OWASP Community Meetings

Description: **When:** Thursday, May 9th, 5:30 pm - 7:30 pm **Where:** Lavaca Street Bar at the Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758. We will have tables reserved inside the bar, to the right as you enter. Parking: nearest parking in the Red Garage located off of Rock Rose Ave ([map of Domain](https://domainnorthside.com/map/)). **What:** The Austin Security Professionals Happy Hour is a monthly event coordinated by the OWASP Austin Chapter and sponsored by various companies. We try to meet every second Thursday of the month from January to September (but occasionally we make schedule adjustments when needed). The event is an informal social gathering of local information security professionals. If you're involved with InfoSec or even if you have an interest, come on out for drinks, good food and conversation. **Sponsor:** [Cequence](https://www.cequence.ai) *Cequence, a pioneer in API Security, is the only vendor with a comprehensive Unified API Protection solution offering discovery, compliance, and protection across all internal and external APIs to defend against attacks, targeted abuse, and fraud. Onboard APIs in less than 15 minutes, without needing any instrumentation, SDK, or JavaScript deployments. Cequence solutions scale to handle the most demanding government, Fortune and Global 2000 organizations, securing more than 8 billion daily API calls and protecting more than 3 billion user accounts across these customers. Its flexible deployment model supports passive/inline, on-premises, SaaS, and hybrid deployments.*

Description: Since 4/25/24: discussions on AI and LLM's generally and the Coursera Prompt Engineering series from Vanderbilt specifically. We are now studying ChatGPT Advanced Data Analysis.... For General Study Group info, see #studygroup in OWASPAustin Slack For topic specific info, see #ai in the OWASPAustin Slack

Description: Join us for an interactive workshop on careers in the AI era in cybersecurity, hosted by OWASP Cuddalore Chapter. Don't miss this chance to enhance your knowledge and skills in software security. See you there! Follow Our Handles for updates: [Instagram](https://www.instagram.com/owaspcuddalore/) [Twitter](https://twitter.com/owaspcuddalore)

Description: Calling all OWASP and NULL enthusiasts in Tirunelveli! Join us for an introductory session on APIs, led by Surya from the YouTube channel Cyterix. In this webinar, you'll gain a solid understanding of: => What APIs are and how they work => The role of APIs in app development => Everyday applications of APIs => How to make your first API request (with hands-on practice) This session is perfect for anyone curious about how applications communicate and the power behind APIs. Whether you're a developer, security professional, or simply interested in tech, this workshop will equip you with the foundational knowledge to dive deeper into the world of APIs. Don't miss out on this chance to level up your tech skills!

Description: Ce meetup se deroulera chez **[Theodo](https://www.theodo.fr/)** que nous remercions chaleureusement de leur soutien. OWASP Paris est le meetup dédié à la sécurité applicative. Pour rappel, le meetup se veut non commercial. Il réunit toutes personnes désireuses de concevoir et maintenir des logiciels plus sûrs. Si vous êtes intéressé par le sujet, que vous soyez débutant ou expert, n'hésitez pas à nous rejoindre pour partager vos expériences ou vos problématiques. Ce meetup propose des sessions organisées en mode "forum ouvert". Les sujets sont proposés par les participants lors de la séance. Partages de connaissances, retour d'expériences, exercices de type CTF, bonnes pratiques, gouvernance et organisation, ... sont au programme! **Lightning Talks:** La soirée commence par de courtes présentations. Chacun peut s'il le veut proposer une présentation, ce n'est pas obligatoire. Si vous avez envie de partager une technique, une opinion, une démo ou un retour d'expérience, alors vous pouvez préparer un lightning talk, entre une simple phrase et 10 minutes maxi et venez le présenter au début de la soirée. Si vous n'avez jamais fait de présentation avant, c'est l'occasion de commencer dans une ambiance sympa. **Workshop:** La soirée se poursuit avec des activités menées en groupes. Chacun peut s'il le veut proposer un sujet, ce n'est pas obligatoire. Vous avez 30 secondes au début de la session pour en donner envie aux autres participants, puis tout le monde vote pour son sujet favori. Les sujets préférés donnent lieu à des activités en groupes pendant un peu plus d'une heure. Des écrans seront disponibles Le format se veut bienveillant. Pas besoin d'être expert pour parler d'un sujet. Vous trouverez certainement d'autres personnes pour vous aider! L'accent est mis sur l'échange et le partage. L'agenda et le compte-rendu des précédents meetups est accessible ici: https://owasp.org/www-chapter-france/

Description: In the physical world, if our neighbours left their front door open and were being robbed in broad daylight, the community would do something about it, like calling the police or yelling at the criminals from a safe distance. On the internet, we don’t really do anything. Even the government just sits around waiting for people to (virtually) get shot and then report an incident. We need to rethink our approach. In this talk, Haoxi will talk about trench stories over the last 6 months of running DirectCyber, a volunteer based CSIRT that tracks exposures to critical vulnerabilities and notifies potential victims with pinpoint accuracy. He will cover why this was feasible to run with 2.5-person team, how to prioritise which vulnerabilities to track, challenges for disclosure, and legal concerns. He will share success cases from other public and private sector companies such as DIVD and TruffleSec, along with the bigger picture of how we can influence government security strategy for the better if we work together.

