OWASP Community Meetings


Quick List (Details below)


April 01, 2025


Event: April 2025 Meeting

Group: Phoenix

Time: 19:30-07:00 (America/Phoenix)

Description: **The Attacker’s Distributed Supercomputer: Your Browser**

As the browser transforms into the primary computing platform, new vulnerabilities are surfacing that existing security architectures are not prepared to tackle. This gap leaves enterprises exposed to risks like client-side exploits, unmonitored communication channels, and last-mile reassembly tactics, which exploit the browser's complexity beyond the reach of traditional tools. This talk explores how the shift to browser-centric workflows has uncovered a critical weak spot at the very heart of organizations around the world, currently unprotected by conventional security measures, allowing both internal and external threat actors to bypass controls.


Event: 5th OWASP Stuttgart Chapter Stammtisch

Group: Stuttgart

Time: 18:00+02:00 (Europe/Berlin)

Description: **Runtime Application Security meets LLMs**

Large Language Models (LLMs) and AI Agents are rapidly transforming how applications operate, generating code, queries, and dynamic outputs on the fly. However, this innovation introduces unique security challenges, exposing applications to both classic and novel attack vectors. This talk explores the intersection of runtime application security and LLM-driven applications, highlighting how these dynamically generated interactions differ from traditional, human-coded applications. Through real-world examples, we will illustrate specific vulnerabilities and exploit techniques targeting LLM-generated outputs and discuss practical strategies for detecting and mitigating these threats in real-time.

**Agenda (Subject to Change):**

* **6:00 PM**: Arrival
* **6:30 PM - 7:30 PM**: Presentation
* **7:30 PM - approximately 9:00 PM**: Barbecue, drinks, discussion, and networking



April 02, 2025


Event: #09 The Truth

Group: Lisboa

Time: 18:00+01:00 (Europe/Lisbon)

Description: We continue on track to meet our goal of doing at least one event per quarter, so without further ado, it's time for our second OWASP Lisboa event of 2025.

The meetup takes place on April 2nd, 2025, at 18:00, and is sponsored by INSCALE and AP2SI. The venue is the INSCALE Office at [Av. da Liberdade 36](https://maps.app.goo.gl/DkSqfPSvRb7XKjrN9), 8th floor. Enter the building and take the elevators on the left to the 7th floor. Go through the black door on the left and go up one flight of stairs to the 8th floor. You will have arrived at your destination.

The schedule is the following:

* 18:00 - **Quick intro** by the OWASP Lisboa chapter leadership team
* 18:15 - **Can APIs Be the Silent Players in the Social Engineering Game?** by Teresa Pereira
* 19:00 - **~~Jedi~~ GenAI Mind Tricks - Are these the secure chatbots you’re looking for?** by Bruno Morisson
* 20:00 - **Drinks & Dinner** by INSCALE

---

**Talks:**

Title: **Can APIs Be the Silent Players in the Social Engineering Game?**

Speaker: **Teresa Pereira**

Abstract: This talk delves into the pervasive yet often overlooked role of APIs in the realm of social engineering. Through a comprehensive exploration of case studies, security vulnerabilities and ethical considerations, this talk uncovers the hidden risks associated with APIs and gives you proactive measures to mitigate the potential for social engineering attacks facilitated by these silent weapons.

Bio: Teresa Pereira, also known as starmtp, is a Cyber Threat Hunter at Siemens Energy with expertise in penetration testing, red teaming, API security, and threat hunting. Previously at KPMG Portugal, she specialized in vulnerability exploitation, OSINT, social engineering, and API pentesting. A dynamic and engaging speaker, Teresa has shared her expertise at prominent events, including apidays Paris 2023, apidays London 2024, the Geek Girls Portugal Conference 2024, apidays Paris 2024 and OWASP Porto Meetup. Her professional credentials include API Security Certified Professional (ASCP) and Certified in Cybersecurity (CC). Ranked among the top 4% on TryHackMe, Teresa is a Women in Security and Privacy (WISP) Volunteer, an APIsec University Ambassador, and also co-leads the OWASP Leiria Chapter, where she actively supports the cybersecurity community. She developed the course "Getting Started in API Pen-Testing" for APIsec University and authored the insightful article "How Can HTTP Status Codes Tip Off a Hacker?". In 2024, Teresa was named API Security Person of the Year (ASPY) by the APIsec University board. In 2025, she created a room on TryHackMe entitled "Vulnerability Chaining". With a degree in Computer Engineering and a strong passion for mentoring, Teresa is dedicated to advancing cybersecurity awareness and resilience across diverse industries.

[https://pt.linkedin.com/in/maria-teresa-pereira](https://pt.linkedin.com/in/maria-teresa-pereira)

---

Title: **~~Jedi~~ GenAI Mind Tricks - Are these the secure chatbots you’re looking for?**

Speaker: **Bruno Morisson**

Abstract: After experimenting with various public challenges on LLM chatbots—like Gandalf, PromptAirlines, and more—I decided to build my own. Not just to understand how LLMs work, but to see how easily I could break them. In this talk, I’ll dive into the security risks of Generative AI, particularly LLM chatbots, and explore vulnerabilities that are often overlooked. From sensitive information disclosure to prompt injections and jailbreaking, I’ll walk through real-world examples showing just how these systems can be manipulated. No tinfoil hat required.

Bio: Bruno Morisson is a seasoned cybersecurity expert with over two decades of experience in offensive security, penetration testing, and red teaming. As the Partner and Offensive Security Services Director at Devoteam Cyber Trust, he leads world-class security testing across web and mobile applications, IoT, OT/SCADA, and threat-led penetration testing frameworks like TIBER-EU and DORA. Beyond his professional work, Bruno is a driving force in the cybersecurity community. He is the founder and organizer of BSidesLisbon, Portugal’s top security conference, and serves as a CREST Europe Council member, helping shape industry standards. His research contributions include multiple CVE disclosures, Metasploit modules, and publications on SAP security, honeypots, and Linux audit systems. Bruno holds an MSc in Information Security from Royal Holloway, University of London, alongside an impressive list of certifications, including OSCP, CISSP, CISA, and GIAC GPEN. And in case you were wondering—yes, this entire bio was generated by GenAI.

[https://www.linkedin.com/in/morisson/](https://www.linkedin.com/in/morisson/)


Event: OWASP Melbourne - April 2025 Meetup

Group: Melbourne

Time: 18:00+11:00 (Australia/Melbourne)

Description: G'day all, Happy new year! We're back into the swing of things. We found the "Lean Coffee-style" format worked well in 2024, so we're back with it once again as a place for AppSec practitioners to share their knowledge. We're looking forward to having those AppSec discussions once again.

We're starting the year again at [YOI Indonesian Fusion](https://yoirestaurant.com.au/) as our location for April. On Wed, 2nd April 2025 at 6PM, there we shall meet. We aim to meet the 1st Wednesday of every month from April to October.

*There's NO BOOKING. If you're the first to arrive, please grab a table for the group and post a picture of the table's location in the comments of this meetup event. We'll use it to locate each other. (If you don't see a post, you're the lucky first. Please grab us a table and post a pic.)*

**Please remember to update your RSVP if you can no longer attend.** Even if it's just 30 minutes prior. It'll help whoever arrives first know how big a table to get. We will take note of no-shows, and to make sure we've got space for those that do actually attend, your RSVP may be deprioritised for future events.

