Quick List (Details below)
- OWASP Tampa Chapter Q2 CTF/Lunch Event 2023 - Tampa, Jun 02
- OWASP ZAP - An Introduction and Deeper Dive - Cambridge, Jun 06
- Security Tools - Proving your applications are as secure as possible - Manchester, Jun 07
- OWASP, ISACA, and ISC2: Web Application Firewalls webinar - Netherlands, Jun 07
- OWASP Timisoara #22: Cloud Security & CyberSec Ecosystem [IN-PERSON] - Timisoara, Jun 08
- AppSecDays PNW - Portland, Jun 10
- OWASP AppSec Days PNW 2023 - Seattle, Jun 10
- OWASP Meetup - Paris - June 2023 - France, Jun 12
- OWASP Monthly meeting - Jacksonville, Jun 12
- June Meeting - Madison, Jun 13
- OWASP Suffolk Fight Club - June 2023 - Suffolk, Jun 13
- The Risks of Hardcoding Secrets in AI-Generated Code - Boston, Jun 14
- Security Social Lunch Hours - Seattle, Jun 14
- Browser Extension Security, and Scripting for Web Application Testers - Bristol Uk, Jun 15
- Adopting DevSecOps for faster and more secure SDLC - Dubai, Jun 15
- OWASP x Project Calico x Okta | Container and Kubernetes security policy design - Toronto, Jun 15
- HOW TO IDENTIFY A PHISHING EMAIL? - Tegucigalpa, Jun 16
- PCI - The Good, The Bad and the Ugly - Brisbane, Jun 20
- OWASP June Meet - Dallas, Jun 20
- Join us LIVE and IN-PERSON for Denver OWASP’s June Meetup - Denver, Jun 21
- June Meetup - Sacramento, Jun 21
- Project Spotlight - OWASP SAMM - Atlanta, Jun 22
- OWASP Maine: Jump into Mobile AppSec with the OWASP MAS Project - Maine, Jun 22
- OWASP Maine: Jump into Mobile AppSec with the OWASP MAS Project - Portland Me, Jun 22
- OWASP Austin Chapter Monthly Meeting - June 2023 (Online) - Austin, Jun 27
- OWASP Suffolk Fight Club - June Encore 2023 - Suffolk, Jun 27
- OWASP LA Monthly In-Person Meeting - JUN 28, 2023 - Los Angeles, Jun 28
- Anatomy of a Breach: Dissecting Cloud Security - Orange County, Jun 29
- Speaker TBA - Contact us if interested - Triangle Nc, Jun 29
June 02, 2023
Time: 1:30-04:00 (America/New_York)
Description: CMD+CTRL Web Application Cyber Range by Security Innovation (https://www.securityinnovation.com/)
REGISTER TODAY:
https://www.eventbrite.com/e/owasp-tampa-chapter-q2-ctflunch-event-2023-tickets-628632184787
Want to test your skills in identifying web app vulnerabilities? Join OWASP Tampa and Security Innovation as members compete in CMD+CTRL, a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet.
For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play - from developers and managers and even CISOs.
Lunch and "afternoon snacks while you hack" sponsored by Bayside Solutions, Inc. (BSI) (https://bsius.com/)
Venue location is sponsored by Deepwatch (https://www.deepwatch.com/)
June 06, 2023
Time: 7:00+01:00 (Europe/London)
Description: Hosted by the Cyber Security & Networking Research Group, Anglia Ruskin University, OWASP (Open Web Application Security Project) Cambridge Chapter, & BCS Cybercrime Forensics SG
**Background**
The **BCS – Chartered Institute for IT - Cybercrime Forensics Special Interest Group (SG)** promotes Cybercrime Forensics and the use of Cybercrime Forensics; of relevance to computing professionals, lawyers, law enforcement officers, academics and those interested in the use of Cybercrime Forensics and the need to address cybercrime for the benefit of those groups and of the wider public.
**OWASP (Open Web Application Security Project)** is a 501(c)(3) not-for-profit worldwide charitable organisation focused on improving the security of application software. Their mission is to make application security visible, so that people and organisations can make informed decisions about true application security risks.