Description: An OWASP NYC Chapter Meetup AppSec 2.0: Security without the NOISE AppSec: Best Practices Tools... PaaS, SBOM’s, SCA and Runtime Security, let’s have some fun!!! Introductions By Dell Technologies Security Team Session 1: An intro to DTR. Founder & CEO, Adam de Delva will introduce his services and how they develop Platform-as-a-Service (PaaS) for cloud - native applications and security. Session 2: { deepfactor } (Hands-On Workshop) Workshop Topic: Vulnerability Reachability Analysis Using OSS Tools. Workshop Abstract: New vulnerabilities are disclosed every day in dependencies that you or your team may be using. But how do you know if you are actually using the vulnerable code? This talk will show you how to use two different types of tools to analyze reachability – deciding if the vulnerability needs to be prioritized based on your own code usage. Don't miss this opportunity to network with like-minded individuals in the field of cybersecurity, software security, and application security. Come share your experiences, ask questions, and connect with industry experts. This event is hosted by the OWASP New York City Chapter, known for organizing informative and interactive meetups that empower professionals to stay ahead of the ever-evolving cyber threats landscape. Grab a drink, network with peers, and enhance your knowledge of web application security.

Description: Since 4/25/24: discussions on AI and LLM's generally and the Coursera Prompt Engineering series from Vanderbilt specifically. We are now studying ChatGPT Advanced Data Analysis.... For General Study Group info, see #studygroup in OWASPAustin Slack For topic specific info, see #ai in the OWASPAustin Slack

Description: The OWASP Top 10 for Large Language Model Applications project aims to educate developers, designers, architects, managers, and organizations about the potential security risks when deploying and managing Large Language Models (LLMs). The project provides a list of the top 10 most critical vulnerabilities often seen in LLM applications, highlighting their potential impact, ease of exploitation, and prevalence in real-world applications. Examples of vulnerabilities include prompt injections, data leakage, inadequate sandboxing, and unauthorized code execution, among others. The goal is to raise awareness of these vulnerabilities, suggest remediation strategies, and ultimately improve the security posture of LLM applications.

Description: TBD

Description: With the rise of AI-fueled by Python-based libraries, it has become of paramount importance to scan Python-based projects and their dependencies for OSS vulnerabilities. Python relies on package managers like pip or conda to manage declared dependencies. Dependencies are declared in manifest files which the package manager uses to install the correct version of the required dependency. However, Python’s dependency management system coupled with its dynamic type nature makes it an especially challenging language to deal with. Of particular focus is the phenomenon of phantom dependencies which are unreported dependencies in a project's manifest profile. These hidden dependencies, which are often provided dependencies (which is especially true for libraries such as tensorflow and pytorch which are essential for AI), challenge software composition analysis (SCA) of Python code, impacting the reliability of vulnerability results. For example, in the case of OpenAI's baseline codebase, there is a dependency on tensorflow that is not explicitly declared and is hence a phantom dependency This can cause unexpected behavior and security vulnerabilities. We show how using type-aware program analysis to create call graphs and perform reachability helps us determine the correct dependency set for a codebase irrespective of what is in the manifest. Program analysis aims to extract information from software programs to enhance reliability, security, and performance. This session explores program analysis, specifically reachability analysis in Python, and delves into phantom dependencies - often overlooked in Python applications. Python's dynamic typing and interpreted nature make it a challenging subject for reachability analysis. The lack of type information makes it hard to precisely determine what dependency/features are used in the code. In summary, program analysis, including Python's unique challenges, is essential in software development. Phantom dependencies in Python underscore the significance of meticulous dependency management for code reliability and security. Understanding these concepts is vital for Python developers aiming to build robust software. This abstract sheds light on program analysis complexities and the pitfalls of phantom dependencies, offering valuable insights into Python development and software reliability.

Description: PCI DSS version 4.0 contains a host of new practices that will become requirements on March 31, 2025. In this talk, we focus on a change that looks — at first glance — to be minor, but in reality could have significant implications for Application Security teams: the requirement to manage all internal vulnerabilities, regardless of criticality. We’ll focus on how to address open source software (OSS) vulnerabilities, including: * What it means to “manage vulnerabilities” * Why OSS presents the greatest risk to compliance with this new requirement * The security tool problem preventing organizations from addressing OSS risk * Getting accurate dependency inventories and prioritizing remediation * Setting up guardrails to ensure developers select safe OSS dependencies ENTRY Enter from the door on Broadway and take the elevator to the 11th floor. SCHEDULE Doors open at 5:30. The talk will begin about 6pm. NO ENTRY AFTER 6:15 PM The outer doors auto-lock at 6pm. We will station someone at the door to let people in until 6:15. It will not be possible to enter the building after 6:15. CONTACT INFORMATION REQUIRED TO ATTEND For liability reasons, the building owner requires us collect names and contact info for each person in the building after normal business hours. You will have a choice of signing in with a phone and a QR code or on paper, but we will have to collect this info from all attendees. (If this requirement will prevent you from attending, please let us know. We can't change the rules for this venue, but we can take your feedback into account when we choose venues.) ACKNOWLEDGEMENTS * Our host this month is NedSpace, a co-working space in downtown Portland. * Our sponsor this month is Endor Labs, who will be providing food (as well as the speaker!)