See you there. More details on the format, and what to expect, below:

**The Practitioner's Roundtable**

It's a monthly meetup for AppSec/ProdSec practitioners to participate in discussing AppSec/ProdSec topics and share knowledge. There are no speakers or sponsors, just a facilitator, with the expectation that you'll join the conversations. Broadly, the idea is that you're swinging by after work for a regular catch-up with your peers over dinner (with F&B at your own cost) with a known format.

---

**So, what's happening?**

The format:

1. At 6pm all attendees arrive, and order (and pay for) their own meals - we'll do the rest while waiting for the meals to arrive and as we eat.
2. All attendees write down on a card 1-2 AppSec/ProdSec related topics they'd like to discuss.
3. We'll each cast 3 votes on the cards we'd like to discuss.
4. We'll sort the cards, and discuss the topics with the top 3-4 highest votes, starting with the topic with the highest votes.
5. After 5(?) minutes, we all decide if we'd like to continue or move on to the next topic.
6. If we continue, after 15(?) minutes, we all move on to the next topic of discussion.
7. At 7pm, we wrap up and officially end. Before everyone leaves, we vote on the next restaurant that we'll meet at.

This is [inspired by Lean Coffee](https://agilecoffee.com/leancoffee/), and intended for participants to be collaborators in the conversation focused on AppSec & ProdSec topics. *You are expected to participate in the AppSec/ProdSec conversations constructively if you attend*. This isn't the place for BizDev focused conversations.

For the location selection, here are the considerations we work with:

1. It must be within 1 "city block" of the Melbourne Free Tram Zone.
2. The typical price for a whole meal (without alcohol) should be under $50 per person.
3. It must allow individual orders - you'd be ordering and paying for your own meal.
4. It will need to have seating space for the group to, say, just walk in to the restaurant (this may change if it grows beyond 10 regular attendees).
5. It must be quiet enough for us to have meaningful conversations.
6. It must not be a restaurant we've been to in the past 6 months. (Just to keep things fresh.)

Also, although we use the word “restaurant”, this is used broadly to mean food establishment - if we’re all keen on hitting up a decent kebab place, that works. As a courtesy to the venue, there's an expectation that you'd order something there.



April 03, 2025


Event: Meetup OWASP - Paris - April 2025

Group: France

Time: 19:00+02:00 (Europe/Paris)

Description: This meetup will take place at **[Theodo](https://www.theodo.fr/)**, whom we warmly thank for their support.

OWASP Paris is the meetup dedicated to application security. As a reminder, the meetup is intended to be non-commercial. It brings together anyone who wants to design and maintain more secure software. If you are interested in the subject, whether you are a beginner or an expert, feel free to join us to share your experiences or your problems.

This meetup offers sessions organized in an "open forum" format. Topics are proposed by the participants during the session. Knowledge sharing, lessons learned, CTF-style exercises, best practices, governance and organization, ... are all on the program!

**Lightning Talks:** The evening starts with short presentations. Anyone who wants to can propose a presentation; it is not mandatory. If you feel like sharing a technique, an opinion, a demo or some lessons learned, you can prepare a lightning talk, anywhere from a single sentence to 10 minutes max, and come present it at the start of the evening. If you have never given a presentation before, this is the chance to start in a friendly atmosphere.

**Workshop:** The evening continues with group activities. Anyone who wants to can propose a topic; it is not mandatory. You have 30 seconds at the start of the session to get the other participants interested, then everyone votes for their favorite topic. The preferred topics become group activities for a little over an hour. Screens will be available.

The format is meant to be welcoming. You don't need to be an expert to talk about a topic. You will certainly find other people to help you! The emphasis is on exchange and sharing.

The agenda and minutes of previous meetups are available here: https://owasp.org/www-chapter-france/


Event: OWASP NYC Chapter: Application Security Cocktail Party “Its for Fun”

Group: New York City

Time: 18:00-04:00 (America/New_York)

Description: Dive into the world of Application Security with the OWASP NYC Chapter!

# AppSec Cocktail Party sponsored by Saran Toure of Invicti

This isn’t just a happy hour—it’s an AppSec celebration! Join us at The Liberty NYC for an exclusive, invite-only gathering of top application security minds. Connect with fellow experts, enjoy great food and drinks, and dive into conversations that spark innovation. Yes, it's a bring in the "Spring-Time" Jubilee!!! Yes, you can bring along a Security Minded Friend.

**Where:** The Liberty NYC, 29 W 35th St, New York, NY 10001 (Between 5th & 6th Avenue)

**Date**: April 3, 2025 from 6-9 PM

Don't miss this opportunity to network with like-minded individuals, share experiences, and stay updated on the latest trends in Information Security. Whether you are new to OWASP or a long-time member, this workshop is designed to provide valuable insights into how to effectively secure your applications in today's threat landscape. Mark your calendars and join us for an engaging Happy Hour on Application Security!



April 06, 2025


Event: AI Day Bhopal

Group: Bhopal

Time: 13:00+05:30 (Asia/Kolkata)

Description: AI Day Bhopal is a full-day event designed to empower developers with Generative AI skills while emphasizing the critical role of **security in AI-driven applications**. Whether you’re a backend developer, an Android or Flutter enthusiast, a security researcher, or simply passionate about AI, this event provides a unique platform to **learn, share, and network with industry experts.**

**Why Should You Attend?**

* **Expert-Led Talks & Keynotes** – Gain insights from AI pioneers, security professionals, and industry leaders on **AI/ML security, web security, and software security challenges in AI applications.**
* **Hands-on Workshops** – Explore cutting-edge AI & ML techniques along with **best practices for securing AI models, APIs, and software infrastructure.**
* **AI-Thon (Hackathon)** – Tackle real-world challenges while integrating **AI-powered security mechanisms** into your solutions.
* **Startup & Product Showcase** – Discover innovative AI products and learn about **security considerations in AI-based platforms.**
* **Web & Software Security in AI** – Understand **threats like adversarial attacks, model poisoning, and API vulnerabilities** in AI applications, with insights from **OWASP Bhopal & ML Bhopal.**
* **Networking & Community Building** – Meet AI & security enthusiasts, **engage with the OWASP and ML community**, and build valuable connections.
* **Swags, Giveaways & Career Opportunities** – Exclusive goodies, internship/job opportunities & more!

**Join us for an AI-powered, security-focused experience!**



April 08, 2025


Event: [In-person Meetup] OWASP Chapter SP - Supported by: Oracle

Group: Sao Paulo

Time: 19:00-03:00 (America/Sao_Paulo)

Description: In this in-person OWASP São Paulo Meetup, we will dive into the real challenges of information security with two specialists who live the day-to-day of cybersecurity at a high level.

Michel Roitman will give the talk **“Banco de Dados Sob Ataque”** (Databases Under Attack), presenting the main attack vectors that compromise data security in organizations. From SQL injection to configuration and cryptography flaws, he will show how to identify vulnerabilities, understand the level of exposure and apply effective controls.

