[ { "id" : "f084b378293bb3063d56516ef685e343", "file_path" : "tracks/API-security/_index.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/api-security/", "content_plain" : "This track is focused on API security\n", "summary" : "This track is focused on API security", "title" : "API Security", "track" : null, "type" : "track", "word_count" : 7, "params" : {"description":"Sessions focusing on API security","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Pending"],"owasp-project":false,"session_slack":"https://os-summit.slack.com/messages/CAVAQCQ5R","title":"API Security","type":"track","when_day":"Fri"} } , { "id" : "2938f3e053be89b36d5fef15fc69ad06", "file_path" : "tracks/API-security/improving-chaos-toolkit.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/api-security/improving-chaos-toolkit/", "content_plain" : " The Chaos Toolkit provides a Universal API for Chaos Engineering experiments that is then used to drive various implementations of chaos-causing and system-state-probing functions.\nThis session will focus on how the Chaos Toolkit, and the project\u0026rsquo;s open source ecosystem, can be practically used and extended for DevSecOps concerns to deliver on the needs of automation and collaboration.\nWHY Chaos is about introducing learning loops so that trust and confidence in systems can be maintained in the face of constant change.\nThe Chaos Toolkit provides a free and open source tool and community that can be extended to explore security weaknesses through the chaos engineering discipline.\nTo implement the necessary chaos-driving and system-probing functions for DevSecOps, the Chaos Toolkit will need to be extended using it\u0026rsquo;s \u0026ldquo;driver\u0026rdquo; extension point. 
This session will focus on how to so that.\nWhat This session will explore, using real code, the ways of extending the Chaos Toolkit to meet DevSecOps concerns.\nOutcomes Attendees will have an excellent grasp of the architecture of the Chaos Toolkit and the various ways in which it can be extended. They will have built one real-world \u0026ldquo;driver\u0026rdquo; from scratch themselves and know how to do the same for general-purpose, or even private and specific, real-world DevSecOps concerns.\nReferences The Chaos Toolkit: http://chaostoolkit.org/ The Chaos Toolkit Universal Open API for Chaos Engineering: http://chaostoolkit.org/reference/api/experiment/ Contributing to and Extending The Chaos Toolkit: http://chaostoolkit.org/reference/contributing/ Extension approaches in the Chaos Toolkit: http://chaostoolkit.org/reference/extending/approaches/ The Chaos Toolkit incubator for current, real-world \u0026ldquo;drivers\u0026rdquo;: https://github.com/chaostoolkit-incubator\n", "summary" : "The Chaos Toolkit provides a Universal API for Chaos Engineering experiments that is then used to drive various implementations of chaos-causing and system-state-probing functions.\nThis session will focus on how the Chaos Toolkit, and the project\u0026rsquo;s open source ecosystem, can be practically used and extended for DevSecOps concerns to deliver on the needs of automation and collaboration.\nWHY Chaos is about introducing learning loops so that trust and confidence in systems can be maintained in the face of constant change.", "title" : "Customising the Chaos Engineering Toolkit", "track" : "API Security", "type" : "working-session", "word_count" : 246, "params" : {"categories":null,"description":"Practical Guide to Extending the Chaos Toolkit for DevSecOps 
concerns.","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","locked":false,"organizers":["TBD"],"participants":null,"room_id":"room-6","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUS7SZEV","status":"review-content","technology":null,"title":"Customising the Chaos Engineering Toolkit","track":"API Security","type":"working-session","when_day":"Fri","when_time":"PM-1"} } , { "id" : "4eee4c3c8bd183e455ebee3335859a2e", "file_path" : "tracks/API-security/real-world-chaos-engineering.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/api-security/real-world-chaos-engineering/", "content_plain" : " In this session a collection of real-world security cases will be explored through the lens of the chaos engineering discipline.\nWHY In the face of increased speed of system evolution and complexity, systems are becoming harder to trust and have confidence in expecially from a security perspective.\nChaos engineering provides a specific mindset that augments the existing security mindset to provide a basis for automated exploring and discovering of weaknesses before your customers experience them.