OWASP Timisoara

Welcome

Welcome to the OWASP Timisoara Chapter Homepage


Timisoara has an evolved software development community and one of the most important aspects that we aim to achieve is to continuously improve the application security world. Everyone is welcome to join our chapter meetings, members and non-members. OWASP Timisoara Chapter meetings / events are free and open, so please join us!

The chapter leaders are Catalin Curelaru and Daniel Ilies.

Anyone who wants to get involved and help the Chapter evolve is very welcome; please just contact us. If you want to present at one of our meetings / events, please read the speaker agreement first. If you have any questions about the OWASP Timisoara Chapter, send an email to Catalin Curelaru.

Next event: for details, please check Upcoming Events.

  • Past chapter leaders: Cornel Punga (2015 - 2019), Florina Rosiu (2015 - 2019)
  • Next Meeting/Event

    Please see our Meetup page for more details and to register as an attendee.

    OWASP Timisoara #24: Bug Bounty and Cloud Security [ONLINE]

    The next OWASP Timisoara Chapter Meetup will be online.

    See https://owasp.org/www-chapter-timisoara/ for more information about the OWASP Timisoara chapter.

    Theme sessions - Theme: Bug Bounty and Cloud Security

    18:00 Welcome participants

    18:15 Introduction, OWASP News & Updates - Catalin Curelaru

    18:30 Bug Bounty (Again) - Tomi Koski (Visma)

    19:00 The bigger picture - Ovidiu Cical (Cyscale)

    19:30 Networking

    Tomi Koski - Red Team Engineer @ Visma

    Tomi Koski has been working with IT systems for many moons, actually since the (wonderful) 1990s. He is passionate about anything related to security, combining both the physical and virtual worlds. He is a constant learner, very curious about life and bug bounties. Currently, he is working for Visma as a Red (read: Purple) Teamer.

    Bug Bounty (Again)

    Abstract: My journey in the world of Bug Bounties, the good and the bad. A story about how bug bounties have changed my life and why I think they are super fun and educational.

    Ovidiu Cical - Cloud Security Architect @ Cyscale

    Ovidiu is a cybersecurity enthusiast with 20 years of experience in IT. Ovidiu speaks at international conferences covering different topics in cybersecurity and is no stranger to pro-bono work, having run the OWASP chapter in Cluj-Napoca for many years in the past. Currently, he leads Cyscale, a cloud security startup developing a product from the heart of Cluj-Napoca.

    The bigger picture

    Abstract: The bigger picture: context is critical in understanding your security posture. Why a certain problem in one part of your cloud infrastructure may affect other areas of your cloud apps, how cloud data is secured, and how safe the rest of your cloud estate is.

    Past events

    OWASP Timisoara #23: Secure Coding Tournament [IN-PERSON]

    The next OWASP Timisoara Chapter Meetup will be in person.

    See https://owasp.org/www-chapter-timisoara/ for more information about the OWASP Timisoara chapter.

    Theme sessions - Theme: Secure Coding Tournament

    Schedule Time: 18:00 to 21:00

    18:00 - 18:20 - Welcome participants - Lucian Patian (Haufe)

    18:20 - 18:30 - Introduction, OWASP News & Updates - Catalin Curelaru

    18:30 - 19:45 - Secure Coding Tournament

    19:45 - 20:00 - Prizes

    Location of the event: UBC0, 15th floor, Haufe.Group headquarters, Piața Consiliul Europei 2, Timișoara

    Event powered by Haufe.Group & Secure Code Warrior

    More about the event: Secure Code Warrior brings you a defensive security-based tournament from a developer’s perspective. The tournament allows you to test your skill in a series of vulnerable code challenges that ask you to identify a problem, locate insecure code, and fix a vulnerability.

    You don’t need extensive programming knowledge, as this will be a great way to learn the foundations and intermediate skills of writing code that is not only functional but also secure.

    You can find the tournament step-by-step guide here: https://youtu.be/o8XhKK_eOOs

    The tournament is hosted physically by Haufe.Group and you can join with your laptop. The tournament should take only about 1.5 hours; drop in as you see fit during the event to complete all the challenges and win prizes!

    OWASP Timisoara #22: 08 June 2023

    The next OWASP Timisoara Chapter Meeting will be in person.