Description: **Ensuring Application Security Excellence in the Age of AI** with Michael Argast In a time where artificial intelligence (AI) permeates every facet of digital existence, the imperative to ensure application security has reached unprecedented heights. In this talk, Michael Argast, Co-founder and CEO of Kobalt.io will delve into the essential strategies for ensuring application security excellence amidst the pervasive influence of AI. By exploring the intricate interplay between AI and cybersecurity, you will gain insights into how AI augments defensive strategies, mitigates vulnerabilities, and addresses emerging threats within application environments. Through real-world case studies and practical recommendations, this session equips you with the knowledge and tools needed to leverage AI effectively in the face of evolving challenges. **Michael** is an experienced cybersecurity professional with over 20 years of industry experience. He is the co-founder and CEO of Kobalt.io, a rapidly growing cloud-focused security services provider. Kobalt.io works with over 200 cloud-focused technology companies to help develop their cyber security programs and ensure the security of their organization. **Enhancing Cloud Application Security with the CASA Framework** with Farshad Abasi This presentation will introduce the Cloud Application Security Assessment (CASA) framework, designed according to OWASP’s ASVS standards to secure cloud-based applications. We will explore CASA's tiered risk-based assessment model that categorizes applications into different risk tiers and applies appropriate security verifications. This systematic approach helps in effectively managing security risks associated with cloud applications, aiming to protect consumer data and conform to best practices in cybersecurity. We would like to thank **Microsoft** for sponsoring this event.

Description: Reliable data is inherently critical for application threat models. As threat modelling continues to proliferate across security programs, bad habits in feeding threat models with relevant data is becoming prevalent. This session will explore top 3 mistakes of "data starvation/ gluttony" with respect to application threat models and how to achieve a contextualized, balanced data diet. Join this OWASP Switzerland event to learn more from Tony about threat modelling and how to make sure you use quality data in doing so.

Description: An introduction to OWASP's Juice Shop. A vulnerable website built for CTF practice.

Description: On May 21st, we organize our next OWASP Belgium chapter meeting at BeCentral (Brussels), by the courtesy of Proximus-ADA. **Agenda**: * 18h00-18h30: Welcome and refreshments * 18h30-18h40: **OWASP Update** 18h40-19h30: **[User Privacy in Online Location-Based Services](https://owasp.org/www-chapter-belgium/#user-privacy-in-online-location-based-services---victor-lepochat-and-karel-dhondt-distrinet---ku-leuven)** (by Victor LePochat and Karel Dhondt, KU Leuven-Distrinet) 19h30-19h45: Break 19:45-20h35: **[Signaling New Frontiers: SS7 Insights by Jeremy Schmidt (Proximus ADA)](https://owasp.org/www-chapter-belgium/#signaling-new-frontiers-ss7-insights---jeremy-schmidt-proximus-ada)** (by Jeremy Schmidt, Proximus ADA) 21:00: Close More info can be found on the Belgium OWASP chapter page at [https://owasp.org/www-chapter-belgium/#div-meetings](https://owasp.org/www-chapter-belgium/#div-meetings) . Our chapter meetings are open for everyone, and attendance is free of charge. We ask you to register on Meetup in order to provide you with last-minute updates, if needed.

Description: Immersive Labs invites you to participate in an interactive cyber crisis simulation. You will make key decisions that could lead to mitigation and containment of the crisis or management of the fallout and potential reputational damage. You will play the role of a boardroom as you seek to make quick decisions during a cyber crisis. Attendees are encouraged to participate using their mobile phones during the session and our Head of AppSec will discuss your decisions at each stage and feedback on how you performed as a group. This is a fun session to creates discussion but also equips you with some decision making skills you can take back into the workplace. \-\-\- **Directions:** In-person event, kindly **hosted by Immersive Labs**, 6th Floor, The Programme, All Saints' St, Bristol BS1 2LZ. To find the entrance, it might be easier to search for "Programme, Bristol, BS1 2NB", or use this link to [Google Maps](https://www.google.com/maps/?q=51.455666,-2.592341). **Venue:** Photo shows the main entrance, which is visible when walking down the right hand side of the Tesco Express on Wine Street (Google Street View sometimes shows the back entrance, which is only accessible via keycard).

Description: We've resumed our regular Meetup schedule in 2024, starting in March. Our approximate agenda for the evening: * 6:00 p.m. - Gather and networking * 6:30 p.m. - Introductions, Top 10 Topic * 7:15 p.m. - Pizza and more networking * 7:45 p.m. - Technical Topic We restarted our introductory coverage of the OWASP Top 10 (2021 edition) with A01:2021 in March, covering a new item each meeting. Our Top 10 topic for May will be **A02:2021 - Cryptographic Failures**. **Technical Topic Speaker:** TBC **Talk Title:** TBC We're always looking for presenters and topics for future meetings - contact John ([email protected]) if you have an idea for a topic, or a presentation you'd like to make. That way, it won't always be John talking about what he's been working on recently. The Auckland OWASP Meetup usually takes place on the third Tuesdays of March, May, July, September, and November. There is no Meetup in January, as our members enjoy their holidays.

Description: EU is about to become a market leader in software cybersecurity regulation. With a large set of proposed and active laws, software development will be regulated like never before. With the coming EU Cyber Resilience Act (CRA) all software and embedded systems will have to get a CE mark, which is now expanded to include cybersecurity aspects. It’s going to be a huge change and will mean that the manufacturers (and in some cases importers) will get responsibility for the user’s security and will have to provide free security patches for the lifetime of the product. Software developers will have to learn secure coding and the need for cyber security professionals will be very high. One of the focus areas is vulnerability management. To keep a product secure during its lifetime, all 3rd party components will have to be monitored and up to date. At the heart of this process is the Software Bill of Materials, SBOM, which is used to monitor for known vulnerabilities in both Open Source and commercial components. The OWASP CycloneDX project fits right in and have been working with various kinds of bill-of-materials for a long time. CycloneDX is in the process of becoming an ECMA standard and thus fits better in to the EU regulation. In this talk Olle E. Johansson will introduce the proposed EU CRA legislation and talk about the SBOM with a focus on the toolchain needed to manage vulnerabilities. We will start the evening with a mingle at 17:30 followed by a presentation that will start at 18:00. The talk will be around 1 hour long followed by a further mingle/time for questions and answers. \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- Join OWASP Stockholm mailing list to get notified of upcoming events [https://groups.google.com/a/owasp.org/g/stockholm-chapter](https://groups.google.com/a/owasp.org/g/stockholm-chapter) Join our Slack channel on OWASP Slack *[#chapter-stockholm](https://owasp.slack.com/)*