Next, Marcelo Marcon brings the talk **“Segurança da Informação e Ameaças no Cenário Global”** (Information Security and Threats in the Global Landscape), offering a broad view of the international cyber threat environment. Drawing on his experience in the public and private sectors, he shares insights on increasingly sophisticated and coordinated attacks, highlighting the importance of anticipation and agile response. An essential conversation for understanding information security as a critical pillar of business continuity.

**Want to learn from specialists, exchange experiences and strengthen your network in cybersecurity?** Secure your spot and come connect with the community!

Link: [https://4soci.al/owaspsp](https://4soci.al/owaspsp)


Event: OWASP Stockholm - GitHub Runners Takeover @ Kivra

Group: Stockholm

Time: 17:30+02:00 (Europe/Stockholm)

Description: **Join us** for the second OWASP Stockholm event of the year. This time Kivra is hosting and Dr. Pedro Merino will present about GitHub runners and vulnerabilities that you should be aware of.

**When:** 8th of April, 17:30 - 21:00

**Where:** Klara Norra kyrkogata 33, Kivra AB

**Agenda:**

* 17:30 - 18:00 Gathering and mingling
* 18:00 - 18:05 Doors close and intro
* 18:05 - 18:50 First speaker
* 18:50 - 20:30 Mingle, food will be provided

**More about the talk:** GitHub Actions self-hosted runners offer faster deployment and greater control for CI/CD, but they also bring security risks when misconfigured. This presentation shows how an attacker with limited access to a GitHub organization may craft a malicious workflow to execute arbitrary commands and take over a GCP instance.

**About the speaker:** **Dr. Pedro Merino** is a Security Engineer at Kivra, specializing in CI/CD security and threat modeling. With a Ph.D. in International Private Law, Pedro transitioned from finding loopholes in legal texts to uncovering security vulnerabilities in software. If there's a way in, he'll find it. Outside of cybersecurity, he’s either training for a triathlon or diving into ancient history books.



April 09, 2025


Event: Security Social Lunch Hours

Group: Seattle

Time: 12:00-07:00 (America/Los_Angeles)

Description: At noon on the 2nd Wednesday of every month we host a social meeting on Zoom with mini talks and breakout rooms. The main room will always be open for social time, but we plan to have 1-2 topic breakouts you can join. If the breakout session topic interests you, join that discussion. Feeling more like a casual chat and exploring other topics? Visit the main room to strike up a conversation. Suggest topics you’d like to see breakout rooms for and let us know if you’d like to sign up to lead one.

Slack: #chapter-seattle (https://bit.ly/owasp-seattle-slack)

Email: seattle-chapter@owasp.org (https://groups.google.com/a/owasp.org/g/seattle-chapter)


Event: April community call - OWASP SAMM

Group: Samm

Time: 15:30-04:00 (America/New_York)

Description: During our next community call we'll share project updates and, as always, we'll have time for Q&A. See you there!



April 10, 2025


Event: OWASP Security and Compliance by design

Group: Gothenburg

Time: 17:30+02:00 (Europe/Stockholm)

Description: Welcome to a unique event where Agnes Hammarstrand (Partner and Lawyer at Delphi Law Firm), Rikard Bodforss (CEO of Bodforss Consulting), and Tobias Ahnoff (Head of Cybersecurity at Omegapoint) clarify how new and upcoming regulations such as NIS2, CRA or DORA affect those of us who build, develop, and maintain applications:

* **What do these new regulations mean in practical terms for DevOps teams and organizations at large?**
* **How do we create secure, “compliant by design” applications and systems?**
* **What changes, risks, and opportunities lie ahead as regulations continue to multiply?**

During this session, you will gain insights into how these directives are designed to strengthen security and what concrete measures are required of organizations. We will discuss everything from the distribution of responsibilities and practical implications to how you can prepare to effectively meet today’s and tomorrow’s regulatory demands. Through presentations and a panel discussion, you will get:

* **Expert analyses of the legal landscape for IT and cybersecurity.**
* **Hands-on advice on how to design robust processes and technical solutions that meet requirements.**
* **Tips on how DevOps organizations can integrate compliance into their daily work without compromising on innovation and efficiency.**

By understanding the fundamentals of these new regulations and learning from the experts’ experiences, you will gain a better understanding of security and compliance by design. Don’t miss the chance to get your questions answered and network with others in the industry!

**Agenda:**

* **17:30 - 18:00:** Doors open to Omegapoint, grab a sandwich and beverage
* **18:00 - 18:30:** Agnes Hammarstrand will introduce NIS2 from a legal perspective.
* **18:30 - 19:00:** Tobias Ahnoff will speak about Security and Compliance: How do we create applications that are both secure and compliant by design?
* **19:00 - 19:10:** Short break
* **19:10 - 19:40:** Panel Discussion with Agnes, Tobias and Rikard
* **19:40 - 22:00:** Mingle and snacks

**Agnes Hammarstrand** is one of Sweden’s leading experts in IT/tech and cyber law. Her specialist expertise includes data protection/GDPR, commercial tech and IT agreements, cloud services, and cyber and information security law. Agnes has extensive experience assisting companies with drafting and negotiating contracts and giving advice within the tech sector. Together with her leading team here in Göteborg, she helps businesses navigate legal matters. Two years in a row Agnes was voted "Lawyer of the Lawyers," meaning the attorney that the most lawyers and associate lawyers in Sweden would choose to hire for a business law matter (in all categories).

**Tobias Ahnoff** is an experienced developer and architect with a focus on application security. He specializes in implementing authentication flows and authorization for web applications and APIs that manage sensitive data in the bank, finance, and health sectors. Tobias performs security reviews and penetration tests as part of Omegapoint Cybersecurity Gothenburg, a group of experts in application security. He is also a member of the OWASP ASVS working group and co-author of [securityblog.omegapoint.se](http://securityblog.omegapoint.se/).

**Rikard Bodforss** is a founding partner and CEO of Bodforss Consulting, a company focusing on cyber and information security for national critical infrastructure. He is highly experienced in security governance, with a strong background in technical security and infrastructure. He has led the IT forensic practice within the Volvo Group and has extensive experience in building and managing international teams. Additionally, he has overseen IT and security operations in public critical infrastructure environments and has been the CIO for the city of Gothenburg Sustainable waste and water. He possesses deep expertise in crisis management and security incident response, ranging from cyber intrusions to dawn raid scenarios. Furthermore, he has a strong understanding of international laws related to cyber security, digital forensics, eDiscovery, and data protection.


Event: OWASP Leiria Meetup #2 - “Leiria Pine Forest”

Group: Leiria

Time: 18:00+01:00 (Europe/Lisbon)

Description: **OWASP Leiria** is excited to invite you to an engaging evening filled with technology insights, networking opportunities, and inspiring discussions. We are **collaborating with Leiria Tech Talks, OutSystems, StartUp Leiria,** and **the Ministry of Testing Leiria** to bring together the tech community for another enlightening event. A **special thanks** to our fantastic **sponsors**, **Synvert xgeeks, StartUp Leiria,** and **Fnac Leiria**, for making this event possible!