**The Cyber Security and Networking (CSN) Research Group** at Anglia Ruskin University has close working strategic relationships with industry, professional bodies, law enforcement, government agencies and academia in the delivery of operationally focused applied information and application security research. We have strong international links with professional organisations such as OWASP, BCS, ISC2, CIISec & the Cyber East Cluster amongst others. The primary aims of CSNRG are to help the UK and partner nations to tackle cybercrime, be more resilient to cyber attacks and educate its users for a more secure cyberspace and operational business environment.
**Abstract : OWASP ZAP - An Introduction and Deeper Dive**
In this talk Simon (the ZAP founder and project lead) will give an overview of OWASP ZAP - the world's most popular web application scanner.
He will then go into more detail on ZAP automation and how you can get ZAP to authenticate to your web apps.
**Provisional Agenda**
16:45 - Webinar waiting lobby opens
17:00 - Start of Presentation
17:50 – Questions & Answers
June 07, 2023
Time: 8:00+01:00 (Europe/London)
Description: Hello & Welcome
In this session we'll be discussing various Tools used within Security.
By using these tools, your teams will be able to truly show that your products are as secure as they can be.
Please note this event will be recorded so we can put these talks on our YouTube channel afterwards. We will also be trying out our live streaming capabilities.
**6:00 - Open doors**
**6:30 - Simon Bennetts: An Introduction to OWASP ZAP**
In this talk Simon (the ZAP founder and project lead) will give you an overview of the world's most popular web security scanner. He will also talk about the most recent changes and what's coming next.
**7:15 - Refreshments**
**8:00 - Anthony Harrison - SBOMs and why they can help make your software more secure**
This talk will explain what an SBOM (Software Bill of Materials) is, how and when they should be produced / some of the challenges that need to be overcome, and demonstrate how they should form part of a DevSecOps lifecycle. I will try and supplement the talk with some demonstrations using a number of open source applications.
**9:00 - Vacate venue -> to the pub for more socialising**
**LOCATION**
-------------------------
Manchester Technology Centre
Oxford House, Oxford Rd, Manchester M1 7ED
**SPEAKERS**
-------------------------
**Simon Bennetts**
The OWASP Zed Attack Proxy (ZAP) Founder and Project Leader, and a Distinguished Engineer at Jit.
He has talked about and demonstrated ZAP at conferences all over the world, including Blackhat, JavaOne, FOSDEM and OWASP AppSec EU, USA & AsiaPac.
Prior to making the move into security he was a developer for 25 years and strongly believes that you cannot build secure web applications without knowing how to attack them.
**Anthony Harrison**
An independent systems/software/cyber consultant. I am part of the SPDX community developing the forthcoming security profile, and a member of the OpenSSF SBOM Everywhere working group and SBOM Forum. I have presented on SBOMs at FOSDEM (2002 and 2023), EuroPython 2022 and will be presenting at PyCascades (Vancouver) in March.
**SPONSORS** (Thank you for supporting our community!!)
-------------------------
Bruntwood - Venue Sponsor
Cytix - Food & Drink Sponsor
-------------------------
Are you passionate about a security topic?
Do you want to speak at a future event?
Submit your interest here - https://forms.gle/zcm9bVNhgDixe8Gq5
Does your company want to sponsor a venue and/or refreshments?
Email Paul - [email protected]
Time: 9:00+02:00 (Europe/Amsterdam)
Description: **Want to learn more about Web Application Firewalls?**
**Join the Dutch Chapters of OWASP, ISACA, and ISC2 for their first-ever combined online webinar on Wednesday, June 7th, from 19:00 to 21:00 CET.**
Program:
19:00 - 19:10 - **Welcome**
19:10 - 19:30 - **Web Application Firewalls** by **Aatif Khan**
19:30 - 20:55 – **Panel Discussion on Web Application Firewalls** by **Aatif Khan**, **Menno Swam** and **Nico van Rooyen** moderated by **Ramzy Elmasry**
20:55 - 21:00 – **Closing** and **Next Steps**
*To receive the LIVE stream details, register via:*
[https://isaca.nl/events/isaca-owasp-and-isc2-web-application-firewalls-webinar/](https://isaca.nl/events/isaca-owasp-and-isc2-web-application-firewalls-webinar/)
***Here is a summary of the event:***
With an expert presentation and a panel discussion, you will have the opportunity to learn about best practices and get your questions answered by professionals in the field.
