Quick List (Details below)
- OWASP Belfast event! - Belfast, May 25
- Secure Development Based on OWASP (Desarrollo Seguro basado en OWASP) - Chile, May 25
- OWASP CoS May 2023 - Colorado Springs, May 25
- May 2023 OWASP Chapter Netherlands Meetup - Netherlands, May 25
- How to Identify Threat Modeling Limitations - Triangle Nc, May 25
- The Importance of Cybersecurity for Students in the All-Digital Era (Pentingnya Keamanan Siber bagi Mahasiswa di Era Serba Digital) - Surabaya, May 26
- OWASP Austin Chapter Monthly Meeting - May 2023 (Online) - Austin, May 30
- German OWASP Day 2023 in Frankfurt: Ebbelwoi meets AppSec! - Frankfurt, May 30
- #03 is a charm - Lisboa, May 30
- OWASP London Chapter Meetup [IN-PERSON] - London, May 30
- German OWASP Day 2023 in Frankfurt: Ebbelwoi meets AppSec! - Wrongsecrets, May 30
- Securing Docker to Protect the Host - Edmonton, May 31
- OWASP Orlando - Chapter Meeting - Orlando, May 31
- OWASP Aarhus Chapter Meeting - May/June - Aarhus, Jun 01
- Introduction to OWASP ModSecurity CRS - Dorset, Jun 01
- OWASP Tampa Chapter Q2 CTF/Lunch Event 2023 - Tampa, Jun 02
- OWASP, ISACA, and ISC2: Web Application Firewalls webinar - Netherlands, Jun 07
- OWASP Timisoara #22: Cloud Security & CyberSec Ecosystem [IN-PERSON] - Timisoara, Jun 08
- AppSecDays PNW - Portland, Jun 10
- OWASP AppSec Days PNW 2023 - Seattle, Jun 10
- OWASP Monthly meeting - Jacksonville, Jun 12
- June Meeting - Madison, Jun 13
- OWASP Suffolk Fight Club - June 2023 - Suffolk, Jun 13
- Security Social Lunch Hours - Seattle, Jun 14
- Browser Extension Security, and Scripting for Web Application Testers - Bristol Uk, Jun 15
- OWASP x Project Calico x Okta | Container and Kubernetes security policy design - Toronto, Jun 15
- OWASP June Meet - Dallas, Jun 20
- Join us LIVE and IN-PERSON for Denver OWASP's June Meetup - Denver, Jun 21
- June Meetup - Sacramento, Jun 21
- OWASP Maine: Jump into Mobile AppSec with the OWASP MAS Project - Maine, Jun 22
- OWASP Maine: Jump into Mobile AppSec with the OWASP MAS Project - Portland Me, Jun 22
May 25, 2023
Time: 18:30+01:00 (Europe/London)
Description: Hello OWASP Belfast!
We are delighted to announce that we are back with our first hybrid event for 2023 with an exciting line up of talks from industry leaders. The Meet up will be in partnership with ESO, who have also kindly offered to host the evening and provide pizza, beers and soft drinks for everyone!
**Date**: 25th May 2023
**Time**: 6.30 PM
**Location**: ESO, 42 Fountain St, Belfast BT1 5EF.
**Or join us virtually by Zoom**: https://eso.zoom.us/j/93766328107
First, we will talk about threat modelling, its importance to developers, and how it can be implemented as a continuous approach within the development pipeline. This will lead naturally into a discussion of the current OWASP Top 10, focusing specifically on HTTP request smuggling, mass assignment attacks and Terraform security best practices. Finally, to wrap up, we'll discuss how automation can help address OWASP vulnerabilities, the importance of prioritising design principles, and how code analysis can improve vulnerability detection, management and remediation as part of the development pipeline.
**Agenda**:
6.30 - 6.50 Networking
6.50 - 7.00 Welcome & chat about ESO
7.00 - 7.20 Talk 1: Threat Modelling (Simon Whittaker, Vertical Structures).
7.20 - 7.30 BREAK
7.30 - 7.50 Talk 2: OWASP Top 10 (Denis Podgurskii)
7.50 - 8.00 BREAK
8.00 - 8.20 Talk 3: Automating OWASP Defences (ESO)
8.20 - 8.30 Q&A, Networking and Exit
Disclaimer: As always, our events are designed to educate. Any tools and techniques demonstrated are for informative purposes only. We do not endorse their use for malicious purposes.
Speaker Info:
**Finian Mackin** – Director of Security Architecture at ESO
https://www.linkedin.com/in/finian-m-81718014/
**Simon Whittaker** - CEO at Vertical Structure Ltd
https://speaking.verticalstructure.com/bio
**Denis Podgurskii** - OWASP Belfast
https://www.linkedin.com/in/denis-podgurskii/
Additional Information:
ESO is located between Waterstones bookshop and the back of Boots in Belfast city centre.
They have two working lifts
ESO employees will be at the door to welcome attendees and show them to the meetup space.
Time: 20:00-04:00 (America/Santiago)
Description: Santiago, Thursday 25 May and Thursday 8 June, from 20:00.
OwaspChile invites you to a one-hour summary talk based on the training courses available for learning the OWASP Top 10 and secure programming.
**TRAINING ROADMAP**
=====================
**Thursday 25 May**
**----------------------**
Level 1: Foundations Training. Works well as an information security awareness session; it is based on the most frequent cybersecurity risks.
*(Register, and on the day of the talk you will receive the connection link by e-mail.)
**Thursday 8 June**
**----------------------**
Level 2: Advanced Training. A 16-hour training with secure programming labs for a language of your choice (Java, .NET or PHP, to be decided) and database stored procedures.
*(Register, and on the day of the talk you will receive the connection link by e-mail.)
We look forward to seeing you.
Time: 8:00-06:00 (America/Denver)
Description: Speaker: John Mocuta, Weaponized AI and Executive Impersonation.
After / during: Pizza, Beer, Assortment of soft drinks
Location: National Cyber Center (NCC):
https://cyber-center.org/
Time: 18:00+02:00 (Europe/Amsterdam)
Description: **Location:** Exact
**Address:** Molengraaffsingel 33, 2629 JD Delft
See [https://owasp.org/www-chapter-netherlands/upcomingevents](https://owasp.org/www-chapter-netherlands/upcomingevents) for more information about the OWASP Netherlands chapter.
18:00 - 18:15 - **Reception of attendees**
18:15 - 19:00 - **Pizza**
19:00 - 19:15 - **Welcome and OWASP updates**
19:15 - 20:00 - **AppSec in IT contracts** by **Sebastian Avarvarei**
20:00 - 20:15- **Break with drinks**
20:15 - 21:00 - **About containers and their escapes: understanding escape patterns and possibilities** by **Mauricio Cano**
**AppSec in IT contracts**
*Abstract:*
Back in 2018 I wrote: “In today’s multi-sourced enterprise, your security is as good as your worst written contract.” We have gotten better at writing security into commercial contracts since I first did my talk on this topic, but the yellow brick road ahead of us still goes some ways.
But how about AppSec, how well is it covered in our IT contracts? What are the pitfalls and the solutions? How do we avoid that someone else’s security issues become our security problems? And, by all means, let’s learn how to be a bit lazy, and do better with less effort!
*Bio:*
Currently working as Information Security Manager at Canon EMEA, Sebastian has been in IT and Security for over 20 years, covering a multitude of roles ranging from Developer, Security Architect, Auditor and Consultant, before moving into security governance and management, giving him a unique multi-faceted view on today’s InfoSec challenges. He has led multiple security improvement programs and performed maturity assessments for a wide variety of organizations - while continuously asking himself:"Could we do this in another way?"
**About containers and their escapes: understanding escape patterns and possibilities**
*Abstract:*
Containers have become one of the most common underlying infrastructure for microservice architectures. As such, they can often be part of the external attack surface of enterprise systems and applications (e.g., whenever a web application hosted on a kubernetes cluster is Internet-facing). Thus, it is important to understand what types of (mis)configurations can make containers more vulnerable against attacks of different types. In this talk, Mauricio will deep dive into different techniques that can be used to escape containers. In particular, he will talk about how to escape privileged containers, the usage of different capabilities, the usage of kernel exploits and a few other ways in which attackers may use to gain access to the hosts of the containers.
*Bio:*
Mauricio Cano is a cloud pentester focused on container technologies. In particular, he focuses on the security of containers and serverless architectures. He has pentested Kubernetes clusters and serverless architectures for several multinational financial institutions. Prior to his security work, he has a background in academia and a Ph.D. in Computer Science from the University of Groningen, focused on programming language design and formal methods to ensure correctness. In his spare time, Cano enjoys reading, cooking, and solving puzzles.
Time: 2:00-04:00 (America/New_York)
Description: Many cyber and application security tools love to say they can do everything needed to protect your assets. It isn’t rocket science to know that’s not true. It’s helpful to consider the limitations of tools and processes. This presentation will take attendees through how to define the limitations of threat modeling correctly, understand best practices in how, when, and by whom a proper threat model should be performed, and how this process of identifying threat model limitations can help users better understand its utility to systems and processes.
May 26, 2023
Time: 9:00+07:00 (Asia/Jakarta)
Description: **[FOR ITTELKOM SURABAYA STUDENTS ONLY]**
The Importance of Cybersecurity for Students in the All-Digital Era
In today's increasingly advanced digital era, students are one of the groups most vulnerable to cybersecurity threats. In their daily activities, students often use devices such as laptops, smartphones and tablets to access information, communicate and do coursework. It is therefore important for students to understand how crucial maintaining cybersecurity is. This piece explains, persuasively, why cybersecurity matters so much for students.
First, students often have access to a wide range of personal data. Information such as email addresses, phone numbers, home addresses and even financial details can be stored on their digital devices. If cybersecurity is not maintained properly, that personal data can fall into the wrong hands and be used for irresponsible purposes. A student's identity can be stolen, which can have a bad impact on their life both personally and academically. Strong cybersecurity protects students' privacy and prevents unwanted losses.
Next, good cybersecurity is also important for protecting academic information. Students often have access to university information systems, library databases and online learning platforms. Through cyber attacks, this information can be stolen or altered by unauthorised parties. If a student's papers, research projects or coursework are manipulated or accessed by others, it damages their academic reputation. By maintaining cybersecurity, students can protect the integrity of their academic work and ensure their achievements are recognised fairly.
In addition, cybersecurity is closely tied to students' financial security. Many students use credit cards or online payment systems to pay tuition, buy reading material or shop online. If cybersecurity is not maintained properly, their financial information can be stolen and misused by cybercriminals. This can cause significant financial losses for students and affect their ability to continue their education. By paying attention to cybersecurity, students can protect themselves from these threats and keep their finances stable.
Finally, it is important for students to realise that they are not isolated individuals in the digital environment. Students often communicate with friends, lecturers and peers via email, social media or online collaboration platforms. If their cybersecurity is compromised, it can also endanger others in their network.
May 30, 2023
Time: 1:30-05:00 (America/Chicago)
Description: *Lunch is provided for attendees; so that we have enough food, if you would like to attend in person at NI please register at* https://owasp-austin-2023-may.eventbrite.com
30 minutes of meet-and-greet and Chapter information, then the Presentation!
Presentation:
How Zero Trust can improve your web application security
In this presentation, we will review some of the Zero Trust concepts and roadmapping some adoption schemes. We will dive into some examples of using these concepts to improve and provide better controls around:
- Setup and configuration of Zero Trust services
- Developer access and code security gains
- Exposing internal web sites securely with MFA (even if they were not designed with MFA), with user- and group-driven policies and without a VPN
- Gaining a WAF by exposing internal web sites through browser-based Zero Trust Network Access
- Dealing with third-party access to internal web sites
Time: 9:00+02:00 (Europe/Berlin)
Description: Hi all,
We're thrilled to announce the return of the German OWASP Day 2023! This leading independent and non-commercial conference on application security in Germany will take place on the 30th and 31st of May, 2023 at the Frankfurt School of Finance and Management.
**What's happening?** We look forward to welcoming you to our German OWASP Day 2023, offering a plethora of exciting technical and non-technical talks, various seminars, and an evening event for networking.
**What's on the agenda?** Our main program has been released, featuring a range of talks from esteemed experts like Björn Kimminich, Claudia Ully, Clemens Hübner, Diana Waithanji, and many more.
**When?** Our event takes place on the 30th and 31st of May, 2023.
**Where?** Frankfurt School of Finance and Management, Adickesallee 32-34, 60322 Frankfurt am Main
**Tickets?** Limited tickets are available at [https://www.eventbrite.com/e/2023-german-owasp-day-god-tickets-515112875477](https://www.eventbrite.com/e/2023-german-owasp-day-god-tickets-515112875477)
**Additional Information?** More information about the German OWASP Day, training sessions, and the conference program can be found at god.owasp.de/2023/
**And now?** Save the date, spread the word, and bring your friends and colleagues to our event.
**Follow Us!** Also, follow us on Twitter #owasp_de and #owasp_frankfurt and refer to our German OWASP Day site for information including slides and recordings of previous presentations.
We're looking forward to seeing you at this exciting event of the year!
Time: 18:00+01:00 (Europe/Lisbon)
Description: OWASP Lisboa chapter meetup on May 30th, 2023, at 18:00, **supported by [Snyk](https://snyk.io/) and [AP2SI](https://ap2si.org/)**.
The schedule is the following:
**18:00** - Welcome notes by the OWASP Lisboa chapter leadership team
**18:15** - Open projects you can use today to improve your AppSec posture
**19:00** - One-Time Quantum-Resistant Fully-Homomorphic Padding Oracle cryptography trends, buzzwords, and snake oil for 2023
**20:00** - Snacks & Drinks sponsored by Snyk
----------------------------------------------------
**Talks**:
Title: **Open projects you can use today to improve your AppSec posture**
Speaker:
Lucas Ferreira
Abstract:
In this talk, we go through the most important OWASP projects (both documentation/standards and tools) to show how companies can improve their security posture and mature their AppSec program. It is meant as an overview of the main OWASP projects.
Bio:
Lucas is a long-time OWASP member, having worked in OWASP as a project leader and chapter leader on two continents. He was a member of the OWASP Global Conferences committee and led the organization of 3 OWASP AppSec conferences in Brazil.
LinkedIn: [https://www.linkedin.com/in/ferreira/](https://www.linkedin.com/in/ferreira/)
Twitter: @lucassapao
--------------------------
Title: **One-Time Quantum-Resistant Fully-Homomorphic Padding Oracle cryptography trends, buzzwords, and snake oil for 2023**
Speaker:
Diogo Sousa
Abstract:
In our modern times, cryptography is all around us, even if we don't notice it. We use it when checking our bank statements, buying pig plushies online, or sending stickers to each other on instant messengers. Given its ubiquity, it is, for the most part, taken for granted by developers: import HTTP/crypto/TLS, throw in a certificate from Let's Encrypt, and don't think much about it while relying on (hopefully) safe defaults.
While sticking with well-vetted libraries should work out of the box for most cases, in certain areas, you need to be a bit more knowledgeable, if only to make good decisions about what libraries to use and how to wrangle all the moving parts into a cohesive and secure system.
Cryptography tends to be full of obscure notation that isn't that dissimilar to magic spells, and "Don't Roll Your Own Crypto" is an often repeated mantra (many times because of the previous statement). Search results for "crypto" have been getting progressively more complicated to navigate, with BTC, XRP, and others taking up all the prime SEO result space.
This talk targets a beginner to an intermediate audience and, starting from a brief overview of core tenets (Kerckhoffs's principle, Schneier's Law, the economy of mechanism, theoretical vs. practical security), will expand upon the current challenges and trends in modern cryptography, from FHE to PQC (including explaining what those are), and also highlight common design pitfalls (and their consequences) and how to reduce your snake oil intake.
Bio:
An opinionated individual with interest in cryptography and its intersection with secure software development.
LinkedIn: [https://www.linkedin.com/in/0xdsousa/](https://www.linkedin.com/in/0xdsousa/)
Time: 8:00+01:00 (Europe/London)
Description: **DO NOT RSVP on Meetup: PLEASE REGISTER FOR THIS EVENT USING EventBrite here: [https://www.eventbrite.co.uk/e/owasp-london-chapter-meetup-in-person-tickets-634995969037?aff=mu](https://www.eventbrite.co.uk/e/owasp-london-chapter-meetup-in-person-tickets-634995969037?aff=mu)**
This meetup will take place at Amazon London offices (in-person) and will also be live-streamed on OWASP London YouTube Channel.
----
**TALKS:**
**OWASP Introduction, Welcome and News - Sam Stepanyan**
Welcome and a brief update on OWASP Projects & Conferences
**Talk 1: "Security Chaos Engineering: When and How You Should Break Your System"** - **Anais Urlichs**
The real cost of misconfiguration for businesses has been estimated at several trillion over the past few years. These costs are the result of misconfiguration in infrastructure and workloads. One way to proactively identify misconfiguration is through security scanning. The scan results give us insight into the security posture of our services over time. However, these scanners treat our resources as static and evaluate misconfiguration only in single instances. To assess the potential impact of misconfiguration in our production environment, we need additional tools. In this talk, we will look at ways Chaos Engineering and Security Experimentation can help us minimise the potential damage of misconfiguration. Chaos Engineering is the process of intentionally introducing faults into a system to test its resilience to failure. Anais will walk you through the principles of Security Chaos Engineering and how it can be used to proactively identify misconfiguration and make our deployment pipeline and services more robust.
**Talk 2: "It’s Not a Bug It’s Emergent Behaviour - Generative AI, Its Cybersecurity Risks and Benefits" - Sherif Mansour**
A curated talk on generative AI, where Sherif will present his research findings, beginning with an overview of the technology, then discussing its current technical risks, and exploring its promising security use cases without making grand claims. Additionally, this talk dives into design considerations when developing web applications that use generative AI. To conclude, Sherif will introduce open-source software announced during the talk, encouraging attendees to use and investigate it at their own discretion.
**SPEAKERS:**
**Anaïs Urlichs (@urlichsanais)**
Anaïs Urlichs is a Developer Advocate at Aqua Security, where she contributes to Aqua’s cloud native open source projects. When she is not advocating DevOps best practices, she runs her own YouTube Channel centered around cloud native technologies. Before joining Aqua, Anais worked as SRE at Civo, a cloud native service provider, where she worked on infrastructure for hundreds of tenant clusters. As OpenUK ambassador, her passion lies in making tools and platforms more accessible to developers and community members.
**Sherif Mansour (@kerberosmansour)**
Sherif Mansour is the global director of information security at JustEat Takeaway.com and has been working in the field of information security for 19 years. He was the OWASP chairman and sat on the OWASP Foundation's board for four years. He was also one of the founding governing board members of the OpenSSF Foundation, on which he represented the OWASP Foundation. Sherif contributed to several OWASP projects and was one of the main authors of the CIS Benchmark for Tomcat 7/8. As a security researcher he has disclosed vulnerabilities in Microsoft, Oracle, SAP and SiteSpect products.
**TICKETS:**
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in web application and cyber security. Please note that you **[MUST book your place on EventBrite](https://www.eventbrite.co.uk/e/owasp-london-chapter-meetup-in-person-tickets-634995969037?aff=mu)** to be admitted to the event by the building security - your name will be checked against the guest list. Please bring some form of ID to help building security check you in quicker.
**CODE OF CONDUCT**
We hope you enjoy the event, we care deeply about inclusivity and diversity so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of our chapter leaders if you have any feedback/concerns or would like to speak to us, we take these matters very seriously.
OWASP aims to provide a harassment-free experience for everyone, regardless of gender, sexual orientation, disability, physical appearance, body size, race, age, or religion. We do not tolerate harassment of event participants in any form.
Additionally, participating in OWASP events means you shall also adhere to the OWASP Code of Conduct which you can find here: [https://owasp.org/www-policy/operational/code-of-conduct](https://owasp.org/www-policy/operational/code-of-conduct)
May 31, 2023
Time: 7:00-06:00 (America/Edmonton)
Description: ## About The Event
**RSVP For Pizza + DOOR PRIZES**
https://www.meetup.com/meetup-group-opbybwve/
**Location:**
10215 108 St NW, Edmonton, AB T5J 1L6
SCFL 3-110 (Singmar Center For Learning, 3rd floor, Room 110)
Join us for our monthly OWASP event where we will dive deep into **Docker Security** and the **OWASP Top Ten for Docker**. This month's event will focus on privilege escalation attacks against the HOST, a critical issue that every Docker user must be aware of.
Our event sponsor is **iON United,** a trusted cybersecurity solution provider for IT, OT, and cloud environments within Canada.
They will be providing **delicious pizza** for all attendees, so come hungry and ready to learn!
Our guest speaker for this event is John, an experienced security professional who has worked for Fortune 500 companies. With his extensive knowledge and expertise in Docker security, John will provide valuable insights and practical tips to help you secure your Docker environment.
**As Socrates once said**, "The only true wisdom is in knowing you know nothing." Don't miss this opportunity to expand your knowledge and learn how to protect your Docker environment from privilege escalation attacks.
We look forward to seeing you there!
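The Netherlands abstract above ("About containers and their escapes") and this Edmonton session both turn on the same point: a container is only as isolated as its run-time configuration. The following script is an added example, not material from either talk or from the OWASP Docker Top 10 project. It reads the JSON that `docker inspect` prints and flags the settings that most often turn a container compromise into host compromise: `--privileged`, dangerous added capabilities, shared host namespaces, disabled seccomp/AppArmor, bind mounts of the Docker socket or host filesystem, and running as root. The two containers in `SAMPLE_INSPECT` are constructed sample input, not output from a real host; the field names (`HostConfig.Privileged`, `HostConfig.CapAdd`, `Mounts`, `Config.User`, ...) are the ones `docker inspect` uses.

```python
"""Flag Docker container settings that commonly enable escape to the host.

Added example: reads the JSON printed by `docker inspect <container>...`
(a list of container objects) and reports risky settings. On a real host:
    docker inspect $(docker ps -q) > inspect.json && python3 check_containers.py inspect.json
SAMPLE_INSPECT below is constructed input, not output from a real host.
"""
from __future__ import annotations

import json
import sys

# Capabilities that give a root process inside the container a route to the
# host: SYS_ADMIN allows mount(2) and cgroup tricks, SYS_PTRACE/SYS_MODULE reach
# host processes and kernel code, DAC_READ_SEARCH bypasses file permission
# checks, SYS_RAWIO and NET_ADMIN reach raw devices and the host network stack.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH",
                  "SYS_RAWIO", "NET_ADMIN", "ALL"}

# Host paths that, bind-mounted into a container, hand over the daemon or the
# host filesystem. "/" is matched exactly; the others also match subpaths.
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/run/docker.sock",
                        "/", "/etc", "/proc", "/sys", "/dev", "/root", "/home")


def _normalize_cap(cap: str) -> str:
    """CapAdd is shown as given on the CLI: 'SYS_ADMIN', 'sys_admin' or 'CAP_SYS_ADMIN'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _is_sensitive(host_path: str) -> bool:
    if host_path == "/":
        return True
    return any(host_path == p or host_path.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def assess_container(container: dict) -> list[str]:
    """Return human-readable findings for one `docker inspect` object."""
    host = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}
    findings: list[str] = []

    if host.get("Privileged"):
        findings.append("privileged: all capabilities, no seccomp/AppArmor, "
                        "host devices visible (trivial escape)")

    caps = {_normalize_cap(c) for c in (host.get("CapAdd") or [])}
    for cap in sorted(caps & DANGEROUS_CAPS):
        findings.append(f"capability {cap} added")

    if host.get("PidMode") == "host":
        findings.append("pid namespace shared with host (host processes visible and ptrace-able)")
    if host.get("NetworkMode") == "host":
        findings.append("network namespace shared with host")
    if host.get("IpcMode") == "host":
        findings.append("ipc namespace shared with host")

    for opt in host.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined", "apparmor:unconfined"):
            findings.append(f"security profile disabled: {opt}")

    # Only bind mounts expose host paths; named volumes live under /var/lib/docker.
    for m in container.get("Mounts") or []:
        if m.get("Type") == "bind" and _is_sensitive(m.get("Source", "")):
            mode = "rw" if m.get("RW", True) else "ro"
            findings.append(f"host path {m['Source']} bind-mounted {mode} at {m.get('Destination')}")

    if not cfg.get("User"):
        findings.append("runs as root (no USER set); any of the above becomes root on the host")

    return findings


def assess_all(inspect_json: str) -> dict[str, list[str]]:
    """Map container name (without the leading '/') to its findings."""
    return {c.get("Name", "?").lstrip("/"): assess_container(c)
            for c in json.loads(inspect_json)}


# Constructed sample: a CI runner with the classic docker.sock-plus-privileged
# pattern, and a web container that follows the usual hardening advice.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ci-runner", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "CapAdd": None, "PidMode": "host",
                    "NetworkMode": "bridge", "SecurityOpt": None},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Name": "/web", "Config": {"User": "10001:10001"},
     "HostConfig": {"Privileged": False, "CapAdd": ["CAP_NET_BIND_SERVICE"], "PidMode": "",
                    "NetworkMode": "bridge", "SecurityOpt": ["no-new-privileges:true"]},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web-data/_data",
                 "Destination": "/data", "RW": True}]},
])

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, findings in assess_all(data).items():
        print(f"{name}: {'RISKY' if findings else 'ok'}")
        for f in findings:
            print(f"  - {f}")
```

Run without arguments it reports the sample: `ci-runner` gets four findings (privileged, host PID namespace, the Docker socket mount and running as root) while `web` is clean. Treat the output as a triage list, not proof of safety: a container can still reach the host through a kernel bug with none of these settings, which is why the Netherlands talk covers kernel exploits alongside misconfiguration.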
Time: 8:00-04:00 (America/New_York)
Description: This is an In-Person Event
Food to be provided (Typically pizza or sandwiches)
Introductions
Speaker 1: **Kevin Johnson**
Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is a faculty member at IANS and was an instructor and author for the SANS Institute.
Topic: **Replacements: What Malcolm Gladwell and Keanu Reeves can teach AppSec**. A reflection of how appsec is focused in the wrong place and how we can improve it. The talk includes stories and tangents based on Kevin's work and consulting.
Speaker 2: **Jennifer Shannon**
Jennifer Shannon is a Senior Security Consultant with Secure Ideas with a background in malware analysis, penetration testing, and teaching. She graduated with honors from Florida State College at Jacksonville’s networking program. An avid computer geek for most of her life, she began her journey in cybersecurity as a SOC Analyst where she showed an aptitude for both penetration testing and malware analysis. She was quickly promoted into a role that capitalized on her abilities. She has experience performing penetration tests against web applications, mobile software and platforms, and social engineering. She is the co-leader for the TOOOL chapter in Jacksonville, FL, and continues to be passionate about teaching and is eager to share her knowledge with anyone who will listen.
Topic 2: **Real-world API Pentesting Case Studies**
APIs (Application Programming Interfaces) have become the backbone of modern software systems, enabling seamless communication and integration between various applications and services. However, they also present a significant security challenge, with potential vulnerabilities that can lead to data breaches, unauthorized access, and other security incidents. In this talk, we delve into the world of API pentesting through a collection of real-world case studies, providing valuable insights and lessons learned from our experiences.
June 01, 2023
Time: 19:00+02:00 (Europe/Copenhagen)
Description: Hi All,
Please note, that this is a physical event hosted by Beumer Group A/S and OWASP Aarhus may share a list of participants with Beumer Group A/S for the sole purpose of hosting the event.
Note that the doors open at 18:30 for snacks and network.
OWASP Aarhus would like to invite you to an OWASP Aarhus meetup on June 1st in collaboration with ICS Range and BEUMER Group A/S, and this time, it will be a bit different as we will have OT security as a theme.
Mikael Vingaard from ICS Range will present “IT/OT, more than a letter of differences! – Only a foul does not fear it-security people in their OT network”, and Jens Nielsen (Senior Security Researcher) also from ICS Range will present “In my defence, I was left unsupervised".
The event will occur at BEUMER Group A/S, P.O. Pedersens Vej 10, 8200 Aarhus N (Thanks to BeumerGroup and Claus Riber for hosting us).
We will start at 19:00 but the doors open for network, snacks at 18:30 and we plan to end at 21:00.
Please remember to sign up!
Time: 8:30+01:00 (Europe/London)
Description: OWASP Dorset are proud to bring you our latest in-person event, hosted with Hays Recruitment Bournemouth.
**Talks**
Andrew Howe is a locally based technical author, architect and Linux load balancer engineer. He is an advocate of open source software and a fellow member of OWASP. Andrew is a developer for the OWASP ModSecurity Core Rule Set (CRS) project.
The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. The CRS provides protection against many common attack categories, including SQL Injection, Cross Site Scripting, Local File Inclusion, etc.
We will also have a talk from James Walsh of Hays Recruitment. James will present the findings from the recent Hays Global Cyber Survey, where over 1000 Senior Leaders from 29 countries have given their insight.
**Event and Venue**
We will be joining Hays Recruitment in Bournemouth for this event, there is a limit on numbers, so signup is essential. Names will be required upon arrival to enter the building.
There will be food and drink provided for this event, so please let us know of any dietary requirements or allergies.
June 02, 2023
Time: 1:30-04:00 (America/New_York)
Description: CMD+CTRL Web Application Cyber Range by Security Innovation (https://www.securityinnovation.com/)
REGISTER TODAY:
https://www.eventbrite.com/e/owasp-tampa-chapter-q2-ctflunch-event-2023-tickets-628632184787
Want to test your skills in identifying web app vulnerabilities? Join OWASP Tampa and Security Innovation as members compete in CMD+CTRL, a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet.
For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play - from developers and managers and even CISOs.
Lunch and "afternoon snacks while you hack" sponsored by Bayside Solutions, Inc. (BSI) (https://bsius.com/)
Venue location is sponsored by Deepwatch (https://www.deepwatch.com/)
June 07, 2023
Time: 19:00+02:00 (Europe/Amsterdam)
Description: **Want to learn more about Web Application Firewalls?**
**Join the Dutch Chapters of OWASP, ISACA, and ISC2 for their first-ever combined online webinar on Wednesday, June 7th, from 19:00 to 21:00 CET.**
Program:
19:00 - 19:10 - **Welcome**
19:10 - 19:30 - **Web Application Firewalls** by **Aatif Khan**
19:30 - 20:55 - **Panel Discussion on Web Application Firewalls** by **Aatif Khan**, **Menno Swam** and **Nico van Rooyen**, moderated by **Ramzy Elmasry**
20:55 - 21:00 - **Closing** and **Next Steps**
*To receive the LIVE stream details, register via:*
[https://isaca.nl/events/isaca-owasp-and-isc2-web-application-firewalls-webinar/](https://isaca.nl/events/isaca-owasp-and-isc2-web-application-firewalls-webinar/)
***Here is a summary of the event:***
With an expert presentation and a panel discussion, you will have the opportunity to learn about best practices and get your questions answered by professionals in the field.
By combining the focus areas and driving forces of each Chapter, this event ensures that this topic will be addressed from different perspectives, such as risk, compliance, audit, cybersecurity, and technical.
Aatif Khan, a data-driven AI and cybersecurity expert, will kick off the webinar with a compact presentation on Web Application Firewalls (WAFs). Afterwards, we will open the panel discussion and answer questions from the audience. Our panel members are Aatif Khan, Menno Swam and Nico van Rooyen.
See below for more information on our panel members and the topic.
Register today for this unique opportunity!
**BIO Aatif Khan**
Aatif Khan is a data-driven, seasoned AI & cyber security expert who is passionate about creating customer-focused products. His focus centers around developing cyber defense strategies, establishing security operations centers for large enterprises, developing data protection strategies, implementing data privacy in day-to-day operations, and developing AI strategy, governance, and risk management programs for enterprises. He specializes in building and scaling security programmes from startups to Fortune 500 organizations.
With 15+ years of experience in information security, Aatif has spoken at numerous conferences such as BlackHat, SANS & UK NCSC CyberThreat London, Security BSides London, Cyber Security Asia Malaysia, @Hack, etc., amongst other conferences across the EMEA region. He has been interviewed by the Associated Press, Voice of America, Hakin9, and numerous other media channels for his expertise on emerging cybersecurity threats. Aatif holds a Master of Science in Artificial Intelligence from LJMU, UK, and is currently working on AI-driven advanced threat detection and response with modern security analytics.
**BIO Menno Swam**
Menno is a Senior Specialist at KPMG IT Advisory The Netherlands, and part of the Cyber Assessment (CA) team. The CA team consists of cyber security specialists executing technical IT Advisory engagements, IT Auditing and management of IT infrastructure, IT processes and IT organizations.
Menno has experience in the field of Information Security and Risk Management for companies in the financial services sector, drawing on his background as an Information Security Officer and Internal Auditor. Moreover, he has specific knowledge of security frameworks (such as PCI-DSS and ISO27001) as well as the technical execution of financial law (such as WWFT and PSD2). While working in complex IT environments, Menno has become accustomed to all facets of information security, both technical and non-technical. As such, he is able to translate technical findings and risks into business impact and opportunities.
**BIO Nico van Rooyen**
Nico is currently the CISO at CPro, a cyber security consulting firm and the one-stop shop for specialized cyber security services. They offer complete solutions that enable organizations of all sizes to protect their systems, networks, and data from digital threats. He is also a proud Executive Board Member of the ISACA NL chapter and has been an active member for many years.
He started his career as an IT auditor specializing in information security, at KPMG in South Africa and for the past decade, he has deepened his experience in information security while obtaining various certifications such as CISA, CISM, CEH, and COBIT.
During this time, Nico worked across various countries including Australia, Denmark, Israel, Sweden, Europe, the UK, and the USA.
In 2017, he moved to the Netherlands with his wife, who is expecting their second baby boy in September of this year.
June 08, 2023
Time: 8:00+03:00 (Europe/Bucharest)
Description: The next OWASP Timisoara Chapter Meetup will be ***in person***.
See https://owasp.org/www-chapter-timisoara/ for more information about the OWASP Timisoara chapter.
Theme: CyberSec Ecosystem & Cloud Security
Schedule: 18:00 to 21:00
Introduction, OWASP News & Updates - Catalin Curelaru
CyberSecurity Ecosystem - Octavian STANCU (Atos)
Security Log Management - Adrian PAUL (Visma)
Improving security in AWS Cognito - Lucian Patian (Haufe)
Location of the event: UBC3, floor 10, VISMA headquarters, Piața Consiliul Europei 2, Timișoara
Event powered by VISMA
More about the speakers and topics:
**Octavian STANCU** is an experienced Unit Lead and IT Instructor with a demonstrated history of working in the Information Technology and Services industry, specifically in the fields of Cybersecurity, Networking and Telecommunications. As the Head of Cybersecurity Services at Eviden, an Atos business, Octavian brings extensive expertise and a strong track record in managing and delivering Cybersecurity services and solutions.
**Adrian PAUL**
**Lucian Pătian** is a Cloud Solutions Architect at Haufe Group Timisoara. With a SysAdmin background, for the past four years he has earned a reputation for finding creative solutions to problems in the cloud.
Improving security in AWS Cognito
Abstract: We will discuss why using the standard configurations in Cognito can make your application a security honeypot, how you can use AWS WAF to add an extra layer of protection, and why using verified token attributes should be a must.
June 10, 2023
Time: 8:00-07:00 (America/Los_Angeles)
Description: Join us for an in-person conference in Portland, Oregon on June 10th (tickets required).
[https://www.appsecpnw.org/](https://www.appsecpnw.org/)
Tickets [https://www.eventbrite.com/e/3rd-annual-owasp-appsec-days-pacific-northwest-conference-in-person-tickets-558186820807](https://www.eventbrite.com/e/3rd-annual-owasp-appsec-days-pacific-northwest-conference-in-person-tickets-558186820807)
Time: 8:00-07:00 (America/Los_Angeles)
Description: A collaboration between the **Vancouver, Portland, Victoria, and Seattle** chapters taking place **June 10, 2023** at **Portland Center Stage.**
The CFP for AppSec PNW is OPEN and you have until April 3rd to submit a presentation. You don't want to miss out on this opportunity to speak, so submit your CFPs soon!
https://bit.ly/AppSecPNW2023CFP
Get your tickets now for the event; there are only a few spots available in the Early Bird registration:
https://bit.ly/AppSecPNW2023Tickets
June 12, 2023
Time: 8:45-04:00 (America/New_York)
Description: The OWASP Foundation came online on December 1st, 2001. It was established as a not-for-profit charitable organization in the United States on April 21, 2004, to ensure the ongoing availability and support for our work at OWASP. OWASP is an international organization and the OWASP Foundation supports OWASP efforts around the world. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas. We can be found at www.owasp.org.
June 13, 2023
Time: 5:30-05:00 (America/Chicago)
Description: Requested Topics:
* Discuss the Open Letter to OWASP and the Response/Updates
https://owasp.org/blog/2023/03/10/strategic-plan-open-letter-update.html
https://owasp.org/blog/2023/03/31/owasp-strategy-2023-1.html
* Industry Roundtable: initiatives, struggles, successes from the Madison Metro AppSec Space
* Jazzer Demo https://github.com/CodeIntelligenceTesting/jazzer
Time: 9:30+01:00 (Europe/London)
Description: No agenda, no slides, no recording, 100% unscripted.
Practical learning: Live ethical hacking challenges, workshops, CTFs and sharing of knowledge.
June 14, 2023
Time: 2:00-07:00 (America/Los_Angeles)
Description: At noon on the 2nd Wednesday of every month we host a social meeting on Zoom with mini talks and breakout rooms. The main room will always be open for social time but we plan to have 1-2 topic breakouts you can join. If the breakout session topic interests you, join that discussion. Feeling more like a casual chat and exploring other topics? Visit the main room to strike up a conversation.
Suggest topics you’d like to see breakout rooms for and let us know if you’d like to sign up to lead one.
Slack @ #chapter-seattle (https://bit.ly/owasp-seattle-slack)
seattle-chapter@owasp.org (https://groups.google.com/a/owasp.org/g/seattle-chapter)
June 15, 2023
Time: 8:30+01:00 (Europe/London)
Description: In-person event, kindly **hosted by Immersive Labs**, 6th Floor, The Programme, All Saints' St, Bristol BS1 2LZ.
**Agenda:**
* OWASP Updates
* Talk 1: Browser extension security, with Billy Sheppard from Immersive Labs
* Break
* Talk 2: Intro to Scripting for Web Application Testers with Alex Archondakis
* Networking
**Venue:**
Photo shows the main entrance, which is visible when walking down the right hand side of the Tesco Express on Wine Street (Google Street View sometimes shows the back entrance, which is only accessible via keycard).
Address: 6th Floor, The Programme, All Saints' St, Bristol BS1 2LZ
---
Talk 1: **A look into browser extension security**, the risks involved with allowing users to install browser extensions and browser security/attack vectors, presented by **Billy Sheppard**.
**Abstract**: As web technologies are becoming more and more popular, you need to be more careful about what you put in your browsers. While extensions can be very useful, they come with hidden dangers – users often prioritise functionality over safety. In this talk, you'll uncover the real risks of using extensions, explore common attacks, and learn about pitfalls. You'll also take a look at some real-life security incidents and what went wrong. You'll leave with a deeper understanding of the need for browser extension security and how to safeguard your browser.
**Bio:** Billy Sheppard is a Bristol-based Senior Application Security Engineer working at Immersive Labs where he creates Secure Code content and challenges for their product.
In his career thus far, his achievements include VDP submissions to Fortune 500 companies, bug bounties, and creating and releasing his own niche CTF/hacking challenge specifically aimed at increasing security awareness for ServiceNow developers. He has also created a Web Security YouTube channel to demonstrate security concepts and educate developers, and has reported multiple real security issues to VDPs/bug bounty programs for large companies such as BBC, RedHat and Accenture. He is a keen learner who spends a lot of his personal time continuously learning, and is passionate about education around secure code.
---
Talk 2: **An Introduction to scripting for Application Testers,** presented by **Alex Archondakis**.
**Abstract**: Scripting, or the ability to write code that performs actions or automates repetitive tasks, is a crucial tool in any application security tester's belt; however, it doesn't seem to be a common one.
The purpose of this talk is to introduce scripting to application security testers. This will be achieved by looking at case studies to determine where scripting may be appropriate and how to solve the problem. We will discuss multiple languages and their advantages whilst focussing on interacting with the HTTP protocol.
The key learning points from this talk are as follows:
* To gain an understanding of the importance of scripting for application security testers
* What programming languages are used, and their advantages/disadvantages
* Typical scenarios where scripting is required because tooling is not comprehensive enough
**Bio**: Alex is head of professional services & a senior consultant at Pentest People. He has a wealth of experience in penetration testing, people management and training hackers. He believes that all application security professionals should be able to write basic scripts to solve common problems.
Time: 8:30-04:00 (America/Toronto)
Description: *** THIS TALK IS BOTH ONLINE (https://www.youtube.com/watch?v=eMSnga3arIA) and OFFLINE @ the Okta offices ***
**TALK**
**Container and Kubernetes security policy design: 10 critical best practices**
**Summary:**
Companies are constantly seeking new and innovative ways to stay ahead in a highly competitive and rapidly changing business landscape. One strategy that has proven to be highly effective is application modernization. This is not just a mere upgrade; it is a complete transformation of how businesses operate. By embracing this approach, companies can accelerate innovation, optimize costs, and improve their overall security posture.
However, embarking on the journey of application modernization is not an easy task. It requires a significant investment in people, processes, and technology to achieve the desired business outcomes. The right foundation must be established from the beginning to avoid the high cost of re-architecture, which can be a major roadblock in achieving success. One crucial aspect is developing a standard and scalable security design for their Kubernetes environment. This will establish the framework for implementing the necessary checks, enforcement, and visibility to enable strategic business objectives.
In conclusion, application modernization is a strategic initiative that can transform businesses. Developing a standard and scalable security design for the Kubernetes environment is critical to establishing the framework for implementing the necessary checks, enforcement, and visibility to enable strategic business objectives.
**Presenter:**
**Regis Martins**
Regis Martins is a passionate problem solver and technologist with a deep-rooted love for finding innovative solutions. With a background in Electrical Engineering and a Master's Degree in Computer Science, he has honed his expertise in areas such as deep packet inspection technologies, traffic management, network analytics, and Kubernetes. His journey has led him to excel as a Sales Engineer, where he architects solutions, educates clients, and thrives in helping organizations overcome challenges. With a diverse skill set encompassing Python, Linux, virtualization, cloud computing, and more, Regis is committed to making a positive impact in the world of technology through continuous innovation and knowledge sharing.
June 20, 2023
Time: 2:00-05:00 (America/Chicago)
Description: "Common Security Considerations for Web 3.0"
Join this virtual event to discuss:
* an overview of decentralization
* digital identities in 3.0 and typical threats
* examples of Web 3.0 attacks and mitigations
* security concerns and some actions to consider to protect organizations.
June 21, 2023
Time: 7:30-06:00 (America/Denver)
Description: **As always, everyone is welcome! You do NOT have to be an OWASP member to attend.**
Join us June 21st for food, drinks, networking and a super informative presentation on "The Joys of Mobile Application Testing" from one of the best and brightest in the industry: Greg Leonard. Networking with your peers starts at 5 - food is served at 5:30 and the presentation starts at 6.
**Sponsor: A big thank you to our Denver OWASP sponsor [SpyderSec](https://spydersec.com)**
**Presentation Title:** The Joys of Mobile Application Testing
**Presentation Details:** In this talk, I will walk through the major challenges of testing mobile applications. This will include reliably capturing HTTPS traffic between the app and its backend APIs, reviewing data stored by the app on the mobile device, working around defenses built into many apps, and discussing some obstacles that need to be worked around with modern mobile operating systems.
Time: 9:00-07:00 (America/Los_Angeles)
Description: OWASP Sacramento will meet the third Wednesday of each month. We will announce topics 2-3 weeks in advance of our meetups.
7PM-9PM
Please join our [Slack](https://owasp.org/slack/invite) @ #chapter-sacramento
Agenda
* Food and Beverages
* Community Topics
* Presentation TBD
June 22, 2023
Time: 8:00-04:00 (America/New_York)
Description: Mobile apps dominate all digital time spent online - but mobile AppSec programs often lag. Jumpstart your team and skills by stepping inside the OWASP Mobile AppSec Project (MAS), the OWASP Mobile Application Security Verification Standard (MASVS), and OWASP Mobile Application Security Testing Guide (MASTG) to learn about the fundamentals of mobile app security and the latest updates just released in OWASP MASVS V2 launched at OWASP Global AppSec in Dublin. Learn the differences in Mobile AppSec vs Web AppSec and how to put OWASP MAS project, tools and resources to work.
In this session we will drill down into the top 5 most frequent security issues found in testing thousands of mobile apps. Learn how to test for them, and how to teach your dev teams to prevent them with code examples, test examples, links to additional resources and how to build your own toolkit. Along the way we will hit the latest privacy and security updates with iOS and Android. Come join us!
* Food and drinks will be provided by NowSecure
* This will be an in-person meetup event, but we will be offering a remote attendee option for folks who are not local to Maine or Northern New England but still want to attend. A Zoom link will be posted/provided as the event nears.