**Date:** April 10th, 2025

**Time:** 18:00 - 22:00

**Location:** Auditório FNAC, LeiriaShopping

**Agenda:**

**18:00 – Check-in & Networking** Kick off the evening in a relaxed setting, perfect for connecting with fellow professionals before the talks commence.

**18:30 – Event Opening** Hosted by Francisco (StartUp Leiria) & Fábio (Leiria Tech Talks)

**18:45 – Talk 1: Vibe Coding: Fad or Future?** David Alecrim & Luís Oliveira (Staff Engineers @ xgeeks)

*Abstract:* Discover how AI is reshaping software development through vibe coding—where intuition meets engineering. From indie projects to enterprise systems, learn when to adopt this paradigm shift and its implications for the future of development.

**19:15 – Talk 2: HTML Smuggling to EDR Bypass** Milton Araújo (Security Researcher)

*Abstract:* Delve into how cybercriminals utilize HTML Smuggling to circumvent traditional security measures like Antivirus (AV) and Endpoint Detection and Response (EDR) solutions. This session will explore the nuances of this stealthy attack method, showcasing how malicious payloads can be discreetly delivered to target devices via browsers while evading standard security protocols.

**19:45 - 20:00 – Break / Networking** Take a moment to grab a snack, stretch, and connect with other attendees.

**20:00 – Talk 3: Modernizing the DBA: Embracing DBaaS for Efficiency and Automation** Diogo Passadouro (Senior Engineering Manager @ La Redoute)

*Abstract:* Investigate the transition to Database-as-a-Service (DBaaS) and its impact on modern database management. Learn how adopting DBaaS solutions can enhance efficiency, automation, and seamless integration across various tech platforms.

**20:30 – Talk 4: Faster Laps in the Software Development Life Cycle** Nuno Reis (MVP @ OutSystems)

*Abstract:* Explore how OutSystems is speeding up the Software Development Lifecycle (SDLC) by optimizing application delivery through a low-code approach. Discover how AI and visual development work together to enhance efficiency while ensuring security and high-quality standards.

**21:00 - 22:00 – Pizzas, Networking & Event Closing**

**Reserve Your Spot:** Don’t miss this incredible opportunity! All our partners will be promoting the event, and you can RSVP through any of them—your entry will be validated! Remember, spots are limited, so be sure to secure yours today! We can’t wait to see you there!



April 11, 2025


Event: AI for AppSec - A discussion of AppSec Best Practices

Group: San Antonio

Time: 11:00-05:00 (America/Chicago)

Description: **AI Use Cases for AppSec - A discussion of AppSec Best Practices**

11am-2:30pm for session

2:30pm-3:30pm for happy hour

**Details**

Topics (see abstracts below):

* **Host Intro - Potential AI use cases for Application Security**
* **Leveraging AI for Vulnerability Identification - NowSecure**
* **AI coding agents - Risks and Benefits - Endor Labs**
* **AppSec for AI AND NHI (Non Human Identity) - Graylog**
* **Shadow AI and AppSec: What You Don’t Know Will Get You! - ByteWhisper**

**Lunch Provided**

Scuzzi’s Italian Restaurant - 4035 N Loop 1604 W #102, San Antonio, TX 78257

HAPPY HOUR & DEMO LAB networking after session!! Snyk, Rapid7

**ZOOM** link provided below for remote attendees

Join Zoom Meeting **https://ftsc.zoom.us/j/87354552283?pwd=riuQYJOQfGAjjEkAoY2eb5YORAvU7D.1**

Meeting ID: 873 5455 2283

Passcode: 994707

We encourage everyone to attend in person. We will have door prizes and excellent food for all to enjoy, as you take advantage of this excellent networking opportunity! Please feel free to pass this information on to your peers and team members.

Please reply **“ONSITE”** if you plan on attending in person so we can finalize the headcount for food and room attendance.

**Presentations will include:**

**Host Intro** - Potential AI use cases for Application Security

***I.* Leveraging AI for Vulnerability Identification - NowSecure**

Artificial intelligence (AI) language models are emerging as valuable tools for mobile security analysts and developers, offering significant benefits such as aiding in structured vulnerability assessments or [generating code](https://www.nowsecure.com/blog/2023/08/23/key-security-considerations-for-ai-coding-assistants-in-mobile-devsecops/). However, limitations such as “hallucinations”, in which the model generates inaccurate or misleading outputs, highlight the importance of human oversight in managing [risk posed by AI](https://www.nowsecure.com/blog/2024/11/13/the-ai-expansion-of-the-mobile-app-attack-surface-2/). This talk covers a novel approach for recovering application source code, leveraging AI language models to transform pseudo-disassembly into high-level source code. This method is able to handle complex abstractions introduced in high-level languages such as SwiftUI or Dart and generates output in popular programming languages like Swift, C#, Kotlin, Java, Python or even Bash.

***II.* AI coding agents - Risks and Benefits - Endor Labs**

The proliferation of AI coding agents will accelerate the production of code, but what are the risks associated with this acceleration? In many ways the core challenge to securing these outputs will be the familiar fundamental challenges that appsec has always faced: maintaining an understanding of your inventory and risk posture, conducting security assessments at scale, and managing processes for risk acceptance and remediation. Good appsec fundamentals will be critical in the new era of AI generated code. But coding agents also introduce novel concerns born from the inherent differences between these agents and human developers, as well as the additional layers of abstraction which will become intrinsic to AI development: understanding how to vet and validate non-human agents, identifying the operational risks posed by agents trained on open source, and the complexity of managing code developed through natural language will all require the development of new practices in appsec. This talk will look at some of the new risks that will arise in the era of large scale AI code development, and discuss possible paths forward for deploying such agents in a secure way.

***III.* AppSec for AI AND NHI - Graylog**

As we're empowering NHIs (**Non Human Identities**) to take on greater responsibilities, it's smart to wonder how we'll keep these good bots in bounds. This isn't possible to answer without acknowledging a dirty little secret -- while modern software is already driven by bots, modern security tools fall short in observing and regulating interactions between bots and APIs, whether those bots are trusted NHIs or malicious attackers. This session dispels a few myths about bots and bot detection and shows a few practical considerations and techniques to identify and block high-risk activities.

***IV.* Shadow AI and AppSec: What You Don’t Know Will Get You! - ByteWhisper**

The over-the-top headlines about artificial intelligence (AI) have only been outstripped by the breakneck speed at which many are adopting AI to transform their organizations. Shadow AI creates significant security exposures, like development teams processing sensitive customer data through unauthorized AI tools, or creating mission-critical solutions using unvetted open-source AI models. This session will focus on where Shadow AI and appsec intersect – the coding co-pilots, the platforms, and the risks that they represent to your organization. This session will provide an overview of Shadow AI, how application development might unknowingly create Shadow AI, and tools to identify and mitigate Shadow AI.


Event: OWASP SAMM Community Call (Europe-Asia)

Group: Samm

Time: 08:00-04:00 (America/New_York)

Description: The SAMM Core team is happy to host a community call during a more friendly time for users in EU and Asia. This is not a replacement of the regular community call. We will share any project news and updates during the call. We also encourage bringing your SAMM questions and we are happy to discuss them.