\nThis session will show how that mindset can be applied to common, real-world security cases and how, using the Deliberate Practice of Chaos Engineering, improve the entire sociotechnical system to mitigate and respond, and even preempt, these types of weaknesses coming to light.\nWhat Through real-world examples of chaos engineering, the attendees will explore recent and organisation-specific security weaknesses and how chaos engineering can be brought to bear on those weaknesses.\nOutcomes Attendees will have explored a wealth of their own, and real-world, use cases and know, through real-world chaos engineering examples, how the chaos engineering mindset and process can provide a new tool for exploring and defeating sociotechnical system weaknesses proactively.\nReferences The Principles of 
Chaos:http://principlesofchaos.org/\n", "summary" : "In this session a collection of real-world security cases will be explored through the lens of the chaos engineering discipline.\nWHY In the face of increased speed of system evolution and complexity, systems are becoming harder to trust and have confidence in expecially from a security perspective.\nChaos engineering provides a specific mindset that augments the existing security mindset to provide a basis for automated exploring and discovering of weaknesses before your customers experience them.", "title" : "Real world Chaos Engineering", "track" : "API Security", "type" : "working-session", "word_count" : 192, "params" : {"categories":null,"description":"An exploration and working session to characterise, explore and implement real-world DevSecOps chaos experiments.","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","locked":false,"organizers":["TBD"],"participants":null,"room_id":"room-6","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUN7NXFS","status":"review-content","technology":null,"title":"Real world Chaos Engineering","track":"API Security","type":"working-session","when_day":"Fri","when_time":"PM-3"} } , { "id" : "f0729f0639da26b757a789c8a95823da", "file_path" : "tracks/API-security/scaling-api-security.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/api-security/scaling-api-security/", "content_plain" : "", "summary" : "", "title" : "Scaling API Security", "track" : "API Security", "type" : "working-session", "word_count" : 0, "params" : {"categories":null,"description":"","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Scaling API Security","track":"API Security","type":"working-session","when_day":"Thu","when_time":"DS-2"} } , { "id" : 
"1bdd7fab7ccabe06fa51af7a7af87d84", "file_path" : "tracks/API-security/securing-kubernetes-hosted-apis.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/api-security/securing-kubernetes-hosted-apis/", "content_plain" : "", "summary" : "", "title" : "Securing Kubernete's hosted APIs", "track" : "API Security", "type" : "working-session", "word_count" : 0, "params" : {"categories":null,"description":"","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Securing Kubernete's hosted APIs","track":"API Security","type":"working-session","when_day":"Thu","when_time":"DS-2"} } , { "id" : "c4680632c3b7a46dc85d132facc48e36", "file_path" : "tracks/CISO/_index.md", "last_modified" : "2019-05-05T16:47:17+01:00", "link" : "/tracks/ciso/", "content_plain" : "Working Sessions on topics related for CISOs and C-Level execs.\n", "summary" : "Working Sessions on topics related for CISOs and C-Level execs.", "title" : "CISO", "track" : null, "type" : "track", "word_count" : 10, "params" : {"description":"Working Sessions on topics related for CISOs and C-Level execs.","draft":false,"iscjklanguage":false,"lastmod":"2019-05-05T16:47:17+01:00","organizers":["Tony Richards","Paul Davies"],"session_slack":"https://os-summit.slack.com/messages/CAVDMTALA","status":"done","title":"CISO","type":"track","when_day":"Thu,Fri"} } , { "id" : "c43d1cbfbde91d1aa3f40d6bf57969a2", "file_path" : "tracks/CISO/ciso-roundtable.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/ciso/ciso-roundtable/", "content_plain" : "", "summary" : "", "title" : "CISO Ask Me Anything (AMA)", "track" : "CISO", "type" : "working-session", "word_count" : 0, "params" : {"description":"Session on Risk Modeling","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Dinis 
