OWASP Community Meetings


Quick List (Details below)


July 02, 2024


Event: July 2024 Meeting

Group: Phoenix

Time: 20:30-07:00 (America/Phoenix)

Description: **Full Coverage Code Scanning Like a Boss** - 20 Minutes *Do you want confidence your code is fully secure? Learn about the security scanning that teams often miss, like scanning for secrets, vulnerable packages, container vulnerabilities, and misconfigured infrastructure as code. Go from beginner to full coverage security scanning like a boss!*


Event: Threat Modeling/Threat Intelligence: How Both Can Be Used Together

Group: Vitoria

Time: 19:30-03:00 (America/Sao_Paulo)

Description: Speaker: Caique Barqueta. Topic: Threat Modeling and Threat Intelligence: How Both Can Be Used Together. Date: 02/07/2024 at 19:30



July 03, 2024


Event: OWASP TOP10 for Artificial Intelligence (LLM)

Group: Chile

Time: 20:00-04:00 (America/Santiago)

Description: The talk will cover the 10 most important security risks identified by OWASP in the context of Large Language Models (LLMs). We will review the security challenges these artificial intelligence technologies face and how you can mitigate them. Don't miss this opportunity to stay at the forefront of cybersecurity in the field of AI.


Event: OWASP PENANG Virtual Meetup #1

Group: Penang

Time: 21:00+08:00 (Asia/Kuala_Lumpur)

Description: The OWASP Malaysia Federation is delighted to introduce the OWASP Penang Chapter to everyone. Join us for an online meet-and-greet event with OWASP Penang on July 3, 2024. We will feature young speakers who will present exciting and up-to-date topics related to the world of cybersecurity. Don't miss this opportunity! Time: 03/07/2024 9:00PM. Platform: Microsoft Teams. Speaker 1: Muhammad Fahimuddin Bin Mazlan, Topic: Creating Your Own Deauther. Speaker 2: Mohammad Ezaly Iman Bin Ramli, Topic: Cyber Security Drill With CTF.



July 04, 2024


Event: OWASP Austin Study Group

Group: Austin

Time: 12:00-05:00 (America/Chicago)

Description: Since 4/25/24: discussions on AI and LLMs generally and the Coursera Prompt Engineering series from Vanderbilt specifically. We are now studying ChatGPT Advanced Data Analysis.... For general Study Group info, see #studygroup in the OWASPAustin Slack. For topic-specific info, see #ai in the OWASPAustin Slack.


Event: OWASPOttawa July 4th 2024: Car Hacking Workshop with RAMN Platform

Group: Ottawa

Time: 17:00-04:00 (America/Toronto)

Description: **This is a Ticketed event.** You must have a ticket to participate in the workshop, due to the limited number of test environments and so that participants will have the best possible experience. Waitlist: if all tickets are registered, please add yourself to the waitlist. We will add more tickets when we learn whether we have access to more test environments, and will draw from the waitlist on an ordered basis. Get your **FREE** ticket at: [https://buytickets.at/owaspottawachapter/1299905](https://buytickets.at/owaspottawachapter/1299905)

**Mandatory Pre-Workshop Preparation**

Please check the Mandatory Preparation section below!

1. Laptop with Git installed.
2. USB Micro B cable.
3. Clone the repo https://github.com/BenGardiner/automotive_scapy_playground
4. Install Python.
5. Install all the dependencies before the class.

(Ben *will* ask the unprepared to give up their seat to anyone waiting who *is* prepared.)

**In-Person Location**: 150 Louis-Pasteur Private, Ottawa, University of Ottawa, **Room 117 (note the room change)**

**5:00 PM EST** Arrival, setup, mingle, PIZZA!!!

**5:30 PM EST**

1. Introduction to OWASP Ottawa, Public Announcements.
2. **Car Hacking Workshop**

**Abstract:** This will be a very introductory but still very practical course on car hacking, focusing on CAN, UDS on CAN, and using scapy. The RAMN will give you an automotive network sandbox to explore and test ([https://github.com/ToyotaInfoTech/RAMN](https://github.com/ToyotaInfoTech/RAMN)). The hands-on sessions will use the automotive scapy playground. We currently have 5 RAMN test platforms, and the best experience permits 3 attendees working together as a group on one RAMN platform. Therefore we are ticketing this event.