April 12, 2025


Event: AI and Cybersecurity: Navigating the Future

Group: Cairo

Time: 10:00+02:00 (Africa/Cairo)

Description: Join us for an insightful event where we delve into the intersection of artificial intelligence and cybersecurity. This event will feature two expert-led sessions that explore the impact of agentic AI on cybersecurity and provide a beginner's guide to vulnerability research. Whether you're a seasoned professional or just starting out, this event offers valuable knowledge and networking opportunities. ### Session 1: Agentic AI and the Impact on Cybersecurity **Speaker: Ahmed Shosha** **Brief:** In this session, Ahmed Shosha will explore the concept of agentic AI and its implications for cybersecurity. Attendees will learn about the potential risks and benefits of AI-driven systems, how they can be leveraged for both offensive and defensive cybersecurity strategies, and the ethical considerations that come with deploying such technologies. ### Session 2: Intro to Vulnerability Research: How to Start **Speaker: Fady Othman** **Brief:** Fady Othman will provide a comprehensive introduction to vulnerability research. This session is designed for those new to the field and will cover the basics of identifying, analyzing, and mitigating vulnerabilities in software and systems. Attendees will gain practical insights and tips on how to embark on a career in vulnerability research. ### Additional Information: * **Date and Time:** Saturday, April 12th, 2025, from 10:00 AM to 12:00 PM


Event: Cloud Security Best Practices: Securing Your Data in the Cloud

Group: Rewa

Time: 16:00+05:30 (Asia/Kolkata)

Description: Join OWASP Rewa Chapter for an in-depth discussion on Cloud Security Best Practices, focusing specifically on securing online payments. Our expert speakers will delve into the importance of implementing strong security measures in cloud computing to safeguard online transactions and protect sensitive financial information. Learn about the latest trends, technologies, and strategies in cloud security to mitigate risks and strengthen your payment systems. This event is perfect for professionals in the fields of Data Science, Information Security, and Cybersecurity, as well as anyone interested in learning how to enhance the security of online payments. Don't miss this opportunity to network with like-minded individuals, expand your knowledge on cloud security, and stay ahead in the ever-evolving landscape of digital banking and online transactions.



April 13, 2025


Event: OWASP Gothenburg: Open-Source X FOSS-North & WirelessCar

Group: Gothenburg

Time: 13:00+02:00 (Europe/Stockholm)

Description: We’re excited to invite you to an evening of insightful cybersecurity talks with an open-source twist! Join us for a community day where we jump the gun for the upcoming FOSS-North conference. WirelessCar is proud to host this event, where we’ll dive into open-source security, red team operations, psychological safety, and more. Whether you’re a seasoned pro or just starting your journey in cybersecurity and open source, this is a perfect opportunity to learn, share, and connect with like-minded professionals. **Agenda Highlights:** **13:00 - 13:30 OWASP Dependency-Track: Commercial Implementations** Take a closer look at OWASP’s Dependency-Track, a powerful platform for tracking and managing software components. We’ll see how organizations use it in real-world, commercial environments to improve visibility, mitigate risks, and maintain continuous security. **13:45 - 14:30 CodeQL and SAST: Practical Application in Secure Development** Learn how CodeQL and Static Application Security Testing (SAST) can be integrated into your development process. Gain insights into how these tools streamline vulnerability detection and help teams ship more secure code. **15:00 - 15:45 When Trust Becomes a Threat – Psychological Safety as a Defense Against Compliance & Manipulation** Sometimes, silence can be the biggest vulnerability. Learn about the real-world consequences when no one challenges assumptions, and discover practical ways to foster a culture of psychological safety. This talk will highlight how trust without open dialogue can lead to catastrophic outcomes—and how to protect against it. **16:00 - 17:00 Open-Source Red Team Operations: Borrowed Tools, Real Risks** This talk explores the high-speed world of red teaming with free, community-built tools. You’ll hear how readily available open-source software empowers small teams on tight budgets, but also introduces hidden pitfalls.
Understand where open-source solutions can be a huge advantage—and where they can become a dangerous liability. **Event Speakers:** * **Daniel Wester** is an experienced change facilitator and team developer, and co-founder of Both&More AB. He supports organizations in driving value-focused transformation, enabling effective collaboration, and creating psychologically safe environments in complex, global settings. * **Martin Berg** is an experienced organizational consultant and leadership coach, and co-founder of Both&More AB. He helps teams and leaders navigate complexity, strengthen collaboration, and build cultures grounded in psychological safety and continuous improvement. * **Nima Statius** is a security expert with nearly two decades of experience in the field. With a broad technical skill set spanning offensive security and incident response, combined with a background in behavioral science and criminology, he brings a unique perspective on adversarial behavior and threat actor tactics. As an internationally recognized instructor in defense tactics, Nima blends deep technical expertise with an understanding of human behavior, helping organizations strengthen their defenses against both digital and physical attacks. * **Mikael Carneholm** is a Computer and Data Scientist with a passion for Machine Learning, Automation, Cloud and Container Technology. He possesses a technical depth like few others. He is thorough and sets the bar high in regard to quality and maintainability of the code he writes. Mikael is one of the contributors to OWASP Dependency-Track and during the event sheds light on how it is used and developed. * **Viktor Lindström** is a Security Architect at WirelessCar, adept at crafting and communicating security frameworks to ensure solutions are robust and compliant.
With a strong background in IT security, agile development, and cloud technologies, he expertly navigates the landscape of security standards and risk management, guiding teams towards achieving WirelessCar’s security objectives.



April 15, 2025


Event: OWASP Meeting in Krakow - Cryptography

Group: Poland

Time: 18:00+02:00 (Europe/Warsaw)

Description: **Important note first:** Unfortunately our previous venue, Techies', is temporarily closed, so this time we are holding this meeting with [Zendesk KRK](https://www.meetup.com/zendesk-krk/) at the **[Zendesk Connect](https://www.linkedin.com/company/zendesk/) office**. ***Use this [sign-up link](https://docs.google.com/forms/d/e/1FAIpQLSdvj6iOdA_dD5tO9sYfRgD2Ko1jKaUiPSUndh4Fxr-YgFXOpg/viewform) to streamline your walk-in to the Zendesk office and secure your spot at this inspiring event.*** Join us for a deep dive into cryptographic failures with **[Iwona Polak (IGNIS)](https://www.linkedin.com/in/iwona-polak/)**! Expect a mix of math, live demos, and real-world security mishaps, followed by an open discussion on challenges, common mistakes, and best practices. Don't miss out—RSVP now and spread the word! Agenda: 1. **When cryptography let us down - or maybe we let the cryptography down?** *[Iwona Polak (IGNIS)](https://www.linkedin.com/in/iwona-polak/)* Cryptography is meant to serve and protect us, but sometimes it brings us to tears. During the presentation, I will show how we can hurt ourselves with cryptography. There'll be a little bit of math, and a lot of demos. 2. After the break, we will be hosting a **discussion about cryptography in use**. Any examples of real-world cryptography failures? What are the challenges in reliably implementing cryptographic security? What are the most common cryptography programming errors that lead to security breaches? Is there a risk that legal regulations may hinder the implementation of modern cryptographic solutions? How do we train development teams on the proper use of cryptography? Why do people still roll their own cryptography in production environments, after decades of being told not to do that?
**Please RSVP and save the date!** ***Use this [sign-up link](https://docs.google.com/forms/d/e/1FAIpQLSdvj6iOdA_dD5tO9sYfRgD2Ko1jKaUiPSUndh4Fxr-YgFXOpg/viewform) to streamline your walk-in to the Zendesk office and secure your spot at this inspiring event.*** If you have a minute, **please share this invitation** with friends and on your social media. **Who is our host?** **[Zendesk](https://www.linkedin.com/company/zendesk/)** is a global tech company that creates customer service software and products that help more than 145,000 global brands (Airbnb, Uber, JetBrains, Slack, among others) make their customers happy, every day. The Polish hub, with its main office in Krakow, is one of Zendesk's key European centers for software developers and security specialists, with 300+ members and continuing to grow. * Headquarters: SF * Global offices: 15 * Employees: 5,700+ * Customers: 145K+



