OWASP Community Meetings


Quick List (Details below)


April 24, 2024


Event: Adversarial Machine Learning Tactics

Group: Atlanta

Time: 18:30-04:00 (America/New_York)

Description: In this talk, we will conduct an examination of the methodologies employed by adversaries to exploit machine learning systems and leverage these systems for their benefit. We will delve into various attack vectors, such as evasion and poisoning, and discuss the current use cases of machine learning and AI being employed by threat actors. Participants will gain insight into the latest defensive applications of machine learning, along with strategies for mitigating risks posed by new and evolving threats. This session aims to equip attendees with an understanding of both offensive and defensive aspects of machine learning in cybersecurity, fostering a proactive approach to safeguarding these advanced systems.


Event: Security and Compression

Group: Delaware

Time: 18:00-04:00 (America/New_York)

Description: **Agenda**

* **Chapter Intro**
* **Main presentation: Title: Security and Compression** Author: Lucas Driscoll [https://github.com/Lukerd-29-00/](https://github.com/Lukerd-29-00/) Abstract: This is a talk on the cybersecurity risks caused by using compression, especially in a web context. It goes over the basic mechanics of attacking a scheme where text is compressed and then encrypted, the attacks that have been discovered in practice, and mitigations against them. This relates to attacks against TLS, such as Compression Ratio Info-leak Made Easy (CRIME) and BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext).
* **Web Academy hands-on labs** - We continue our journey through the Web Academy at [https://portswigger.net/web-security/](https://portswigger.net/web-security/) The meeting will be held in the library's computer lab to encourage people to get some hands-on web security testing experience.


Event: OWASP Frankfurt Chapter #65 - Data Centricity and Securing AI

Group: Frankfurt

Time: 18:00+02:00 (Europe/Berlin)

Description: Hello everyone, we're excited to invite you to our OWASP Chapter meeting #65! Our Chapter serves central Germany, particularly within the Rhine-Main (Hesse) region, as a platform to discuss and share information and application security topics. Anyone who is interested and enthusiastic about application security or security in general is welcome. All meetings are free and open. You do not have to be an OWASP member. There will also be plenty of time to socialize before and after the event.

What are we going to talk about?

**1. Talk:** **Data Centricity for Cloud and Application Security** *Prof. Dr. Igor Podebrad, Director CISO Office, Google Cloud*

Igor's talk will demystify data-centricity as a key driver for robust application and cloud security. He'll contrast the shift to data-centricity focus how it underpins cloud, AI and supports sound risk decisions. He will also discuss how this shift is reshaping security and resilience for digital transformation. Igor is currently a Director at Google Cloud's Office of the CISO and a former Group CISO at Commerzbank AG. He holds a PhD in Medical Care Logistics from the University of Berlin.

**2. Talk: Securing GenAI Applications on Cloud: Three pronged approach** *Hari Hayagreevan, Technical Leader – AI Security, IBM Consulting DACH*

The convergence of Generative Artificial Intelligence (Gen AI) with cybersecurity introduces a spectrum of challenges and prospects. To embrace Gen AI extensively within enterprise contexts, it's imperative for these AI systems to be devoid of vulnerabilities in their application and infrastructure. This necessitates a holistic approach to securing Gen AI platforms. In this session, Hari will take you through the different viewpoints, offering insights from an Enterprise Security Architect’s perspective, with practical enterprise scenarios. Hari is an Enterprise Security Architect and is currently the Technical Leader for IBM Consulting’s GenAI Security practice in DACH. He started his career as a Cybersecurity incident responder (SOC Analyst) 18 years ago and now advises Enterprise CISOs and Security Architecture teams on adopting security principles for preventing cyber attacks.

Afterwards? We will pre- and conclude the evening with the possibility of **socializing** at the venue with **free food and cold & hot drinks**. For everyone who's interested, we will continue socializing at the Bockenheimer Weinkontor afterward.

When? Our Meetup takes place on 24.04.2024 from 18.00 to 21.30 o'clock CEST.

Where? codecentric AG, Lise-Meitner-Straße 4, 60486 Frankfurt am Main

Interested in **giving a talk** yourself? Submit your talk here: https://www.papercall.io/owasp-chapter-frankfurt

And now? Save the date, **spread the word,** and bring your friends and colleagues along to our event.

Follow Us! Also, follow us here and refer to our [OWASP Frankfurt site](https://owasp.org/www-chapter-germany/stammtische/frankfurt/) for information, including slides and recordings of previous presentations. We're looking forward to seeing you at our event!


Event: OWASP LA Monthly In-Person Meeting - APR 24, 2024

Group: Los Angeles

Time: 17:30-07:00 (America/Los_Angeles)

Description: **TOPIC**: Building A Product Security Team – The Good, The Bad And The Ugly - Lessons From The Field

Join us for great networking, dinner and drinks, and see a presentation by **Peter Morin**, Principal, National Cyber Security Leader, **Grant Thornton LLP**

**ABSTRACT**: Ensuring that the products and services we build and deliver are as threat resistant as possible is extremely important today. Meeting this challenge is not just about building secure applications since we all know that rapid development of software as well as the evolution of threats and vulnerabilities can see our applications as secure today but vulnerable tomorrow. That is why having an established product security team and response capability is extremely important. During this discussion, I will discuss, using real-world examples, including that of my own, how organizations can meet the demands of product security including:

* Building a culture of security within your organization beyond firewalls and anti-virus
* How to “sell” security to executive management and explaining what product security does and doesn’t do (e.g., staffing, budgets, etc.)
* Building and deploying software using the "DevOps" approach, while maintaining a high level of security
* Difficulties of wearing multiple hats, with security being one of them
* Embedding “security” in the software development life cycle (SDLC)
* Establishing a proper security “response” program
* Product vulnerability transparency and developing a disclosure policy
* How to measure the success of your program
* Establishing a bug bounty program

**THANKS to OUR SPONSOR**: *[DevOcean](https://www.devocean.security)*

*DevOcean Unified Remediation Platform™, a Gartner Cool Vendor, helps organizations cut the time, backlog, and manual effort needed to fix issues and manage threat exposure. Going beyond traditional methods, DevOcean enables security, dev and devops teams to collaborate efficiently without the usual pain and friction of day-to-day operations. Our powerful workflow automation engine leverages the unique context of cloud-to-code root cause analysis and ownership association to deliver a highly accurate remediation solution that drives resolution at scale.*

**CODE OF CONDUCT** We hope you enjoy the event. We care deeply about inclusivity and diversity so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of our chapter leaders if you have any feedback/concerns or would like to speak to us; we take these matters very seriously. You can find out more about our policies here: [https://owasp.org/www-policy/operational/conferences-events.html#conference-and-event-anti-harassment-policy](https://owasp.org/www-policy/operational/conferences-events.html#conference-and-event-anti-harassment-policy)

**SPONSORSHIP Opportunities Available** *Vendors interested in sponsoring please send an email to [email protected]*


Event: OWASP Stockholm - TruffleHog Disclosure @ Omegapoint

Group: Stockholm

Time: 17:30+02:00 (Europe/Stockholm)

Description: Welcome to another OWASP Stockholm event! This time we will be visiting Omegapoint! The meetup will start with a mingle with food and drinks at 17:30 and the main presentation will begin at 18:00.

