OWASP Scotland

Welcome to the OWASP Scotland Chapter page. The chapter is led by Rob Jansson, Jim Slaughter and Sean Wright. Please follow us on Twitter for our latest updates, as well as Meetup for notifications of upcoming events (and for obtaining tickets for those events). Alternatively, sign up to our OWASP Scotland Google Group.

Events

Upcoming Events

Thursday, 18 April 2024

Time: 20:00 - 21:00 BST

Location: EY Edinburgh, 144 Morrison Street, Edinburgh

Tickets: Tickets are available on Meetup: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-summer-session-tickets-658038349417.

Join us at the OWASP Scotland Chapter Meeting where we have two exciting talks lined up focusing on Large Language Models (LLMs) security and risk aspects; as well as a deep dive into the recent “iSOON Leak”.

This event is perfect for software developers, ethical hackers, and cybersecurity enthusiasts interested in learning about the latest trends in cyber security.

Talk 1 - Large Language Models (LLMs) and Risk Management

Speakers: Jason Fish and Jamie Cranmer

This talk will cover the below talking points:

  1. Introduction to LLMs - Overview of Generative AI and potential Use Cases
  2. LLM Risk - Risks associated with LLM and how they differ from other types of AI
  3. AI Risk management and ML Ops - Core capabilities that support the management of AI and Generative AI risks

Talk 2 – The iSOON Leak: What Is It and How to Analyse It

Speaker: Jim Slaughter

In late February, an unusual event occurred. While it was widely known the PRC was actively engaged in espionage around the world, glimpses into how this was done were few and far between. Then a repo appeared on GitHub. The iSOON leak has revealed a significant amount of information about the internal operations and capabilities of a state-affiliated hacking contractor in China. Given the challenges of analysing a large trove of files (often without the aid of a native language speaker), new ways of utilizing technology (including AI) were needed to fully understand this dataset.

Bio: Who Am I? I’m Canadian, eh! Currently a Senior Threat Intel Engineer at Fortinet

Day-to-day responsible for looking for “interesting samples”, and reversing them. Blogs - https://www.fortinet.com/blog/search?author=James+Slaughter

Prior to Fortinet:

  • 8 years at NatWest as the Cyber Threat Hunting and Analytics Tech Lead
  • 10 years at BlackBerry as a Dev
  • My hobbies match my vocation. You can usually find me tinkering with malware or code that I stick up on GitHub - https://github.com/slaughterjames

Past Events

List of our past chapter events.

Thursday, 23 November 2023

Time: 20:00 - 21:00 BST

Location: Online (details will be provided via Eventbrite)

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-summer-session-tickets-658038349417

Talk 1 - Active Directory Security

During this event, industry professionals will share their insights on enhancing your Active Directory security posture. Learn how to protect against unauthorized access, prevent data breaches, and strengthen your overall cybersecurity defenses.

Whether you’re an IT professional, system administrator, or simply interested in bolstering your organization’s security, this event is a must-attend. Connect with like-minded individuals, exchange ideas, and gain valuable knowledge to safeguard your Active Directory infrastructure.

Don’t miss out on this opportunity to stay ahead of the ever-evolving threat landscape. Register now to secure your spot and take proactive steps towards a more secure Active Directory environment.

Note: Virtual meeting link will be emailed to registered attendees on the day of the event.

Thursday, 29 June 2023

Time: 18:00 - 20:00 BST

Location: Hays, 7 Castle Street, Edinburgh, EH2 3AH

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-summer-session-tickets-658038349417

Talk 1 - Insights from the Hays Global Cyber Report

Insights from the Hays Global Cyber Report on talent and demand across the Cyber Security Market. Exploring the areas that Cyber Leaders have concerns alongside domains for likely investment.

Speaker Bio - James Walsh

James is a specialist Cyber/InfoSec recruiter with over 10 years of experience in the sector. He has worked with multiple sectors, from National Government, FS, Defence, Professional Services, Logistics, Health Care, Pub Sec and Pharmaceuticals, placing CISOs, Directors of Cyber and more. He is CISMP certified and was the first recruiter in the UK to hold the certification. James leads the Hays UK&I Cyber Practice, which works across Cyber/InfoSec roles from entry level to the board, providing perm, interim and consultancy services.

Talk 2 - Clean Rooms, Nuclear Missiles and SideCopy, Oh My!

Occasionally, FortiGuard Labs researchers come across a file name or e-mail subject that makes us sit up and take notice. Of course, it may turn out to be nothing. But every once in a while, one of these turns out to be incredibly interesting.

We recently came across one such file that referenced an Indian state military research organization and an in-development nuclear missile. The file was meant to deploy malware with characteristics matching the APT group “SideCopy”. With activities dating back to at least 2019, this group has aligned its targeting with the goals and objectives of the Pakistani government.