By combining the focus areas and driving forces of each Chapter, this event ensures that this topic will be addressed from different perspectives, such as risk, compliance, audit, cybersecurity, and technical.
Aatif Khan, a data-driven AI and cybersecurity expert, will kick off the webinar with a compact presentation on Web Application Firewalls (WAFs). After which, we will open the panel discussion and answer questions from the audience. Our panel members are Aatif Khan, Menno Swam and Nico van Rooyen.
See below for more information on our panel members and the topic.
Register today for this unique opportunity!
**BIO Aatif Khan**
Aatif Khan is a data-driven, seasoned AI & cyber security expert who is passionate about creating customer-focused products. His focus centers around developing cyber defense strategies, establishing security operations centers for large enterprises, developing data protection strategies, implementing data privacy in day-to-day operations, and developing AI strategy, governance, and risk management programs for enterprises. He specializes in building and scaling security programmes from startups to Fortune 500 organizations.
With 15+ years of experience in information security, Aatif has spoken at numerous conferences such as BlackHat, SANS & UK NCSC CyberThreat London, Security BSides London, Cyber Security Asia Malaysia, @Hack, etc., amongst other conferences across the EMEA region. He has been interviewed by the Associated Press, Voice of America, Hakin9, and numerous other media channels for his expertise on emerging cybersecurity threats. Aatif holds a Master of Science in Artificial Intelligence from LJMU, UK, and is currently working on AI-driven advanced threat detection and response with modern security analytics.
**BIO Menno Swam**
Menno is a Senior Specialist at KPMG IT Advisory The Netherlands, and part of the Cyber Assessment (CA) team. The CA team consists of cyber security specialists executing technical IT Advisory engagements, IT Auditing and management of IT infrastructure, IT processes and IT organizations.
Menno has experience in the field of Information Security and Risk Management for companies in the Financial services sector, due to his experience as an Information Security Officer and Internal Auditor. Moreover, he has specific knowledge of security frameworks (such as PCI-DSS and ISO27001) as well as the technical execution of financial law (such as WWFT and PSD2). While working in complex IT environments, Menno has been able to get accustomed with all facets of information security, both technical and non-technical. As such, he is able to translate technical findings and risks to business impact and opportunities.
**BIO Nico van Rooyen**
Nico is currently the CISO at CPro, a cyber security consulting firm and the one-stop shop for specialized cyber security services. They offer complete solutions that enable organizations of all sizes to protect their systems, networks, and data from digital threats. He is also a proud Executive Board Member of the ISACA NL chapter and has been an active member for many years.
He started his career as an IT auditor specializing in information security, at KPMG in South Africa and for the past decade, he has deepened his experience in information security while obtaining various certifications such as CISA, CISM, CEH, and COBIT.
During this time, Nico worked across various countries including Australia, Denmark, Israel, Sweden, Europe, the UK, and the USA.
In 2017, he moved to the Netherlands with his wife, who is expecting their second baby boy in September of this year.
June 08, 2023
Time: 8:00+03:00 (Europe/Bucharest)
Description: The next OWASP Timisoara Chapter Meetup will be ***in person***.
See https://owasp.org/www-chapter-timisoara/ for more information about the OWASP Timisoara chapter.
Theme sessions - Theme: CyberSec Ecosystem & Cloud Security
**Schedule** Time: 18:00 to 21:00
Introduction, OWASP News & Updates - Catalin Curelaru
CyberSecurity Ecosystem - Octavian STANCU (Eviden/an Atos business)
Security Log Management - Adrian PAUL (Visma)
Improving security in AWS Cognito - Lucian Patian (Haufe)
Location of the event: UBC3, et 10, Sediu VISMA, Piața Consiliul Europei 2 · Timișoara
Event powered by VISMA
More about the speakers and topics:
**Octavian STANCU** is an experienced Unit Lead and IT Instructor with a demonstrated history of working in the Information Technology industry, specifically in the fields of Cybersecurity, Networking and Telecommunications. As the Head of Cybersecurity Services, Octavian brings within Global Delivery Center Romania extensive expertise and a strong track record in managing and delivering Cybersecurity services and solutions.