***18:00 TruffleHog Security Issue Disclosure - Helena Rosenzweig***

This presentation covers a set of security issues in TruffleHog, an open source, automated security tool that scans code repositories and configuration files for active secrets. The session provides a detailed walkthrough with several live demos, showing how the tool can be exploited to remotely harvest credentials from anyone running a default installation of TruffleHog v3. This presentation is part of a coordinated disclosure together with Truffle Security, the team behind TruffleHog.

**Location**: Vasagatan 16, 111 20 Stockholm

Time: April 24th, 17.30 – 21.00

Lighter food & drinks will be served.

Join the OWASP Stockholm mailing list to get notified of upcoming events: [https://groups.google.com/a/owasp.org/g/stockholm-chapter](https://groups.google.com/a/owasp.org/g/stockholm-chapter)

Join our Slack channel on OWASP Slack: *[#chapter-stockholm](https://owasp.slack.com/)*


Event: Digital Security: Navigating with Confidence in a World of Cyber Fraud

Group: Vitoria

Time: 19:30-03:00 (America/Sao_Paulo)

Description: Speaker: André Vidal Topic: Digital Security: Navigating with Confidence in a World of Cyber Fraud Date: 24/04/2024 at 19:30


Event: OWASP Frankfurt Chapter #65 - Data Centricity and Securing AI

Group: Wrongsecrets

Time: 18:00+02:00 (Europe/Berlin)

Description: Hello everyone, we're excited to invite you to our OWASP Chapter meeting #65! Our Chapter serves central Germany, particularly within the Rhine-Main (Hesse) region, as a platform to discuss and share information and application security topics. Anyone who is interested and enthusiastic about application security or security in general is welcome. All meetings are free and open. You do not have to be an OWASP member. There will also be plenty of time to socialize before and after the event.

What are we going to talk about?

**1. Talk:** **Data Centricity for Cloud and Application Security** *Prof. Dr. Igor Podebrad, Director CISO Office, Google Cloud*

Igor's talk will demystify data-centricity as a key driver for robust application and cloud security. He'll contrast the shift to data-centricity focus how it underpins cloud, AI and supports sound risk decisions. He will also discuss how this shift is reshaping security and resilience for digital transformation. Igor is currently a Director at Google Cloud's Office of the CISO and a former Group CISO at Commerzbank AG. He holds a PhD in Medical Care Logistics from the University of Berlin.

**2. Talk: Securing GenAI Applications on Cloud: Three pronged approach** *Hari Hayagreevan, Technical Leader – AI Security, IBM Consulting DACH*

The convergence of Generative Artificial Intelligence (Gen AI) with cybersecurity introduces a spectrum of challenges and prospects. To embrace Gen AI extensively within enterprise contexts, it's imperative for these AI systems to be devoid of vulnerabilities in their application and infrastructure. This necessitates a holistic approach to securing Gen AI platforms. In this session, Hari will take you through the different viewpoints, offering insights from an Enterprise Security Architect’s perspective, with practical enterprise scenarios. Hari is an Enterprise Security Architect and is currently the Technical Leader for IBM Consulting’s GenAI Security practice in DACH. He started his career as a Cybersecurity incident responder (SOC Analyst) 18 years ago and now advises Enterprise CISOs and Security Architecture teams on adopting security principles for preventing cyber attacks.

Afterwards? We will pre- and conclude the evening with the possibility of **socializing** at the venue with **free food and cold & hot drinks**. For everyone who's interested, we will continue socializing at the Bockenheimer Weinkontor afterward.

When? Our Meetup takes place on 24.04.2024 from 18.00 to 21.30 o'clock CEST.

Where? codecentric AG, Lise-Meitner-Straße 4, 60486 Frankfurt am Main

Interested in **giving a talk** yourself? Submit your talk here: https://www.papercall.io/owasp-chapter-frankfurt

And now? Save the date, **spread the word,** and bring your friends and colleagues along to our event.

Follow Us! Also, follow us here and refer to our [OWASP Frankfurt site](https://owasp.org/www-chapter-germany/stammtische/frankfurt/) for information, including slides and recordings of previous presentations. We're looking forward to seeing you at our event!



April 25, 2024


Event: Study Group: “What is ChatGPT Doing and Why Does it Work” by Stephen Wolfram

Group: Austin

Time: 12:00-05:00 (America/Chicago)

Description: From: https://owasp.org/www-chapter-austin/studygroups.html

The Austin OWASP Study Group is currently working on learning the [“What is ChatGPT Doing and Why Does it Work” by Stephen Wolfram](https://writings.stephenwolfram.com/2023/02/what-is-chatgpt-doing-and-why-does-it-work/)

> **When:** The study group meets weekly on Thursdays from 12:00 to 1:00 PM

> **Where:** We are looking for a location to meet in-person. Till then the study group is held virtually. Either join the specific channel within Slack AustinOWASP (see below) or [OWASP Austin on Meetup](https://www.meetup.com/OWASP-Austin-Chapter/) to obtain details.

> **How to follow:** Status of meetings and discussion of topic will be communicated through the [Slack AustinOWASP](https://austinowasp.slack.com/). Following is the specific channel for collaborating on the topic:

```
#chat-gpt-wolfram
```

> **Additional Information:** If you have any questions related to the study group, please contact the group coordinator, @griff in the OWASP Austin Slack workplace.