April 16, 2025


Event: Denver OWASP April Meetup - Join Us! (Later start time this month)

Group: Denver

Time: 18:00-06:00 (America/Denver)

Description: **Everyone is welcome! Bring a friend...** Join us on April 16th for food, drinks, networking and an exciting presentation. Networking with your peers starts at 6:00 pm - the presentation starts at 6:30 pm. ***Note***: This time is a little later than usual as someone else has our usual room until 5:00 pm and D&B will need time to turn over the room. This month's presentation is brought to you by SquareX! **Presentation:** The Attacker’s Distributed Supercomputer: Your Browser **Abstract**: As the browser transforms into the primary computing platform, new vulnerabilities are surfacing that existing security architectures are not prepared to tackle. This gap leaves enterprises exposed to risks like client-side exploits, unmonitored communication channels, and last-mile reassembly tactics, which exploit the browser's complexity beyond the reach of traditional tools. This talk explores how the shift to browser-centric workflows has uncovered a critical weak spot at the very heart of organizations around the world, currently unprotected by conventional security measures, allowing both internal and external threat actors to bypass controls.


Event: Our Favorite OWASP Projects

Group: Nashville

Time: 19:00-05:00 (America/Chicago)

Description: Join our chapter leaders to discuss our favorite OWASP projects and how we use them in our work! This is a great opportunity to get exposure to the work that OWASP does and to learn a bit more about what your membership fees (if you are a paid member) help support.



April 17, 2025


Event: Why you need to care about the EU’s Cyber Resilience Act

Group: Columbus

Time: 18:00-04:00 (America/New_York)

Description: The EU's Cyber Resilience Act is a groundbreaking regulation designed to enhance cybersecurity standards for products with digital components. It aims to address widespread vulnerabilities and ensure manufacturers take responsibility for the security of their products throughout their lifecycle. This act introduces mandatory cybersecurity requirements for manufacturers and retailers, covering the planning, design, development, and maintenance of digital products. It also emphasizes transparency, enabling consumers and businesses to make informed decisions about the cybersecurity of the products they purchase. CRob will explain why all of that still really, really matters to us here in the US.


Event: From Adversaries to Allies: Developers and AppSec, a Love-Hate-Love Relationship

Group: Indianapolis

Time: 17:30-04:00 (America/New_York)

Description: We are excited to partner with **Central Indiana ISSA** for our April meeting. We have two great presentations scheduled for this upcoming meeting. ***Please register at their link, for our hosts to get an accurate count:*** [https://www.eventbrite.com/e/central-indiana-issa-chapter-meeting-april-2025-tickets-1292924625359](https://www.eventbrite.com/e/central-indiana-issa-chapter-meeting-april-2025-tickets-1292924625359?aff=oddtdtcreator) **Presentation One**: Title: Insights from a Chief Security and Trust Officer **Speaker: Mike Towers, Chief Security and Trust Officer at Veza** Topics will include: * Transforming Identity Security with Intelligent Access * The Identity Security challenge * The need for a new approach * Enabling important business initiatives * Vision for Identity Security * Finally achieving least privilege As the founder of Digital Trust Group LLC and a distinguished executive, Mike specializes in digital security, trust, and business resiliency. Prior to joining Veza, he served as Takeda’s Chief Digital Trust Officer and held leadership roles at Allergan and GSK, where he developed robust security frameworks. Mike has been influential in over 50 M&A deals and has been honored by the CSO Hall of Fame. A respected speaker, author, and board advisor to multiple companies, Mike is dedicated to responsible innovation, data protection, and industry knowledge sharing. Based in Boston, he continues to make significant contributions to the field of digital trust and security. **Presentation Two**: Title: **From Adversaries to Allies: Developers and AppSec, a Love-Hate-Love Relationship** **Speaker: Peter Chestna, CISO at Checkmarx** AppSec is hard. Great AppSec is really hard. Over almost 2 decades, Peter Chestna has consulted on and observed hundreds of AppSec programs. He's even built a few of his own.
The similarities are striking, and the impact and outcomes in these programs are stymied by common misconceptions about the goal of AppSec and the results we should be seeking. In general, we find too much, fix too little, and do almost nothing to prevent new vulnerabilities. We have built a world where we attempt to report and goal our way to victory. How's that working for us? We need to rebalance our efforts across these three pillars and put the emphasis where it belongs. The accumulation of security debt is burying us all under a mountain of exception processing and annual recertification. Stop the madness! Whether you are a security leader or a development leader, Peter has practical guidance for you. In this presentation, Peter hopes to convince you that by shifting your current focus, you can drastically improve the results you get from your efforts. In this talk, Peter will describe how to: 1. Turn developers from adversaries to allies. 2. Modify your controls to reflect reality and make compliance feel better. 3. Put the effort of your finite resources into places that will have the greatest impact. 4. Elevate your AppSec program to a level of excellence through effective developer engagement. **Dinner Sponsorship: Brooksource** **Parking Information:** See picture below for parking and entrance information. **Evening Agenda:** 5:30 – 6:00 pm > Networking and Food (**in-person only**) 6:00 – 6:15 pm > Central Indiana ISSA Introduction and Chapter Business 6:15 – 7:30 pm > Meeting Speaker(s) 7:30 – 8:00 pm > Brooksource Social (Rooftop Bar) / Cleanup **Please note that the location for our chapter meetings is Brooksource, located at 6215 College Avenue, Indianapolis, IN 46220.** **PLEASE ARRIVE as close to 6:00 pm as you can.** ![](https://img.evbuc.com/https%3A%2F%2Fcdn.evbuc.com%2Fimages%2F988552403%2F53386386960%2F1%2Foriginal.20250320-145032?h=740&w=1200&auto=format%2Ccompress&q=75&sharp=10&s=f5f6e341efbde307a59f5189215f5551)


Event: April 2025 OWASP Chapter Netherlands Meetup

Group: Netherlands

Time: 19:00+02:00 (Europe/Amsterdam)