Cruz"],"participants":["Ante Gulam","Kevin Fielder","Tony Richards"],"room_id":null,"room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAURV0D09","status":"draft","title":"CISO Ask Me Anything (AMA)","topics":["CISO"],"track":"CISO","type":"working-session","when_day":"Thu","when_time":"PM-2"} } , { "id" : "6c9e1e4e8c7bf6984f63faa329177759", "file_path" : "tracks/CISO/cyber-risk-modeling.md", "last_modified" : "2019-05-08T08:37:27+01:00", "link" : "/tracks/ciso/cyber-risk-modeling/", "content_plain" : "", "summary" : "", "title" : "Cyber Risk Modeling", "track" : "CISO", "type" : "working-session", "word_count" : 0, "params" : {"description":"Session on Risk Modeling","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-08T08:37:27+01:00","organizers":["Phil Huggins"],"participants":["Tony Richards"],"room_id":"room-2","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVGVTQ85","status":"draft","title":"Cyber Risk Modeling","topics":["CISO","Risk"],"track":"CISO","type":"working-session","when_day":"Thu","when_time":"PM-3"} } , { "id" : "a769513615619035a19aa80a3f2238e2", "file_path" : "tracks/CISO/owasp-collective-defence-agreement.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/ciso/owasp-collective-defence-agreement/", "content_plain" : " This Working Session aims to continue the work done at the last Summit on this CDC model.\nWhy In the same way that countries use NATO Collective defence - Article 5 to:\n create a unique and enduring principle that binds its members together, committing them to protect each other and setting a spirit of solidarity within the Alliance (http://www.nato.int/cps/cn/natohq/topics_110496.htm)\n companies should share information, knowledge, and resources so that malicious activities are easily detected and mitigated.\nThe framework created at the Working Session will promote collaboration between companies and create a shared mission to protect customer 
data and company assets.\nWhat Review model created last year Share experiences from companies that tried it Outcomes Create one page document with the statement supported by FAQ Commitment for more companies to try it Commitment to explore further integrations and collaboration workflows Who The target audience for this Working Session is:\n CISOs References Collective defence - Article 5 Previous Summit Working Session https://owaspsummit.org/Working-Sessions/CISO/AppSec-Article-5-Collective-Defence-Agreement.html\n", "summary" : "This Working Session aims to continue the work done at the last Summit on this CDC model.\nWhy In the same way that countries use NATO Collective defence - Article 5 to:\n create a unique and enduring principle that binds its members together, committing them to protect each other and setting a spirit of solidarity within the Alliance (http://www.nato.int/cps/cn/natohq/topics_110496.htm)\n companies should share information, knowledge, and resources so that malicious activities are easily detected and mitigated.", "title" : "OWASP Collective Defence Cluster (CDC) - two years on", "track" : "CISO", "type" : "working-session", "word_count" : 159, "params" : {"description":"","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":null,"participants":null,"room_id":"table-3","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUSJ7P4H","status":"review-content","title":"OWASP Collective Defence Cluster (CDC) - two years on","topics":["Owasp Project"],"track":"CISO","type":"working-session","when_day":"Tue","when_time":"DS-2"} } , { "id" : "32a7d95ec7ee1f0788373a44985d7db0", "file_path" : "tracks/CISO/third-party-due-diligence.md", "last_modified" : "2019-05-08T18:43:05+01:00", "link" : "/tracks/ciso/third-party-due-diligence/", "content_plain" : "", "summary" : "", "title" : "Third Party Due Diligence", "track" : "CISO", "type" : "user-session", "word_count" : 0, "params" : 
{"description":"Session on problem and solution discussion","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-08T18:43:05+01:00","organizers":["Didar Gelici"],"participants":[""],"room_id":null,"room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAURV0D09","status":"draft","title":"Third Party Due Diligence","topics":["CISO"],"track":"CISO","type":"user-session","when_day":"Thu","when_time":"DS-2"} } , { "id" : "f97c6ff0145e1226a3d386bc5a60dc18", "file_path" : "tracks/Children-Game-Safety/_index.md", "last_modified" : "2019-04-30T23:03:11+01:00", "link" : "/tracks/children-game-safety/", "content_plain" : "Sessions focused on making it safer children to play games online\n", "summary" : "Sessions focused on making it safer children to play games online", "title" : "Children Game Safety", "track" : null, "type" : "track", "word_count" : 11, "params" : {"description":"Sessions focused on making it safer children to play games online","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-04-30T23:03:11+01:00","organizers":["Pending"],"owasp-project":false,"session_slack":null,"title":"Children Game Safety","type":"track","when_day":"Wed,Thu"} } , { "id" : "86a55719df8001f77c5af6f5b984db62", "file_path" : "tracks/Children-Game-Safety/working-session/best-practices-for-security-of-online-platforms.md", "last_modified" : "2019-04-30T22:26:42+01:00", "link" : "/tracks/children-game-safety/working-session/best-practices-for-security-of-online-platforms/", "content_plain" : "Online gaming platforms manage large volumes of sensitive data which needs to protected and managed securely\n", "summary" : "Online gaming platforms manage large volumes of sensitive data which needs to protected and managed securely", "title" : "Best practices for the security of online Gaming platforms", "track" : "Children Game Safety", "type" : "working-session", "word_count" : 16, "params" : {"categories":null,"description":"Online gaming 