Event: OWASP CoS April 2024

Group: Colorado Springs

Time: 18:00-06:00 (America/Denver)

Description: Speaker: Stu Gentry; Intro to Software Reverse Engineering After / during: Pizza, Beer, Assortment of soft drinks Location: National Cyber Center (NCC): https://cyber-center.org/


Event: OWASP Meetup - Paris - April 2024

Group: France

Time: 19:00+02:00 (Europe/Paris)

Description: This meetup will take place at **PADOK**, whom we warmly thank for their support. OWASP Paris is the meetup dedicated to application security. As a reminder, the meetup is intended to be non-commercial. It brings together everyone who wants to design and maintain more secure software. If you are interested in the subject, whether you are a beginner or an expert, feel free to join us to share your experiences or your challenges. This meetup offers sessions organized in "open forum" mode. Topics are proposed by the participants during the session. Knowledge sharing, lessons learned, CTF-style exercises, best practices, governance and organization, ... are on the agenda!

**Lightning Talks:** The evening begins with short presentations. Anyone who wants to can propose a presentation; it is not mandatory. If you feel like sharing a technique, an opinion, a demo or a lesson learned, you can prepare a lightning talk, anywhere from a single sentence to 10 minutes at most, and come present it at the start of the evening. If you have never given a presentation before, this is the chance to start in a friendly atmosphere.

**Workshop:** The evening continues with activities carried out in groups. Anyone who wants to can propose a topic; it is not mandatory. You have 30 seconds at the start of the session to make the other participants want to join, then everyone votes for their favorite topic. The preferred topics lead to group activities lasting a little over an hour. Screens will be available.

The format is meant to be welcoming. No need to be an expert to talk about a topic. You will certainly find other people to help you! The emphasis is on exchange and sharing. The agenda and the minutes of previous meetups are available here: https://owasp.org/www-chapter-france/


Event: Workshop: Vulnerability Reachability Analysis Using OSS Tools

Group: Orange County

Time: 18:00-07:00 (America/Los_Angeles)

Description: # Vulnerability Reachability Analysis Using OSS Tools

**NOTE: The following will be in effect and mandatory for this meeting venue.**

* **RSVPs will close at 11:59 PM PT on April 22nd, so kindly submit your RSVP by then. Walk-ins will not be permitted.**
* **Google Security mandates that RSVPs include your full name (in Meetup settings) and that you bring your ID, which will be checked at the entrance to match your RSVP.**
* If your first and last name do not appear in our admin view, we will contact you.
* Alternatively, feel free to reach out directly or email us at [email protected] to provide that information.

**Parking** Park in the public garage structure next to the building. We will be providing paid tickets for exiting the garage.

**Live Stream** Stream us live on Twitch: http://twitch.tv/owaspoc *Please change your RSVP to "No" if you can't make it and will join via livestream instead.*

**Abstract** New vulnerabilities are disclosed every day in dependencies that you or your team may be using. But how do you know if you are actually using the vulnerable code? This talk will show you how to use two different types of tools to analyze reachability – deciding if the vulnerability needs to be prioritized based on your own code usage.

**Workshop Overview:** The workshop will be broken into several modules; introductory modules will cover the workshop organization and administrative matters (installing and configuring the tools used in the workshop). Subsequent modules will give an outline of what vulnerability reachability is and why it is important and compare/contrast the two main ways of understanding reachability (static call graphs and runtime analysis). Next, the workshop will present two short exercises, intended for the attendees to gain hands-on experience using both types of tools against real applications with real vulnerabilities. Interpreted languages (Java) and compiled languages (C/C++/Go) will be covered. Subsequently, the following module will walk through how to interpret the results obtained from the exercises and draw conclusions. The languages chosen are merely representative; the skills learned in the workshop are equally applicable to other languages. The workshop will conclude with two modules which will present a short overview of commercial tools and a conclusion/wrap-up/Q&A session.

**Workshop Outline:**

I. Overview (10 minutes)
   A. Workshop organization
   B. About the tools and sample applications
      1. What are the tools and applications we are going to use?
   C. Obtaining/installing the tools and sample applications
      1. Cloning from the github repo
   D. Goals of the workshop (what you will learn)
      1. Be able to understand the importance of vulnerability reachability and how it helps prioritize remediation strategy
      2. Become familiar with some of the tools available to help with vulnerability reachability
      3. Learn where you can reach out to for more help in these areas after the completion of the workshop

II. Types of reachability analysis (10 minutes)
   A. Static analysis / call graphs
      1. What is a call graph?
      2. What information does a call graph provide to you
   B. Runtime analysis
   C. Language and environment considerations
      1. Things to consider when choosing a reachability analysis solution
         a. Types of applications being analyzed (COTS vs self-written)
         b. Availability of source code
         c. Robustness of test environment

III. Static call graph analysis exercise (20 minutes)
   A. Using static call graph analysis in IntelliJ/Eclipse to analyze a Java application
   B. Using Go callgraph to analyze a Go application
   C. How to correlate a call graph with an SBOM

IV. Dynamic/runtime analysis exercise (20 minutes)
   A. Using a Java agent to analyze runtime reachability in a running Java application
   B. Using valgrind/KCacheGrind to analyze a running C/C++ application
   C. How to correlate runtime analysis with an SBOM

V. Results comparison (10 minutes)
   A. Using the results of each exercise to determine if vulnerable code was used
      1. How to use the output of each tool to understand what vulnerabilities need to be prioritized
   B. Benefits and limitations of each approach

VI. Conclusion & Q&A (20 minutes)

**Schedule:**

* 6:00pm - 6:30pm Networking, Food & Drinks
* 6:30pm - 8:00pm Presentation


Event: Monthly Networking Social

Group: Peterborough

Time: 19:00+01:00 (Europe/London)

Description: Thirsty Thursdays. Same time. Same day each month. Differing places. Good chat.

**What?**

* Casual conversation over food & drinks

**Where?**

* It may differ each month, bars, restaurant and eateries around Peterborough

**When?**

* ~ The last Thursday of each month

Everybody welcome, the next event details will be chosen from the last (and so on!).


Event: OWASP Chapter POA - Meeting 014 [ONLINE]

Group: Porto Alegre

Time: 19:30-03:00 (America/Sao_Paulo)

Description: In September we will have our next meeting; it will be on 25/04 (Thursday), starting at 19:30, online on our YouTube channel.

**Link to the stream:** https://www.youtube.com/watch?v=4ZxnGWUiunQ

**Check out our agenda:**

**19h30-20h30** **"The need for security in your products"** In this talk, we will address the critical importance of product security. With the growing complexity of products and the evolution of global regulations, ensuring security has become a multifaceted challenge for companies of all sizes and sectors. We will see how we can ensure the security of your products using good secure development practices and security testing.