Speaker Bio - James Slaughter

Who Am I? I’m Canadian, eh!

Currently a Senior Threat Intel Engineer at Fortinet. Day-to-day responsible for looking for “interesting samples”, reversing them and then blogging the results. Some recent examples - https://www.fortinet.com/blog/search?author=James+Slaughter

Prior to Fortinet:

8 years at NatWest as the Cyber Threat Hunting and Analytics Tech Lead

10 years at BlackBerry as a Dev

My hobbies match my vocation. You can usually find me tinkering with malware or code that I stick up on GitHub - https://github.com/slaughterjames

Thursday, 6 April 2023

Time: 18:00 - 20:00 BST

Location: PwC, 144 Morrison Street, Edinburgh, EH3 8EX

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-april-tickets-597182307357

Talk 1 - Cyber as a Science

In this talk, I discuss the importance of the scientific method within the Cybersecurity industry and the challenges created by pseudoscience and guff. I will also examine the issues with current efforts in this space, such as: the limited relevance of academia, the challenges of getting access to relevant data, the rapidly changing threat landscape and persistence in creating analogues to military doctrine.

Speaker Bio - Lawrence Munro

Lawrence is the Group CISO at NCC Group and has a background in penetration testing and social engineering. He’s currently an expert advisor to the UK Government via the ‘College of experts’ within DCMS and is a former member of the CREST executive and B-Sides London Director. Lawrence has previously presented his ideas at BlackHat USA, RSA, 44Con and a number of other conferences.

Talk 2 - Can’t you keep a secret? Cloud-Native Secrets Management with OWASP WrongSecrets

In this talk, Dan will dive into cloud secrets management best practices and show you all the things that can go terribly wrong with secrets management in the cloud through using OWASP WrongSecrets. Dan will also walk you through some example challenges related to exposed secrets in codes and misconfigured Kubernetes clusters.

Speaker Bio - Dan Gora

Dan Gora is a Lead Cloud Security Architect at Cloudreach (An ATOS Company) specialising in Cloud-Native Security, DevSecOps and Application Security. He is also an OWASP Frankfurt Chapter Lead and an avid Scottish Munro-bagger, having conquered half of all Scottish munros.

Thursday, 29 December 2022

Time: 20:00 - 21:00 GMT

Location: Virtual (Details to be announced)

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-dec-tickets-475144398687

End of Year

OWASP Scotland will be hosting an informal chapter meeting. Join in to discuss the year ending.

Friday, 13 December 2022

Time: 18:00 - 20:00 BST

Location: Hays, 7 Castle Street, Edinburgh, EH2 3AH

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-dec-tickets-475144398687

Meeting the Minister

Things not always being as they seem is a common adage that lends itself well to the cyber world. Phishing tries explicitly to convince an email recipient that a message is legitimate and trustworthy when it is not. This applies equally to cases where the sender is interested in criminal exploits or nation-state activity.

FortiGuard Labs recently came across an unassuming phishing email that proved to be far more than it initially seemed. Written in Russian, it attempts to lure the recipient into deploying malware on their system. This talk will cover the analysis of that malware which happens to have been Konni - a remote administration tool (RAT) that has been tied to the group APT 37 (aka: Ricochet Chollima, InkySquid, ScarCruft, Reaper, and Group123). This group has been known to align its targeting and objectives with those of the government of the Democratic People’s Republic of Korea (DPRK), commonly known as North Korea.

Speaker Bio - James Slaughter

Who Am I?

I’m Canadian, eh!

Currently a Senior Threat Intel Engineer at Fortinet. Day-to-day responsible for looking for “interesting samples”, reversing them and then blogging the results. Some recent examples - https://www.fortinet.com/blog/search?author=James+Slaughter

Prior to Fortinet:

  • 8 years at NatWest as the Cyber Threat Hunting and Analytics Tech Lead
  • 10 years at BlackBerry as a Dev

My hobbies match my vocation. You can usually find me tinkering with malware or code that I stick up on GitHub - https://github.com/slaughterjames

Friday, 30 June 2022

Time: 18:00 - 20:00 BST

Location: PwC, 144 Morrison Street, Edinburgh, EH3 8EX

Tickets: Tickets are available on eventbrite: <https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-december-tickets-224828597387>

Elevate your AppSec Program with the OWASP JuiceShop Project

Dan Gora will give an introduction to the OWASP JuiceShop, the German OWASP flagship project and one of the most sophisticated deliberately insecure web applications. Dan demonstrates how to get started with hands-on application security learning by walking through OWASP Top 10 vulnerabilities in the JuiceShop. This includes vulnerabilities such as cross-site scripting and code injection. Furthermore, it will be shown how the OWASP Juice Shop can be used for security training, awareness demos, CTFs and as a guinea pig for testing your security tooling.