Description: **TOPIC**: Securing Generative AI Applications using the OWASP Top 10 for Large Language Models Join us for dinner+drinks, networking, and see a presentation by **Steve Wilson**, OWASP project leader and Chief Product Officer at **Exabeam** **ABSTRACT**: What are the new risks that generative AI brings to your environment? In this cutting-edge session, we uncover the potential hazards that Large Language Models (LLMs) introduce to modern application ecosystems. Drawing on the expertise distilled in the OWASP Top 10 for LLMs, we offer a comprehensive roadmap for mitigating these risks. Attendees will gain insights into securing generative AI applications, recognizing the nuances of LLM vulnerabilities, and deploying defenses. This talk is a call to action for developers and security professionals to foster a culture of secure, responsible AI development. Equip yourself with the knowledge to anticipate threats, apply best practices, and build AI systems that are not only intelligent but also resilient in the face of cybersecurity challenges. **THANKS to OUR SPONSOR**: *[Kodem](https://www.kodemsecurity.com/)* *Kodem means “first” or “early” in Hebrew. A priority. We believe in helping appsec teams make security a priority by spotlighting risks that truly matter. We believe in helping developers improve code quality by shifting left and catching issues early. And we believe in making people a priority: our customers, our team, and our partners.* **CODE OF CONDUCT** We hope you enjoy the event, we care deeply about inclusivity and diversity so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of our chapter leaders if you have any feedback/concerns or would like to speak to us, we take these matters very seriously. You can find out more about our policies here: [https://owasp.org/www-policy/operational/conferences-events.html#conference-and-event-anti-harassment-policy](https://owasp.org/www-policy/operational/conferences-events.html#conference-and-event-anti-harassment-policy) **SPONSORSHIP Opportunities Available** *Vendors interested in sponsoring please send an email to [email protected]*

Description: Are you being asked about the security of your software supply chain? This seems to be one of the hottest and most prominent topics, both from auditors and customer compliance requirements right now within application and software security. Join us Wednesday, May 22nd from 6:30pm - 8:30pm to hear from the experts at Synopsys software integrity group on the best ways to utilize SBOM's to ensure your software supply chain is secure!

Description: Join us for an informative and hands-on workshop on securing your software supply-chain. In this event, we will be joined by Dan Lorenc, CEO and founder of Chainguard Inc. We will have food, learning, swag and, of course, networking with other like-minded folks in the area. Chainguard and Pins Mechanical will host us after the event for those that can come have some fun! To be sure that I can help ensure head count, parking and more, please be sure to RSVP if attending in-person. Note: This event is organized by the OWASP Nashville Chapter and is open to both OWASP members and non-members. Whether you are already a member or interested in becoming one, we encourage you to attend this event and learn more about the benefits of being part of the OWASP community.

Description: Are you being asked about the security of your software supply chain? This seems to be one of the hottest and most prominent topics, both from auditors and customer compliance requirements right now within application and software security. Join us Wednesday, May 22nd from 6:30pm - 8:30pm to hear from the experts at Synopsys software integrity group on the best ways to utilize SBOM's to ensure your software supply chain is secure!

Description: Since 4/25/24: discussions on AI and LLM's generally and the Coursera Prompt Engineering series from Vanderbilt specifically. We are now studying ChatGPT Advanced Data Analysis.... For General Study Group info, see #studygroup in OWASPAustin Slack For topic specific info, see #ai in the OWASPAustin Slack

Description: Securing the Web is the second meetup of OWASP Beja chapter which will be held on May 23rd, 2024, at 14:30 sponsored by **[Checkmarx](https://checkmarx.com/?utm_source=meetup&utm_medium=sponsorship&utm_campaign=owasp-beja)**. **Schedule** 14:30 - **Welcome Notes** by OWASP Beja chapter leadership team 14:35 - **Purple Team Approach Towards Confluence RCE** by Paulo Viegas 15:00 - **Newton's Third Law: Static vs. Dynamic Abusers** by Diogo Sousa 16:00 - **Snacks & Drinks** sponsored by **[Checkmarx](https://checkmarx.com/?utm_source=meetup&utm_medium=sponsorship&utm_campaign=owasp-beja)** **Talks** **Purple Team approach towards Confluence RCE** by Paulo Viegas, Threat Detection Analyst @ Siemens Talk about the value of collaboration between the red and blue team with a practical example. **About the Speaker** Curious Blue Teamer with special taste for malware and forensics. \-\-\- **Newton's Third Law: Static vs. Dynamic Abusers** by Diogo Sousa, Engineering Manager @ Canonical If you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it to their own needs. In this talk we'll compare measures that are effective against static attackers and how to battle a dynamic attacker who adapts to your counter-measures. **About the Speaker** An opinionated individual with an interest in cryptography and its intersection with secure software development.