**Speaker:** Joas A Santos (Offensive Security Engineer at Unico IdTech) Joas A Santos is an offensive security engineer at Unico IdTech, an author of books on Offensive Security and a Security Researcher in his spare time.


Event: OWASP-SLC / Wasatch AppSec -April Meetup (In person) @HealthEquity

Group: Salt Lake City

Time: 12:00-06:00 (America/Denver)

Description: **Agenda**:

1. Introductions / Lunch
2. Topic of Discussion: Book Club: "[9 Lies about Work](https://www.amazon.com/Nine-Lies-about-Work-Freethinking-ebook/dp/B07C3ZT28C)" through the lens of working in AppSec.
3. Q&A

Come join us for a lunch meetup at the Health Equity building in Draper, UT. Casual meetup, anyone interested in Application Security is welcome to attend. Please RSVP. We'll discuss the [book](https://www.amazon.com/Nine-Lies-about-Work-Freethinking-ebook/dp/B07C3ZT28C) in the context of how to support an organization's software security program. See you there!


Event: Seattle Cyber Mixers | Inaugural Mixer

Group: Seattle

Time: 17:00-07:00 (America/Los_Angeles)

Description: Join us for the inaugural Seattle Cyber Mixers brought to you by the leading local security non-profit organizations and sponsored by [Archer](https://www.archerirm.com/). This new series is designed to offer more informal connection opportunities for the cybersecurity community of the Greater Seattle area. We're kicking off a casual, low-key gathering where local security professionals can connect and unwind in an informal low-pressure setting. As the first of many, we plan to host these mixers at various locations, rotating based on your feedback. Our aim is to cultivate a regular cadence, potentially monthly or bimonthly, evolving with the community's interest. Any questions or suggestions, message the [OWASP Seattle Chapter](https://www.linkedin.com/company/owasp-seattle-chapter/) or contact [Eva Benn](https://www.linkedin.com/in/evabenn/).



April 26, 2024


Event: Hacker Days:- The Anatomy of a Breach : Lessons from common mistakes

Group: Bay Area

Time: 17:00-07:00 (America/Los_Angeles)

Description: Hello... Are you ready to dive into the world of enterprise security? Join us for an exciting Hacker Days, where we'll explore some of the Information Security essential requirements and it's a shared responsibility to protect systems and data. In this workshop, we will play roles of Developer/End-user/Security Engineer and explore various common mistakes which lead to critical security issues. We will also discuss the best practices for preventing such attacks.

Thank you very much to Endor Labs for graciously providing us the venue and Levo.ai - the guardians of the API galaxy! for sponsoring the food and drinks. This event is in partnership with the Pacific Hackers community https://www.pacifichackers.org/

Workshop outline:

* Overview
  - Introduction: Responsibilities of different roles.
  - Demo application walkthrough: A custom .net web application and a mobile app.
  - Tools: BurpSuite, Wireshark, ApkTool
* Developer mistakes: Various mistakes done by developers will be explained along with the impact and how to identify and prevent them.
  - Hardcoded Secrets
  - Login Credentials
  - Lack of Awareness
  - Security Misconfiguration
* End-user mistakes: As end-users, one can be a victim of cyber attack due to simple mistakes. Let's explore scenarios with live demo.
  - Wi-Fi Attack
  - Offer and Freebies
* Security Engineer mistakes: Security engineers are responsible for detecting vulnerabilities and recommending fixes. But we are also human beings and can commit mistakes which can lead to attacks.
  - Misusing available tools
  - Lack of scoping
  - Few OWASP top 10 vulnerability demo
* Closing Note
* Q&A

Speaker Details:

Name: Sarwar Jahan M

Linkedin: [https://www.linkedin.com/in/sarwarjahanm/](https://www.linkedin.com/in/sarwarjahanm/)

Bio: Sarwar Jahan is currently working as a Senior Enterprise Security Engineer, who worked at tech giants like Synopsys, Microsoft and Salesforce. He has 10+ years of experience and was ranked among top ethical hackers globally. He is passionate about sharing knowledge with the community and running a non-profit initiative called InfoSecCamp to spread security awareness among people by conducting Boot Camps.


Event: AI: The New Attack Surface and Strategies for Securing It

Group: Tunisia

Time: 20:00+01:00 (Africa/Tunis)

Description: Welcome to OWASP Tunisia

Follow us and subscribe to our channel: https://www.youtube.com/@owasptunisiachapter4108/streams

Join our OWASP Tunisia Community via Meetup: https://www.meetup.com/owasp-tunis-meetup-group/

An exceptional episode with our honorable guest speaker ***Jeff Crume***! Save the date: 26 April 2024 at 8 pm (UTC+1)!

***Jeff Crume*** *is an IBM Distinguished Engineer and Master Inventor with more than 40 years’ experience in the IT industry. He has a PhD in Cybersecurity and also serves as an Adjunct Professor at NC State University. Jeff’s YouTube videos have been viewed more than 3 million times and he is the author of a book entitled “Inside Internet Security: What Hackers Don't Want You To Know” as well as a contributing author to the “Information Security Management Handbook.” He is a member of the inaugural class of the NC State University Computer Science Alumni Hall of Fame and serves on the editorial board for the “Information and Computer Security” research journal. Jeff lived in Beijing on assignment in 2006 and has worked with clients in 50 countries.*

**Topic: *AI: The New Attack Surface and Strategies for Securing It***

**Description:** Artificial Intelligence (AI) introduces novel security challenges, including adversarial attacks and model vulnerabilities. This session discusses proactive measures for bolstering AI by securing the data, the model, the usage and the infrastructure. In addition, six different types of AI attacks will be covered in order to provide a better understanding of the threatscape.



April 27, 2024


Event: OWASP Bangalore Meet 27 April 2024

Group: Bangalore

Time: 09:30+05:30 (Asia/Kolkata)

Description: Bangalore Meet 27 April 2024 Null/OWASP Combined Meet

OWASP meets are free for anyone to attend. There are absolutely no fees. Just come with an open mind and willingness to share and learn.

#### Proposed sessions for this event:

* CTF Solvings for OSCP Aspirants by **SATHIYANARAYANA S**
* Firmware diffing to Nday exploits by **IamAlch3mist**
* Wannacry : Behind The Scenes by **Abhay Naik (Abhay Vox)**
* Threat Intel by **Ashwin Maganahalli**
* Shielding Cloud Buckets by **Pradeep Bhat**
* Note: The session details, including schedule are available below.