**Mandatory Preparation before the workshop!**

1. Laptop with Git installed.
2. Clone the repo https://github.com/BenGardiner/automotive_scapy_playground
3. Install Python.
4. Install all the dependencies before the class.

(Ben *will* ask the unprepared to give up their seat to anyone waiting who *is* prepared.)

**Speakers:** Ben Gardiner: Mr. Gardiner is an independent consultant at Yellow Flag Security, Inc., presently working to secure commercial transportation at the NMFTA and connected transportation with TMNA. With more than ten years of professional experience in embedded systems design and a lifetime of hacking experience, Gardiner has a deep knowledge of the low-level functions of operating systems and the hardware with which they interface. Prior to YFS Inc., Mr. Gardiner held security assurance and reversing roles at a global corporation, and worked in embedded software and systems engineering roles at several organizations. He holds an M.Sc. Eng. in Applied Math & Stats from Queen’s University. He is a DEF CON Hardware Hacking Village (DC HHV) and Car Hacking Village (CHV) volunteer. He is GIAC GPEN and GICSP certified and a GIAC advisory board member; he is also chair of the SAE TEVEES18A1 Cybersecurity Assurance Testing TF (drafting J3061-2), a contributor to several ATA TMC task forces and ISO WG11 committees, and a voting member of the SAE Vehicle Electronic Systems Security Committee. Mr. Gardiner has delivered workshops and presentations at several world cybersecurity events, including the Cybertruck Challenge, GENIVI security sessions, Hack in Paris, HackFest and DEF CON main stage.


Event: OWASP Tallinn - Modern Cryptography - Vol. 2

Group: Tallinn

Time: 18:30+03:00 (Europe/Tallinn)

Description: **Welcome to the Summer Event of OWASP Estonia: Modern Cryptography - Vol. 2**

In this event we'll host two very special speakers:

**Stefano Alberico**, tech lead mentor at the **NATO DIANA** accelerator and founder at Skudo, is a technology visionary with 25 years of international experience. He is very problem-solving oriented and prefers to set up a demo with a Raspberry Pi rather than only explaining things on a PPT. He is now focused on hardware encryption (HSM and PKI) for space and drone applications, based on Skudo's own FPGA implementation.

Speech: **Practical use-cases of encrypted satellite communication**

In this 30-minute presentation, Stefano will discuss two key use-cases of encrypted digital satellite communication that his company has worked on. The first use-case involves a project with the European Space Agency (ESA) last year. We remotely reprogrammed the OPS-SAT's onboard FPGA with our custom cores, adding a Hardware Security Module (HSM) and a RISC-V processor. We then developed an application that captured a satellite image, processed it on the RISC-V, encrypted it on the HSM, and sent it to our ground office. There, we decrypted the image using the appropriate key and displayed it, ensuring secure data transmission. The second use-case is an ongoing project to create an encrypted satellite communication link. This involves integrating our HSM/FPGA with an Iridium modem using the Short Burst Data (SBD) service. This setup enables us to send end-to-end hardware-encrypted messages worldwide, ensuring secure and reliable communication. These examples demonstrate our work in enhancing secure satellite communications through advanced encryption and processing technologies.

**Jelizaveta Vakarjuk** is a junior researcher at Cybernetica and an industrial PhD student at Tallinn University of Technology. Her research focuses on post-quantum cryptography, privacy-preserving cryptography, and security of voting systems. She mainly studies post-quantum digital signatures, but also focuses on aspects of migration to post-quantum cryptography.