**Adrian PAUL.** I love information technology, passionate to learn about it, and always looking to put the pieces together. Currently, in the conspicuous role of managing the Cyber Security Engineering team that is in charge of implementation, maintenance and development of multiple security services at Visma. When time permits, I enjoy running and volunteering.
***~ Security Log Management ~***
Ensuring the confidentiality, integrity, and availability of the modern digital enterprise is not an easy task. It involves many parallel and related efforts, from systems engineering to effective cybersecurity policy and comprehensive workforce training. The essential elements in cybersecurity operations are monitoring, analyzing, responding to, and recovering from cyber attacks. Behind the scenes, programs and policies must be put into place to support cybersecurity operations.
Organizations are starting to use cloud computing to take advantage of its many benefits, including cost savings, quick time-to-market, and on-demand scaling of the environment. To improve security visibility in the cloud, security operations teams will want to develop a continuous monitoring strategy that uses a combination of cloud-native services and third-party options for the Security Log Management solution. The strategy needs to provide the most complete range of coverage for both proactively assessing the environment and detecting unusual events or anomalous behaviour rapidly. Additionally, a Security Log Management focused on automation and machine learning, alongside new and updated types of monitoring, will evolve into a Next-generation Security Information and Event Management (NG-SIEM) solution.
Logging is a vital part of cybersecurity, as it enables you to detect breaches and identify their source. With a robust Security Log Management solution, you can monitor your environments for unusual activity and take action to stop it before it develops into a full-blown attack. By taking the time to develop a comprehensive logging strategy, you can not only mitigate the potential damage of a cyber attack, but also learn important lessons about how to improve your solution for the future.
**Lucian Pătian** is a Cloud Solutions Architect at Haufe Group Timisoara. With a SysAdmin background, for the past four years, he has earned a reputation for finding creative solutions to problems in Cloud.
***~ Improving security in AWS Cognito ~***
Abstract: We will discuss why using the standard configurations in Cognito can make your application a security honeypot, how you can use AWS WAF to add an extra layer of protection, and why using verified token attributes should be a must.
June 10, 2023
Time: 8:00-07:00 (America/Los_Angeles)
Description: Join us for an in-person conference in Portland, Oregon on June 10th (tickets required)
[https://www.appsecpnw.org/](https://www.appsecpnw.org/)
Tickets [https://www.eventbrite.com/e/3rd-annual-owasp-appsec-days-pacific-northwest-conference-in-person-tickets-558186820807](https://www.eventbrite.com/e/3rd-annual-owasp-appsec-days-pacific-northwest-conference-in-person-tickets-558186820807)
Time: 8:00-07:00 (America/Los_Angeles)
Description: A collaboration between the **Vancouver, Portland, Victoria, and Seattle** chapters taking place **June 10, 2023** at **Portland Center Stage.**
The CFP for AppSec PNW is OPEN and you have until April 3rd to submit a presentation. You don't want to miss out on this opportunity to speak, so submit your CFPs soon!
https://bit.ly/AppSecPNW2023CFP
Get your tickets now for the event, there are only a few available spots in the Early Bird registration:
https://bit.ly/AppSecPNW2023Tickets
June 12, 2023
Time: 9:00+02:00 (Europe/Paris)
Description: The next meetup will be held in person. We will be hosted by our sponsor **TotalEnergies**, whom we warmly thank for their support.
**Registration deadline: Thursday, June 8**
OWASP Paris is the meetup dedicated to application security. As a reminder, the meetup is non-commercial. It brings together everyone who wants to design and maintain more secure software. If you are interested in the subject, whether you are a beginner or an expert, feel free to join us to share your experiences or your challenges.
This meetup offers sessions organised in an "open forum" format. Topics are proposed by the participants during the session. Knowledge sharing, lessons learned, CTF-style exercises, best practices, governance and organisation, and more are on the programme!
**Lightning Talks:**
The evening begins with short presentations. Anyone who wishes can offer a presentation; it is not mandatory. If you would like to share a technique, an opinion, a demo or a lesson learned, you can prepare a lightning talk, anywhere from a single sentence to 10 minutes at most, and present it at the start of the evening. If you have never given a presentation before, this is a chance to start in a friendly atmosphere.