April 28, 2024


Event: Web Security 101: Safeguarding Your Digital Footprint

Group: Bhopal

Time: 10:30+05:30 (Asia/Kolkata)

Description: Welcome to "Web Security 101: Safeguarding Your Digital Footprint," a comprehensive beginner-level event designed to equip you with the essential knowledge and skills to protect yourself online. In today's digital age, our online presence is more significant than ever. From personal information to financial data, we entrust a plethora of sensitive details to the web. However, with the increasing prevalence of cyber threats and malicious actors, it's crucial to fortify our defenses and ensure the safety of our digital footprint. Join us for an enlightening journey into the realm of web security, where you'll learn:

* Foundations of Web Security: Understand the basic concepts and principles of web security, including common vulnerabilities and attack vectors.
* Protecting Your Digital Assets: Discover practical tips and best practices for safeguarding your personal and professional information online.
* Securing Your Devices and Networks: Learn how to secure your devices, networks, and online accounts against cyber threats, malware, and phishing attacks.
* Navigating the Cyber Landscape: Gain insights into the evolving cybersecurity landscape and emerging trends, empowering you to stay ahead of potential threats.
* Interactive Workshops and Demos: Engage in hands-on workshops and live demonstrations that reinforce your learning and provide practical guidance for implementing security measures effectively.
* Community Engagement: Connect with like-minded individuals, share experiences, and collaborate on strategies for enhancing web security awareness and resilience.

Whether you're a student, professional, or simply a concerned internet user, "Web Security 101: Safeguarding Your Digital Footprint" offers a welcoming environment where everyone can learn and thrive. Don't miss this opportunity to take control of your online security and protect what matters most. Reserve your spot today and embark on a journey towards a safer digital future!



April 29, 2024


Event: OWASP Oslo Chapter meetup

Group: Oslo

Time: 17:00+02:00 (Europe/Oslo)

Description: Big thanks to NAV for sponsoring this event!

* **17:00-17:15 Food**
* **17:15-18:00 Finding a three 0-day exploit chain in Ivanti EPMM and Ivanti Sentry,** Tor E. Bjørstad and Erlend Leiknes, mnemonic
* **18:15-19:00 Testing race conditions has never been faster,** Sofia Lindqvist, Binary Security

**Finding a three 0-day exploit chain in Ivanti EPMM and Ivanti Sentry**

During the summer of 2023, a team at mnemonic discovered three 0-day vulnerabilities in Ivanti Endpoint Protection Manager Mobile (EPMM, formerly known as Mobileiron Core) and Ivanti Sentry.

* CVE-2023-35078: authentication bypass in Ivanti EPMM, CVSS 9.8
* CVE-2023-35081: path traversal / arbitrary file write in Ivanti EPMM, CVSS 7.2
* CVE-2023-38035: authentication bypass in Ivanti Sentry, CVSS 9.8, allowing command execution as root.

All three vulnerabilities are listed in CISA's Known Exploited Vulnerabilities catalog, as they are known to have been exploited by threat actors in the wild. Ivanti has also confirmed that the vulnerabilities can be combined in an exploit chain. In this talk we'll take a closer look at what actually happened.

**Speakers**

* **Tor E. Bjørstad** has spent his entire career in security and privacy. For the last decade he has worked as a principal security consultant at mnemonic, based in Oslo. He has mainly focused on software security and security architecture, with a particular interest in society-critical infrastructure. Tor holds a Ph.D. in cryptography from the University of Bergen.
* **Erlend Leiknes**, a security consultant at mnemonic as, Oslo, spends his days as a penetration tester. His professional motto is that most vulnerabilities are obvious, the endeavor is to look at the right places. Erlend holds a master's degree in technical societal safety from University of Stavanger.

**TESTING RACE CONDITIONS HAS NEVER BEEN FASTER**

Historically, testing for race condition vulnerabilities in web apps has been a painful ordeal, likely making race conditions an under-explored attack vector. In the summer of 2023, groundbreaking research by James Kettle completely changed the game, suddenly making it much easier for pentesters (and attackers) to test for this type of vulnerability. In this talk I will show how race conditions work, how to test for them and how to protect against them, based off an example vulnerability I found during a recent pentest.

**Speaker**

**Sofia Lindqvist**, security specialist, Binary Security

Sofia works as a security specialist at Binary Security. She started her career with a PhD in pure maths, followed by three years at Cisco developing one of their networking OSs. She eventually made her way into security testing, which she has been doing for a year and a half.



April 30, 2024


Event: OWASP Austin Chapter Monthly Meeting - April 2024 (Online)

Group: Austin

Time: 11:30-05:00 (America/Chicago)

Description: 30 minutes of meet-and-greet and Chapter information, then the Presentation! If you would like to attend in person, please pull a ticket from [Eventbrite](https://www.eventbrite.com/e/owasp-austin-chapter-monthly-meeting-april-2024-group-2-tickets-882900538277). Please only pull a ticket from Eventbrite if you are planning on attending, as we purchase food for the in-person meeting and don't want to waste both donations and food (and canceling a ticket the day of still has food already purchased).

Agenda:

* 11:30-12 -- Room Opens, food is available and in-room discussions
* 12-12:05 -- Chapter/OWASP info presentation
* 12:05-1 -- Speaker Presentation

**Presentation: The Truman Show: Real-world application attacks instead of canned demos**

In this presentation, Kevin Johnson of Secure Ideas will walk attendees through various scenarios used in penetration testing of applications. These demonstrations will use real attacks and discuss how a penetration tester views applications. This talk will explain the mindset of an attacker, using actual applications as well as demonstration apps to allow for exploitation.

**Speaker: Kevin Johnson**


Event: Los Angeles Joint Cyber Mixer

Group: Los Angeles

Time: 18:00-07:00 (America/Los_Angeles)

Description: Join us for our 2nd mixer with participating cybersecurity communities in Southern California, enjoy the beautiful weather, amazing sunset, great conversations, network with your peers, make new friends! You **don't** have to be a member of any group to participate. Mark your calendars; see you there!!