Speech: **Obstacles of migration to post-quantum cryptography**

With the rising development of quantum technologies, there is an urgent need to secure existing IT infrastructure against quantum threats. Introducing post-quantum cryptography to present systems could protect them against future quantum computer attacks. Still, post-quantum migration is a challenging process which requires systematic planning and years of execution. In this talk, I will share the main migration obstacles, using Estonian e-services as an example.

**And That's Not All - More Surprises Await!** Whether you're a cybersecurity professional, a tech enthusiast, or just curious about cryptography, there's something for everyone!

**Connect, Collaborate, and Create:** This event is more than just talks - it's a platform to connect with like-minded folks!

**Mark Your Calendars:** Thursday 04th July at 18:30 - 20:30, Workland Maakri 19

**Limited seats, registration on Meetup required!**



July 10, 2024


Event: OWASP Boston Chapter Meeting - July 2024

Group: Boston

Time: 18:30-04:00 (America/New_York)

Description: This month we will be welcoming Thomas Gleason as our presenter. Thomas will be giving his presentation Be a Better Robert Oppenheimer. In the tech world, developers, likened to modern Oppenheimers, innovate quickly but may overlook security. This presentation proposes a unified language for AppSec, balancing development and security priorities. It emphasizes understanding open-source usage, risks in tooling practices, and contextualizing vulnerabilities. Join us to align security with development goals, fostering rapid innovation while ensuring security. Thomas Gleason is an AppSec enthusiast who enjoys building teams and tools to enhance security. He has hands-on experience with the pros and cons of DevSecOps. Outside of work, he cherishes his Rhode Island home and has a penchant for a well-cooked risotto. His professional expertise and personal interests make him a well-rounded individual in the field.


Event: Security Social Lunch Hours

Group: Seattle

Time: 12:00-07:00 (America/Los_Angeles)

Description: At noon on the 2nd Wednesday of every month we host a social meeting on Zoom with mini talks and breakout rooms. The main room will always be open for social time but we plan to have 1-2 topic breakouts you can join. If the breakout session topic interests you, join that discussion. Feeling more like a casual chat and exploring other topics? Visit the main room to strike up a conversation. Suggest topics you’d like to see breakout rooms for and let us know if you’d like to sign up to lead one. Slack @ #chapter-seattle (https://bit.ly/owasp-seattle-slack) [email protected] (https://groups.google.com/a/owasp.org/g/seattle-chapter)



July 11, 2024


Event: OWASP Austin Study Group

Group: Austin

Time: 12:00-05:00 (America/Chicago)

Description: Since 4/25/24: discussions on AI and LLMs generally and the Coursera Prompt Engineering series from Vanderbilt specifically. We are now studying ChatGPT Advanced Data Analysis.... For general Study Group info, see #studygroup in the OWASPAustin Slack. For topic-specific info, see #ai in the OWASPAustin Slack.



July 13, 2024


Event: OWASP Meetup at Kushtia, Islamic University

Group: Dhaka

Time: 10:00+06:00 (Asia/Dhaka)

Description: Join us at the OWASP Dhaka Chapter physical event at Islamic University, Kushtia, for an interactive discussion on Navigating Cybersecurity: Current Threats and Future Trends. In the wake of cyber threats, it is crucial to strengthen Software Security by understanding the best practices for Application Security and White Hat Hacking. This session will cover practical insights on open source tools and methodologies to secure web applications and detect vulnerabilities. In the spirit of the successful event "OWASP Dhaka Chapter Cyber Awareness Day 2023," this workshop aims to empower participants with the necessary skills to safeguard their systems and tackle cybersecurity challenges effectively. Don't miss this opportunity if you are near Kushtia.


Event: OWASP Summer Scavenger Hunt

Group: Manchester

Time: 13:00+01:00 (Europe/London)

Description: **This is a charity event and is £5 to enter. Either register here and pay on the day or get your ticket in advance at Eventbrite:** https://www.eventbrite.co.uk/e/owasp-summer-scavenger-hunt-tickets-921543680957?utm-campaign=social&utm-content=attendeeshare&utm-medium=discovery&utm-term=listing

Do you like running round Manchester doing pointless challenges that may or may not be Hacker related for the chance of winning a £100 Amazon voucher? Yes?!? Then this is the event for you! This July OWASP Manchester will be hosting the first inaugural Charity Summer Scavenger Hunt.