platforms manage large volumes of sensitive data which needs to protected and managed securely","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-04-30T22:26:42+01:00","organizers":"TBD","participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Best practices for the security of online Gaming platforms","track":"Children Game Safety","type":"working-session","when_day":"Wed","when_time":"AM-1"} } , { "id" : "2583549140ccc38ee16a461b762d0941", "file_path" : "tracks/Children-Game-Safety/working-session/gdpr-implications-for-online-games.md", "last_modified" : "2019-05-02T12:00:00+01:00", "link" : "/tracks/children-game-safety/working-session/gdpr-implications-for-online-games/", "content_plain" : "What are the GDPR implications for online gaming platforms? What are the platform developers responsibilities? What are the users (and parents rights?)\n", "summary" : "What are the GDPR implications for online gaming platforms? What are the platform developers responsibilities? What are the users (and parents rights?)", "title" : "GDPR Implications for Online Games (for players, parents and platform owners)", "track" : "Children Game Safety", "type" : "working-session", "word_count" : 22, "params" : {"categories":null,"description":"What are the GDPR implications for online gaming platforms? What are the platform developers responsibilities? 
What are the users (and parents rights?)","draft":false,"featured":false,"iscjklanguage":false,"lastmod":"2019-05-02T12:00:00+01:00","organizers":"TBD","participants":null,"room_id":"room-2","session_slack":null,"status":"review-content","technology":null,"title":"GDPR Implications for Online Games (for players, parents and platform owners)","track":"Children Game Safety","type":"working-session","when_day":"Wed","when_time":"PM-1"} } , { "id" : "03fc8d0948116dfb71199e693d642dfd", "file_path" : "tracks/Children-Game-Safety/working-session/how-can-owasp-and-oss-help-with-online-game-safety.md", "last_modified" : "2019-05-02T12:00:00+01:00", "link" : "/tracks/children-game-safety/working-session/how-can-owasp-and-oss-help-with-online-game-safety/", "content_plain" : " OWASP and OSS (Open Security Summit) community sit at the center of a large community that has all the players and resources required to find good solutions\nWhat for example map which OWASP projects are related to Online Game Safety (and how they can help)s work with amazing sites like https://www.getsafeonline.org/ and https://www.childline.org.uk/ ", "summary" : " OWASP and OSS (Open Security Summit) community sit at the center of a large community that has all the players and resources required to find good solutions\nWhat for example map which OWASP projects are related to Online Game Safety (and how they can help)s work with amazing sites like https://www.getsafeonline.org/ and https://www.childline.org.uk/ ", "title" : "How can OWASP and OSS help with Online Game Safety", "track" : "Children Game Safety", "type" : "working-session", "word_count" : 53, "params" : {"categories":null,"description":"OWASP and OSS (Open Security Summit) community sit at the center of a large community that has all the players and resources required to find good 
solutions","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-02T12:00:00+01:00","organizers":"TBD","participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"How can OWASP and OSS help with Online Game Safety","track":"Children Game Safety","type":"working-session","when_day":"Wed","when_time":"PM-2"} } , { "id" : "33b5cb2f5b3f07d21553dc4ebf349560", "file_path" : "tracks/Children-Game-Safety/keynote/online-game-safety-keynote.md", "last_modified" : "2019-05-01T10:23:54+01:00", "link" : "/tracks/children-game-safety/keynote/online-game-safety-keynote/", "content_plain" : " Setting the scene and direction on how to make Online Gaming Safer for Children (and how the community can help) MLi Group Chairman Khaled Fattal to deliver the keynote address and throw the gauntlet to challenge the Open security summit techie army to come up with a solution that will help make online game playing safer, especially for children.