Speaker Bio

Dan Gora is a Cloud Security Architect at Cloudreach (ATOS) specialising in Cloud-Native Security, DevSecOps and Application Security. Dan is also an OWASP Frankfurt Stammtisch co-organiser and regularly commutes between Edinburgh and Frankfurt, Germany. Dan is also Leading the OWASP Frankfurt Regular Table and is a Board Member of the German OWASP Chapter. If Dan is not shifting security left, you can find him with his head in the cloud on top of Scottish Highland Munros, which he very much enjoys bagging.

Friday, 31 December 2021

Time: 16:00 - 17:00 BST

Location: Virtual, details will be emailed closer to the time to those who have registered to the event below.

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-december-tickets-224828597387

Informal chapter meeting - join in to discuss the year ending

Join us for an informal discussion rounding up the year. This will be an open discussion, for which we would love as much input as possible.

Note: Participants are limited for this virtual meetup and sign-in details will be provided closer to the time.

Thursday, 16 December 2021

Time: 20:00 - 21:30 BST

Location: Virtual, details will be emailed closer to the time to those who have registered to the event below.

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-december-tickets-224828597387

Open Source Software Supply Chains

As modern software development evolves, we no longer build things from the ground up. Extensive use is made of open source software such as libraries and frameworks. While this is fantastic from a development point of view (allowing for faster development of applications and features), it does present a potential drawback if not done correctly: an increased risk. Often, we see libraries being used and seldom updated; we also see several libraries being used blindly, with little to no inspection or review. This is a gold mine for attackers, and there are many ways that they have used, and will continue to use, this to their advantage. The purpose of this talk is to cover some of the techniques which attackers could use to exploit open source supply chains. This will include a live demonstration of one such technique which an attacker could use. The talk will then focus on the excellent OWASP Dependency Track tool, showing how this can help reduce the risk to organizations when it comes to dealing with open source packages in software.

Speaker Bio - Sean Wright

Lead Application Security SME at Immersive Labs with an origin as a software developer. Primarily focused on web-based application security with a special interest in TLS related subjects. Experienced in providing technical leadership in relation to application security, as well as engaging with teams to improve the security of systems that they develop. Passionate to be a part of the community and giving back to the community. Additionally, enjoy spending personal time performing personal security-related research.

Note: Participants are limited for this virtual meetup and sign-in details will be provided closer to the time.

Thursday, 1 April 2021

Time: 20:00 - 21:30 BST

Location: Virtual, details will be emailed closer to the time to those who have registered to the event below.

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-april-virtual-chapter-meeting-tickets-148263727801

Scale Your Security by Embracing Secure Defaults & Eliminating Bug Classes

We’re in the middle of a significant shift in how security teams operate and prioritize their limited budget and person-time. Historically, as an industry, we’ve focused on building tools to identify vulnerabilities. While we’ve built impressive tools, these approaches have failed to address the challenges of modern engineering teams. Specifically, these tools often are too slow, require a prohibitive amount of security engineer time and domain expertise to tune, overwhelm users with false positives, and most importantly, do not ultimately raise a company’s security bar. But there’s another way. Rather than investing in finding more bugs, some modern security teams are instead focusing on providing developers with frameworks and services with secure defaults (“guard rails”) so that developers can build features quickly and securely. When done correctly, combining secure defaults and lightweight checks that enforce invariants (properties that must always hold), organizations can solve classes of vulnerabilities by construction, preventing bug whack-a-mole. In this talk, we’ll present a practical step-by-step methodology for:

  • Choosing what to focus your AppSec resources on
  • How to combine secure defaults + lightweight invariant enforcement to eradicate entire vulnerability classes
  • How to integrate continuous code scanning into your CI/CD processes in a way that’s fast, high signal, and low friction for developers
  • How to use an open source, lightweight security linting tool to find bugs and anti-patterns specific to your company

Speaker Bio

Grayson Hardaway is a security researcher at r2c, a startup working on static analysis tools purpose-built for the modern workflow. At r2c, Grayson authors static analysis tailored for finding security vulnerabilities in open source code. Previously, Grayson worked for the US Department of Defense fuzzing and exploiting obscure protocols. When not submitting patches, Grayson is hefting a heavy pack uphill, crafting guitar solos, or learning something new: currently woodworking.

Note: Participants are limited for this virtual meetup and sign-in details will be provided closer to the time.

Thursday, 10 December 2020 (December Xmas Special)

Time: 20:00 - 21:30 BST

Location: Virtual, details will be emailed closer to the time to those who have registered to the event below.

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-december-xmas-special-virtual-chapter-meeting-tickets-131521886503

Description

Join the OWASP Scotland community in this final Xmas Special chapter meeting of 2020, where we will talk about some of the worst hacks and breaches of the year. If you have a story you’d like to share, drop us a line and we’ll fit you in. Bring yourself, bring your favourite tipple and we will see you there. Note: Participants are limited for this virtual meetup and sign-in details will be provided closer to the time.