What you need to know:

Who’s running it? Manchester OWASP and Silverphish; you may have entered a similar one at one of the BSides or at Steelcon.

Where is it? Our base is the Piccadilly Central pub opposite Piccadilly Station, but the challenges will be all over the city centre.

Teams: You can enter as a team of up to five people or as an individual. It costs £5 per person to enter and the proceeds will go to the Mustard Tree.

Running Time: Registration is between 1pm - 2pm at Piccadilly Central; closing and prizes will be at the pub at 7pm. We’re welcome to stay on at the pub after, and may take a turn round the Gay Village.

Prizes: There will be a £100 Amazon voucher PER TEAM for highest score and best submission; there's a £50 Amazon voucher for runners-up (second highest score).

Who will judge? Silverphish, Ben from OWASP and two exciting celebrity judges.

Are there sponsors? Hell yes there are! We’d like to thank PTP for supplying the prizes and FireDuck for sponsoring the infrastructure.

Will we provide refreshments? No. You’re on your own with that. Please eat beforehand, and make sure to grab a Greggs during the hunt. Obvs as the base is a pub you’ll be able to buy a drink there too.

Is the event suitable for children? Hell no. It’s in a pub. It’s also not totally safe for work either, so be prepared for some mild adult content.

Do you need technical knowledge to enter? You do not!!! There will be some mildly technical challenges but there will be plenty that are just silly or for fun.

What should you bring with you? (These are suggestions, you’re grown-ups so we take zero responsibility for you)

* A water bottle
* Snacks
* Comfortable shoes (preferably on your feet)
* Sun cream
* A brolly (it’s Manchester after all)
* A sense of adventure
* Probably some money



July 15, 2024


Event: IT Security Awareness

Group: Cotonou

Time: 08:00+01:00 (Africa/Lagos)

Description: The Cotonou Chapter of the OWASP Foundation, in partnership with the Agence des Systèmes d’information et du Numérique (ASIN), is organizing a 5-day training course from 15 to 19 July 2024 on the theme: information security awareness. This training is intended for anyone who wants to deepen their knowledge of IT security so as not to remain the weak link in their organization's security management system. Do not hesitate to register very quickly using the link on the poster ([https://owaspformation.emes.bj](https://owaspformation.emes.bj)), as the number of places is very, very limited.


Event: OWASP Monthly meeting

Group: Jacksonville

Time: 18:45-04:00 (America/New_York)

Description: OWASP topic TBA



July 16, 2024


Event: OWASP New Zealand - Auckland Meetup

Group: New Zealand

Time: 18:30+12:00 (Pacific/Auckland)

Description: We're picking up our regular Meetup schedule in 2024, starting in March. Our approximate agenda for the evening:

* 6:00 p.m. - Gather and networking
* 6:30 p.m. - Introductions, Top 10 Topic
* 7:15 p.m. - Pizza and more networking
* 7:45 p.m. - Technical Topic

We restarted our introductory coverage of the OWASP Top 10 (2021 edition) with A01:2021 in March, covering a new item each meeting. Our Top 10 topic for July will be **A03:2021 - Injection**.

**Technical Topic Speaker:** TBC

**Talk Title:** TBC

We're always looking for presenters and topics for future meetings - contact John ([email protected]) if you have an idea for a topic, or a presentation you'd like to make. That way, it won't always be John talking about what he's been working on recently.

The Auckland-area OWASP Meetup usually takes place on the third Tuesdays of March, May, July, September, and November. There is no Meetup in January, as our members enjoy their holidays.



July 17, 2024


Event: Threat modelling software supply chains during a red team assessment.