    Theme sessions - Theme: CyberSecurity Ecosystem, Cloud Security

    POWERED BY VISMA

    Schedule Time: 18:00 to 21:00

    Introduction, OWASP News & Updates - Catalin Curelaru

    CyberSecurity Ecosystem - Octavian STANCU (Eviden)

    Security Log Management - Adrian PAUL (Visma)

    Improving security in AWS Cognito - Lucian Patian (Haufe)

    18:00 Welcome participants

    18:15 Introduction, OWASP News & Updates - Catalin Curelaru

    18:30 CyberSecurity Ecosystem - Octavian STANCU (Eviden)

    19:00 Security Log Management - Adrian PAUL (Visma)

    19:30 Break with drinks

    19:40 Improving security in AWS Cognito - Lucian Patian (Haufe)

    20:10 Networking - Pizza


    More about the speakers and topics

    Octavian STANCU - Head of Cybersecurity Services @Eviden GDC Romania, an Atos business

    Octavian Stancu is an experienced Unit Lead and IT Instructor with a demonstrated history of working in the Information Technology industry, specifically in the fields of Cybersecurity, Networking and Telecommunications. As the Head of Cybersecurity Services, Octavian brings to Global Delivery Center Romania extensive expertise and a strong track record in managing and delivering Cybersecurity services and solutions.

    Adrian PAUL - CyberSecurity Engineering Manager @ VISMA

    I love information technology, am passionate about learning it, and am always looking to put the pieces together. Currently, I am in the conspicuous role of managing the Cyber Security Engineering team that is in charge of implementation, maintenance and development of multiple security services at Visma. When time permits, I enjoy running and volunteering.

    Security Log Management

    Abstract: Ensuring the confidentiality, integrity, and availability of the modern digital enterprise is not an easy task. It involves many parallel and related efforts, from systems engineering to effective cybersecurity policy and comprehensive workforce training. The essential elements in cybersecurity operations are monitoring, analyzing, responding to, and recovering from cyber attacks. Behind the scenes, programs and policies must be put into place to support cybersecurity operations.

    Organizations are starting to use cloud computing to take advantage of its many benefits, including cost savings, quick time-to-market, and on-demand scaling of the environment. To improve security visibility in the cloud, security operations teams will want to develop a continuous monitoring strategy that uses a combination of cloud-native services and third-party options for the Security Log Management solution. The strategy needs to provide the most complete range of coverage for both proactively assessing the environment and detecting unusual events or anomalous behaviour rapidly. Additionally, a Security Log Management solution focused on automation and machine learning, alongside new and updated types of monitoring, will evolve into a Next-generation Security Information and Event Management (NG-SIEM) solution.

    Logging is a vital part of cybersecurity, as it enables you to detect breaches and identify their source. With a robust Security Log Management solution, you can monitor your environments for unusual activity and take action to stop it before it develops into a full-blown attack. By taking the time to develop a comprehensive logging strategy, you can not only mitigate the potential damage of a cyber attack, but also learn important lessons about how to improve your solution for the future.

    Lucian Pătian - Cloud Solutions Architect @ Haufe Group

    Lucian Pătian is a Cloud Solutions Architect at Haufe Group Timisoara. With a SysAdmin background, over the past four years he has earned a reputation for finding creative solutions to problems in the Cloud.

    Improving security in AWS Cognito

    Abstract: We will discuss why using the standard configurations in Cognito can make your application a security honeypot, how you can use AWS WAF to add an extra layer of protection, and why using verified token attributes should be a must.

    OWASP Timisoara #21: 23 June 2022

    The next OWASP Timisoara Chapter Meeting will be online.

    Theme sessions - Theme: Recon, Vulnerabilities, Bug Hunting

    Schedule

    Introduction, OWASP News & Updates - Catalin Curelaru

    Work harder, not smarter! - Daniel Tomescu (KPMG)

    Recon tips and tricks - Alexis Fernandez (Visma)

    Time: 18:30 to 20:30

    More about the speakers and topics

    Daniel Tomescu - Senior Manager / Ethical Hacker @KPMG

    Daniel is a Senior Manager and Ethical Hacker at KPMG Romania by day. By night, Daniel is a Bug Bounty Hunter and Curious Security Researcher.

    Work harder, not smarter!

    Abstract: Every memorable presentation within the infosec community teaches you how to enumerate more, automate everything and generally work “smarter” by letting cool tools do the job for you, even while you sleep. But what if you are the kind of person who likes to get their hands dirty and actually find vulnerabilities the old-fashioned way? In the age of speed, is it still possible for hard work to beat automation? This presentation will highlight the advantages of actually putting hard work into exploiting the unexploitable and the difference it makes in terms of impact.

    Alexis Fernandez - Red Team engineer @Visma

    Red Team operator at Visma, pentester and bug hunter with extensive experience in Linux systems administration and programming. In love with asset recon and discovery techniques. ReconFTW and PentestBook author.