\nWith more children than ever playing games online today, and with the recent horror stories reported in the news exposing this growing threat to children, such as the tragic murder of 14 year old gamer Breck Bednar, we believe making the online game playing safer for children is not just the responsibility of parents but also the Corporate Social Responsibility of all online gaming sector players.\nFattal will also be calling on the online game sector as well as other sectors’ leaders and stakeholders that they need to do a lot more to show their seriousness and sincerity to making online game playing safer for children beyond the usual lip service CSR / PR.\nKhaled Fattal will set the stage by calling on and inspiring the summit techie geniuses to dig in, work together, and come up with a solution that can be easily used by parents, children and industry players and which can contribute to making online game playing safer, especially for children.\nFor more 
information or to support this philanthropic initiative contact Keynote speaker Khaled Fattal or summit organizer Dinis Cruz\nBy Khaled Fattal, MLi Group chairman\n", "summary" : "Setting the scene and direction on how to make Online Gaming Safer for Children (and how the community can help) MLi Group Chairman Khaled Fattal to deliver the keynote address and throw the gauntlet to challenge the Open security summit techie army to come up with a solution that will help make online game playing safer, especially for children.\nWith more children than ever playing games online today, and with the recent horror stories reported in the news exposing this growing threat to children, such as the tragic murder of 14 year old gamer Breck Bednar, we believe making the online game playing safer for children is not just the responsibility of parents but also the Corporate Social Responsibility of all online gaming sector players.", "title" : "Making Online Gaming Safer for Children", "track" : "Children Game Safety", "type" : "working-session", "word_count" : 248, "params" : {"categories":null,"description":"Setting the scene and direction on how to make Online Gaming Safer for Children (and how the community can help)","draft":false,"featured":false,"iscjklanguage":false,"lastmod":"2019-05-01T10:23:54+01:00","organizers":"Khaled Fattal","participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Making Online Gaming Safer for Children","track":"Children Game Safety","type":"working-session","when_day":"Wed","when_time":"DS-1"} } , { "id" : "bf7e66c78240df3f9032e9b82a2146e7", "file_path" : "tracks/Children-Game-Safety/working-session/maturity-model-for-online-game-safety.md", "last_modified" : "2019-05-02T12:00:00+01:00", "link" : "/tracks/children-game-safety/working-session/maturity-model-for-online-game-safety/", "content_plain" : "Use the Maturity Model created by the Owasp SAMM project to create a first 
pass a stardard way to measure the Safety of Online Games\n", "summary" : "Use the Maturity Model created by the Owasp SAMM project to create a first pass a stardard way to measure the Safety of Online Games", "title" : "Maturity Model for Online Game Safety (based on SAMM)", "track" : "Children Game Safety", "type" : "working-session", "word_count" : 25, "params" : {"categories":null,"description":"Use the Maturity Model created by the Owasp SAMM project to create a first pass a stardard way to measure the Safety of Online Games","draft":false,"featured":false,"iscjklanguage":false,"lastmod":"2019-05-02T12:00:00+01:00","organizers":"TBD","participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Maturity Model for Online Game Safety (based on SAMM)","track":"Children Game Safety","type":"working-session","when_day":"Wed","when_time":"PM-3"} } , { "id" : "802ac11fec9ad97f85751476f2656732", "file_path" : "tracks/Children-Game-Safety/working-session/online-game-safety-round-table.md", "last_modified" : "2019-05-02T12:00:00+01:00", "link" : "/tracks/children-game-safety/working-session/online-game-safety-round-table/", "content_plain" : "Round table by multiple industry experts and players on how to improve the current state of Online Game Safety\n", "summary" : "Round table by multiple industry experts and players on how to improve the current state of Online Game Safety", "title" : "Online Game Safety - Round Table", "track" : "Children Game Safety", "type" : "working-session", "word_count" : 19, "params" : {"categories":null,"description":"Round table by multiple industry experts and players on how to improve the current state of Online Game Safety","draft":false,"featured":false,"iscjklanguage":false,"lastmod":"2019-05-02T12:00:00+01:00","organizers":"TBD","participants":null,"room_id":"room-2","session_slack":null,"status":"review-content","technology":null,"title":"Online Game Safety - Round 