Group: Brisbane

Time: 18:00+10:00 (Australia/Brisbane)

Description: The software supply chain is under increasing threat. New attacks and threats have popped up that we couldn't have imagined even two years ago. Total attacks on the software supply chain are increasing by more than 730% year on year since 2019. One way for organizations to combat this growing threat is to empower their red teams to test the software supply chains for that organization. But many red teams are ill-prepared to tackle this new attack surface. This talk will have three distinct parts:

1. I will describe how security teams, red teams, or security researchers can quickly identify the multiple components in a particular application's software supply chain, and then how to find soft targets to focus on.
2. I will describe my VBP framework (value, behaviour and patterns), which is an applied threat modelling framework for software supply chains.
3. Finally, I will visually describe one of my red team operations on an open-source project and the tools that I use (or have written) to make that possible.


Event: OWASP Toronto | Improving the SOC with SOC-CMM

Group: Toronto

Time: 18:30-04:00 (America/Toronto)

Description: **The talk is hosted on the 3rd floor of 171 John Street**

**TALK**

**SOC Capability Maturity Model (SOC-CMM)**

**Summary:** In today's ever-evolving threat landscape, a robust Security Operations Center (SOC) is no longer a luxury, but a necessity. However, building a SOC from the ground up can be a daunting task. This presentation introduces attendees to the SOC Capability Maturity Model (SOC-CMM), a powerful framework designed to guide organizations in establishing and maturing their SOC capabilities. Through practical examples and real-world scenarios, attendees will learn how to leverage the SOC-CMM to:

* Define clear business objectives for their SOC.
* Develop a comprehensive staffing strategy with the right skill sets.
* Establish efficient and repeatable security processes.
* Select and implement the most suitable security technologies.
* Integrate seamlessly with existing IT infrastructure and security services.

**Presenters**

Ivan Salles ([https://www.linkedin.com/in/ivansalles/](https://www.linkedin.com/in/ivansalles/)): A SecOps professional with extensive global consulting experience, specializing in strategic guidance for topics including SOC, MDR, EDR, XDR, SIEM, and Vulnerability Management. Ivan collaborates as an Advisory Board member at Mente Binaria and as a staff member at SOC Brazil; he currently serves as the Director of Strategic Initiatives - SOC at Trend Micro Canada. Additionally, he shares his expertise as a Professor for Networking & Security at Fanshawe College. Based in London, Ontario, he enjoys spending time with his family.



July 18, 2024


Event: OWASP Austin Study Group

Group: Austin

Time: 12:00-05:00 (America/Chicago)

Description: Since 4/25/24: discussions on AI and LLMs generally and the Coursera Prompt Engineering series from Vanderbilt specifically. We are now studying ChatGPT Advanced Data Analysis.... For general Study Group info, see #studygroup in the OWASPAustin Slack. For topic-specific info, see #ai in the OWASPAustin Slack.


Event: Secrets Revealed for Launching a Successful Enterprise DevSecOps Program

Group: Cincinnati

Time: 16:00-04:00 (America/New_York)

Description: **This meeting will be in-person! Thank you to Kroger for hosting at their Kroger Blue Ash Technology Center. For security, RSVP by 2 days prior to the meeting is required.**

**Sponsored by [Traceable](https://www.traceable.ai/)**

This presentation walks through the patterns of successfully starting a DevSecOps program from scratch. As such, it focuses on the strategies derived from both the successes and failures, and the lessons learned along the way on this journey. Lastly, this talk concludes with how White House Executive Order (14028), centered around SBOM, shapes the next steps of the DevSecOps maturity model and how organizations can leverage this new piece of legislation to bolster their application security defenses.

**Approximate schedule:**

* 4:00 - Doors open. Come for networking and refreshments
* 4:15 - Presentation begins.
* 5:15 - Networking and refreshments resume!
* 6:00 - EOE (End of Event)


Event: Lessons from recent breaches

Group: Columbus

Time: 18:00-04:00 (America/New_York)

Description: Jay Bobo from CoverMyMeds is speaking! I'll get an abstract up here shortly, but it will be fantastic. And we are at a NEW location! Check it out!