**SPONSORSHIP Opportunities Available**

*Vendors interested in sponsoring OWASP LA events please send an email to [email protected]*

**CODE OF CONDUCT**

We hope you enjoy the event, we care deeply about inclusivity and diversity so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of our chapter leaders if you have any feedback/concerns or would like to speak to us, we take these matters very seriously. You can find out more about our policies here: [https://owasp.org/www-policy/operational/conferences-events.html#conference-and-event-anti-harassment-policy](https://owasp.org/www-policy/operational/conferences-events.html#conference-and-event-anti-harassment-policy)



May 01, 2024


Event: Understanding the Cyber Kill Chain with Elizabeth Stephens

Group: Nashville

Time: 12:00-05:00 (America/Chicago)

Description: This session will delve into the Cyber Kill Chain, a foundational framework for comprehending cyberattacks. We'll explore how attackers operate and empower ourselves to build targeted defenses. While a valuable tool, we'll also discuss the Kill Chain's limitations and the evolving nature of attacker tactics.



May 02, 2024


Event: Study Group: “What is ChatGPT Doing and Why Does it Work” by Stephen Wolfram

Group: Austin

Time: 12:00-05:00 (America/Chicago)

Description: From: https://owasp.org/www-chapter-austin/studygroups.html

The Austin OWASP Study Group is currently working on learning the [“What is ChatGPT Doing and Why Does it Work” by Stephen Wolfram](https://writings.stephenwolfram.com/2023/02/what-is-chatgpt-doing-and-why-does-it-work/)

> **When:** The study group meets weekly on Thursdays from 12:00 to 1:00 PM
>
> **Where:** We are looking for a location to meet in person. Till then the study group is held virtually. Either join the specific channel within Slack AustinOWASP (see below) or [OWASP Austin on Meetup](https://www.meetup.com/OWASP-Austin-Chapter/) to obtain details.
>
> **How to follow:** Status of meetings and discussion of topic will be communicated through the [Slack AustinOWASP](https://austinowasp.slack.com/). Following is the specific channel for collaborating on the topic:
>
> ```
> #chat-gpt-wolfram
> ```
>
> **Additional Information:** If you have any questions related to the study group, please contact the group coordinator, @griff in the OWASP Austin Slack workplace.


Event: OWASP BE Chapter Meeting (02/05/2024, Antwerp)

Group: Belgium

Time: 18:00+02:00 (Europe/Brussels)

Description: On May 2nd, we organize our next OWASP Belgium chapter meeting at [Karel de Grote](https://www.kdg.be/) University of Applied Sciences and Arts (Antwerp).

**Agenda**:

* 17h30-18h20: Welcome and refreshments
* 18h20-18h30: **OWASP Update**
* 18h30-19h30: **Navigating the Evolving Landscape of Cyber Security Legislation as an IoT Device Manufacturer** (by Joris Gorinsek, NIKO)
* 19h30-19h45: Break
* 19:45-20h45: **OWASP Cornucopia and Scrum: A strategic approach to introduce threat modeling in an Agile development process** (by Ive Verstappen & Jev Meijvis, DotNET lab)
* 21:00: Close

More info can be found on the Belgium OWASP chapter page at [https://owasp.org/www-chapter-belgium/#div-meetings](https://owasp.org/www-chapter-belgium/#div-meetings). Our chapter meetings are open for everyone, and attendance is free of charge. We ask you to register on Meetup in order to provide you with last-minute updates, if needed.


Event: OWASP Stockholm -Security Game Night @ Detectify

Group: Stockholm

Time: 17:30+02:00 (Europe/Stockholm)

Description: It's board game night, for anyone interested in both board games & security! The meetup will start with a mingle with snacks and refreshments at 17:30. The actual gaming will begin at 19:00 and the main presentation will begin at 18:00.

Join OWASP Stockholm mailing list to get notified of upcoming events: [https://groups.google.com/a/owasp.org/g/stockholm-chapter](https://groups.google.com/a/owasp.org/g/stockholm-chapter)

Join our Slack channel on OWASP Slack: *[#chapter-stockholm](https://owasp.slack.com/)*



May 07, 2024


Event: May 2024 Meeting

Group: Phoenix

Time: 20:30-07:00 (America/Phoenix)

Description: **Topic #1 - GitHub Supply Chain Attack Overview** - 5 Minutes

*In March, Dark Reading reported a [GitHub Supply Chain Attack](https://www.darkreading.com/application-security/github-developers-hit-in-complex-supply-chain-cyberattack). Learn about the GitHub platform, software package dependencies, and the attack techniques in this high level overview.*

**Topic #2 - OWASP Top 10 Web Application Risks Quiz** - 20 Minutes

*Test your knowledge of the [OWASP Top 10 web application security risks](https://owasp.org/www-project-top-ten)! Compete for a chance to win fabulous prizes (aka candy bars).*

**Cost**

Free!

**OWASP Info**

OWASP is a non-profit dedicated to **application security**. Our meetings are free to attend and you do not need to be a member, nor have any experience with application security. All are welcome!

**Meetings Every Month!**

Meetings occur the first Tuesday of every month. Be sure to join our Meetup page to be notified of future meetings and topics.

**Free Parking**

Free Parking Lot: 1 N Macdonald St, Mesa, AZ 85201 [https://downtownmesa.com/parking/green-lot](https://downtownmesa.com/parking/green-lot)

Note that this parking lot is across the street from HeatSync Labs. There are other nearby lots and street parking as well.



May 08, 2024


Event: OWASP IL Meetup - May 2024

Group: Israel

Time: 18:00+03:00 (Asia/Jerusalem)

Description: OWASP IL is excited to welcome you to our latest Meetup event! Prepare to dive into the world of AppSec with an evening filled with engaging security topics, networking, and of course, plenty of food and drinks. This time, we're delighted to have Playtika host our gathering!

Agenda: TBD

This event is hosted by Playtika in collaboration with OWASP Israel. Join us at the event physically as we will not include Zoom or remote participation this time.


Event: Security Social Lunch Hours

Group: Seattle

Time: 12:00-07:00 (America/Los_Angeles)

Description: At noon on the 2nd Wednesday of every month we host a social meeting on Zoom with mini talks and breakout rooms. The main room will always be open for social time but we plan to have 1-2 topic breakouts you can join. If the breakout session topic interests you, join that discussion. Feeling more like a casual chat and exploring other topics? Visit the main room to strike up a conversation. Suggest topics you’d like to see breakout rooms for and let us know if you’d like to sign up to lead one. Slack @ #chapter-seattle (https://bit.ly/owasp-seattle-slack) [email protected] (https://groups.google.com/a/owasp.org/g/seattle-chapter)


Event: Zero Trust in API Security

Group: Singapore

Time: 19:00+08:00 (Asia/Singapore)

Description: The ultimate goal of Zero-Trust Architecture is to protect an organization’s critical data against advanced threats. However, the current market focus is overly focused on network architecture, overlooking the elephant in the room. In a modern application architecture, APIs are the backbone of interconnecting microservices. This means APIs are the most closely related ‘services’ to an organization’s data, which explains why advanced attackers target APIs. In this session, we will explain how the zero-trust concept protects APIs.