    Recon tips and tricks

    Abstract: In this talk I will explain some hidden gems for performing better and deeper reconnaissance of your targets, especially when it comes to subdomain enumeration, but also for the rest of the phases.

    OWASP Timisoara #20: 09 December 2021

    The next OWASP Timisoara Chapter Meeting will be online.

    Winter sessions - Theme: AI, Bug Bounty & Web Fuzzing

    Schedule

    Introduction, OWASP News & Updates - Catalin Curelaru

    AI in Security - Robbe Van Roey (Intigriti)

    FFUF - Fuzz Faster, U’re **ed … (The good, the bad and the ugly of web fuzzing) - Joona Hoikkala (Visma)

    Time: 18:30 to 20:30

    More about the speakers and topics

    Robbe Van Roey - Hacker Manager @ Intigriti

    Robbe Van Roey, better known as PinkDraconian, finished his studies in AI & robotics, but because of his passion for cybersecurity he became the Hacker Manager for the popular bug bounty platform Intigriti. Besides his work life, he runs a YouTube channel where he covers challenges, CVEs, and all kinds of cybersecurity-related topics in videos. Check him out on Twitter (@PinkDraconian).

    AI in Security

    Abstract: Artificial intelligence has been the driving development factor in many industries over the past decade, but what about the cybersecurity industry? In this presentation, I would like to introduce all of you to what AI could mean for you in the cybersecurity field. We’re going on a journey through what is possible and what will be possible when combining AI with cybersecurity.

    Joona Hoikkala - Red Team Manager @Visma

    Working as red team manager at Visma, Joona is a hacker with experience from multiple vantage points and aspects of information security, software development and brewing. He’s an open so(u)rcerer and has built or contributed to a wide variety of security tools, both offensive and defensive. This talk discusses both positive and negative phenomena around a web fuzzing tool he built and maintains: ffuf, or “fuzz faster u fool”.

    FFUF - Fuzz Faster, U’re ****ed … The good, the bad and the ugly of web fuzzing

    Abstract: Web fuzzing is a powerful method for automating the boring tasks in both black box and gray box testing of web applications. There’s only so much one can do when approaching this kind of target manually, but with proper tooling the server resources are the only limit. Wait? Server resources being the limit?

    Penetration testers, bug bounty hunters, security researchers and criminals are using the same techniques for different purposes. What happens when you are able to send tens of thousands of requests from your laptop, over the internet, to a target? What if you scale it up horizontally, doing the same thing from hundreds of sources? What if the responding endpoint is intentionally slow - a login, for example?

    In the cloud-native age, rate limiting might seem like an ancient thing from a distant past, but for the very same reasons it’s more relevant than ever…

    OWASP Timisoara #19: 17 June 2021

    The next OWASP Timisoara Chapter Meeting will be online.

    Summer sessions - Theme: Threat Modeling & Iterative Security

    Schedule

    Introduction, OWASP News & Updates - Catalin Curelaru

    Challenges and Experiences with Threat Modeling in Agile Development Projects - Monica Iovan (Visma) & Daniela S. Cruzes (NTNU)

    Security through an iterative process - Dario Cavallaro (Cisco)

    Time: 18:30 to 20:30

    More about the speakers and topics

    Dr. Monica Iovan, Head of Security Development @ Visma.

    In her free time, Monica enjoys peaceful moments in nature and the company of a good book. She is a passionate researcher with the goal of simplifying the use of security services within Agile development. She leads the security development team at Visma and conducts research on security in agile software development.

    Dr. Daniela S. Cruzes, Professor @ Norwegian University of Science and Technology (NTNU)

    Dr. Daniela S. Cruzes is a Professor at the Norwegian University of Science and Technology (NTNU). Previously, she worked as a senior research scientist at SINTEF in Norway. She has also been a research fellow at the University of Maryland and the Fraunhofer Center for Experimental Software Engineering, Maryland. Dr. Daniela Cruzes received her PhD in experimental software engineering from the University of Campinas (UNICAMP) in Brazil in 2007. Her research interests are empirical software engineering, research methods and theory development, synthesis of SE studies, software security, software testing, and agile and DevOps.

    Challenges and Experiences with Threat Modeling in Agile Development Projects

    Abstract: The goal of secure software engineering is to create software that keeps performing as intended even when exposed to attacks. Threat modeling is considered to be a key activity, but can be challenging to perform for developers, and even more so in agile software development. Hence, threat modeling has not seen widespread use in agile software projects. The goal of the presentation is to show some of these challenges and approaches that the teams are working on.

    Dario Cavallaro, Security Customer Success Specialist @ Cisco.

