OWASP Timisoara
Welcome
Welcome to the OWASP Timisoara Chapter Homepage
Follow us on Twitter. Follow us on Meetup. Follow us on Linkedin. Subscribe on YouTube.
Timisoara has a mature software development community, and one of our main aims is to continuously improve application security. Everyone is welcome to join our chapter meetings, members and non-members alike. OWASP Timisoara Chapter meetings / events are free and open, so please join us!
The chapter leaders are Catalin Curelaru and Daniel Ilies.
Anyone who wants to get involved and help the Chapter evolve is very welcome; please just contact us. If you want to present at one of our meetings / events, please read the speaker agreement first. If you have any questions about the OWASP Timisoara Chapter, send an email to Catalin Curelaru.
Next event: for details please check Upcoming Events.
Next Meeting/Event
Please see our Meetup page for more details and to register as attendee
OWASP Timisoara #25: Firewalls, Product Security & Contingency plans [IN-PERSON]
The next OWASP Timisoara Chapter Meetup will be in person.
See https://owasp.org/www-chapter-timisoara/ for more information about the OWASP Timisoara chapter. Theme sessions: Firewalls, Product Security & Contingency plans
18:00
Welcome participants
18:10
Introduction, OWASP News & Updates - Catalin Curelaru
18:15
Securing the Gates: The Hidden Flaws Behind the Firewall - Adrian Daniel BACANU (RAZDON)
18:50
Running a Product Security Assessment Program at scale - Alina NICULA (VISMA)
19:30
Contingency plan from security point of view - Adrian BARAN (VITESCO)
20:00
Networking
Adrian Daniel BACANU - CEO @ RAZDON Adrian Daniel BACANU is the CEO and co-founder of Razdon, a pioneering CyberSecurity startup. With 14 years of enterprise experience and a lifelong passion for hacking, now spanning two decades, Daniel brings a wealth of expertise to the cybersecurity field. He still offers some Security Architecture consultancy for different companies across Europe, and from time to time he engages in bounty hunting. When not decoding the matrix of cyber threats, Daniel enjoys life with his wife and two boys, plays football twice a week, and maintains a spirited sense of humor, because in cybersecurity, sometimes, you really can’t afford to joke.
Securing the Gates: The Hidden Flaws Behind the Firewall Abstract: Effective cybersecurity is not just about having defenses in place but ensuring they are properly designed. ‘Securing the Gates: The Hidden Flaws Behind the Firewall’ illuminates the common pitfalls in firewall implementations that often go unnoticed. This presentation will demonstrate typical design errors that compromise security and provide actionable insights on how to rectify these flaws to create robust defenses. Attendees will learn how to not only deploy but also optimize firewalls to safeguard their digital assets effectively.
Alina NICULA - VASP Lead and Product Security Assessment Service Owner and reviewer @ VISMA Alina has been working within product development teams as a software developer, security engineer, and software and cloud service architect. In recent years she has focused on software security by guiding Visma teams into securing their applications, data, cloud workloads, and delivery pipelines to avoid potential cybersecurity risks.
Running a Product Security Assessment Program at scale Abstract: Having a product security assessment program is essential for any company. It is equally critical to ensure that this program remains relevant over time and is scalable as the company grows. In this presentation, I will discuss how we ensure that our designed processes empower development teams to make informed security decisions while also giving them ownership over the remediation of the security aspects that impact their products. However, achieving this goal requires a strong and knowledgeable security review team that supports the delivery teams with informed security-by-design best practices. So, how have we been able to grow our program? I hope you will leave this presentation with a clear understanding of our approach.
Adrian BARAN - Security Manager @ VITESCO
Contingency plan from security point of view Abstract:
Past events
OWASP Timisoara #24: Bug Bounty and Cloud Security [ONLINE]
Tomi Koski - Red Team Engineer @ Visma Tomi Koski has been working with IT-systems for many moons, actually since (the wonderful) 1990’s. He is passionate about anything related to security, combining both physical and virtual worlds. He is a constant learner and very curious person about life and bug bounties. Currently, he is working for Visma as a Red (read: Purple) Teamer
Bug Bounty(Again) Abstract: My journey in the world of Bug Bounties, the good and bad. Story about how bug bounties have changed my life and why I think these are super fun and educational.
Ovidiu Cical - Cloud Security Architect @ Cyscale Ovidiu is a cybersecurity enthusiast with 20 years of experience in IT. Ovidiu speaks at international conferences covering different topics of Cybersecurity and is not a stranger to the pro-bono work of running the OWASP chapter in Cluj-Napoca for many years in the past. Currently, he leads Cyscale, a cloud security startup developing a product from the heart of Cluj-Napoca.
The bigger picture Abstract: The bigger picture: context is critical in understanding your security posture. Why a certain problem in one part of your cloud infrastructure may affect other areas of your cloud apps, how cloud data is secured, and how safe the rest of your cloud estate is.
OWASP Timisoara #23: Secure Coding Tournament [IN-PERSON]
The next OWASP Timisoara Chapter Meetup will be in person.
See https://owasp.org/www-chapter-timisoara/ for more information about the OWASP Timisoara chapter. Theme sessions - Theme: Secure Coding Tournament
Schedule
Time:
18:00 to 21:00
18:00 - 18:20 - Welcome participants - Lucian Patian (Haufe)
18:20 - 18:30 - Introduction, OWASP News & Updates - Catalin Curelaru
18:30 - 19:45 - Secure Coding Tournament
19:45 - 20:00 - Prizes
Location of the event: UBC0, et 15, Sediu Haufe.Group, Piața Consiliul Europei 2 · Timișoara
Event powered by Haufe.Group & Secure Code Warrior
More about the event: Secure Code Warrior brings you a defensive security-based tournament from a developer’s perspective. The tournament allows you to test your skill in a series of vulnerable code challenges that ask you to identify a problem, locate insecure code, and fix a vulnerability.
You don’t need extensive programming knowledge as this will be a great way to learn the foundations and intermediates of leveraging code that is not only functional but is also secure.
You can find the tournament step-by-step guide here: https://youtu.be/o8XhKK_eOOs
The tournament is hosted physically by Haufe.Group and you can join through your laptop. The tournament should take only about 1.5 hours; drop in as you see fit during the event to complete all the challenges and win prizes!
OWASP Timisoara #22: 08 June 2023
The next OWASP Timisoara Chapter Meeting will be in person.
Theme sessions - Theme: CyberSecurity Ecosystem, Cloud Security
POWERED BY VISMA
Schedule
Time:
18:00 to 21:00
18:00
Welcome participants
18:15
Introduction, OWASP News & Updates - Catalin Curelaru
18:30
CyberSecurity Ecosystem - Octavian STANCU (Eviden)
19:00
Security Log Management - Adrian PAUL (Visma)
19:30
Break with drinks
19:40
Improving security in AWS Cognito - Lucian Patian (Haufe)
20:10
Networking - Pizza
More about the speakers and topics
Octavian STANCU - Head of Cybersecurity Services @Eviden GDC Romania, an Atos business
Octavian Stancu is an experienced Unit Lead and IT Instructor with a demonstrated history of working in the Information Technology industry, specifically in the fields of Cybersecurity, Networking and Telecommunications. As the Head of Cybersecurity Services, Octavian brings extensive expertise and a strong track record in managing and delivering Cybersecurity services and solutions to Global Delivery Center Romania.
Adrian PAUL - CyberSecurity Engineering Manager @ VISMA I love information technology, am passionate about learning about it, and am always looking to put the pieces together. Currently, in the conspicuous role of managing the Cyber Security Engineering team that is in charge of the implementation, maintenance and development of multiple security services at Visma. When time permits, I enjoy running and volunteering.
Security Log Management Abstract: Ensuring the confidentiality, integrity, and availability of the modern digital enterprise is not an easy task. It involves many parallel and related efforts, from systems engineering to effective cybersecurity policy and comprehensive workforce training. The essential elements in cybersecurity operations are monitoring, analyzing, responding to, and recovering from cyber attacks. Behind the scenes, programs and policies must be put into place to support cybersecurity operations.

Organizations are starting to use cloud computing to take advantage of its many benefits, including cost savings, quick time-to-market, and on-demand scaling of the environment. To improve security visibility in the cloud, security operations teams will want to develop a continuous monitoring strategy that uses a combination of cloud-native services and third-party options for the Security Log Management solution. The strategy needs to provide the most complete range of coverage for both proactively assessing the environment and detecting unusual events or anomalous behaviour rapidly. Additionally, a Security Log Management solution focused on automation and machine learning, alongside new and updated types of monitoring, will evolve into a Next-generation Security Information and Event Management (NG-SIEM) solution.

Logging is a vital part of cybersecurity, as it enables you to detect breaches and identify their source. With a robust Security Log Management solution, you can monitor your environments for unusual activity and take action to stop it before it develops into a full-blown attack. By taking the time to develop a comprehensive logging strategy, you can not only mitigate the potential damage of a cyber attack, but also learn important lessons about how to improve your solution for the future.
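As an added illustration of the "detecting unusual events rapidly" part of the abstract (example code written for this page, not the speaker's or Visma's tooling), the block below runs one detection rule over a few constructed authentication log lines. The log format, the addresses and the thresholds are all assumptions made for the example; a real deployment would feed SIEM-normalised events into the same function.

```python
"""Added example: a brute-force / credential-stuffing rule over auth logs.

It flags a source that produces `threshold` failed logins within a sliding
window of `window_s` seconds, and separately flags any later *success* from
that source, which is the event a SOC should actually page on.
The log format and the sample lines below are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.7 sprays several accounts, then gets in.
SAMPLE_LOG = """\
2023-06-08T18:00:01Z auth failure user=alice src=203.0.113.7
2023-06-08T18:00:03Z auth failure user=bob src=203.0.113.7
2023-06-08T18:00:04Z auth success user=carol src=198.51.100.20
2023-06-08T18:00:06Z auth failure user=carol src=203.0.113.7
2023-06-08T18:00:09Z auth failure user=dave src=203.0.113.7
2023-06-08T18:00:10Z auth failure user=erin src=203.0.113.7
2023-06-08T18:00:12Z auth success user=erin src=203.0.113.7
2023-06-08T18:20:00Z auth failure user=alice src=192.0.2.9
2023-06-08T18:20:05Z auth success user=alice src=192.0.2.9
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for an unknown format."""
    m = LINE_RE.match(line)
    if not m:
        return None  # skip rather than crash the pipeline on odd lines
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bursts(lines, threshold=5, window_s=60):
    """Return a list of (kind, src, ts) alerts.

    kind is "burst" the first time a source reaches `threshold` failures inside
    the sliding window, and "success_after_burst" for any later success from
    that same source.
    """
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    burst_sources = set()
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        q = recent[ev["src"]]
        # Drop failures that have fallen out of the window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if ev["result"] == "failure":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in burst_sources:
                burst_sources.add(ev["src"])
                alerts.append(("burst", ev["src"], ev["ts"]))
        elif ev["src"] in burst_sources:
            alerts.append(("success_after_burst", ev["src"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, ts in detect_bursts(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind} src={src}")
```

On the sample above the rule fires twice for 203.0.113.7 (the burst at 18:00:10 and the success two seconds later) and stays silent for the single failed attempt from 192.0.2.9. The sliding window is per source, so tune `threshold` and `window_s` to the endpoint's normal failure rate before wiring it to a pager.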
Lucian Pătian - Cloud Solutions Architect @ Haufe Group
Lucian Pătian is a Cloud Solutions Architect at Haufe Group Timisoara. With a SysAdmin background, for the past four years, he has earned a reputation for finding creative solutions to problems in Cloud.
Improving security in AWS Cognito
Abstract: We will discuss why using the standard configurations in Cognito can make your application a security honeypot, how you can use AWS WAF to add an extra layer of protection, and why using verified token attributes should be a must.
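The "verified token attributes" point deserves a concrete form. The block below is an added example for this page, not code from the talk or from Haufe: it shows the claim checks an application must run on a Cognito JWT after the signature has been verified against the user pool's JWKS (signature verification itself is assumed to be done by your JWT library and is not part of this block). The region, pool id, client id and claim values are constructed placeholders.

```python
"""Added example: Cognito JWT claim checks that are easy to skip.

Assumes the RS256 signature was already verified against the pool's JWKS.
Shows the checks that must follow: issuer, token_use, audience/client_id,
expiry, and refusing to trust identity attributes whose *_verified flag
is not true. All identifiers below are constructed placeholders.
"""
import base64
import json
import time


def decode_payload(token):
    """Return the JWT payload as a dict (no signature check; see module doc)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def validate_cognito_claims(claims, region, user_pool_id, client_id,
                            expected_use="id", now=None):
    """Raise ValueError on any failed check; return the claims on success."""
    now = time.time() if now is None else now
    issuer = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch: token is from another pool")
    if claims.get("token_use") != expected_use:
        raise ValueError(f"token_use {claims.get('token_use')!r}, expected {expected_use!r}")
    # ID tokens carry the app client in `aud`, access tokens in `client_id`.
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != client_id:
        raise ValueError("token was issued to a different app client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or has no exp")
    return claims


def trusted_email(claims):
    """Return the email only if Cognito has verified it, else None.

    With self sign-up enabled a user can set any email at registration;
    until it is verified, `email` is attacker-controlled input.
    """
    if claims.get("email_verified") is True:
        return claims.get("email")
    return None


def make_unsigned_token(claims):
    """Constructed demo helper: a JWS-shaped token with an empty signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'demo'})}.{enc(claims)}."


# Constructed placeholders, not real identifiers.
REGION = "eu-west-1"
POOL_ID = "eu-west-1_EXAMPLE"
CLIENT_ID = "exampleclientid123"

GOOD_ID_CLAIMS = {
    "iss": f"https://cognito-idp.{REGION}.amazonaws.com/{POOL_ID}",
    "aud": CLIENT_ID, "token_use": "id", "exp": 2_000_000_000,
    "email": "alice@example.com", "email_verified": True,
}
# Same pool, same client, but the email was never verified.
UNVERIFIED_CLAIMS = dict(GOOD_ID_CLAIMS, email="victim@example.com", email_verified=False)

if __name__ == "__main__":
    claims = validate_cognito_claims(decode_payload(make_unsigned_token(GOOD_ID_CLAIMS)),
                                     REGION, POOL_ID, CLIENT_ID, now=1_700_000_000)
    print("trusted email:", trusted_email(claims))
    print("unverified email ->", trusted_email(UNVERIFIED_CLAIMS))
```

The `trusted_email` check is the one the abstract is pointing at: if authorization (say, mapping users to a tenant by email domain) keys on `email` without looking at `email_verified`, anyone who can self-register can claim an address they do not own. The `token_use` and audience checks stop an access token being accepted where an ID token is expected and stop tokens minted for another app client of the same pool.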
OWASP Timisoara #21: 23 June 2022
The next OWASP Timisoara Chapter Meeting will be online.
Theme sessions - Theme: Recon, Vulnerabilities, Bug Hunting
Schedule
Introduction, OWASP News & Updates - Catalin Curelaru
Work harder, not smarter! - Daniel Tomescu (KPMG)
Recon tips and tricks - Alexis Fernandez (Visma)
Time:
18:30 to 20:30
More about the speakers and topics
Daniel Tomescu - Senior Manager / Ethical Hacker @KPMG
Daniel is a Senior Manager and Ethical Hacker at KPMG Romania by day. By night, Daniel is a Bug Bounty Hunter and Curious Security Researcher.
Work harder, not smarter! Abstract: Every memorable presentation within the infosec community teaches you how to enumerate more, automate everything and generally work “smarter” by letting cool tools do the job for you even when you sleep. But what if you are the kind of person who likes to get their hands dirty and actually find vulnerabilities the old-fashioned way? In the age of speed, is it still possible for hard work to beat automation? This presentation will highlight the advantages of actually putting hard work into exploiting the unexploitable and the difference it makes in terms of impact.
Alexis Fernandez - Red Team engineer @Visma
Red Team operator at Visma, pentester and bug hunter with extensive experience in Linux systems administration and programming. In love with asset recon and discovery techniques. ReconFTW and PentestBook author.
Recon tips and tricks Abstract: In this talk I will explain some hidden gems to perform a better and deeper reconnaissance of your targets, especially when it comes to subdomain enumeration, but also the rest of the phases.
OWASP Timisoara #20: 09 December 2021
The next OWASP Timisoara Chapter Meeting will be online.
Winter sessions - Theme: AI, Bug Bounty & Web Fuzzing
Schedule
Introduction, OWASP News & Updates - Catalin Curelaru
AI in Security - Robbe Van Roey (Intigriti)
FFUF - Fuzz Faster, U’re **ed … (The good, the bad and the ugly of web fuzzing) - Joona Hoikkala (Visma)
Time:
18:30 to 20:30
More about the speakers and topics
Robbe Van Roey - Hacker Manager @ Intigriti
Robbe Van Roey or better known as PinkDraconian finished his studies in AI & robotics, but because of his passion for cybersecurity, he became the Hacker Manager for the popular bug bounty platform Intigriti. Besides his work life, he runs a YouTube channel where he details challenges, CVEs, and all kinds of cybersecurity related topics in videos. Check him out on twitter (@PinkDraconian)
AI in Security Abstract: Artificial intelligence has been the driving development factor in many industries over the past decade, but what about the cybersecurity industry? In this presentation, I would like to introduce all of you to what AI could mean for you in the cybersecurity field. We’re going on a journey through what is possible and what will be possible when combining AI with cybersecurity.
Joona Hoikkala - Red Team Manager @Visma
Working as red team manager at Visma, Joona is a hacker with experience from multiple vantage points and aspects of information security, software development and brewing. He’s an open so(u)rcerer and has built or contributed to a wide variety of security tools, both offensive and defensive. This talk discusses both positive and negative phenomena around a web fuzzing tool he built and maintains: ffuf, or “fuzz faster u fool”.
FFUF - Fuzz Faster, U’re ****ed … The good, the bad and the ugly of web fuzzing Abstract: Web fuzzing is a powerful method for automating the boring tasks in both black box and gray box testing of web applications. There’s only so much one can do when approaching this kind of target manually, but with proper tooling the server resources are the only limit. Wait? Server resources being the limit?
Penetration testers, bug bounty hunters, security researchers and criminals are using the same techniques for different purposes. What happens when you are able to send tens of thousands of requests from your laptop, over the internet, to a target? What if you scale it up horizontally, doing the same thing from hundreds of sources? What if the responding endpoint is intentionally slow, a login for example?
In the cloud-native age, rate limiting might seem like an ancient thing from a distant past, but for the very same reasons it’s more relevant than ever…
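To make the rate-limiting point concrete, here is an added example (written for this page, not from the talk or from the ffuf project) of a per-client token-bucket limiter in front of a deliberately slow endpoint such as a login form. Capacity, refill rate and the client addresses are constructed values; state is held in process, so the horizontally scaled case from the abstract needs the same logic backed by a shared store or enforced at the edge.

```python
"""Added example: per-client token-bucket rate limiter for a slow endpoint.

Each client key (here a source IP) gets a bucket that starts full, allowing
a small burst, then refills at a slow constant rate. A fuzzer sending tens of
thousands of requests gets `capacity` through and is then throttled, while a
human retyping a password every few seconds never notices the limiter.
The clock is injected so behaviour is deterministic; values are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Bucket:
    tokens: float
    updated: float


@dataclass
class RateLimiter:
    capacity: int = 5          # burst allowed before throttling starts
    refill_per_s: float = 0.2  # one new attempt every 5 s per client
    buckets: dict = field(default_factory=dict)

    def check(self, key, now):
        """Return (allowed, retry_after_seconds) for client `key` at time `now`."""
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(tokens=float(self.capacity), updated=now)
        # Refill in proportion to elapsed time, never above capacity.
        b.tokens = min(self.capacity, b.tokens + (now - b.updated) * self.refill_per_s)
        b.updated = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True, 0.0
        retry_after = (1.0 - b.tokens) / self.refill_per_s
        return False, retry_after


def simulate(limiter, key, n_requests, interval_s, start=0.0):
    """Send n requests from one client spaced interval_s apart; return how many pass."""
    allowed = 0
    for i in range(n_requests):
        ok, _ = limiter.check(key, start + i * interval_s)
        allowed += ok
    return allowed


if __name__ == "__main__":
    # ffuf-style burst: 100 requests in one second from a single address.
    print("burst allowed:", simulate(RateLimiter(), "203.0.113.7", 100, 0.01))
    # A human retrying every 10 s stays under the refill rate and is never blocked.
    print("slow client allowed:", simulate(RateLimiter(), "198.51.100.5", 10, 10.0))
```

A denied request should be answered with HTTP 429 and a `Retry-After` header built from the second return value, and the key should be chosen with care: per-IP limits alone are defeated by the horizontal scaling the abstract describes, so pairing them with a per-account limit on the login path closes the obvious gap.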
OWASP Timisoara #19: 17 June 2021
The next OWASP Timisoara Chapter Meeting will be online.
Summer sessions - Theme: Threat Modeling & Iterative Security
Schedule
Introduction, OWASP News & Updates - Catalin Curelaru
Challenges and Experiences with Threat Modeling in Agile Development Projects - Monica Iovan (Visma) & Daniela S. Cruzes (NTNU)
Security through an iterative process - Dario Cavallaro (Cisco)
Time:
18:30 to 20:30
More about the speakers and topics
Dr. Monica Iovan, Head of Security Development @ Visma.
Dr. Monica Iovan, Head of Security Development, Visma. In her free time, Monica enjoys peaceful moments in nature and the company of a good book. She is a passionate researcher with the goal of simplifying the use of security services within Agile development. She leads the security development team in Visma and conducts research on security in agile software development.
Dr. Daniela S. Cruzes, Professor @ Norwegian University of Science and Technology (NTNU)
Dr. Daniela S. Cruzes is a Professor at the Norwegian University of Science and Technology (NTNU). Previously, she worked as a senior research scientist at SINTEF in Norway. She has also been a research fellow at the University of Maryland and the Fraunhofer Center for Experimental Software Engineering-Maryland. Dr. Daniela Cruzes received her PhD in experimental software engineering from the University of Campinas - UNICAMP in Brazil in 2007. Her research interests are empirical software engineering, research methods and theory development, synthesis of SE studies, software security, software testing, and agile and DevOps.
Challenges and Experiences with Threat Modeling in Agile Development Projects
Abstract: The goal of secure software engineering is to create software that keeps performing as intended even when exposed to attacks. Threat modeling is considered to be a key activity, but can be challenging to perform for developers, and even more so in agile software development. Hence, threat modeling has not seen widespread use in agile software projects. The goal of the presentation is to show some of these challenges and approaches that the teams are working on.
Dario Cavallaro, Security Customer Success Specialist @ Cisco.
Security through an iterative process
Abstract: Security through an iterative process is a collection of notes gathered over 15+ years of experience. We will go through what has worked for most companies, some myths, and some of the common things that are typically missing but that everybody wants.
OWASP Timisoara #18: 18 March 2021
Spring sessions - Theme: Security Automation & Intelligence, Code Patterns
More about the speakers and topics
Teofil Cojocariu, Application Security Engineering Lead @ Betfair Development Romania.
I’m focused on Application Security Engineering & Penetration Testing combined with a CAMS mindset (Culture, Automation, Measurement, Sharing - DevSecOps), and I have reported security bugs to Google, Facebook, Uber, Bitdefender, ING Bank, Yahoo and other companies. One of the most interesting things is that I built a platform, “Surface - Security Intelligence Automation Platform”, which is used by more than 900 people in Paddy Power Betfair and Flutter, and I was the Security SME for a Private Cloud based on OpenStack with environments as code.
Surface Security - Security Intelligence Automation Platform
Abstract: Our external attack surface is constantly growing, which gives external attackers the opportunity to continuously search for new attack vectors. In order to respond successfully to security incidents we needed a centralized platform which aggregates all the data about our premises in a single place.
Surface Security (Security Intelligence Automation Platform) is an internally built tool which helps our internal Security teams gain a holistic view of our externally exposed assets. More than that, it facilitates faster incident response based on the information it correlates. Surface started as a small project in which we tried to close the gaps identified in our security controls. The platform’s core is built in Django, a Python-based open-source framework with a fast learning curve. Besides Django, we use technologies like Ansible (automation), Dkron (fault-tolerant jobs), Elasticsearch (security metrics storage) and Grafana (reporting). Over time it gained a lot of traction in our company, motivating people to contribute to its success by implementing and suggesting new features. We currently use it for reporting security gaps to key business areas and for security controls like monitoring our externally exposed assets, vulnerability management, security incidents, bug bounty reports and penetration testing.
Bence Nagy, software engineer @ r2c.
Bence Nagy is a software engineer at r2c, working on Semgrep, an open-source syntax-aware code search tool. At r2c, his responsibilities tend towards building various interfaces atop the core semgrep CLI. These include CI integrations, editor extensions, and the semgrep.dev web app. He previously led a developer experience team at Kiwi.com, the Czech Republic’s top startup at the time of its acquisition in 2019. You should totally ask him for video game recommendations after the talk.
Detect complex code patterns using semantic grep
Abstract: We’ll discuss a program analysis tool we’re developing called Semgrep. It’s a multilingual semantic tool for writing security and correctness queries on source code (for Python, Java, Go, C, and JS) with a simple “grep-like” interface. The original author, Yoann Padioleau, worked on Semgrep’s predecessor, Coccinelle, for Linux kernel refactoring, and later developed Semgrep while at Facebook. He’s now full time with us at r2c.
Semgrep is a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. Semgrep is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.
OWASP Timisoara #17: 03 December 2020
Online Event - Due to COVID-19 in Romania, the #17 OWASP Timisoara Chapter meetup will be ONLINE. Winter sessions - Theme: Hackers Mindset + Web Indexing and Crawlers
More about the speakers and topics
Per Olsson (repolsson), Application Security Engineer at Visma. Per has a background as a developer focusing on the security aspects of software development; he has an unhealthy obsession with passwords and with understanding the human behind the hoodie.
Hackers and the hacker mindset Abstract: Per will talk about what hacking actually is, how a hacker thinks compared to for example a developer and about a few different types of hackers.
Tom Hudson (TomNomNom), Security Research Tech Lead at Detectify. Tom is from Bradford in the UK and he is an open-source tool maker, trainer, talker, fixer, eater, not really a sheep.
The Unsearchables - Finding Things That Google Doesn’t Abstract: Google does a fine job of indexing the web for most purposes, but we often want to find things that “regular” people aren’t so interested in. Let’s take a look at some places you can look, and some techniques you can use to find things that Google doesn’t index. We’ll look at digging into git repository histories, Docker images, and a few other things to find secrets and other useful information.
Schedule
18:30
Welcome participants
18:40
Hackers and the hacker mindset - Per Olsson (Visma)
19:15
The Unsearchables - Finding Things That Google Doesn't - Tom Hudson (Detectify)
19:50
Networking or Other Questions
Time:
18:30 to 20:00
OWASP Timisoara #16: 24 September 2020
Online Event - This summer at the #16 OWASP Timisoara edition you will find out from experts what pushes the industry further. We will explore the latest cyber trends in Bug Bounty and Responsible Disclosure Programs, presented by the OWASP Timisoara Board members (Ioana Piroska & Daniel Ilies), and in Cyber Threat Intelligence by Julius Nicklasson from Recorded Future. Summer sessions - Theme: Bug Bounty, Responsible Disclosure and Cyber Threat Intelligence
Schedule
18:00
Welcome participants
18:10
Working with Hackers (Bug Bounty and Responsible Disclosure Program) - Ioana Piroska (Visma) & Daniel Ilies (Visma)
18:45
Cyber Threat Intelligence - Julius Nicklasson (Recorded Future)
Time:
18:00 to 19:20
OWASP Timisoara #15: 11 December 2019
Powered by UnifiedPost / Address: C. Brediceanu, 10, City Business Center, Building D, 5th floor, Timisoara, Romania
Winter sessions - Theme: Honeypots, Hacking and Community Building
Schedule
18:00
Welcome participants
18:15
About Honeypots - Florin Patruta
18:50
Break
18:55
Too good to be true - Learning path: How to become a hacker - Catalin Curelaru
19:30
Break
19:35
Learning Security & Community Building - Radu Ticiu
20:10
Networking
Time:
18:00 to 21:00
POWERED BY UnifiedPost
> snacks and drinks on the house
OWASP Timisoara #14: 29th August 2019
Powered by Visma / Address: Strada Aristide Demetriade, Nr 1, UBC3 building, 10th Floor, Timisoara
Summer sessions - Theme: CyberSecurity, XSS/CSRF Attacks, Transparency
Schedule
18:00
Welcome participants
18:15
Intro OWASP Timisoara - Catalin Curelaru
18:20
CyberSecurity - Behind your front door - Adrian Daniel Bacanu
18:50
Break
19:00
XSS & CSRF attacks - Daniel Ilies & Claudiu Ivan
19:45
Break
19:50
Transparency of Episode XVI: The Empire Strikes - Catalin Curelaru
20:20
Endnote - Plans for the future - Involvement in the Chapter - Catalin Curelaru
20:30
Networking
Time:
18:00 to 21:00
POWERED BY Visma Romania
20th September 2016, OWASP InfoSecTM #13
Speakers
Matei-Eugen Vasile, ApTI - Digital privacy and its enemies
Lucian Florin Ilca, Atos - Presentation and development of vulnerabilities in routers, switches and access points
31th May 2016, OWASP InfoSecTM #12
Speakers
Daniel BORCA - engine developer, Bitdefender - Be aware of your bugs, if you aren’t, someone else is
12th April 2016, OWASP InfoSecTM #11
Title: Be aware of your bugs, if you aren’t, someone else is
The first session will introduce key concepts necessary to understand what is going on “under the hood” of your program and how this correlates with being a possible victim of an exploit.
We will also dissect a real-life exploit to see how this is done “in the wild” and what we can do to prevent it.
Speakers
Daniel BORCA - engine developer, Bitdefender
Alin BARBATEI - malware researcher, Bitdefender
17th February 2016, OWASP InfoSecTM #9
15th December 2015, OWASP InfoSecTM #8
Previous speakers at OWASP Timisoara
Andreea Bozesan
Ciprian Lucaci
Dan Negrea
Radu Ciorbă
Flavius Oprițoiu
Sponsorship
Become a supporter of OWASP or of the OWASP Timisoara Chapter and help us make application security more visible.
All information about becoming a member/sponsor can be found here:
https://www.owasp.org/index.php/Local_Chapter_Supporter
Participation
OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter Leader Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.