Description: Welcome from OWASP Birmingham our first Meetup of 2024 Once again we'll be @Hays at One Colmore Square Thursday 23rd May for two great Infosec talks 5.45pm - Doors open 6.15pm - Welcome and Food 6.30pm - "**Post-Quantum Cryptography**" Speaker: Charlie Anglin Synopsis : Quantum computers are here and research is advancing every day. Boffins tell us that the rise of quantum computing will soon make our current encryption algorithms irrelevant. This talk aims to cover questions such as: · What are the facts? · What's being done to produce quantum-safe cryptography? · What can we expect to happen in the next few years? · What actions, if any, should we be taking? Speaker Bio: Charlie is an engineer at Capgemini. He's spent the last 8 years in a number of roles, in particular as a security engineer and as a developer across multiple languages. 7.15pm - Break 7.30pm - "**Practical Security Testing for E-Commerce and Payment Applications**" Speaker: Soroush Dalili Synopsis: This talk aims to deepen the audience's understanding of security challenges in e-commerce and payment applications and to introduce a practical testing methodology. We will detail specific vulnerabilities and demonstrate how to test for race conditions using tools like Burp Suite and Turbo Intruder. Additionally, if time permits, we will explore intriguing cases where simple arithmetic operations lead to unexpected security outcomes. Speaker Bio: Soroush, the founder and director of SecProject, is a distinguished expert in web application security with over 15 years of experience specialising in vulnerability discovery, security source code review, and penetration testing. Before establishing his own company, he served as a principal security consultant at MDSec and NCC Group. He has contributed numerous security advisories to industry giants such as Microsoft, Mozilla, Adobe, Yahoo, and Facebook. Soroush's expertise has been showcased through speaking engagements at security conferences and events, including AppSec EU, SteelCon, BSides Manchester, and HackPra. 8.15pm - Questions/Any Other Business 8.30pm - Close RSVP when you get a chance so we can plan accordingly. We look forward to catching up with you all next month!

Description: **Can we outsmart the adversaries? (Effective) Cyber Deception with Honeypots** In today's ever-evolving cyber threat landscape, traditional defence mechanisms often struggle to keep pace with attacker ingenuity. Cyber deception offers a proactive approach, utilizing traps and deceiving tactics to lure attackers into controlled environments. Honeypots are one of the prominent techniques of cyber deception that act as decoy systems for capturing attacks and analyzing the adversary strategy. They provide an early detection mechanism as well as a method for learning how adversaries work and think. However, over the past years, several researchers have shown methods for fingerprinting honeypots. This significantly decreases the value of a honeypot; if an attacker can recognize the existence of such a system, they can evade it. This talk delves into the world of cyber deception, focusing on honeypots, their efficacy, and some fingerprinting techniques from my research. We'll explore how honeypots function and the contributions from The Honeynet Project, a non-profit, open-source community. **Speaker:** [Shreyas Srinivas](https://www.linkedin.com/in/shreyas-srinivasa-ph-d-47038b13/overlay/contact-info/) is Cyber Security Specialist at TERMA Group, Co-founder of Selene CTI and previously Security Researcher at Aalborg University. He is contributor to the [Honeynet project](https://www.honeynet.org/), a non-profit dedicated to investigating the latest attacks and developing open source security tools to improve Internet security. **Information-Flow Security for the Working Software Engineer** How does information flow through your software? Awareness of this gives you a new perspective when writing software with security requirements; it helps you avoid introducing information leaks into software, and gives you a conceptual framework for reasoning about software security in general. In this talk, you will meet concepts like information leak, sources & sinks, dependencies, side–channels, and flow policies. You will learn to identify information flows in software, to express application–specific security requirements as flow policies, and to implement software that adheres to said flow policies. Want to try this out? Then bring a laptop; right after the talks, I will organize a little activity where you can tinker with \`ifc-ts\` - my TypeScript library for expressing flow policies. In \`ifc-ts\`, flow policy checks are reduced to checks performed by TypeScript's type checker. Thus, if your code type-checks, then your code is guaranteed to adhere to the flow policies expressed therein. **Speaker:** [Willard Rafnsson](https://www.willardthor.com/) is Associate Professor at the IT University of Copenhagen (ITU). I am a member of the Center for Information Security and Trust (CISAT), as well as the Programming, Logic and Semantics (PLS) and Software Quality Research (SQUARE) groups. **Location:** to be announced

Description: ### **Book your ticket now as seats are limited!** Cyber Booked is a one of a kind physical CyberSecurity event, featuring both recently published and more well-known CyberSecurity books. The authors will share the latest insights from their books and you will have the opportunity to ask them questions about their books. During the break and drinks you can meet & greet with the authors and maybe even get your book signed! This event is a joint event organised by the Dutch chapters of OWASP along with ISACA, ISC2 and the Secure Software Alliance (SSA). The event is free of charge and CPE certificates will be issued from ISACA and ISC2. The event will be presented in English. Please use the link below to register for the event with you full and correct information as this information will be used to process your CPE points. https://isaca.nl/events/cyber-booked-2024/