Description: This is an online meeting and will be streamed on YouTube. The meeting will start at 19:00. See [https://owasp.org/www-chapter-netherlands/upcomingevents](https://owasp.org/www-chapter-netherlands/upcomingevents) for more information about the OWASP Netherlands chapter. 19:00 - 19:10 - **Welcome and OWASP updates** 19:10 - 19:55 - **OWASP Top 10 for LLM Apps and Gen.AI Security** by **John Sotiropoulos** 19:55 - 20:05 - **Questions and Break** 20:05 - 20:50 - **Building a Robust AppSec Program: SAMM’s Roadmap to SSDLC Maturity** by **Nariman Aga-Tagiyev** **OWASP Top 10 for LLM Apps and Gen.AI Security** *Abstract:* The OWASP Top 10 for LLM Apps has been a highly successful project, creating the foundation for many other project initiatives including Agentic AI, Red Teaming, and LLM Exploit Generation. This session will provide a project update with an overview of the latest 2025 Top 10 for LLM apps and the new project initiatives. *Bio:* John Sotiropoulos is the head of AI Security at Kainos, where he is responsible for AI security and securing national-scale systems in government, regulators, and healthcare. A co-lead of the OWASP Top 10 for Large Language Model (LLM) Applications, John leads the Agentic Security Initiative and alignment with other standards organizations and national cybersecurity agencies including NIST, MITRE, CSA, the NCSC, and the US AISIC, where he is the OWASP lead. He is the author of the bestselling book on Adversarial AI, Attacks, Mitigations, and Defense Strategies and more recently he authored the UK Government’s Implementation Guide for the UK Code of Practice for the Cybersecurity of AI, both submitted to ETSI for international standardization. **Building a Robust AppSec Program: SAMM’s Roadmap to SSDLC Maturity** *Abstract:* In this talk, we will explore how the OWASP Software Assurance Maturity Model (SAMM) provides a structured approach to building and improving an organization’s Secure Software Development Lifecycle (SSDLC).
From assessing current AppSec practices to defining a practical roadmap for maturity, this talk will guide you through SAMM’s core pillars and actionable best practices. Whether you’re just starting or looking to refine your AppSec program, this session offers insights into fostering sustainable change and aligning security with business objectives. *Bio:* Nariman Aga-Tagiyev is an Application Security Architect with over two decades of experience in software development. Over the course of his career, Nariman has worn multiple hats, serving as a full stack web application developer, backend developer, DevOps engineer, and cloud developer. However, since 2016, his focus has been exclusively dedicated to the realm of Application Security and advancing Software Security Development Life Cycle (SSDLC) maturity.


Event: The Dark side of AI: Developing insecure applications in minutes!

Group: Northern Virginia

Time: 18:00-04:00 (America/New_York)

Description: AI is the ultimate accelerant for application development - its power unmatched - but without balance and control, it can quickly ignite new risks, turning potential into destruction. Explore the tangible impact of AI-generated code in this session by playing with fire: using GPT-driven prompts, we'll build a fully functional application, and in real time, we'll uncover how common security flaws like SQL injection, cross-site scripting, and weak authentication can manifest in AI-generated code. Through hands-on exploration, we'll walk through the potential impact of these vulnerabilities and how these risks could be avoided with secure coding practices, defined policies, developer guardrails, and thorough security audits and code review. By the end of the session, you'll have a deep understanding of how to: * Recognize and assess the risks AI introduces in your code. * Implement secure coding practices and enforce security policies. * Integrate security audits, code reviews, and testing into your development workflow to ensure AI-generated code is safe for production. This session is vendor agnostic and designed to empower you to reap the benefits of AI without sacrificing security.



April 19, 2025


Event: OWASP Yaounde First Chapter Meeting

Group: Yaounde

Time: 14:00+01:00 (Africa/Douala)

Description: [English] First OWASP Yaounde chapter meeting. Schedule: * Introduction and Welcome by Ernest Mougoue and Valery Melou * Talk: "What to Expect From the OWASP Yaounde Chapter" by Ernest Mougoue * Networking Speakers: Ernest Mougoue Ernest is a Chapter Lead for OWASP Yaounde. He has 12+ years of experience in the software security field, having worked as a consultant or cybersecurity team leader for some of the largest companies in the United States. More recently, he is the co-CEO of MBOA DIGITAL, building the Cybersecurity practice. Valéry Melou Valéry is a Chapter Lead for OWASP Yaounde. Coming from a self-taught background, he is an exceptional and atypical full-stack web developer. He honed his skills developing for various clients as a freelancer on online platforms before joining MBOA DIGITAL over 5 years ago. Today he is the CTO of MBOA DIGITAL focusing on AI research with some interest in Cybersecurity. ----------------------- [French] First OWASP Yaoundé chapter meeting. Schedule: * Introduction and welcome by Ernest Mougoue and Valéry Melou * Talk: "What to expect from the OWASP Yaoundé chapter" by Ernest Mougoue * Networking Speakers: Ernest Mougoue Ernest is a chapter lead for OWASP Yaoundé. He has more than 12 years of experience in the field of information security, having worked as a consultant or cybersecurity team lead for some of the largest companies in the United States. More recently, he is the co-CEO of MBOA DIGITAL, where he is building the cybersecurity practice. Valéry Melou Valéry is a chapter lead for OWASP Yaoundé. Coming from a self-taught background, he is an exceptional and atypical full-stack web developer. He honed his skills developing for various clients as a freelancer on online platforms before joining MBOA DIGITAL more than 5 years ago.
Today he is the CTO of MBOA DIGITAL, focusing on artificial intelligence research with an interest in cybersecurity.



April 21, 2025


Event: AppSec in Action: Navigating SAST, SCA & DAST with Threat-Driven Remediation

Group: Jacksonville

Time: 18:30-04:00 (America/New_York)

Description: In this session, we will walk through the fundamentals of modern application security, focusing on three key types of scanning: Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Dynamic Application Security Testing (DAST). We’ll look at common tools for each type of scan, what kinds of issues they’re designed to catch, and how to prioritize and address those issues based on real-world risk. This is a high-level overview designed for anyone looking to get a clearer picture of how these tools work together to improve code and application security. Presented by J.P. Pesare.



April 23, 2025


Event: OWASP LA Monthly In-Person Meeting - Apr 23, 2025

Group: Los Angeles

Time: 17:30-07:00 (America/Los_Angeles)

Description: **TOPIC**: Enhancing Open Source Tools Using AI: A "No Code" Journey to Build an Automated DefectDojo Parser Generator Join us for great networking, dinner and drinks, and see a presentation by **Tracy Walker,** Principal Solution Architect, **DefectDojo** **ABSTRACT**: See a live demonstration of using an AI LLM to accelerate the ability to adopt new, custom or unsupported security tools into DefectDojo, an open-source vulnerability management platform. Through live examples, attendees will see a data transformation problem deconstructed into a series of repeatable prompts using an AI LLM to automatically generate 100% of parsing code, detailed documentation, and unit tests while maintaining code quality and existing best practices. The demonstration: 1) Highlights OWASP feature project DefectDojo, 2) Is *applicable* to any open source tool or community, and 3) Is *accessible* to security practitioners or engineers of all technical levels. **Thanks to our SPONSOR**: *[DefectDojo](https://defectdojo.com/)* *DevSecOps, ASPM, Vuln Management - All on one platform!* *DefectDojo is the platform and product that enables scalable security through DevSecOps, integrates with 180+ security tools and counting, with a vibrant and active open source community. We also have a Pro Edition for those who are looking to achieve security automation and actionable insights with the smallest lift possible.* **Thanks to our HOST**: *[HiveWatch](https://www.hivewatch.com/)* *Intelligent, efficient, and scalable security* *HiveWatch is a cloud-based SaaS platform built for physical security teams to enhance their current security technologies. It streamlines incident response, allows for the consolidation of disparate programs and systems, and reduces false alarms.* **CODE OF CONDUCT** We hope you enjoy the event, we care deeply about inclusivity and diversity so that OWASP is a comfortable and welcoming community for everyone. 
Please reach out to one of our chapter leaders if you have any feedback/concerns or would like to speak to us, we take these matters very seriously. You can find out more about our policies here: [https://owasp.org/www-policy/operational/conferences-events.html#conference-and-event-anti-harassment-policy](https://owasp.org/www-policy/operational/conferences-events.html#conference-and-event-anti-harassment-policy) **SPONSORSHIP Opportunities Available** *Vendors interested in sponsoring please send an email to sponsorship.la@owasp.org*