May 09, 2024


Event: May 2024 OWASP Austin Security Professionals Happy Hour

Group: Austin

Time: 17:30-05:00 (America/Chicago)

Description: **When:** Thursday, May 9th, 5:30 pm - 7:30 pm **Where:** Lavaca Street Bar at the Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758. We will have tables reserved inside the bar, to the right as you enter. Parking: nearest parking in the Red Garage located off of Rock Rose Ave ([map of Domain](https://domainnorthside.com/map/)). **What:** The Austin Security Professionals Happy Hour is a monthly event coordinated by the OWASP Austin Chapter and sponsored by various companies. We try to meet every second Thursday of the month from January to September (but occasionally we make schedule adjustments when needed). The event is an informal social gathering of local information security professionals. If you're involved with InfoSec or even if you have an interest, come on out for drinks, good food and conversation. **Sponsor:** [Cequence](https://www.cequence.ai) *Cequence, a pioneer in API Security, is the only vendor with a comprehensive Unified API Protection solution offering discovery, compliance, and protection across all internal and external APIs to defend against attacks, targeted abuse, and fraud. Onboard APIs in less than 15 minutes, without needing any instrumentation, SDK, or JavaScript deployments. Cequence solutions scale to handle the most demanding government, Fortune and Global 2000 organizations, securing more than 8 billion daily API calls and protecting more than 3 billion user accounts across these customers. Its flexible deployment model supports passive/inline, on-premises, SaaS, and hybrid deployments.*


Event: Study Group: “What is ChatGPT Doing and Why Does it Work” by Stephen Wolfram

Group: Austin

Time: 12:00-05:00 (America/Chicago)

Description: From: https://owasp.org/www-chapter-austin/studygroups.html

The Austin OWASP Study Group is currently working on learning the [“What is ChatGPT Doing and Why Does it Work” by Stephen Wolfram](https://writings.stephenwolfram.com/2023/02/what-is-chatgpt-doing-and-why-does-it-work/)

> **When:** The study group meets weekly on Thursdays from 12:00 to 1:00 PM
>
> **Where:** We are looking for a location to meet in person. Till then the study group is held virtually. Either join the specific channel within Slack AustinOWASP (see below) or [OWASP Austin on Meetup](https://www.meetup.com/OWASP-Austin-Chapter/) to obtain details.
>
> **How to follow:** Status of meetings and discussion of topic will be communicated through the [Slack AustinOWASP](https://austinowasp.slack.com/). Following is the specific channel for collaborating on the topic:
>
> ```
> #chat-gpt-wolfram
> ```
>
> **Additional Information:** If you have any questions related to the study group, please contact the group coordinator, @griff in the OWASP Austin Slack workplace.



May 16, 2024


Event: OWASP Top 10 for Large Language Model Applications

Group: Columbus

Time: 18:00-04:00 (America/New_York)

Description: The OWASP Top 10 for Large Language Model Applications project aims to educate developers, designers, architects, managers, and organizations about the potential security risks when deploying and managing Large Language Models (LLMs). The project provides a list of the top 10 most critical vulnerabilities often seen in LLM applications, highlighting their potential impact, ease of exploitation, and prevalence in real-world applications. Examples of vulnerabilities include prompt injections, data leakage, inadequate sandboxing, and unauthorized code execution, among others. The goal is to raise awareness of these vulnerabilities, suggest remediation strategies, and ultimately improve the security posture of LLM applications.


Event: OWASP KC May Meetup

Group: Kansas City

Time: 18:00-05:00 (America/Chicago)

Description: TBD


Event: Ensuring Application Security Excellence in the Age of AI

Group: Vancouver

Time: 18:00-07:00 (America/Vancouver)

Description: **Ensuring Application Security Excellence in the Age of AI** with Michael Argast In a time where artificial intelligence (AI) permeates every facet of digital existence, the imperative to ensure application security has reached unprecedented heights. In this talk, Michael Argast, Co-founder and CEO of Kobalt.io will delve into the essential strategies for ensuring application security excellence amidst the pervasive influence of AI. By exploring the intricate interplay between AI and cybersecurity, you will gain insights into how AI augments defensive strategies, mitigates vulnerabilities, and addresses emerging threats within application environments. Through real-world case studies and practical recommendations, this session equips you with the knowledge and tools needed to leverage AI effectively in the face of evolving challenges. **Michael** is an experienced cybersecurity professional with over 20 years of industry experience. He is the co-founder and CEO of Kobalt.io, a rapidly growing cloud-focused security services provider. Kobalt.io works with over 200 cloud-focused technology companies to help develop their cyber security programs and ensure the security of their organization. We would like to thank **Microsoft** for sponsoring this event.



May 17, 2024


Event: Threat Modelling with Reliable Data

Group: Switzerland

Time: 18:00+02:00 (Europe/Zurich)

Description: Reliable data is inherently critical for application threat models. As threat modelling continues to proliferate across security programs, bad habits in feeding threat models with relevant data are becoming prevalent. This session will explore the top 3 mistakes of "data starvation/gluttony" with respect to application threat models and how to achieve a contextualized, balanced data diet. Join this OWASP Switzerland event to learn more from Tony about threat modelling and how to make sure you use quality data in doing so.



May 20, 2024


Event: OWASP Monthly meeting

Group: Jacksonville

Time: 18:45-04:00 (America/New_York)

Description: An introduction to OWASP's Juice Shop. A vulnerable website built for CTF practice.



May 21, 2024


Event: OWASP BE Chapter Meeting (21/05/2024, Brussels)

Group: Belgium

Time: 18:00+02:00 (Europe/Brussels)

Description: On May 21st, we organize our next OWASP Belgium chapter meeting at BeCentral (Brussels), by the courtesy of Proximus-ADA.

