OWASP London Welcome and Intro Sherif Mansour and Sam Stepanyan
Welcome and an Update on OWASP Projects from the OWASP London Chapter Leaders. This event was kindly sponsored and hosted by Expedia.
https://www.youtube.com/watch?v=1cIAlwLO1Qo
Facebook's Whitehat bug bounty program receives thousands of security bug reports annually, covering a wide range of issues and products. Come listen to some of the interesting bugs Facebook's Whitehat program team handled over the past year, and some pro-tips when looking for bugs outside of "facebook.com".
Jack Whitton is a Security Engineer, based at Facebook's London HQ. Jack focuses primarily on the Whitehat program, which involves interacting with the security community who find vulnerabilities in Facebook-family products, in addition to working with internal teams to ensure code is shipped securely. Prior to joining Facebook in 2016, he was one of the top researchers in the Whitehat program.
This talk was presented at the OWASP London Chapter Meeting on the 6th September 2018 at Facebook London HQ
https://www.youtube.com/watch?v=ldt__TFEu9c
OWASP Amass project - a tool which obtains subdomain names by scraping data sources, recursive brute forcing, crawling web archives, permuting/altering names and reverse DNS sweeping. All the information is then used to build maps of the target networks.
Speaker: Jeff Foley
Jeff serves as CTO & Co-founder of ClaritySec, an Upstate New York based information security startup. Prior to this, he was the Director of Research for the Cyber Systems, Weapon Systems & Sensors Operation at Alion Science & Technology. In his spare time, Jeff enjoys experimenting with new blends of coffee, supporting local universities' information security programs, and participating in information security competitions such as DEFCON Capture The Flag.
This talk was presented (remotely) at the OWASP London Chapter Meeting on the 6th September 2018 at Facebook London HQ
https://www.youtube.com/watch?v=8cOCaPwbr60
Using Trivy and Falco to Detect Malware and exploitable binaries in a Kubernetes Environment - Marco Mancini
SPEAKER
Marco Mancini (@ManciniJ)
Marco Mancini is a Security Engineer at Thought Machine
Slides of this talk can be downloaded here: https://github.com/OWASP/www-chapter-london/raw/master/assets/slides/OWASPLondon20220908_Using_Trivy_and_Falco_to_Detect_Malware_and_exploitable_binaries_in_a_Kubernetes_Environment-Marco_Mancini.pdf
This talk was presented at the OWASP London Chapter Meeting on September 8th 2022 (kindly sponsored and hosted by @Thought Machine).
https://www.youtube.com/watch?v=eznt3gG8ze4
Slides: https://drive.google.com/file/d/1ZTnU7XYjTAcUg5MfdXsnZlryl07s9NmE/view?usp=sharing
Talk abstract:
In March 2017 hackers took three days to identify and exploit a new vulnerability in Equifax’s web applications. In the post-Equifax world, moving new business requirements (e.g., a non-vulnerable version of Struts2) into production in under three days might just be your new normal. Find out what the analysis of 17,000 applications reveals about the quality and security of software built with open source components. Join this session to better understand how DevSecOps teams are applying lessons from W. Edwards Deming (circa 1982), Malcolm Goldrath (circa 1984) and Gene Kim (circa 2013) to improve their ability to respond to new business requirements and cyber risks.
Speaker: Stefania Chaplin (@DevStefOps) is a Solutions Engineer at Sonatype. At Sonatype Stefania is responsible for helping customers understand and implement DevSecOps across the EMEA region. Stefania holds a BSc degree in Computer Science from the University of Manchester and has a background as a Python/Java developer. She enjoys the challenge of improving the quality of software across different languages and ecosystems. Stefania is passionate about women in technology and is Founder and President of 'Women at Sonatype'. She has spoken about DevSecOps at many conferences and meetups across Europe, including JavaZone in Norway, JFokus in Sweden, and Cloud Expo, Women of Silicon Roundabout and Women in DevOps in London.
This talk was presented at the OWASP London Chapter meetup on 22-November-2018 at Microsoft Reactor
https://www.youtube.com/watch?v=tFd6enAvn30
Talk by Irene Dixon, Operator of the Original Colossus Computer, in which she reveals that not only the Enigma machines but also the Lorenz machines were cracked (this has only recently come out).
https://www.youtube.com/watch?v=x70GHsk6JRQ
Since Keccak was selected as the winner of the SHA-3 competition in 2012, a myriad of different hash functions have been trending. From BLAKE2 to KangarooTwelve, we'll cover what hash functions are out there, what is being used, and what you should use. Extending hash functions, we'll also discover STROBE, a symmetric protocol framework derived from SHA-3.
Slides can be found here: https://www.owasp.org/images/f/f5/OWASPLondon20171123_SHA3_vs_the_world.pdf
Speaker Bio: David Wong (@lyon01_david)
David Wong is a Security Consultant at the Cryptography Services practice of NCC Group. He has been part of several publicly funded open source audits such as OpenSSL and Let's Encrypt. He has conducted research in many domains in cryptography, publishing whitepapers and sharing results at various conferences including DEF CON and ToorCon as well as giving a recurrent cryptography course at Black Hat. He has contributed to standards like TLS 1.3 and the Noise Protocol Framework. He has found vulnerabilities in many systems including CVE-2016-3959 in the Go programming language and a bug in SHA-3's derived KangarooTwelve reference implementation. Prior to NCC Group, David graduated from the University of Bordeaux with a Masters in Cryptography, and prior to this from the University of Lyon and McMaster University with a Bachelor in Mathematics.