Event: The State of Secure Coding & Secure Coding Tournament

Group: Toronto

Time: 18:30-04:00 (America/Toronto)

Description: **Note about In-Person Attendance** We will be capping the in-person attendance at **40 people**, on a **first-come, first-served** basis. This will allow us to effectively facilitate the Secure Coding Tournament at the venue. Doors will open at **6:00 PM**, and the event will start at **6:30 PM** (EDT). For those who cannot attend in person, no worries! Please join us virtually via the Zoom call! **Event Description** The presentation delves into the current state of secure coding practices, focusing on technical aspects and the challenges faced by developers and security professionals. We will highlight prevalent issues such as the increasing complexity of software systems, the evolving nature of cyber threats, and the persistent gap between development and security teams. Emphasizing the importance of integrating security into the software development lifecycle, the discussion covers best practices, common vulnerabilities, and the need for continuous education and collaboration to build a robust approach to secure coding across the industry. The presentation will be followed by a Secure Coding Tournament for any interested members. **Bring your laptop to participate!**



April 24, 2025


Event: Attacking IACS: Strategic Industrial Exploitation

Group: Atlanta

Time: 18:00-04:00 (America/New_York)

Description: **Overview:** Operational technology (OT) perimeters are rapidly emerging as a new frontier for attackers, mirroring the adversarial challenges seen in traditional IT boundaries. This talk explores crucial vulnerability classes and real-world exploitation tactics affecting common OT perimeter technologies. We will highlight significant risks and potential impacts of perimeter compromise on industrial environments. Attendees will gain a deeper understanding of the emerging threats at the OT boundary and the exploitation techniques adversaries may leverage. **Abstract:** Attacking IACS: Strategic Industrial Exploitation. Industrial Automation and Control Systems (IACS) underpin critical infrastructure worldwide but often rely on outdated security paradigms, which may leave them vulnerable to modern attacks. This presentation explores technical attack methodologies targeting IACS, contrasting them with traditional enterprise network exploitation techniques. Drawing on extensive experience in vulnerability research, exploit development, and red teaming, I will highlight the unique challenges and attacker opportunities presented by IACS environments—such as reliance on legacy technologies, proprietary protocols, and stringent operational constraints. Structured around the IEC/TR 62443-3-1 standard, this presentation addresses critical gaps in modern security guidance for IACS environments. I will use examples to demonstrate strategic attack opportunities and illustrate how vulnerabilities are exploited differently within industrial settings compared to enterprise environments. Attendees will gain technical insights into the challenges of securing IACS against sophisticated attacks and leave with actionable defense strategies that address current IACS security gaps.


Event: OWASP BE chapter meeting (24/04/2025, Antwerp)

Group: Belgium

Time: 17:30+02:00 (Europe/Brussels)

Description: On April 24th, we organize our next OWASP Belgium chapter meeting at Karel de Grote Hogeschool (Antwerp). We'll have two talks centered around ethical hacking and bug bounty hunting, stay tuned for more details on the speakers and their topics. **Agenda**: * 17:30-18:00: Welcome with snacks & drinks * 18:00-18:10: **OWASP update** * 18:10-19:00: TALK 1 * 19:10-20:00: TALK 2 * 20:30: End of the meetup More info can be found on the Belgium OWASP chapter page at [https://owasp.org/www-chapter-belgium/#div-meetings](https://owasp.org/www-chapter-belgium/#div-meetings) . Our chapter meetings are open for everyone, and attendance is free of charge. We ask you to register on Meetup in order to provide you with last-minute updates, if needed.


Event: The Attacker’s Distributed Supercomputer: Your Browser

Group: Orange County

Time: 18:00-07:00 (America/Los_Angeles)

Description: **NOTE: The following will be in effect and mandatory for this meeting venue.** * **RSVPs will close at 11:59 PM PT on Monday, April 21st, so kindly submit your RSVP by then. Walk-ins will not be permitted.** * **Google Security mandates that RSVPs include your full name (in Meetup settings) and that you bring your ID, which will be checked at the entrance to match your RSVP.** * If your first and last name do not appear in our admin view, we will contact you. * Alternatively, feel free to reach out directly or email us at [orange-county-leaders@owasp.org](mailto:orange-county-leaders@owasp.org) to provide that information or with any questions you may have regarding the event. **Parking** Park in the public garage structure next to the building. We will be providing paid tickets for exiting the garage. **Abstract** As the browser transforms into the primary computing platform, new vulnerabilities are surfacing that existing security architectures are not prepared to tackle. This gap leaves enterprises exposed to risks like client-side exploits, unmonitored communication channels, and last-mile reassembly tactics, which exploit the browser's complexity beyond the reach of traditional tools. This talk explores how the shift to browser-centric workflows has uncovered a critical weak spot at the very heart of organizations around the world, currently unprotected by conventional security measures, allowing both internal and external threat actors to bypass controls.



April 29, 2025


Event: OWASP Austin Chapter Monthly Meeting - April 2025 (Online)

Group: Austin

Time: 11:30-05:00 (America/Chicago)

Description: 30 minutes of meet-and-greet and Chapter information, then the Presentation! (To Be updated)



April 30, 2025


Event: Get into Cyber Security

Group: Peterborough

Time: 17:30+01:00 (Europe/London)

Description: *ATTENTION - DATE CHANGE & VENUE UPDATE* Cyber Peterborough presents *Get Into Cyber Security*! An evening of focused discussion, interactive sessions and presentations on how to get into the field of cyber security. Technical or non-technical, this event will help you break down how to get into the cyber security field. Join us and meet other people interested in Cyber. **Where?** * University Centre Peterborough PE1 4DZ **When?** * Wednesday 30th April **Agenda** * **5:30pm:** Welcome * **5:40pm:** Cyber Myth Busting * **6:10pm:** Steven Trippier, Anglian Water CISO * **6:40pm:** Cyber Career Paths * **7:15pm:** Ask **your** questions - Panel * **7:45pm:** UCP Educational Opportunities * **8:00pm:** Networking Drinks @ the Pub! Please respond to this event to confirm numbers, so that each attendee is catered for. Thank you, Ryan