**Workshop:**
The evening continues with group activities. Anyone who wishes can propose a topic; it is not mandatory. You have 30 seconds at the start of the session to make the other participants want to join, then everyone votes for their favourite topic. The most popular topics lead to group activities lasting a little over an hour. Screens will be available.
The format is meant to be welcoming. You do not need to be an expert to talk about a topic. You will certainly find other people to help you! The emphasis is on exchange and sharing.
*--*
*For security reasons regarding access to our sponsor's premises, you must provide your first and last name for this meetup. **An identity document will be requested** to obtain an access badge. Thank you for your understanding.*
*--*
The agenda and minutes of previous meetups are available here: https://owasp.org/www-chapter-france/
Time: 8:45-04:00 (America/New_York)
Description: The OWASP Foundation came online on December 1st, 2001. It was established as a not-for-profit charitable organization in the United States on April 21, 2004, to ensure the ongoing availability and support for our work at OWASP. OWASP is an international organization and the OWASP Foundation supports OWASP efforts around the world. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas. We can be found at www.owasp.org.
June 13, 2023
Time: 5:30-05:00 (America/Chicago)
Description: Requested Topics:
* Discuss the Open Letter to OWASP and the Response/Updates
https://owasp.org/blog/2023/03/10/strategic-plan-open-letter-update.html
https://owasp.org/blog/2023/03/31/owasp-strategy-2023-1.html
* Industry Roundtable: initiatives, struggles, successes from the Madison Metro AppSec Space
* Jazzer Demo https://github.com/CodeIntelligenceTesting/jazzer
Time: 9:30+01:00 (Europe/London)
Description: No agenda, no slides, no recording, 100% unscripted.
Practical learning: Live ethical hacking challenges, workshops, CTFs and sharing of knowledge.
June 14, 2023
Time: 7:30-04:00 (America/New_York)
Description: Hybrid Attendance: Join us in person or online (link to be provided).
Join us for discussion, food, appsec news, and an OWASP-related talk.
For our June meeting, Julie Peterson, Senior Product Marketing Manager at Cycode, will be speaking to the chapter about The Risks of Hardcoding Secrets in AI-Generated Code.
Machine learning, particularly Language Learning Models (LLMs), has paved the way for groundbreaking advancements in many fields, including code generation. However, this innovation is not without inherent risks. One potential issue is that these models generate code with hardcoded secrets, such as API keys or database credentials. This practice stands in stark contrast to the recommended way of managing these secrets – through a secrets manager.
In this presentation, we consider the following:
- What are hardcoded secrets and how to prevent them
- The importance of secrets management
- The impact of LLMs in generating code
- How to mitigate the risk of hardcoded secrets in code generated by LLM
This will be an exciting session, RSVP now!
Time: 2:00-07:00 (America/Los_Angeles)
Description: At noon on the 2nd Wednesday of every month we host a social meeting on Zoom with mini talks and breakout rooms. The main room will always be open for social time but we plan to have 1-2 topic breakouts you can join. If the breakout session topic interests you, join that discussion. Feeling more like a casual chat and exploring other topics? Visit the main room to strike up a conversation.
Suggest topics you’d like to see breakout rooms for and let us know if you’d like to sign up to lead one.
Slack @ #chapter-seattle (https://bit.ly/owasp-seattle-slack)
[email protected] (https://groups.google.com/a/owasp.org/g/seattle-chapter)
June 15, 2023
Time: 8:30+01:00 (Europe/London)
Description: In-person event, kindly **hosted by Immersive Labs**, 6th Floor, The Programme, All Saints' St, Bristol BS1 2LZ.
**Agenda:**
* OWASP Updates
* Talk 1: Browser extension security, with Billy Sheppard from Immersive Labs
* Break
* Talk 2: Intro to Scripting for Web Application Testers with Alex Archondakis
* Networking
**Venue:**
Photo shows the main entrance, which is visible when walking down the right hand side of the Tesco Express on Wine Street (Google Street View sometimes shows the back entrance, which is only accessible via keycard).
Address: 6th Floor, The Programme, All Saints' St, Bristol BS1 2LZ
---
Talk 1: **A look into browser extension security**, the risks involved with allowing users to install browser extensions and browser security/attack vectors, presented by **Billy Sheppard**.