Description: The next OWASP Timisoara Chapter Meetup will be ***in person***. See https://owasp.org/www-chapter-timisoara/ for more information about the OWASP Timisoara chapter. Theme sessions - Theme: Firewalls, Product Security & Contingency plans. \`Schedule\` **\`Time:\`**\` 18:00 to 20:30\` Introduction, OWASP News & Updates - Catalin Curelaru Securing the Gates: The Hidden Flaws Behind the Firewall - Adrian Daniel BACANU (RAZDON) Running a Product Security Assessment Program at scale - Alina NICULA (VISMA) Contingency plan from security point of view - Adrian BARAN (VITESCO) Location of the event: UBC3, et 10, Sediu VISMA, Piața Consiliul Europei 2 · Timișoara Event powered by VISMA More about the speakers and topics: **Adrian Daniel BACANU - CEO @ RAZDON,** is the CEO and co-founder of Razdon, a pioneering CyberSecurity startup. With 14 years of enterprise experience and a lifelong passion for hacking—now spanning two decades—Daniel brings a wealth of expertise to the cybersecurity field. He still offers some Security Architectural consultancy for different companies across Europe, and from time to time, he engages in bounty hunting. When not decoding the matrix of cyber threats, Daniel enjoys life with his wife and two boys, plays football twice a week, and maintains a spirited sense of humor—because in cybersecurity, sometimes, you really can't afford to joke. ***\~Securing the Gates: The Hidden Flaws Behind the Firewall\~*** Effective cybersecurity is not just about having defenses in place but ensuring they are properly designed. 'Securing the Gates: The Hidden Flaws Behind the Firewall' illuminates the common pitfalls in firewall implementations that often go unnoticed. This presentation will demonstrate typical design errors that compromise security and provide actionable insights on how to rectify these flaws to create robust defenses. Attendees will learn how to not only deploy but also optimize firewalls to safeguard their digital assets effectively. **Alina NICULA** - **VASP Lead and Product security assessment service owner and reviewer @Visma**. Alina has been working within product development teams as a software developer, security engineer, software and cloud service architect. In the last years she focused on software security by guiding Visma teams into securing their applications, data, cloud workloads, and delivery pipelines to avoid potential cybersecurity risks. ***\~Running a Product Security Assessment Program at scale\~*** Having a product security assessment program is essential for any company. It is equally critical to ensure that this program remains relevant over the time and is scalable as the company grows.In this presentation, I will discuss how we ensure that our designed processes empower development teams to make informed security decisions while also giving them ownership over the remediation of the security aspects that impact their products. However, achieving this goal requires a strong and knowledgeable security review team that supports the delivery teams with informed security by design best practices. So, how have we been able to grow our program? I hope you will leave this presentation with a clear understanding of our approach. **Adrian BARAN -** **Security Manager @ VITESCO**, ***\~ Contingency plan from security point of view \~*** Abstract:

Description: 30 minutes of meet-and-greet and Chapter information, then the Presentation!

Description: Join us for the 7th OWASP Lisboa meetup! The OWASP Lisboa chapter meetup will be held on May 28th, 2024, at 18:00, **and is** **supported by [Springer](https://www.springer.com/) and [AP2SI](https://ap2si.org/).** The schedule is the following: **18:00** - **Welcome notes** by the OWASP Lisboa chapter leadership team **18:15** - **Technical Challenges of Security Scanning in CI/CD** by Tiago Mendo **19:10** - **Harnessing Reachability Analysis to Discern Real Threats in** by Joseph Hejderup **20:00** - **Drinks & Dinner** by Springer \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- **Talks**: Title: **Technical Challenges of Security Scanning in CI/CD** Speaker: **Tiago Mendo** Abstract: Have you ever tried to add a web application security scanner to a CI/CD pipeline? I intend to draw attention to some of the challenges that development/security teams experience when trying to automate security tests. The objective is to make the audience aware of these problems so that they can solve them as soon as possible, increasing the success of the tests and the adoption by the teams, which, in the end, will lead to greater security for the organization. The focus will be on problems such as the scale of tests, speed of obtaining results, false positives and how these can destroy the process - or make it more expensive, and the use of the tools itself. All problems will be based on real situations, with examples whenever possible. I will propose solutions for different teams' maturity levels, giving practical tips to start implementing security in the developers' pipeline. Bio: Tiago Mendo is a co-founder and CTO of Probely, a cybersecurity company that does web and API security scanning. With over 19 years of experience in the security field, he has extensive experience in pentesting applications, training, and providing all-around security consultancy. Holds a Master's in Information Security from Carnegie Mellon University and a CISSP certification. He is also a qualified member of AP2SI, a non-profit organization that promotes Information Security, and Co-Leader of the OWASP Lisboa Chapter, in Portugal. He is also an international speaker at security conferences, such as SnowFROC, LASCON, BSides Kraków, and BSides Lisbon. LinkedIn: [https://www.linkedin.com/in/tiagomendo/](https://www.linkedin.com/in/tiagomendo/) \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- Title: **Harnessing Reachability Analysis to Discern Real Threats in Software Dependencies** Speaker: **Joseph Hejderup** Abstract: In this talk, we will dive into the shortcomings of traditional dependency analysis methods, which usually focus on looking at build manifests and metadata, to spot security or performance vulnerabilities in Java projects. While tools like Maven Dependency Checker and Gradle's dependency-analysis plugin are invaluable for their ability to manage dependencies, they often fall short when we need quick and precise answers, forcing developers to lean on time-consuming tests and manual code reviews. We believe that a thorough look at how dependencies are actually used in the code—with the help of static and reachability analyses—can be a more effective way to pinpoint real threats in Java dependencies. We'll use real-world examples to show how static analysis, and in particular reachability analysis, offers deeper insights into potential vulnerabilities by moving beyond simple metadata. By sharing examples where static analysis has been a game-changer, and pointing out where it might not be enough, we aim to shed light on the challenges and opportunities this method brings to improving security and performance in software projects. Our goal is to provide attendees with practical strategies for using static and reachability analyses, promoting a more detailed method for managing dependencies and finding vulnerabilities in software applications. Bio: Part-time developer, part-time PhD student, full-time enthusiast in developing and researching techniques that makes package management system more intelligent and resilient against supply chain problems! Joseph Hejderup (Researcher/Software Engineer at Endor Labs & PhD student at Delft University of Technology) is applying program analysis techniques to better understand how we use third-party components and what risks third-party components entails from a security and maintenance perspective. Currently, he is applying years of research in Endor Labs with the mission to make dependency management a robust process that will empower developers, increase productivity, and solve security problems. LinkedIn: [https://www.linkedin.com/in/josephhejderup/](https://www.linkedin.com/in/josephhejderup/)

