, Nick is a Sr. PenTester leading a team that drives information practices through hands-on operations, education and the definition of advanced testing methodologies. He works with clients and partners to support the development of Information Security programmes and directives that allow the business to function and grow while maintaining strong security practices.


Code of Conduct:

We hope you enjoy our events. We care deeply about inclusivity and diversity, so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of our chapter leaders if you have any feedback or would like to speak to us; we take these matters very seriously. You can find out more about our policies here: https://www.owasp.org/index.php/Governance/Conference_Policies


Past Meeting/Event(s)

Friday, May 15, 2020 (Virtual event)

Location: virtual

Agenda:

  • OWASP Suffolk Introduction, Welcome and News - WTC

    Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

  • Gamification of Threat Modelling - Grant Ongers [ Video ]

    Helping your teams perform all important threat modelling in a way that doesn’t require a huge security team, or prevent delivery from being at the speed that the business requires. We do this as part of a normal agile delivery through backlog scrubbing, using gamification and OWASP Cornucopia.

  • An introduction to OWASP ZAP - Simon Bennetts [ Video ]

Speakers

  • Grant Ongers

Grant is co-founder of the bearded trio called Secure Delivery. The philosophy and purpose of the organisation is in the name: optimal delivery and security in one dynamic package. Grant’s versatile experience in information systems spans Dev (building management platforms for some of the world’s largest Telcos, MSPs and financial groups for more than 10 years), twenty-plus years in Ops (doing everything from running operational teams in global NOCs to managing mainframe and database systems), and over thirty years pushing the limits of (Info)Sec, mostly white-hat. He’s done time on both sides of the TPSA (security assessment) table, working for and with regulated organisations, ensuring compliance and matching appetite with acceptance of risk. Grant’s community involvement is global: Staff at BSides (London, Las Vegas, and Cape Town), Goon at DEF CON (USA) for nearly ten years and DC2721 co-founder, staff at BlackHat (USA and EU), and OWASP Global Board member. Twitter: @rewtd

  • Simon Bennetts

Simon is the OWASP Zed Attack Proxy (ZAP) Project Leader and works for Mozilla as part of the Cloud Services Security Team. He has talked about and demonstrated ZAP at conferences all over the world, including Blackhat, JavaOne, FOSDEM and OWASP AppSec EU, USA & AsiaPac. Prior to making the move into security he was a developer for 25 years, and he strongly believes that you cannot build secure web applications without knowing how to attack them.

Friday, May 15, 2020 (Virtual event)

Location: virtual

Agenda:

  • OWASP Suffolk Introduction, Welcome and News - WTC

    Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

  • Detecting secrets in code committed to Gitlab (in real time) - Chandrapal Badshah [ Video ]

    There are so many open source tools that can detect sensitive API keys (secrets) in git repos. But there’s no single tool that can be integrated to achieve real-time secrets detection. This talk is about our experiment in implementing a real-time git secrets monitoring solution.

    This talk will cover the following:
     * Problem we had
     * Techniques to solve that
     * Existing tools that can help us
     * Comparison of tools
     * Final architecture and product
     * What we learnt from the experiment
     * Future enhancements

Speakers

Chandrapal Badshah is a Security Engineer by day who manages security of a rapidly scaling company. He manages “Hack with GitHub” – an initiative to showcase open source security tools on GitHub. He has given multiple talks including those at null community monthly meets. Even during his busy days, he spends some time reading books not limited to philosophy and exploring nature.

Friday, April 24, 2020 (Virtual event)

Location: virtual

Agenda:

  • OWASP Suffolk Introduction, Welcome and News - WTC

    Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

  • Living In A World of Zero Trust - Vandana Verma [ Video ]

    As everything moves to the cloud, all applications are accessible from anywhere and everywhere. However, no one wants their private information compromised and openly available to the world. We have been taking so many precautions, yet breaches continue to happen. How should we fix this?

    Organisations have been talking about Zero Trust lately and it has become a buzzword. The talk will explore Zero Trust beyond the buzzword and describe what exactly Zero Trust is and why it is so important for keeping organisations safe: how we can implement or deploy Zero Trust in an organisation while keeping its current and future state in mind, what the business model for moving an organisation towards a Zero Trust Architecture should be, and what policies need to be implemented to achieve it.

Speakers

Vandana has over 14 years of experience, comes from a strong application security background and has worked on Cloud Security, Application Security, vulnerability assessment, secure code review, threat profiling and remediation support for web/client-server applications on different technologies, based on Secure Design/Development guidelines and OWASP standards/guidelines.

Vandana has been a speaker and trainer at security events including Blackhat USA 2019, BSides LV 2019, Diana Initiative, Defcon (AppSec Village), AppSec California 2019, Global AppSec EU 2018, Global AppSec USA 2018, Global AppSec Tel Aviv, BSides Delhi 2018, c0c0n 2017 and Nullcon, among others. She has trained over 3000 women in cybersecurity.

Friday, April 3, 2020 (Virtual event)

Location: virtual

Agenda:

  • OWASP Suffolk Introduction, Welcome and News - WTC

    Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

  • Security Testing for all - David Flint

    Security testing isn’t just for the professional penetration tester hired to check the software before go-live. Everyone in the SDLC can take part in security. In this talk David Flint discusses the benefits of building security into the SDLC and how you can acquire security testing skills for free, in a fun way, avoiding the need for expensive courses and qualifications. Packed with examples from his career, this talk will also show how these skills should be a part of everyone’s skillset.

Speakers

  • David Flint is a professional contract Tester with over 20 years’ experience testing IT products and services. With a background in electronics, programming and technical testing, David has tested the quality and security of products and services for a wide range of clients.

Wednesday, March 25, 2020 (Virtual event)

Location: virtual

Agenda:

  • OWASP Suffolk Introduction, Welcome and News - WTC

    Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

  • How to prevent developers from committing secrets and credentials into git repositories - Abhinav Sejpal [ Video ]

    Sensitive information such as AWS keys, access tokens and SSH keys is often leaked via public source code repositories through accidental git commits. This can be avoided with pre-commit hooks like “Talisman”, which check files for sensitive information before a commit or push.
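As an added illustration of the pre-commit approach (this is example code written for this page, not part of the talk and not Talisman’s implementation), the script below shows the shape of such a hook: it reads the staged version of each added or modified file from the git index, grep-scans it for a few credential-shaped patterns, and refuses the commit if anything matches. The regexes, the file layout and the demo sample are assumptions for the example; the only real-world values used are the AWS access-key-ID format (AKIA followed by 16 uppercase alphanumerics) and AWS’s published example key ID AKIAIOSFODNN7EXAMPLE.

```shell
#!/bin/sh
# Added example, not from the talk or from the Talisman project: a minimal
# git pre-commit hook that refuses a commit when staged content contains
# credential-shaped strings. The regexes are illustrative heuristics, not a
# complete secret detector (a real tool also uses entropy checks and allow-lists).

# Case-sensitive shapes: an AWS access key ID (AKIA + 16 uppercase
# alphanumerics, AWS's documented format) and a PEM private key header.
CS_PATTERNS='AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----'

# Case-insensitive shape: a credential-like name assigned a long opaque value.
CI_PATTERNS='(api[_-]?key|secret|token|password)[[:space:]]*[=:][[:space:]]*["'"'"']?[A-Za-z0-9/+_=-]{16,}'

# count_secret_lines FILE: print how many distinct lines match any pattern.
# Each grep gets "|| true" so the function is safe under "set -e".
count_secret_lines() {
    {
        grep -nE "$CS_PATTERNS" "$1" || true
        grep -niE "$CI_PATTERNS" "$1" || true
    } 2>/dev/null | cut -d: -f1 | sort -un | wc -l | tr -d ' '
}

# has_secrets FILE [DISPLAY_NAME]: succeed (status 0) when FILE looks leaky.
# Only the line count is reported, never the matched values, so the hook does
# not echo a secret into the terminal or a CI log.
has_secrets() {
    n=$(count_secret_lines "$1")
    if [ "$n" -gt 0 ]; then
        echo "pre-commit: ${2:-$1}: $n line(s) look like credentials; refusing to commit" >&2
        return 0
    fi
    return 1
}

# run_hook: scan the *staged* content of every added/copied/modified file
# ("git show :path" reads the index, not the working tree) and fail the
# commit if any file is flagged.
run_hook() {
    flagged=$(git diff --cached --name-only --diff-filter=ACM | while IFS= read -r f; do
        tmp=$(mktemp)
        git show ":$f" > "$tmp" 2>/dev/null || true
        has_secrets "$tmp" "$f" && printf '%s\n' "$f"
        rm -f "$tmp"
    done)
    [ -z "$flagged" ]
}

# demo: run has_secrets against a constructed sample file (the AKIA value is
# AWS's published example key ID, not a live credential). Returns 0 when the
# sample is flagged, which is the expected outcome.
demo() {
    sample=$(mktemp)
    printf 'aws_access_key_id = AKIAIOSFODNN7EXAMPLE\nregion = eu-west-2\n' > "$sample"
    if has_secrets "$sample" "sample.cfg"; then rc=0; else rc=1; fi
    rm -f "$sample"
    return $rc
}

# Scan only when installed as .git/hooks/pre-commit (or run with --demo);
# under any other name this file just defines the functions above.
case "${1:-$(basename -- "$0")}" in
    --demo)     demo ;;
    pre-commit) run_hook || exit 1 ;;
esac
```

Install by copying the file to .git/hooks/pre-commit and making it executable; a developer who genuinely needs to commit a flagged file can bypass a single commit with git commit --no-verify, which is why a hook like this belongs alongside server-side scanning rather than in place of it.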

Monday, 16 December 2019 (Ipswich)

Location: The Briarbank Bar

Agenda:

  • Secure Beer tasting.

    We will enjoy beer, socialise and discuss various aspects of InfoSec. Additionally, we will also summarise what we achieved this year and set up goals for next year.

4 November 2019 (Ipswich)

Location: University of Suffolk, Waterfront Building, 19 Neptune Quay, Ipswich IP4 1QJ

Agenda:

  • OWASP Suffolk Introduction, Welcome and News - WTC

    Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

  • Practical Threat Analysis – Martin Russ [ Slides ][ Video ]

    Martin Russ shows you how to actually do Threat Analysis using a simple spreadsheet as a guide. The key to successful threat analysis and modelling is to have a clear idea of how to get to the end-point, and not to get overwhelmed with how you are going to get there! Having a simple guide makes this much easier, but there aren’t many examples out there; this turns out to be one of those rare topics where Google searches don’t return much that is particularly useful. So we will be using a very straightforward approach that isn’t scary or hard to understand, and which doesn’t require a brain the size of a planet, or the services of an expensive consultant!

Speakers

  • Martin Russ passed the CISSP exam in just over four hours (you are allowed to take six!), but has just lapsed and returned to the status of mere mortal. He worked in the Security Engineering department of a major US utility metering company for nearly ten years, and knows too much about hacking devices that measure, or web front-ends that interface to the real world, or cloud back-ends that assume that replication is a substitute for backups… He has always wanted a t-shirt that says: ‘There’s no way that could ever happen…’ because he has heard it too many times in security workshops…

30 September 2019 (Ipswich)

Location: University of Suffolk, Waterfront Building, 19 Neptune Quay, Ipswich IP4 1QJ

Agenda:

  • OWASP Suffolk Introduction, Welcome and News - WTC

    Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

  • What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby [ Slides ][ Video ]

    An introduction to threat modelling: what it is, why it is needed and how to do it right. Why and how threat modelling should evolve to be ready for 21st century threats. We will discuss potential threats at each stage of the SDLC, and how to approach them.

Speakers

  • Phil Ashby has over 30 years’ experience in tech. He is currently working for an identity intelligence company, trying to evolve it from a single-location, sub-300 people business to a global 1000+ people corporate.

Monday 15th July 2019 (Ipswich)

Location: University of Suffolk, Waterfront Building, 19 Neptune Quay, Ipswich IP4 1QJ

Agenda:

  • OWASP Suffolk Introduction, Welcome and News - WTC

    Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

  • You’re only as strong as your weakest link – Edward Ogden [ Slides ] [ Video ]

    Servers are the root of all web apps and sites: they are the central point that your clients/customers connect to and where you put your code. Many small, under-resourced companies that do their own hosting don’t put the time and investment into their hosting technology, and this is where it starts to go wrong. This talk will discuss what some of the dangers are and what could happen if an attacker gets into your infrastructure; we will also talk about how some simple changes to the infrastructure can reduce the risk of being attacked.

  • Discussion about future of OWASP Suffolk

    We will have an open discussion about what we are doing, and what YOU expect us to do.

Speakers

  • Edward Ogden has been in the IT industry for only 6 years and has learnt most of his skills on the job. He started his career as a web developer, progressing to the operations side of the industry. Currently he is working for SETL Ltd as a DevOps engineer, automating code deploys for clients around the world. As a young child he was always interested in servers, starting off by hosting gaming servers from his bedroom at the age of 14.

Tuesday, 21 May 2019 (Ipswich)

Location: University of Suffolk, Waterfront Building, 19 Neptune Quay, Ipswich IP4 1QJ

Agenda:

  • OWASP Suffolk Introduction, Welcome and News - WTC

    Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

  • Windows Active Directory Security Lowlights - Barry Myles

    Once an attacker is inside your organisation, they will very often misuse Windows Active Directory to achieve almost total compromise of every aspect of an organisation’s computing infrastructure and the data it holds. This talk will describe how an attacker might do this, when they have done so in the past, the kinds of tools they would use, what common mistakes enable this, and how organisations could go about defending themselves, both through changes in behaviour and changes to their setup.

Speakers

  • Barry Myles leads an internal penetration testing team at BT, although he tries to stay away from very traditional views of pen testing as much as possible. After becoming somewhat bored and jaded with project management work in 2006, he decided the life of an attacker was a much more fun, but perhaps less constructive, way of life. He enjoys large-scale scanning, reverse engineering, cryptography, hardware hacking and network protocols a bit too much.

Tuesday, 23rd April 2019 (Ipswich)

Location: University of Suffolk, Waterfront Building, 19 Neptune Quay, Ipswich IP4 1QJ

Agenda:

  • OWASP Suffolk Introduction, Welcome and News - WTC

    Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

  • Data Protection Act 2018 - Rebecca Moran [ PDF ] [ Video ]

    An overview of the requirements of the new Data Protection Act 2018 (GDPR) and its influence on development and project management.

Speakers

  • Rebecca Moran is the owner of ReMo InfoSec, a qualified ISO27001 lead implementer and auditor, and a preacher of the ISO27001 bible. Registered GDPR practitioner and all-round data protection whiz.

Tuesday, 19th March 2019 (Ipswich)

Location: University of Suffolk, Waterfront Building, 19 Neptune Quay, Ipswich IP4 1QJ

Agenda:

  • OWASP Suffolk Introduction, Welcome and News - WTC

    Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

  • Understanding how to prevent Sensitive Data Exposure - Simon Greatrix [ PDF ] [ Video ]

    Sensitive data is often the target of any attack, and its exposure has the greatest risk of long-term damage. OWASP and the PCI DSS provide many recommendations. The internet provides even more. These can be hard to understand, hard to implement, and contradictory. I will be sharing my understanding of how the cryptographic algorithms work and how they should best be used.

Speakers

  • Dr Simon Greatrix has been writing software since the late 70s and has worked as a security expert in e-commerce for nearly 20 years. He is currently working on SETL’s blockchain product. Java has been his preferred programming language since 1996.

Monday, 25th February 2019 (Ipswich)

Location: Connexions, 159 Princess Street, Ipswich

Agenda:

  • OWASP Suffolk Introduction, Welcome and News - WTC

    Welcome and an update on OWASP Projects & Events from the OWASP Suffolk Chapter Leader.

  • Yet another talk on OWASP Top 10 - WTC [PDF]

    Brief overview of OWASP Top 10.