Event: Designing an Efficient Penetration Test Suite

Group: Portland

Time: 17:30-07:00 (America/Los_Angeles)

Description: How do you define the scope of penetration testing for a web application project? Is it the OWASP Top Ten, formal guidelines established by organizations such as NIST, security stories developed by the product owner and the security team, or recommendations made by your development team? The answer is all of the above, depending on the client, your development environment, and your capacity to take the risk. This presentation will share experiences gained from penetration testing of a web application hosted by a Government agency providing professional licenses to its prospective clients. The nature of the project touched numerous areas such as CJIS (Criminal Justice Information Service), Personally Identifiable Information (PII), Access Control (Authorization in particular), and adherence to the security standard’s office guidelines. The challenge was to identify and prioritize the test suite that would cover these specific areas in a constrained time period. To enhance the coverage, the test suite had to include DAST (using ZAP) and some specific general scenarios. The audience will take away some approaches that, when applied, can lead to well-balanced (both effective and efficient) penetration testing.

SCHEDULE: Doors open at 5:30. The talk will begin about 6pm.

ENTRY: There are doors on Washington and Broadway. Both of them auto-lock at 6pm. From 6 to 6:15pm, only the door on Broadway will be available. Take the elevator to the 11th floor.

NO ENTRY AFTER 6:15 PM: It will not be possible to enter the building after 6:15.

ACKNOWLEDGEMENTS: Our host again this month is NedSpace, a co-working space in downtown Portland, a friendly place to work when you don't want to work from home.

FOOD: We don't yet have a sponsor for July, so there may not be food this time. Plan accordingly. (If you know a company that might like to sponsor, please put them in touch with us.)


Event: OWASP Chapter POA - Meeting #15 [ONLINE]

Group: Porto Alegre

Time: 19:30-03:00 (America/Sao_Paulo)

Description: In July we will hold our next meeting, online and open to everyone via **ZOOM**. Come learn and talk **with one of the main contributors** to the OWASP Top 10 For LLM. **Link to the stream:** https://us06web.zoom.us/j/87962925968 **Our agenda:** 19h30 ~ 20h30 **"AI Security in Practice: OWASP Top 10 for LLM Apps"** In this presentation, we will explore security best practices for applications that use Large Language Models (LLMs). We will discuss the OWASP Top 10, an essential guide for identifying and mitigating the main security risks in these applications. Through practical examples and detailed insights, you will learn how to protect your AI implementations, ensuring compliance and robust security. This session is essential for security professionals, developers and technology leaders looking to strengthen their defenses against emerging threats in the field of artificial intelligence. **Speaker:** Emmanuel Guilherme Junior (Cybersecurity Leadership | AI & LLM Security | Cloud Security | OWASP Top 10 for LLM Core Team Member)


Event: Webauthn - WTF or FTW?

Group: Vancouver

Time: 18:00-07:00 (America/Vancouver)

Description: **Webauthn - WTF or FTW?** with Don Burks While it has been around for a few years, the Web Authentication Standard (or Webauthn) is just starting to become mainstream. This talk will explore some of the real-world applications of this technology, in particular discussing adoption strategies, observability practices, and evaluating Webauthn against other strategies such as OAuth and 2FA. **Don Burks** is a technical leader who has been working in the industry for over 25 years. Former Head Instructor of Lighthouse Labs and with experience both in startups and FAANG companies, Don's background in software development and technical leadership has provided a wealth of experience which he shares in books, talks, and the great teams with which he gets to work. Currently, Don is the Director of Engineering for Bulletproof Studio Tools, based in Vancouver, BC.