Description: **!WANTED! --> Women in IT Security <-- !WANTED!** **Agenda** * *Vortrag:* **<- WIR SUCHEN NOCH VORTRAGENDE!** * Austausch & Networking **Bitte gebt Bescheid**, wenn ihr kommt und ggf. wie viele Leute ihr mitbringt, damit wir auch genug Platz haben. Du hast eine Idee oder willst einen Talk halten? Melde dich einfach! Wichtiges für Talks in aller Kürze: * Verwende einen neutralen Foliensatz - ohne Logo, ohne Werbung * Auf einer Folie kannst du dich und deinen Arbeitgeber vorstellen - hier auch mit Logo * Gib kurz Bescheid, ob du den Vortrag auch auf Englisch halten könntest * Vertriebler, die eine Verkaufsveranstaltung durchführen wollen, werden ausgebuht und müssen diverse Runden Bier ausgeben

Description: **Join us at our partner Benify's office for an interesting evening with food and drinks, and talks about AI security and the security implications of attacker controlled HTTP response headers!** **Where:** Benify, Masthamnsgatan 5, 413 27 Göteborg **Agenda:** **17:00 - 17:25:** Welcome to Benify **17:25 - 17:40:** Introduction from the event hosts and presentation of tonight's speakers. **17:40 - 18:40:** *Securing the Future: Ethical, Robust, and Secure AI Development* Outline: Historical Overview of AI * Evolution of artificial intelligence * Key milestones in AI development AI and Ethics * Impact on business operations and decision-making * Overview of ethical guidelines and frameworks * Best practices for ethical AI implementation * Strategies to mitigate ethical risks Robustness & Reliability of AI Code Generation * Common misuse patterns and how to address them * Key metrics for measuring AI system reliability Artificial Intelligence Security Introduction * Historical case studies of AI failures OWASP Top Ten for Large Language Models * Security issues ranging from prompt injection to model theft Threat Modeling AI Systems * Methodologies for assessing and mitigating threats in AI ecosystems Hugging Face Open Source AI Tools * Overview of tools for AI development and research Differential Privacy and AI * Principles and applications to protect user data NIST AI Risk Framework * Framework for managing AI risks Executive Order on AI Development and Use (Dated Oct 30, 2023) * Analysis of the executive order and its implications for AI EU AI Act * Exploration of the EU's first regulation on AI (link provided in the talk) **Jim Manico** is the Founder of Manicode Security, a company dedicated to providing expert training in secure coding and security engineering to software developers. His work at Manicode Security reflects his deep commitment to elevating software security standards in the industry. In addition to leading Manicode, Jim is actively involved in the tech startup ecosystem as an investor and advisor. His portfolio includes notable companies such as SemGrep, EdgeScan, Nucleus Security, Defect Dojo, KSOC, Akto, MergeBase, Inspectiv, Levo.ai and Pheonix. Furthermore, he is a fund-limited investor with Aviso Ventures, bringing his knowledge of software security to the venture capital domain. Jim is a recognized figure in the software development community, particularly known for his contributions to secure software practices. He holds the title of a Java Champion, acknowledging his contributions to the Java community. He is also the author of "Iron-Clad Java: Building Secure Web Applications", published by Oracle Press. Jim is committed to giving back to the community through his volunteer work with the OWASP foundation. He co-leads projects such as the OWASP Application Security Verification Standard and the OWASP Cheatsheet Series, contributing significantly to the field of web application security. For more information, please visit his LinkedIn profile at https://www.linkedin.com/in/jmanico or visit him on X/Twitter @manicode. **18:40 - 19:20:** Food & Drinks **19:20 - 20:00:** *Controlling the response: a peek into the risk of attacker-controlled HTTP headers* The talk will present research into the security implications of attacker-controlled response headers. What can go wrong when we intentionally or unintentionally allow an attacker to control the headers of an HTTP response? We will examine some services where this exists "by design" where developers have tried to mitigate any risk using filters and Content Security Policies. We will also take a new look at the classic "CRLF header injection". The presentation will cover some known escalations in this area but also present a lesser-known escalation that abuses Network Error Logging. **Johan Carlsson** is a developer, bug bounty hunter, and hobby security researcher. He works at Recorded Future but has just finished three months of self-employment as a full-time bug hunter. Johan has found numerous vulnerabilities in many companies but is most known for his work on securing GitLab. **20:00 - 21:30:** Over-time (optional) Hang out, grab something to drink, and discuss security, the weather or anything in between!

Description: We still haven't found a suitable in-person meeting venue. We'll be hosting this meeting online. The meeting’s URL will become visible on the meetup page after you RSVP. Please join us virtually for our May 2024 Meeting. BYOB - Bring Your Own Beverage **Agenda** === * Chapter update/news * Talk by Rohini Sulatycki * Virtual Networking **Talk Title:** Securing the Digital Pipeline: Unveiling the Power of Software Bill of Materials (SBOM) **Talk Summary:** A significant increase in cyber attacks due to vulnerabilities within the supply chain has led to a heightened awareness of the security of supply chains and creating a software bill of materials (SBOM) is gaining traction as a good initial step. A SBOM is essentially the “ingredient list” that goes into the making of the software. In this talk, we will discuss: * What is an SBOM * The elements that make up an SBOM * The problems that can be solved by an SBOM * SBOM tooling * Future thoughts