This talk was presented at OWASP London Chapter Meeting (meetup) on 23-Nov-2017 hosted by The Telegraph. Follow OWASP London on Twitter: @owasplondon
https://www.youtube.com/watch?v=2R3dTeRBhQw
We're doing security wrong. We're living in a construct where we chase vulnerabilities, patch levels, configurations, etc. We chase around the unimportant because it's what we've always done. It wasn't wrong then, but times have changed. What if I told you there was another way, a way out of the chaos, a way to clear (most of) the alert fatigue and focus on what is important? Today we need to be data-centric, as that's what attackers are after, and losing control of it gets CISOs fired, be it through data leaks, ransomware, or breaches of compliance/privacy. But we're losing this battle because data is everywhere, so how does one decide what is or isn't important?
SPEAKER BIO
Mike Andrews(@ma)
Mike Andrews is head of engineering and product at Open Raven, a VC-funded startup in the data security space (and promises that this talk, in no way, is a product pitch!). He's previously held leadership roles at Oracle and Microsoft, spanning security, engineering, and DevOps/SRE, but started out in academia researching programmer psychology and productivity, and "fell into" security via a strange convergence of bug reporting, government contracts, and the early days of OWASP. He's the author of "How to Break Web Software", one of the first WebAppSec books way back in the early 2000s, and is still surprised that he's receiving royalties from it.
This talk was presented at the OWASP London Chapter Meetup on February 28th, 2023 at Monzo Bank London offices.
#OWASPLondon
https://www.youtube.com/watch?v=NPImSK42uSU
This talk was presented at the OWASP London Chapter [ONLINE] Meeting on 04 March 2021
GraphQL is becoming the next big API technology for developers, but with new technology comes new risk, and for us that means bug bounties! In this talk you will learn everything about GraphQL, from how it works to what kinds of bugs are common.
Speaker Bio:
KATIE PAXTON-FEAR (@InsiderPhD)
Katie is a Lecturer in Cyber Security at Manchester Metropolitan University, however, in her free time, she's a bug bounty hunter and an educational YouTuber. She started out hacking in June 2019 during a HackerOne mentorship program and now hopes to be a mentor to others, creating educational cyber security videos on YouTube. In her videos, she attempts to bridge the gap between "I know what bug bounties are" and "bug bounty hunter" giving advice specifically tailored to bug hunting. She's now produced over 50 videos on bug bounty hunting for an audience of over 25,000 YouTube subscribers. Aimed at a beginner audience these go from finding your first bug, to how to use specific tools, to how to find specific bug classes.
Katie has discovered and responsibly reported security vulnerabilities to several large organisations such as Verizon Media and the US Department of Defense.
Index:
00:00 OWASP Introduction and Member Benefits
01:31 Katie's talk start - About Katie
05:31 What is GraphQL?
09:21 Where to Find GraphQL
12:19 Queries
15:10 Mutations
18:01 Why is it important to learn GraphQL syntax?
19:32 Introspection
17:15 GraphQL IDE
27:55 InQL Burp add-on and scanner
28:40 GraphQL Map
19:43 Common GraphQL Bugs
32:47 How To Hack GraphQL APIs
41:15 Q&A session
Presentation Slides can be downloaded from the OWASP London GitHub repo here: https://github.com/OWASP/www-chapter-london/raw/master/assets/slides/GraphQL_Hacking-Katie_Paxton_Fear_OWASPLondon.pdf
#BugBounty #OWASP #GraphQL #InsiderPhD
https://www.youtube.com/watch?v=GlvNwhq-uBg
Pwning the CI Workflow and How to Prevent It - Steve Giguere
Our journey to open source and GitOps heaven has exposed new security challenges as our CI platforms are exposed to the outside world. The soft underbelly of our development pipeline is as visible to willing contributors as it is to malicious subversives looking for the keys to the backdoor. In this talk, we'll look at some known potential exploits of GitHub Actions workflows to show how simple misconfigurations or straight-up bad practices can leave our supply chain wide open to attackers.
SPEAKER BIO:
Steve Giguere (@SteveGiguere)
Steve Giguere is a Developer Advocate with Bridgecrew by Prisma Cloud, specialising in cloud and infrastructure security automation. Prior to this, Steve was a Solution Architect for StackRox and Aqua Security, specialising in container and Kubernetes security, and also previously spent several years at Synopsys establishing DevSecOps best practices for enterprise CI/CD pipelines. Steve runs the DevSecOps London Gathering community and several security podcasts, including CoSeCast - The Continuous Security Podcast, the Twitch/YouTube show C9K, as well as a personal blog and podcast called Codifyre.
This talk was presented at the OWASP London Chapter Meeting on September 8th, 2022. This event was kindly sponsored and hosted by @Thought Machine.
https://www.youtube.com/watch?v=erD-ClTUmck