From 1305e89110b80328f0a78feb83b67a4df4ba069b Mon Sep 17 00:00:00 2001 From: OWASP Foundation Date: Wed, 6 Dec 2023 23:04:16 -0600 Subject: [PATCH] remote update file --- _data/community_events.json | 50 +++++++++++++++---------------------- 1 file changed, 20 insertions(+), 30 deletions(-) diff --git a/_data/community_events.json b/_data/community_events.json index 0aa896741f..abfdf1ee73 100644 --- a/_data/community_events.json +++ b/_data/community_events.json 
@@ -79,16 +79,6 @@ "timezone": "America/Chicago", "description": "OWASP Dallas is ready to host in-person meets.\n\n\"** The Dark Side of Open Source Productivity**\nThere is a dark side to productivity with open source. In modern applications, the majority of code on which an application is built isn\u2019t code written by your team. Modern applications are built on the backs of volunteer communities and open-source software. These volunteers and their software delivery practices all become potential attack vectors. The truth is that most organizations do not factor open-source supply chain attacks into their organization\u2019s threat models today. Security incidents such as the CodeCov bash uploader script, the npm colors, and faker intentionally introduced malicious commits, and the recent PyPi backdoors targeting AWS credentials highlight the impact of supply chain attacks as a scalable attack pattern. To spread awareness on supply chain attacks so that organizations can scalably handle them we propose baking supply chain attacks into existing threat modeling procedures and software development culture so that organizations can champion supply chain management of open source in the places where they are most impactful, at development time. We will present a comprehensive, comprehensible, and technology-agnostic taxonomy of attack vectors, created on the basis of hundreds of real-world incidents and validated by experts in the domain. 
Following, we will discuss the types of defenses you can put in place to detect and respond to such modern day attacks and how you can work these defenses in based on your program\u2019s maturity" }, - { - "group": "Gothenburg", - "repo": "www-chapter-gothenburg", - "name": "OWASP Gothenburg OAuth2 and Offensive Security", - "date": "2023-12-06", - "time": "7:15+01:00", - "link": "https://www.meetup.com/owasp-gothenburg-meetup-group/events/297221787", - "timezone": "Europe/Stockholm", - "description": "**Join us at our partner Omegapoint's office for an awesome evening with food and drinks, and talks about OAuth2 pitfalls and Pentest war stories!**\n\n**Where:** Omegapoint, Rosenlundsgatan 3, 411 20 G\u00f6teborg\n\n**Agenda:**\n**17:00 - 17:30:** Welcome to Omegapoint\n**17:30 - 17:45:** Introduction from the event hosts and presentation of tonight's speakers.\n**17:45 - 18:30:** *How to f\\*ck up at OAuth2 while following BCPs*\nBest current practices (BCPs) for implementing OAuth2 and OIDC have undergone many changes over the years. In this presentation we highlight the risks of staying with the ancient (roughly 2019-2021) \u201ccurrent\u201d best practices. The current (circa 2022) BCPs bring many changes, such as deprecation of the implicit flow, required usage of PKCE and the BFF pattern which mitigates some of the previous attack vectors. It takes time for new concepts to fully mature and secure defaults emerge. While following the latest BCPs it\u2019s still possible to make mistakes and end up with a broken implementation. This presentation will show some common OAuth2/OIDC security pitfalls and why it is bad practice to use reverse proxy catch-all routing in your BFF, an OAuth2 client with access to many scopes, together with APIs that do authorization based on just a valid token and scopes. Does your BFF enable authenticated SSRF as a Service? 
During the presentation we will demonstrate both attacks and defences for a OAuth2/OIDC application running locally.\n**Pontus Hanssen** in an experienced security researcher and penetration tester. He loves to hack everything that blinks or has an IP address. Pontus performs security reviews and penetration tests as part of Omegapoint Cybersecurity Gothenburg, a group of experts in application security.\n**Tobias Ahnoff** is an experienced developer and architect with focus on application security. He specializes in implementing authentication flows and authorization for web applications and APIs that manage sensitive data. Tobias performs security reviews and penetration tests as part of Omegapoint Cybersecurity Gothenburg, a group of experts in application security. He also gives courses in application security and is an appreciated speaker in OAuth2 and OpenID Connect areas.\n\n**18:30 - 19:15:** Food\n\n**19:15 - 20:00:** *Pentesting War Stories*\nWorking in penetration testing generates quite a few interesting stories\nabout spectacular vulnerabilities found in tested systems.\nOften these stories are not shared outside of a small circle of people.\nThis presentation goes through a selection of vulnerabilities found\nduring assignments in the recent years. The titles of the stories are:\n\u201cThe omnipotent client cert\u201d (automotive app), \u201cNext level XSS\u201c (web),\nNo route to boat\u201d (network), and \u201dHaving a conversation with a door\nhandle\" (embedded).\n**Emilie Barse** is an experienced IT security consultant with a deep\ninterest in security testing and log analysis. She has worked in IT\nsecurity since 2005 and has worked in numerous different industries, and has tested applications, networks, cloud environments, IoT systems, and cars. 
Emilie has a PhD in computer security from Chalmers University of Technology.\n\n**20:00 - 21:30:** Over-time (optional)\nHang out, grab something to drink, and discuss security, the weather or anything in between!" - }, { "group": "Jakarta", "repo": "www-chapter-jakarta", 
@@ -119,6 +109,16 @@ "timezone": "Asia/Nicosia", "description": "[Location](https://www.google.com/maps/place/BrainRocket/@34.6979542,33.0460735,20z/data=!4m6!3m5!1s0x14e733f291b01fad:0x5ff57bb6ed3f9838!8m2!3d34.6979152!4d33.0461381!16s%2Fg%2F11q_08mvzb?entry=ttu) is the restaurant at the Brain Rocket office.\n\n**Calling all tech and security enthusiasts!**\n\nWe are thrilled to announce the second meetup of the [OWASP Chapter in Limassol](https://owasp.org/www-chapter-limassol/)! We cordially invite you to join us for an evening of engaging discussions, networking, and knowledge sharing among cybersecurity enthusiasts, professionals, and enthusiasts from various backgrounds.\n\n**Schedule:**\n18:30 \u2014 19:00 \u2014 Gathering & Intro\n19:00 \u2014 TBA\n19:55 \u2014 20:05 A short break\n20:05 \u2014 20:30 TBA\n22:00 \u2014 23:00 \u2014 Eat, drink, networking!\n\nWe'll have catering, a cocktail bar, a DJ, and a shisha zone all set up to make the evening unforgettable. \n\n[Don't forget to join us on Telegram (we will send updates there quickly).](https://t.me/+W1hEPzn4BOcwMTNi)" }, + { + "group": "Melbourne", + "repo": "www-chapter-melbourne", + "name": "EOY Hangout - Final Meetup of 2023!", + "date": "2023-12-14", + "time": "7:30+11:00", + "link": "https://www.meetup.com/application-security-owasp-melbourne/events/297790571", + "timezone": "Australia/Melbourne", + "description": "It's almost the End of 2023! Can you believe it!\nLet's end the year with one last meetup - a social hangout at a bar.\n\nIt's been a while since we caught up, with the whirlwind of cyber events the past few month. Let's grab a pint, and a meal together. Join us.\n\nThere's no agenda.\nUs organisers, will be sitting outside and getting on the beers. We'll be there at The Bottom End from 5:30pm. If you're there early, just grab a table outside the bar.\n\nHope to see you there :)\n\nPlease RSVP if you're attending so that we know if we need to sort out a booking. Thanks heaps." 
+ }, { "group": "Minneapolis St Paul", "repo": "www-chapter-minneapolis-st-paul", 
@@ -139,6 +139,16 @@ "timezone": "Africa/Casablanca", "description": "## DevSecOps Toolchain Transformation Hands-on\n\nThe DevSecOps Mindset and Salient Features\n\n* Shared Objectives\n* Prioritizing Security\n* Auomation\n* Operational Insights and Threat Intelligence\n* Holistic Security\n* Proactive Threat Monitoring\n* Security-as-a-Code\n* Infrastructure-as-a-Code\n* Improved Collaboration\n* Developers as Security Proponents\n* Continuous Monitoring and Auditing\n* Defined Incident Response\n\nHere are some actions you can take to upgrade your DevOps toolchain into a DevSecOps toolchain:\n\n1. Learn From Others in the DevOps and DevSecOps Communities\nLook to the DevOps community to help close your critical knowledge gaps.\n2. 2\\. Start With Your Container Security\nThe first step to building out the security of your DevOps toolchain starts with your container security.\n3. Institute Continuous Compliance\nDevSecOps is a platform for continuous compliance to protect your software supply chains against vulnerable packages and vulnerable configurations.\n4. Double Down on Automation\nWhile you may have already been experimenting with automation during your DevOps phase, it only becomes more integral once you throw the switch in by going DevSecOps. Go into your DevOps to DevSecOps transformation with an automation strategy that focuses on automating common developer and sysadmin tasks.\n5. Improve Your Monitoring and Analytics\nBuilding out a DevSecOps toolchain takes your monitoring and analytics options to a new level. Consider the fact that you should already collect and publish data from your toolchain and deliver reports to your project managers, developers, QA testers, and stakeholders outside your team. Commonly, DevOps reporting is still a work in progress for organizations. Use the introduction of new security tools into your toolchain as a chance to offer more granular and real-time security reporting into all parts of your DevSecOps toolchain.\n6. 
Implement Accessibility Assurance\nDepending on your organization\u2019s definition of compliance, the option is there to add accessibility compliance or Section 508 to your DevSecOps toolchain.\n\nThis hands-on training is reserver for 70% professional and 30% students.\n\nMandatory:\n\nGeneral Conditions in order to validate your participation to this event:\n\n1\\. Student must send University/Student ID\\, otherwise registration will be rejected\\.\n\n2.Professional must register company emails, otherwise registration will be rejected.\n\nRegistration only via EventBrite. We don't accept answer via meetup.\n\nPlease indicate your firstname, lastname, company name, a valid business email or school email (email like gmai, free, hotmail, outlook, etc are not accepted and registration will be cancelled).\n\nPlease register here:\nhttps://www.eventbrite.com/e/billets-devsecops-toolchain-transformation-374188276207" }, + { + "group": "Mugla University", + "repo": "www-chapter-mugla-university", + "name": "\ud83d\uddb1 Click\u2019inize Hakim Olun!", + "date": "2023-12-07", + "time": "7:45+03:00", + "link": "https://www.meetup.com/owasp-mugla-university-student-chapter/events/297790531", + "timezone": "Europe/Istanbul", + "description": "Mouse ile yapt\u0131\u011f\u0131m\u0131z Click olaylar\u0131n\u0131n \u00e7al\u0131narak istemedi\u011fimiz \u015fekilde kullanmas\u0131na neden olan Clickjacking sald\u0131r\u0131s\u0131n\u0131 inceliyoruz.\n Etkinli\u011fimzde hem teorik hem de uygulamal\u0131 olarak Clickjacking sald\u0131r\u0131s\u0131 analiz edilecektir. Dileyenler kendi bilgisayarlar\u0131n\u0131 da getirebilir.\n Yer: M\u00fchendislik Fak\u00fcltesi, B-3B-08 Linux Laboratuvar\u0131\n Tarih: 7 Aral\u0131k Per\u015fembe, 17:45" + }, { "group": "Northern Virginia", "repo": "www-chapter-northern-virginia", 
@@ -219,16 +229,6 @@ "timezone": "Europe/Tallinn", "description": "** Welcome to the Inaugural Event of OWASP Estonia: Cybersecurity & AI - Vol. 1 **\n\n Get ready to dive into the world of AI technology and cybersecurity at our first-ever event! We are thrilled to present a lineup of distinguished speakers and groundbreaking topics.\n\n **Featuring a Core Member from OWASP Top 10 LLM:** Delve into the depths of cybersecurity with insights from a key figure behind the renowned OWASP Top 10 for large language models. Learn about the latest trends, challenges, and strategies in securing large language models and AI systems.\n\n **TalTech\u2019s Cybersecurity RA for AI-Driven Autonomous Ships:** Join our guest from TalTech, a leading assistant researcher in cybersecurity, specializing in AI-driven autonomous ships. Discover how AI is revolutionizing maritime technology and the critical role of cybersecurity in this innovative domain.\n\n **And That's Not All - More Surprises Await!** Whether you're a cybersecurity professional, a tech enthusiast, or just curious about the future of AI, there's something for everyone.\n\n **Connect, Collaborate, and Create:** This event is more than just talks - it's a platform to connect with like-minded individuals, collaborate on ideas, and contribute to the ever-evolving field of cybersecurity and AI.\n\n **Mark Your Calendars:**\nFriday 15th December at 18:30 - 20:30\nWIP Maakri 19, Tallinn\n\n **Join us at OWASP Estonia's inaugural event, Cybersecurity & AI - Vol. 1!**" }, - { - "group": "Tampa", - "repo": "www-chapter-tampa", - "name": "ISSA / OWASP Tampa Chapters Q4 Year-end Minicon", - "date": "2023-12-06", - "time": "8:30-05:00", - "link": "https://www.meetup.com/owasp-tampa/events/296916076", - "timezone": "America/New_York", - "description": "**Welcome to our joint ISSA & OWASP End of Year Minicon!**\n\nWe invite you to join us and members of our local Tampa Bay community to hear from industry experts in cybersecurity. 
This half day minicon will bring topics that influence discussion among your peers and provide a venue to meet others that share your passions.\n\n**Agenda:**\n\n* 8:30am - Registration\n* 9:00am - First Talk: Tsvi Korren, Field CTO Aqua Security\n* 10:00am - Second Talk: Tony Cook, Sr. Dir, DFIR & Threat Intel\n* 11:00am - Third Talk: Beth Miller, Field CISO Code42\n* 12:00pm - Lunch\n\n**Speakers:**\n\n* Tsvi Korren has been an IT security professional for over 25 years. In previous positions at DEC and CA Inc., he consulted with various industry verticals on the process and organizational aspects of security. As the Field CTO at Aqua, he is tasked with delivering commercial and open source solutions that make Cloud Native workloads the most secure, compliant and resilient application delivery platform.\n* Tony Cook is the Sr. Director of DFIR & Threat Intelligence on GuidePoint Security\u2019s consulting team, where he manages digital forensics and incident response engagements on behalf of the firm\u2019s clients. His career background includes high-level national security activities in cybersecurity operations for several clients over various verticals.\n* Beth Miller is an Sr. Insider Risk Advisor at Code42 where she coaches individuals and organizations to think creatively about risk management. She is a former intelligence officer with over 20 years of insider risk experience across the Federal Government, Intelligence Community, and Private Sector. Beth specializes in building resilient data protection programs at the intersection of behavior analysis and digital signature management. She earned her Masters from NYU and Bachelors from FSU.\n\n**Location:**\n3030 N Rocky Point Drive W\nSte 600\nTampa, FL\n\n**Sponsors:**\n[Aqua Security](https://www.aquasec.com/)\n[Code42](https://www.code42.com/)\n[GuidePoint Security](https://www.guidepointsecurity.com/)" - }, { "group": "Timisoara", "repo": "www-chapter-timisoara", 
@@ -239,16 +239,6 @@ "timezone": "Europe/Bucharest", "description": "The next OWASP Timisoara Chapter Meetup will be Online\nSee https://owasp.org/www-chapter-timisoara/ for more information about the OWASP Timisoara chapter. Theme sessions - Theme: Bug Bounty and Cloud Security\n**`18:00`**` Welcome participants`\n**`18:15`**` Introduction, OWASP News & Updates - Catalin Curelaru`\n**`18:30`**` Bug Bounty(Again) - Tomi Koski (Visma)`\n**`19:00`**` The bigger picture - Ovidiu Cical (Cyscale)`\n**`19:30`**` Networking`\n**Tomi Koski** \\- Red Team Engineer @ VISMA \\| Tomi Koski has been working with IT\\-systems for many moons\\, actually since \\(the wonderful\\) 1990\u2019s\\. He is passionate about anything related to security\\, combining both physical and virtual worlds\\. He is a constant learner and very curious person about life and bug bounties\\. Currently\\, he is working for Visma as a Red \\(read: Purple\\) Teamer\n*Bug Bounty(Again)* Abstract: My journey in the world of Bug Bounties, the good and bad. Story about how bug bounties have changed my life and why I think these are super fun and educational.\n**Ovidiu Cical** \\- Cloud Security Architect @ Cyscale \\| Ovidiu is a cybersecurity enthusiast with 20 years of experience in IT\\. Ovidiu speaks at international conferences covering different topics of Cybersecurity and is not a stranger to the pro\\-bono work of running the OWASP chapter in Cluj\\-Napoca for many years in the past\\. Currently\\, he leads Cyscale\\, a cloud security startup developing a product from the heart of Cluj\\-Napoca\\.\n*The bigger picture* Abstract: The bigger picture: a context is critical in understanding your security posture. Why a certain problem in one part of your cloud infrastructure may affect other areas of your cloud apps, how cloud data is secured, and how safe is the rest of your cloud estate." 
}, - { - "group": "Toronto", - "repo": "www-chapter-toronto", - "name": "OWASP Toronto | Privacy by Design (PbD)", - "date": "2023-12-06", - "time": "8:30-05:00", - "link": "https://www.meetup.com/owasp-toronto/events/297636602", - "timezone": "America/Toronto", - "description": "TALK\n\nPrivacy by Design (PbD)\n\nSummary:\n\nThis presentation will discuss Privacy by Design (PbD) and what it can look like when put into practice. PbD will be looked at as a best practice and as a requirement set out by privacy laws and regulations. In this talk, you will learn about the foundational principles of PbD, and concepts to consider that can help you in your role and collaboration with stakeholders.\n\nPresenter:\n\nHoria Tabatabaei Soltani,\n\nHoria is currently the Director (Fellow) of Privacy at Canon Canada. She oversees the development and maturity of Canon Americas (Canada, US, Latin America) privacy program. She is also completing her Masters of Law (LLM) at Osgoode Law School, York University in Privacy and Cybersecurity." - }, { "group": "Vancouver", "repo": "www-chapter-vancouver",
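Review bot: in the first hunk (@@ -79,16 +79,6 @@) the Gothenburg entry being removed is dated 2023-12-06, the same calendar day as this commit (Wed, 6 Dec 2023 23:04:16 -0600), and its "timezone" is Europe/Stockholm while the commit clock is -06:00; if the generator prunes entries once their date has passed, confirm it evaluates "date" in the entry's own "timezone" rather than in the generator's local time, otherwise events in zones well ahead of America/Chicago can be dropped while they are still being listed elsewhere as current.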
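Review bot: in the second hunk (@@ -119,6 +109,16 @@) the added Melbourne entry's "time": "7:30+11:00" does not match its own description, which says "We'll be there at The Bottom End from 5:30pm"; since "description" is free text and "time" is the field a consumer would display or put in a calendar, check which value the Meetup source actually carries before this lands, and if the description is the one that is wrong, leave a note in the entry so the discrepancy is not re-introduced on the next remote update.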
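Review bot: in the third hunk (@@ -139,6 +139,16 @@) the added Mugla University entry has "time": "7:45+03:00" while its description states "Tarih: 7 Aralık Perşembe, 17:45"; together with "8:30-05:00" on a Toronto evening talk and "8:30-05:00" on Tampa's 8:30am registration elsewhere in this file, this suggests the generator writes the hour in 12-hour form with no AM/PM marker, which makes the field ambiguous for any consumer computing a start time. Emit a 24-hour value (for this entry "17:45+03:00") from the generator rather than patching individual records. The typos in the unchanged Casablanca context above the hunk ("Auomation", "reserver", the duplicated "2. 2\." numbering) come from the upstream event text and are out of scope for this patch.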
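Review bot: the fourth hunk (@@ -219,16 +229,6 @@) removes the Tampa entry, whose "time" carries a hard-coded offset ("-05:00") next to an explicit "timezone" ("America/New_York"); the offset is only correct for the date the record was generated, so any consumer of this file should derive the offset from "timezone" plus "date" and treat the embedded one as informational. A one-line comment in whatever documents this file's schema would save the next reader from trusting the wrong field, since the two sources will disagree for entries generated across a DST change.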
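Review bot: the fifth hunk (@@ -239,16 +239,6 @@) removes the Toronto entry with "time": "8:30-05:00", byte-identical to the Tampa entry removed in the previous hunk even though Tampa's agenda starts with "8:30am - Registration" and the Toronto description gives no local time at all; if the Toronto meetup was an evening one, nothing in this field distinguishes 08:30 from 20:30. Separately, the commit message "remote update file" says nothing about what changed (two chapters added, three past events pruned); for an automated sync, have the job summarise added and removed entries in the message so reviewers can check the diff against it.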