Description: Speaker: Ben Struebing; "The Summit Awaits: Are you ready the Purple Ascent?" After / during: Pizza, Beer, Assortment of soft drinks Location: National Cyber Center (NCC): https://cyber-center.org/

Description: **NOTE: The following will be in effect and mandatory for this meeting venue.** * **RSVPs will close at 11:59 PM PT on May 26th, so kindly submit your RSVP by then. Walk-ins will not be permitted.** * **Google Security mandates that RSVPs include your full name (in Meetup settings) and that you bring your ID, which will be checked at the entrance to match your RSVP.** * If your first and last name do not appear in our admin view, we will contact you. * Alternatively, feel free to reach out directly or email us at [email protected] to provide that information. **Parking** Park in the public garage structure next to the building. We will be providing paid tickets for exiting the garage. **Live Stream** Stream us live on Twitch: http://twitch.tv/owaspoc *Please change your RSVP to "No" if you can't make it and/or will join via livestream instead.* **Abstract** In an era where cloud security is critical, the delicate balance between rapid development and maintaining stringent security measures is more critical than ever. Join Doron Naim (DevOcean) as he addresses this challenge head-on, offering members of OWASP new actionable strategies and expert insights for enhancing collaboration and efficiency in cloud security and remediation efforts. **Key Insights:** * **Collaboration Techniques**: Learn proven collaboration methods to boost synergy across security, DevOps, and development teams. * **Smart Remediation**: Discover how intelligent workflows can significantly speed up the identification and resolution of security vulnerabilities. * **Ownership & Efficiency**: Gain insights on automating the assignment of fixes to the right team members, streamlining the remediation pipeline, and cutting down on ticket clutter. * **Preventive Measures:** Explore methods to ensure vulnerabilities are fixed right the first time, preventing future occurrences. **Why Attend:** * **Immediate Value**: Walk away with strategies you can implement now, no matter your platform or tools. * **Enhanced Security Posture**: Learn how to reduce friction and elevate your cloud security practices. * **Practical Knowledge**: Whether or not DevOcean is part of your toolkit, this session promises insights to help your organization thrive in cloud security. **Ready to Bridge the Gap between Security and Dev?** Join us to unlock NextGen collaboration strategies that support secure, rapid development. Learn how to streamline workflows, elevate your cloud security posture, and achieve continuous innovation.

Description: Thirsty Thursdays. Same time. Same day each month. Differing places. Good chat. **What?** * Casual conversation over food & drinks **Where?** * It may differ each month, bars, restaurant and eateries around Peterborough **When?** * \~ The last Thursday of each month Everybody welcome, the next event details will be chosen from the last (and so on!).

Description: The location is **The Ballroom Suite B** at the [Crowne Plaza Hotel](https://maps.app.goo.gl/38rAWxBS9gMoSiH69). **Calling all tech and security enthusiasts!** We are thrilled to announce the fourth meetup of the [OWASP Chapter in Limassol](https://owasp.org/www-chapter-limassol/), supported by [Semrush Inc.](https://semrush.com)! We cordially invite you to join us for an evening of engaging discussions, networking, and knowledge sharing among cybersecurity enthusiasts, professionals, and enthusiasts from various backgrounds. We look forward to seeing you there and would be delighted to offer a **complimentary gift to each attendee**! **Schedule:** 18:30 — 19:00 — Gathering & Intro 19-00 — 19:35 "**ASPM** \- a story about unicorns\, sneaky business\, and unexpected decisions\." [Ivan Elkin](https://www.linkedin.com/in/ivan-elkin/) 19-35 — 20:05 TBA 20:05 — 20:30 A short break 20-30 — 21:00 TBA 21:05 — 21:40 TBA 21:40 — 22:05 Outro 22:05 — 23:00 Eat, drink, networking! In addition, as usual, we are working hard to deliver the best knowledge to the community and are happy to announce that this event is fully packed with amazing gifts: \- quizzes winners \(**RTL-SDR Blog V3** R860 RTL2832U 1PPM TCXO HF Bias Tee SMA SDR with Dipole Antenna Kit) + branded T-shirt \- activity winners \(NooElec '**Yard Stick One**' USB Transceiver & 915MHz Antenne) + branded T-shirt \- speakers \(**Hamgeek HackRF One R9** and Portapack H2 Include 5 Antennas and Data Cable 1MHz-6GHz SDR Radio Unmounted Black) + branded T-shirt We'll have catering and a chilly sunset view zone to make the evening unforgettable. [Don't forget to join us on Telegram (we will send updates there quickly).](https://t.me/+W1hEPzn4BOcwMTNi)

Description: Time for a summer get together before we all disappear for the summer holidays . This is the perfect opportunity for all of us app-sec interested folks to get together and meet up in real life for a relaxed chat and maybe a beer or some other refreshments. When: 5th June, 2024 17:00 Where: The Old Brewer - Public House & Dining Room at Luntmakargatan 98, 113 51 Stockholm Expect: Quick AppSec Tips Networking Drinks & Laughter The meeting will start at 17:00, but it's a casual event so turn up when it suits.

Description: Join us at the inaugural OWASP Stuttgart Chapter Stammtisch and celebrate our revival. :-) We are currently seeking contributors as the event does not yet have a designated topic or speaker. If you wish to contribute, please contact Sven Strittmatter (Weltraumschaf) or Johannes Merkert. **Agenda (Subject to Change):** * **6:00 PM**: Arrival * **6:30 PM - 7:30 PM**: Presentation (TBD) * **7:30 PM - approximately 9:00 PM**: Barbecue, drinks, discussion, and networking