**Abstract**: As web technologies are becoming more and more popular, you need to be more careful about what you put in your browsers. While extensions can be very useful, they come with hidden dangers – users often prioritise functionality over safety. In this talk, you'll uncover the real risks of using extensions, explore common attacks, and learn about pitfalls. You'll also take a look at some real-life security incidents and what went wrong. You'll leave with a deeper understanding of the need for browser extension security and how to safeguard your browser.
**Bio:** Billy Sheppard is a Bristol-based Senior Application Security Engineer working at Immersive Labs where he creates Secure Code content and challenges for their product.
In his career thus far, he has earned several achievements including VDP submissions for Fortune 500 companies, Bug bounties, and created and released his own niche CTF/Hacking challenge specifically aimed at increasing security awareness for ServiceNow developers. He has also created a Web Security YouTube Channel to demonstrate security concepts and educate developers and reported multiple real security issues to VDPs/Bug Bounty Programs for large companies such as BBC, RedHat and Accenture. He is a keen learner and spends a lot of his personal time continuously learning and is passionate about education around secure code.
---
Talk 2: **An Introduction to scripting for Application Testers,** presented by **Alex Archondakis**.
**Abstract**: Scripting, or the ability to write code that allows you to perform actions or automate repetitive tasks, is a crucial tool in any application security tester's belt; however, it doesn’t seem to be a common one.
The purpose of this talk is to introduce scripting to application security testers. This will be achieved by looking at case studies to determine where scripting may be appropriate and how to solve the problem. We will discuss multiple languages and their advantages whilst focussing on interacting with the HTTP protocol.
The key learning points from this talk are as follows:
* To gain an understanding of the importance of scripting for application security testers
* What programming languages are used, and their advantages/disadvantages.
* Typical scenarios where scripting is required because tooling is not comprehensive enough
**Bio**: Alex is head of professional services & a senior consultant at Pentest People. He has a wealth of experience in penetration testing, people management and training hackers. He believes that all application security professionals should be able to write basic scripts to solve common problems.
Time: 9:00+04:00 (Asia/Dubai)
Description: Accelerate your software delivery with DevSecOps culture!
Join our free webinar led by Ahmed Abdallah, a Senior Solutions Architect and Cyber Security Consultant, and learn about all things DevSecOps.
In this session, participants will gain further knowledge on the importance of the concept and discover how integrating security throughout the software development process can enhance speed, quality, and overall success.
Time: 8:30-04:00 (America/Toronto)
Description: *** THIS TALK IS BOTH ONLINE (https://www.youtube.com/watch?v=eMSnga3arIA) and OFFLINE @ the Okta offices ***
**TALK**
**Container and Kubernetes security policy design: 10 critical best practices**
**Summary:**
Companies are constantly seeking new and innovative ways to stay ahead in a highly competitive and rapidly changing business landscape. One strategy that has proven to be highly effective is application modernization. This is not just a mere upgrade; it is a complete transformation of how businesses operate. By embracing this approach, companies can accelerate innovation, optimize costs, and improve their overall security posture.
However, embarking on the journey of application modernization is not an easy task. It requires a significant investment in people, processes, and technology to achieve the desired business outcomes. The right foundation must be established from the beginning to avoid the high cost of re-architecture, which can be a major roadblock in achieving success. One crucial aspect is developing a standard and scalable security design for their Kubernetes environment. This will establish the framework for implementing the necessary checks, enforcement, and visibility to enable strategic business objectives.
In conclusion, application modernization is a strategic initiative that can transform businesses. Developing a standard and scalable security design for the Kubernetes environment is critical to establishing the framework for implementing the necessary checks, enforcement, and visibility to enable strategic business objectives.
**Presenter:**
**Regis Martins**
Regis Martins is a passionate problem solver and technologist with a deep-rooted love for finding innovative solutions. With a background in Electrical Engineering and a Master's Degree in Computer Science, he has honed his expertise in areas such as deep packet inspection technologies, traffic management, network analytics, and Kubernetes. His journey has led him to excel as a Sales Engineer, where he architects solutions, educates clients, and thrives in helping organizations overcome challenges. With a diverse skill set encompassing Python, Linux, virtualization, cloud computing, and more, Regis is committed to making a positive impact in the world of technology through continuous innovation and knowledge sharing.