    Security through an iterative process

    Abstract: Security through an iterative process is a collection of notes gathered over 15+ years of experience. We will go through what has worked for most companies, some myths, and some of the common things that are typically missing but that everybody wants.

    OWASP Timisoara #18: 18 March 2021

    Spring sessions - Theme: Security Automation & Intelligence, Code Patterns

    More about the speakers and topics

    Teofil Cojocariu, Application Security Engineering Lead @ Betfair Development Romania.

    I’m focused on Application Security Engineering & Penetration Testing combined with the CAMS mindset (Culture, Automation, Measurement, Sharing - DevSecOps), and I have reported security bugs to Google, Facebook, Uber, Bitdefender, ING Bank, Yahoo and other companies. One of the most interesting things is that I built a platform, “Surface - Security Intelligence Automation Platform”, which is being used by more than 900 people in Paddy Power Betfair and Flutter, and I was the Security SME for a Private Cloud based on OpenStack with environments as code.

    Surface Security - Security Intelligence Automation Platform

    Abstract: Our external attack surface is constantly growing, which gives external attackers the opportunity to continuously search for new attack vectors. In order to respond successfully to security incidents we needed a centralized platform which aggregates all the data about our premises in a single place.

    Surface Security (Security Intelligence Automation Platform) is an internally built tool which helps our internal security teams gain a holistic view of our externally exposed assets. More than that, it facilitates faster incident response based on the information it correlates. Surface started as a small project in which we tried to close the gaps identified in our security controls. The platform’s core is built in Django, a Python-based open-source framework with a fast learning curve. Besides Django, we’re using technologies like Ansible (automation), Dkron (fault-tolerant jobs), Elasticsearch (security metrics storage) and Grafana (reporting). Over time it gained a lot of traction in our company, prompting people to contribute to its success by implementing and suggesting new features. We’re currently using it for reporting security gaps to other key business areas and for security controls like monitoring our externally exposed assets, vulnerability management, security incidents, bug bounty reports and penetration testing.

    Bence Nagy, software engineer @ r2c.

    Bence Nagy is a software engineer at r2c, working on Semgrep, an open-source syntax-aware code search tool. At r2c, his responsibilities tend towards building various interfaces atop the core semgrep CLI. These include CI integrations, editor extensions, and the semgrep.dev web app. He previously led a developer experience team at Kiwi.com, the Czech Republic’s top startup at the time of its acquisition in 2019. You should totally ask him for video game recommendations after the talk.

    Detect complex code patterns using semantic grep

    Abstract: We’ll discuss a program analysis tool we’re developing called Semgrep. It’s a multilingual semantic tool for writing security and correctness queries on source code (for Python, Java, Go, C, and JS) with a simple “grep-like” interface. The original author, Yoann Padioleau, worked on Semgrep’s predecessor, Coccinelle, for Linux kernel refactoring, and later developed Semgrep while at Facebook. He’s now full time with us at r2c.

    Semgrep is a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. Semgrep is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.

    OWASP Timisoara #17: 03 December 2020

    Online Event - Due to #COVID19 in #Romania, we have to announce that the #17 OWASP Timisoara Chapter meetup will be ONLINE.

    Winter sessions - Theme: Hackers Mindset + Web Indexing and Crawlers

    More about the speakers and topics

    Per Olsson (repolsson), Application Security Engineer at Visma. Per has a background as a developer focusing on the security aspects of software development; he has an unhealthy obsession with passwords and with understanding the human behind the hoodie.

    Hackers and the hacker mindset

    Abstract: Per will talk about what hacking actually is, how a hacker thinks compared to, for example, a developer, and about a few different types of hackers.

    Tom Hudson (TomNomNom), Security Research Tech Lead at Detectify. Tom is from Bradford in the UK and he is an open-source tool maker, trainer, talker, fixer, eater, not really a sheep.

    The Unsearchables - Finding Things That Google Doesn’t

    Abstract: Google does a fine job of indexing the web for most purposes, but we often want to find things that “regular” people aren’t so interested in. Let’s take a look at some places you can look, and some techniques you can use to find things that Google doesn’t index. We’ll look at digging into git repository histories, Docker images, and a few other things to find secrets and other useful information.

    Schedule

    18:30 Welcome participants

    18:40 Hackers and the hacker mindset - Per Olsson (Visma)

    19:15 The Unsearchables - Finding Things That Google Doesn't - Tom Hudson (Detectify)

    19:50 Networking or Other Questions

    Time: 18:30 to 20:00

    OWASP Timisoara #16: 24 September 2020

    Online Event - This summer at the #16 OWASP Timisoara edition you will find out from experts what pushes the industry further. We will explore the latest cyber trends in Bug Bounty and Responsible Disclosure Programs, presented by the OWASP Timisoara Board members (Ioana Piroska & Daniel Ilies), and in Cyber Threat Intelligence by Julius Nicklasson from Recorded Future.