**Agenda**:

* 17h30-18h20: Welcome and refreshments
* 18h20-18h30: **OWASP Update**
* 18h30-19h30: **User Privacy in Online Location-Based Services** (by Victor LePochat and Karel Dhondt, KU Leuven-Distrinet)
* 19h30-19h45: Break
* 19:45-20h45: **SS7 Security** (by Jeremy Schmidt, Proximus ADA)
* 21:00: Close

More info can be found on the Belgium OWASP chapter page at [https://owasp.org/www-chapter-belgium/#div-meetings](https://owasp.org/www-chapter-belgium/#div-meetings). Our chapter meetings are open for everyone, and attendance is free of charge. We ask you to register on Meetup in order to provide you with last-minute updates, if needed.


Event: OWASP New Zealand - Auckland Meetup

Group: New Zealand

Time: 18:30+12:00 (Pacific/Auckland)

Description: We've resumed our regular Meetup schedule in 2024, starting in March. Our approximate agenda for the evening:

* 6:00 p.m. - Gather and networking
* 6:30 p.m. - Introductions, Top 10 Topic
* 7:15 p.m. - Pizza and more networking
* 7:45 p.m. - Technical Topic

We restarted our introductory coverage of the OWASP Top 10 (2021 edition) with A01:2021 in March, covering a new item each meeting. Our Top 10 topic for May will be **A02:2021 - Cryptographic Failures**.

**Technical Topic Speaker:** TBC

**Talk Title:** TBC

We're always looking for presenters and topics for future meetings - contact John ([email protected]) if you have an idea for a topic, or a presentation you'd like to make. That way, it won't always be John talking about what he's been working on recently.

The Auckland OWASP Meetup usually takes place on the third Tuesdays of March, May, July, September, and November. There is no Meetup in January, as our members enjoy their holidays.



May 22, 2024


Event: OWASP LA Monthly In-Person Meeting - MAY 22, 2024

Group: Los Angeles

Time: 17:30-07:00 (America/Los_Angeles)

Description: **TOPIC**: Securing Generative AI Applications using the OWASP Top 10 for Large Language Models

Join us for dinner+drinks, networking, and see a presentation by **Steve Wilson**, OWASP project leader and Chief Product Officer at **Exabeam**

**ABSTRACT**: What are the new risks that generative AI brings to your environment? In this cutting-edge session, we uncover the potential hazards that Large Language Models (LLMs) introduce to modern application ecosystems. Drawing on the expertise distilled in the OWASP Top 10 for LLMs, we offer a comprehensive roadmap for mitigating these risks. Attendees will gain insights into securing generative AI applications, recognizing the nuances of LLM vulnerabilities, and deploying defenses. This talk is a call to action for developers and security professionals to foster a culture of secure, responsible AI development. Equip yourself with the knowledge to anticipate threats, apply best practices, and build AI systems that are not only intelligent but also resilient in the face of cybersecurity challenges.

**THANKS to OUR SPONSOR**: *[Kodem](https://www.kodemsecurity.com/)*

*Kodem means “first” or “early” in Hebrew. A priority. We believe in helping appsec teams make security a priority by spotlighting risks that truly matter. We believe in helping developers improve code quality by shifting left and catching issues early. And we believe in making people a priority: our customers, our team, and our partners.*

**CODE OF CONDUCT**

We hope you enjoy the event, we care deeply about inclusivity and diversity so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of our chapter leaders if you have any feedback/concerns or would like to speak to us, we take these matters very seriously. You can find out more about our policies here: [https://owasp.org/www-policy/operational/conferences-events.html#conference-and-event-anti-harassment-policy](https://owasp.org/www-policy/operational/conferences-events.html#conference-and-event-anti-harassment-policy)

**SPONSORSHIP Opportunities Available**

*Vendors interested in sponsoring please send an email to [email protected]*


Event: OWASP Maine: May Meetup (Speaker TBA)

Group: Maine

Time: 18:30-04:00 (America/New_York)

Description: Mark your calendars, for our next meetup! We will be editing this shortly with the speaker info and topic!


Event: Supply Chain Security with Dan Lorenc, CEO Chainguard

Group: Nashville

Time: 17:00-05:00 (America/Chicago)

Description: Join us for an informative and hands-on workshop on securing your software supply-chain. In this event, we will be joined by Dan Lorenc, CEO and founder of Chainguard Inc. We will have food, learning, swag and, of course, networking with other like-minded folks in the area. Note: This event is organized by the OWASP Nashville Chapter and is open to both OWASP members and non-members. Whether you are already a member or interested in becoming one, we encourage you to attend this event and learn more about the benefits of being part of the OWASP community.


Event: OWASP Maine: May Meetup (Speaker TBA)

Group: Portland Me

Time: 18:30-04:00 (America/New_York)

Description: Mark your calendars, for our next meetup! We will be editing this shortly with the speaker info and topic!



May 23, 2024


Event: 0x01 Securing the Web

Group: Beja

Time: 14:30+01:00 (Europe/Lisbon)

Description: Securing the Web is the second meetup of OWASP Beja chapter which will be held on May 23rd, 2024, at 14:30 sponsored by **[Checkmarx](https://checkmarx.com/?utm_source=meetup&utm_medium=sponsorship&utm_campaign=owasp-beja)**.

**Schedule**

* 14:30 - **Welcome Notes** by OWASP Beja chapter leadership team
* 14:35 - **Purple Team Approach Towards Confluence RCE** by Paulo Viegas
* 15:00 - **Newton's Third Law: Static vs. Dynamic Abusers** by Diogo Sousa
* 16:00 - **Snacks & Drinks** sponsored by **[Checkmarx](https://checkmarx.com/?utm_source=meetup&utm_medium=sponsorship&utm_campaign=owasp-beja)**

**Talks**

**Purple Team approach towards Confluence RCE** by Paulo Viegas, Threat Detection Analyst @ Siemens

Talk about the value of collaboration between the red and blue team with a practical example.

**About the Speaker** Curious Blue Teamer with special taste for malware and forensics.

**Newton's Third Law: Static vs. Dynamic Abusers** by Diogo Sousa, Engineering Manager @ Canonical

If you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it to their own needs. In this talk we'll compare measures that are effective against static attackers and how to battle a dynamic attacker who adapts to your counter-measures.

**About the Speaker** An opinionated individual with an interest in cryptography and its intersection with secure software development.


Event: OWASP Bham Chapter Meetup May 2024!

Group: Birmingham Uk

Time: 18:00+01:00 (Europe/London)

Description: Welcome from OWASP Birmingham to our first Meetup of 2024! Once again we'll be @Hays at One Colmore Square, Thursday 23rd May, for two great Infosec talks. Watch this space, more details to come! Looking forward to another opportunity to connect around Cybersecurity with lots of interesting folks from all over the Midlands.