July 19, 2024


Event: OWASP San Antonio Chapter Monthly Meeting-July 19th 2024

Group: San Antonio

Time: 11:00-05:00 (America/Chicago)

Description: Topics - see abstracts below

* Securing APIs in the Cloud
* The top API threats seen in the first quarter of 2024
* Salesforce Security Pen Testing

**Lunch Provided**

small fee for parking est $5-$7.50 Bauerle Road Garage at UTSA Campus University Room 2.06.04 - Business Building, John Peace Library, 1 UTSA Circle, San Antonio, TX 78249

ZOOM link provided for remote attendees

We encourage everyone to attend in person. We will have door prizes and excellent food for all to enjoy, as you take advantage of this excellent networking opportunity! Please feel free to pass this information on to your peers and team members. Please reply **“ONSITE”** if you plan on attending in person so we can finalize headcount for food and room attendance.

**Presentations will include:**

***I. Presentation on API Lifecycle-Optiv***

API lifecycle graphic review-provided baseline understanding of API journey-Optiv

***II. Securing APIs in the Cloud: Insights and Best Practices- Palo Alto***

This presentation explores the current state of API security in the cloud, covering industry trends and common challenges organizations face. It delves into effective strategies for API discovery, risk profiling, and real-time protection, providing practical insights and best practices to enhance API security. The discussion will highlight key concerns such as inadequate authentication, lack of visibility, and poor endpoint management, aiming to equip attendees with the knowledge to better secure their API ecosystems.

***III. API ThreatStats™ Report Q1 2024 Spotlight: Why API Security Is The First Thing For Enterprise AI- Wallarm***

The Wallarm Research Team has analyzed billions of data points to identify the top API vulnerabilities and exploits for the 1st quarter of 2024, shining a spotlight on the rising threat of API attacks targeting AI applications. The report explores the top significant threats, identifies key trends, and provides actionable insights that can help you strengthen your API Security program, with an emphasis on identifying and protecting your AI applications from API security issues.

***IV. Salesforce Pen-testing-Rodney***

Topic 2-PaaS Cloud Goat is a simulated vulnerable Salesforce Application providing hands-on experience with penetration testing of custom Salesforce applications. The tool is similar to other test tools like AWS CloudGoat, CloudFoxable, AzureGoat, GCPGoat, and Pen-Testing Cloud REST APIs in OpenStack. It is not, however, a tool for attacking [Salesforce.com](http://salesforce.com/) itself. It is novel because it focuses on custom applications deployed using the Salesforce platform and is the first tool to provide lab exercises with a collection of security tests. The main takeaways:

1. Hands-on learning opportunity of security tests for a custom Salesforce application
2. Detailed training documentation material about the underlying flaws to look for
3. Single consolidated list of common Salesforce application vulnerabilities



July 20, 2024


Event: Null/OWASP Combined Monthly Meet on 20 July 2024

Group: Bangalore

Time: 09:30+05:30 (Asia/Kolkata)

Description: null/owasp combined meets are free for anyone to attend. There are absolutely no fees. Just come with an open mind and willingness to share and learn.

* Deepfakes Detection Techniques by **pretti Rajesh**
* Block chain and Smart contracts by **Meera**
* There's no honour among phishers: free phishing kits with hidden backdoors by **Anshuman**
* Building your own threat intel sink by **Pavan Karthick M**

### Session Schedule

| Name | Speaker | Start Time | End Time | Resources |
| ---- | ------- | ---------- | -------- | --------- |
| **Welcome Note / Registrations** | | 09:30 AM | 09:40 AM | |
| [Deepfakes Detection Techniques](https://null.community/event_sessions/4336-deepfakes-detection-techniques) | [pretti Rajesh](https://null.community/profile/48106-pretti-rajesh) | 09:40 AM | 10:10 AM | |
| **Introduction to beginners** | | 10:10 AM | 10:25 AM | |
| [Block chain and Smart contracts](https://null.community/event_sessions/4338-block-chain-and-smart-contracts) | [Place Holder](https://null.community/profile/2-place-holder) | 10:25 AM | 11:20 AM | |
| **Networking Session + Break** | | 11:20 AM | 11:45 AM | |
| [There's no honour among phishers: free phishing kits with hidden backdoors](https://null.community/event_sessions/4340-there-s-no-honour-among-phishers-free-phishing-kits-with-hidden-backdoors) | [Place Holder](https://null.community/profile/2-place-holder) | 11:45 AM | 12:40 PM | |
| [Building your own threat intel sink](https://null.community/event_sessions/4341-building-your-own-threat-intel-sink) | [Pavan Karthick M](https://null.community/profile/37062-pavan-karthick-m) | 12:40 PM | 01:35 PM | |
| **Feedback + Next Month’s Planning** | | 01:35 PM | 01:55 PM | |