    Summer sessions - Theme: Bug Bounty, Responsible Disclosure and Cyber Threat Intelligence

    Schedule

    18:00 Welcome participants

    18:10 Working with Hackers (Bug Bounty and Responsible Disclosure Program) - Ioana Piroska (Visma) & Daniel Ilies (Visma)

    18:45 Cyber Threat Intelligence - Julius Nicklasson (Recorded Future)

    Time: 18:00 to 19:20

    OWASP Timisoara #15: 11 December 2019

    Powered by UnifiedPost / Address: C. Brediceanu 10, City Business Center, Building D, 5th floor, Timisoara, Romania

    Winter sessions - Theme: Honeypots, Hacking and Community Building

    Schedule

    18:00 Welcome participants

    18:15 About Honeypots - Florin Patruta

    18:50 Break

    18:55 Too good to be true - Learning path: How to become a hacker - Catalin Curelaru

    19:30 Break

    19:35 Learning Security & Community Building - Radu Ticiu

    20:10 Networking

    Time: 18:00 to 21:00

    POWERED BY UnifiedPost

    > snacks and drinks on the house

  • Honeypots: The internet is getting bigger and bigger, and the attacks on organisations, governments, individuals etc. are increasing. It's not a matter of if you're going to be a target, but when. At some point in time, attackers will find a way to enter a company's network, one way or another. They usually do it by trying multiple times, after conducting reconnaissance activity. Knowing who accesses the company's assets, and creating decoys to lure attackers and gain time to implement defense strategies, could be a deal breaker. Learn more about what honeypots are, how they can be used and what value they can provide to a company.
  • Hacking: Nowadays we can see an increase in cyber-crime and state-controlled attacks, and companies are becoming more aware of the need for people with a hacking culture. In “Learning path: How to become a hacker” you will find a few steps on how you can get into security as one of the good guys and help organizations secure their environments.
  • Security Community Building: The founder and coordinator of CoderDojo will present the learning steps into security, how we can gain more insight by participating in CTFs, and how we can build a stronger security community.

    OWASP Timisoara #14: 29th August 2019

    Powered by Visma / Address: Strada Aristide Demetriade Nr 1, UBC3 building, 10th Floor, Timisoara

    Summer sessions - Theme: CyberSecurity, XSS/CSRF Attacks, Transparency

    Schedule

    18:00 Welcome participants

    18:15 Intro OWASP Timisoara - Catalin Curelaru

    18:20 CyberSecurity - Behind your front door - Adrian Daniel Bacanu

    18:50 Break

    19:00 XSS & CSRF attacks - Daniel Ilies & Claudiu Ivan

    19:45 Break

    19:50 Transparency of Episode XVI: The Empire Strikes - Catalin Curelaru

    20:20 Endnote - Plans for the future - Involvement in the Chapter - Catalin Curelaru

    20:30 Networking

    Time: 18:00 to 21:00

    POWERED BY Visma Romania

    20th September 2016, OWASP InfoSecTM #13

    Speakers

    Matei-Eugen Vasile, ApTI - Digital privacy and its enemies

    Lucian Florin Ilca, Atos - Presenting and developing vulnerabilities in routers, switches and access points

    31st May 2016, OWASP InfoSecTM #12

    Speakers

    Daniel BORCA - engine developer, Bitdefender - Be aware of your bugs, if you aren’t, someone else is

    12th April 2016, OWASP InfoSecTM #11

    Title: Be aware of your bugs, if you aren’t, someone else is

    The first session will introduce key concepts necessary for understanding what is going on “under the hood” of your program and how this correlates with being a possible victim of an exploit.

    We will also dissect a real-life exploit to see how this is done “in the wild” and what we can do to prevent it.

    Speakers

    Daniel BORCA - engine developer, Bitdefender

    Alin BARBATEI - malware researcher, Bitdefender

    17th February 2016, OWASP InfoSecTM #9

    15th December 2015, OWASP InfoSecTM #8

    Previous speakers at OWASP Timisoara: Andreea Bozesan, Ciprian Lucaci, Dan Negrea, Radu Ciorbă, Flavius Oprițoiu

    Sponsorship

    Become a supporter of OWASP or of OWASP’s Timisoara Chapter and help us make application security more visible. All information about becoming a member/sponsor can be found at https://www.owasp.org/index.php/Local_Chapter_Supporter

    Participation

    OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.