June 16, 2023
Time: 8:00-06:00 (America/Tegucigalpa)
Description: **Topic: Phishing**
It is a social engineering technique that consists of sending emails that impersonate companies or public bodies and ask the user for personal and banking information.
This method is used to deceive users and get them to share passwords, credit card numbers and other confidential information by posing as a trusted institution in an email message or phone call.
June 20, 2023
Time: 8:00+10:00 (Australia/Brisbane)
Description: Intro - Craig & Michael
PCI - What is it?
PCI Projects - The Game Plan
App Sec Deep(ish) Dive
Auditor Whispering
War Stories
Is PCI DSS Effective? The Verdict
Event location will be announced soon.
Time: 2:00-05:00 (America/Chicago)
Description: "Common Security Considerations for Web 3.0"
Join this virtual event to discuss:
* an overview of decentralization
* digital identities in 3.0 and typical threats
* examples of Web 3.0 attacks and mitigations
* security concerns and some actions to consider to protect organizations.
June 21, 2023
Time: 7:30-06:00 (America/Denver)
Description: **As always, everyone is welcome! You do NOT have to be an OWASP member to attend.**
Join us June 21st for food, drinks, networking and a super informative presentation on "The Joys of Mobile Application Testing" from one of the best and brightest in the industry: Greg Leonard. Networking with your peers starts at 5 - food is served at 5:30 and the presentation starts at 6.
**Sponsor: A big thank you to our Denver OWASP sponsor [SpyderSec](https://spydersec.com)**
**Presentation Title:** The Joys of Mobile Application Testing
**Presentation Details:** In this talk, I will walk through the major challenges of testing mobile applications. This will include reliably capturing HTTPS traffic between the app and its backend APIs, reviewing data stored by the app on the mobile device, working around defenses built into many apps, and discussing some obstacles that need to be worked around with modern mobile operating systems.
Time: 9:00-07:00 (America/Los_Angeles)
Description: OWASP Sacramento will meet the third Wednesday of each month. We will announce topics 2-3 weeks in advance of our meetups.
7PM-9PM
Please join our [Slack](https://owasp.org/slack/invite) @ #chapter-sacramento
Agenda
* Food and Beverages
* Community Topics
* Presentation TBD
June 22, 2023
Time: 8:00-04:00 (America/New_York)
Description: Interested in learning how to secure your software development lifecycle? Then join us as we dive deep into the OWASP Software Assurance Maturity Model (SAMM), a technology and process agnostic framework that helps to provide an effective and measurable way for you to analyze and improve your secure development lifecycle. Our speaker, Christian DeHoyos, will walk through its history, use cases, benefits, and how one can quickly leverage OWASP SAMM at their org.
Time: 8:00-04:00 (America/New_York)
Description: Mobile apps dominate all digital time spent online - but mobile AppSec programs often lag. Jumpstart your team and skills by stepping inside the OWASP Mobile AppSec Project (MAS), the OWASP Mobile Application Security Verification Standard (MASVS), and OWASP Mobile Application Security Testing Guide (MASTG) to learn about the fundamentals of mobile app security and the latest updates just released in OWASP MASVS V2 launched at OWASP Global AppSec in Dublin. Learn the differences in Mobile AppSec vs Web AppSec and how to put OWASP MAS project, tools and resources to work.
In this session we will drill down into the top 5 most frequent security issues found in testing thousands of mobile apps. Learn how to test for them, and how to teach your dev teams to prevent them with code examples, test examples, links to additional resources and how to build your own toolkit. Along the way we will hit the latest privacy and security updates with iOS and Android. Come join us!
\*Food and drinks will be provided by NowSecure
\*This will be an in person meet up event but we will be offering a remote attendee option for folks who are not local to Maine or Northern New England but still want to attend. A zoom link will be posted/provided as the event nears.
Time: 8:00-04:00 (America/New_York)
Description: Mobile apps dominate all digital time spent online - but mobile AppSec programs often lag. Jumpstart your team and skills by stepping inside the OWASP Mobile AppSec Project (MAS), the OWASP Mobile Application Security Verification Standard (MASVS), and OWASP Mobile Application Security Testing Guide (MASTG) to learn about the fundamentals of mobile app security and the latest updates just released in OWASP MASVS V2 launched at OWASP Global AppSec in Dublin. Learn the differences in Mobile AppSec vs Web AppSec and how to put OWASP MAS project, tools and resources to work.