Thursday, 24 September 2020

Time: 20:00 - 21:30 BST

Location: Virtual, details will be emailed closer to the time to those who have registered to the event below.

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-virtual-chapter-meeting-sept-tickets-119944656697

Description


Rory McCune (@raesene)

Abstract – The world of containerization can be a morass of new and odd sounding acronyms and terms. However, when you start to dig into what’s really happening with Docker, Kubernetes et al, you will find that there’s a lot of familiar technologies involved which can have existing approaches to security applied to them. This talk aims to demystify the container security world and explain some of the underlying concepts.

Bio - Rory has worked in the Information and IT Security arena for the last 20 years in a variety of roles. These days he spends most of his work time on application, cloud and container security. He’s an active member of the UK information security community, having delivered presentations at a variety of IT and Information security conferences. He has also presented at major containerization conferences and is an author of the CIS Benchmarks for Docker and Kubernetes.

Daniel Card (@UK_Daniel_Card)

Panel Discussion - Panel discussion involving Daniel Card, covering topics ranging from the community, common security mistakes, and community based events.

Thursday, 28 May 2020

Time: 20:00 - 21:30 BST

Location: Virtual, details will be emailed closer to the time to those who have registered to the event below.

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-virtual-chapter-meeting-may-tickets-105453656726

Description

We are pleased to announce that the second OWASP Scotland Chapter meeting of 2020 will take place on Thursday the 28th of May.

STÖK - Bounty curious? How to win at bug bounties in 2020 (and stay sane)

Speaker: STÖK - @stokfredrik, youtube.com/stokfredrik

STÖK will be providing us insight into how to approach bug bounties as a hobby in 2020, what tools most people use, why you need automation, understanding depth vs. breadth, fuzzing vs code review; and how to stay sane whilst competing against 700,000 other hackers.

Context IS - Open Banking Applications

Speaker: Margus Lind & Daniela Schoeffmann, Context IS

Open Banking is the UK implementation for PSD2. On top of the PSD2 regulations, Open Banking provides a detailed specification for banks and third parties to follow when communicating with one another. This allows companies (TPPs) to build their applications and integrate with online services exposed by any bank (ASPSP) in a standardised way.

With an increasing number of banks using APIs to share data, Open Banking promises better business opportunities and more robust security for customers and banks. However, implementation of publicly accessible APIs and introduction of new security models create a myriad of challenges. This makes for a wider attack surface and puts data in the hands of more companies (third party providers) who have differing approaches to customer data protection. In this talk we will cover a brief introduction to Open Banking, our experiences with testing implementations of Open Banking, as well as the technical and project management challenges we have overcome along the way. We will demonstrate the technical complexities encountered, and share some interesting discoveries made during the engagements.

Code of Conduct

We hope you enjoy our events, we care deeply about inclusivity and diversity so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of the chapter leaders if you have any feedback or would like to speak to us, we take these matters very seriously. You can find out more about our policies here: https://owasp.org/www-policy/operational/conferences-events.html.

Tuesday, 11 February 2020

Time: 18:00 - 20:00 BST

Location: PwC, 144 Morrison Street, Edinburgh, EH3 8EX

Tickets: Tickets are available on eventbrite: https://www.eventbrite.co.uk/e/owasp-scotland-chapter-meeting-february-2020-tickets-90016877905

Description

We are pleased to announce that the first OWASP Scotland Chapter meeting of 2020 will take place on Tuesday the 11th of Feb. Many thanks to PwC, who has kindly offered to host this event for us. They will also be providing pizza and refreshments on the evening.

Security Culture and Behaviour - security is still often seen as a technology problem

Speaker: Louise MacDougall

This presentation will focus on the culture and behaviours surrounding cyber security and explore the ‘People layer’ of defence. Louise will discuss how organisations should be approaching cyber security leadership and how they can drive the right security behaviours within their staff. Particular focus will be on the role of senior leadership and behavioural models that can be applied to cyber security.

Nothing Rhymes with Purple

Speaker: Lawrence Munro

In this talk, I discuss the need for collaborative strategies between blue and red teams. I dive deep into the concepts of ‘always-on’ red teaming and the processes of generating use cases from TI through threat hunting to validation. I also discuss the use of point-in-time purple teaming and maximising the value to the SOC. Moreover, I will discuss the direction of travel within the professional services industry and open the floor to discussion.

Bio: Lawrence Munro is Technical Director at NCC Group, a Post-Graduate Student at Oxford University, a CREST Executive member and Director for B-Sides London. His research (and presentation topics) are varied, but often include: red teaming, education in InfoSec and weird side-projects. Lawrence has previously presented his ideas and research at: Black Hat USA, DEFCON, 44CON, RootCon, B-Sides (Various), ToorCon.