July 24, 2024


Event: OWASP LA Monthly In-Person Meeting - JUL 24, 2024

Group: Los Angeles

Time: 17:30-07:00 (America/Los_Angeles)

Description: **TOPIC**: Breaking Through CVE Noise: Analyzing 5 Key Prioritization Inputs

Join us for great networking, dinner and drinks, and see a presentation by **Chelsea Boling**, a Customer Success Architect at **FOSSA**

**ABSTRACT**: Thousands of new Common Vulnerabilities and Exposures (CVEs) are reported each year, which puts a massive burden on security teams to prioritize and address the most critical threats effectively. This is especially true since most vulnerabilities aren’t actually exploitable in their real-world context, and wasting time on non-exploitable issues can get in the way of remediating the most impactful vulnerabilities. This talk will explore strategies to mitigate CVE overload and streamline the vulnerability resolution process. In addition to exploring complexities around CVE noise — such as the difficulty in distinguishing between high-risk, low-risk, and no-risk vulnerabilities and the pressure to maintain business continuity while ensuring robust security — we’ll analyze five specific vulnerability prioritization inputs:

1. CVSS scores
2. EPSS scores
3. VEX
4. The CISA KEV Catalog
5. Reachability analysis

Additionally, the talk will cover the role of automation and tooling to prioritize vulnerabilities at scale, as well as recommended workflows between IT, security teams, and business units to ensure comprehensive risk management.

**Thanks to our Sponsor**: *[FOSSA](https://fossa.com/)*

*FOSSA is a leading application security and compliance platform that specializes in helping engineering teams deliver trusted software. FOSSA enables companies to prioritize real vulnerabilities in their open source dependencies with comprehensive SCA (software composition analysis) capabilities, while also making it possible for organizations to automate compliance reporting and SBOM (software bill of materials) lifecycle management to meet customer and regulatory requirements. Founded in 2015, FOSSA is trusted by thousands of global organizations, has been downloaded nearly two million times, and has conducted nearly 100 million open-source scans.*

**SPONSORSHIP Opportunities Available**

*Vendors interested in sponsoring please send an email to [email protected]*

**CODE OF CONDUCT**

We hope you enjoy the event. We care deeply about inclusivity and diversity so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of our chapter leaders if you have any feedback/concerns or would like to speak to us; we take these matters very seriously. You can find out more about our policies here: [https://owasp.org/www-policy/operational/conferences-events.html#conference-and-event-anti-harassment-policy](https://owasp.org/www-policy/operational/conferences-events.html#conference-and-event-anti-harassment-policy)


Event: Cyber Risk Management - Sponsored by Brinqa

Group: Nashville

Time: 17:00-05:00 (America/Chicago)

Description: Brinqa will join us to discuss strategies their customers have used that have led to successful or unsuccessful vulnerability management programs and risk mitigation.



July 25, 2024


Event: NO EVENT IN JULY

Group: Colorado Springs

Time: 19:00-06:00 (America/Denver)

Description: We're taking July off so you can enjoy some summer vacation time. See you again in August! -Terry


Event: Monthly Networking Social

Group: Peterborough

Time: 19:00+01:00 (Europe/London)

Description: Thirsty Thursdays. Same time. Same day each month. Differing places. Good chat.

**What?**

* Casual conversation over food & drinks

**Where?**

* It may differ each month: bars, restaurants and eateries around Peterborough

**When?**

* ~ The last Thursday of each month

Everybody welcome; the next event details will be chosen from the last (and so on!).