In this session we will drill down into the top 5 most frequent security issues found in testing thousands of mobile apps. Learn how to test for them, and how to teach your dev teams to prevent them with code examples, test examples, links to additional resources and how to build your own toolkit. Along the way we will hit the latest privacy and security updates with iOS and Android. Come join us!
\*Food and drinks will be provided by NowSecure
\*This will be an in person meet up event but we will be offering a remote attendee option for folks who are not local to Maine or Northern New England but still want to attend. A zoom link will be posted/provided as the event nears.
June 27, 2023
Time: 1:30-05:00 (America/Chicago)
Description: *Due to supplying lunch for attendees so we have sufficient foods, if you would like to attend in-person at NI, please see* -- Coming Soon!
30 minutes of meet-and-greet and Chapter information, then the Presentation!
Time: 9:30+01:00 (Europe/London)
Description: No agenda, no slides, no recording, 100% unscripted.
Practical learning: Live ethical hacking challenges, workshops, CTFs and sharing of knowledge.
June 28, 2023
Time: 7:30-07:00 (America/Los_Angeles)
Description: **TOPIC**: Security Architecture - What is it? How to Deploy it
Join us for great networking, dinner and drinks, and see a presentation by President and Founder of iSecurePrivacy, LLC.
**ABSTRACT**: Security Architecture is a security design that addresses the technology goals, approaches, controls, and potential for the enterprise. It also specifies when and where to apply security controls. This discussion starts from the enterprise perspective using SABSA (Sherwood Applied Business Security Architecture). It then introduces COBIT, from ISACA, which is a framework that focuses on the governance and management of enterprise IT. TOGAF (The Open Group Architecture Framework) aligns security with business needs. Then there is the OWASP SAMM (Software Assurance Maturity Model) that is a framework for helping organizations analyze their current software security practices in the development of new applications. Within these four security architectures, we will also talk about some software secure coding standards such as (PCI Software Security Framework, SEI CERT Coding Standards, NIST SSDF, Microsoft Secure Coding Guidelines, and OWASP Secure Coding Practices). These standards are important, but they need to be based on meeting the business strategic objectives, business model, and business needs. That is what security architectures provide.
**Thanks to our Sponsor**: *[Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud)*
*The Most Complete Cloud-Native Application Protection Platform (CNAPP). Prisma Cloud secures applications from code to cloud, enabling security and DevOps teams to effectively collaborate to accelerate secure cloud-native application development and deployment.*
**SPONSORSHIP Opportunities Available**
*Vendors interested in sponsoring please send an email to [email protected]*
**CODE OF CONDUCT**
We hope you enjoy the event, we care deeply about inclusivity and diversity so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of our chapter leaders if you have any feedback/concerns or would like to speak to us, we take these matters very seriously. You can find out more about our policies here:
[https://owasp.org/www-policy/operational/conferences-events.html#conference-and-event-anti-harassment-policy](https://owasp.org/www-policy/operational/conferences-events.html#conference-and-event-anti-harassment-policy)
June 29, 2023
Time: 8:00-07:00 (America/Los_Angeles)
Description: **NOTE: IN-PERSON EVENT**
**Abstract:**
Cloud security presents unique challenges. As enterprises continue to move to the cloud, security practitioners face new threats and paradigms. In this session, we’ll forensically reconstruct major cloud-centric breaches and step through them, building an understanding of what happened, how it happened, and developing key takeaways to help secure our own infrastructure, especially in AWS, Azure, and GCP.
**Code of Conduct:**
We hope you enjoy the event, we care deeply about inclusivity and diversity so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of our chapter leaders if you have any feedback/concerns or would like to speak to us, we take these matters very seriously. You can find out more about our policies here:
[https://owasp.org/www-policy/operational/conferences-events.html#conference-and-event-anti-harassment-policy](https://owasp.org/www-policy/operational/conferences-events.html#conference-and-event-anti-harassment-policy)
**Sponsorship:**
Vendors who are interested in sponsoring OWASP OC monthly meetings, please send an email to [email protected]
Time: 8:30-04:00 (America/New_York)
Description: TBA