Table","track":"Children Game Safety","type":"working-session","when_day":"Thu","when_time":"PM-2"} } , { "id" : "12efb7418b13b04ea532c57128bc11a4", "file_path" : "tracks/Children-Game-Safety/user-session/risk-dashboard-for-online-game-safety.md", "last_modified" : "2019-04-30T22:26:42+01:00", "link" : "/tracks/children-game-safety/user-session/risk-dashboard-for-online-game-safety/", "content_plain" : "Creation of a Risk Dashboard for the multiple areas of Online Gaming Safety (from the games, to the online platforms, to the users)\n", "summary" : "Creation of a Risk Dashboard for the multiple areas of Online Gaming Safety (from the games, to the online platforms, to the users)", "title" : "Risk Dashboard - Online Gaming Safety", "track" : "Children Game Safety", "type" : "user-session", "word_count" : 23, "params" : {"description":"Creation of a Risk Dashboard for the multiple areas of Online Gaming Safety (from the games, to the online platforms, to the users)","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-04-30T22:26:42+01:00","organizers":"TBD","participants":null,"room_id":"room-2","session_slack":null,"status":"draft","title":"Risk Dashboard - Online Gaming Safety","topics":null,"track":"Children Game Safety","type":"user-session","when_day":"Thu","when_time":"PM-1"} } , { "id" : "244b786bb2bd235fb9f486891e45d635", "file_path" : "tracks/Children-Game-Safety/user-session/online-game-safety-wardley-map.md", "last_modified" : "2019-05-02T12:00:00+01:00", "link" : "/tracks/children-game-safety/user-session/online-game-safety-wardley-map/", "content_plain" : "User session to create several Wardley Maps for the Gaming industry (and its past, present and future)\n", "summary" : "User session to create several Wardley Maps for the Gaming industry (and its past, present and future)", "title" : "Wardley Map - Online Game Safety", "track" : "Children Game Safety", "type" : "user-session", "word_count" : 17, "params" : 
{"categories":null,"description":"User session to create several Wardley Maps for the Gaming industry (and its past, present and future)","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-02T12:00:00+01:00","organizers":"TBD","participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Wardley Map - Online Game Safety","track":"Children Game Safety","type":"user-session","when_day":"Thu","when_time":"AM-1"} } , { "id" : "a7c410ade1dcf3f83a00add10f82b9d0", "file_path" : "tracks/Cyber-Insurance/_index.md", "last_modified" : "2019-05-05T14:53:36+01:00", "link" : "/tracks/cyber-insurance/", "content_plain" : " Sessions focused on Cyber Insurance\nOrganiser needed for this track If you can help, please send your changes as PR (Pull Requests) or ask for help at the #oss-helpdesk Slack Channel\nReferences Data from last year\u0026rsquo; Working session on Cyber Insurance\n Working Session: https://2018.open-security-summit.org/tracks/ciso/working-sessions/cyber-insurance/ … Outcomes: https://2018.open-security-summit.org/outcomes/tracks/ciso/working-sessions/cyber-insurance/ … Presentation: https://www.slideshare.net/opensecsummit/cyber-insurance-102132613 …\n There was also a session on \u0026lsquo;Cyber Risk Modeling\u0026rsquo; https://2018.open-security-summit.org/tracks/ciso/working-sessions/cyber-risk-modeling/\n Twitter threads:\n https://twitter.com/DinisCruz/status/1125033311141806086 ", "summary" : "Sessions focused on Cyber Insurance\nOrganiser needed for this track If you can help, please send your changes as PR (Pull Requests) or ask for help at the #oss-helpdesk Slack Channel\nReferences Data from last year\u0026rsquo; Working session on Cyber Insurance\n Working Session: https://2018.open-security-summit.org/tracks/ciso/working-sessions/cyber-insurance/ … Outcomes: https://2018.open-security-summit.org/outcomes/tracks/ciso/working-sessions/cyber-insurance/ … 
Presentation: https://www.slideshare.net/opensecsummit/cyber-insurance-102132613 …\n There was also a session on \u0026lsquo;Cyber Risk Modeling\u0026rsquo; https://2018.open-security-summit.org/tracks/ciso/working-sessions/cyber-risk-modeling/\n Twitter threads:\n https://twitter.", "title" : "Cyber Insurance", "track" : null, "type" : "track", "word_count" : 64, "params" : {"description":"Sessions focused on Cyber Insurance","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-05T14:53:36+01:00","organizers":["Pending"],"owasp-project":false,"session_slack":null,"title":"Cyber Insurance","type":"track","when_day":"Wed,Thu"} } , { "id" : "71afdf290cfe509bf8f47a76e48c97ac", "file_path" : "tracks/Cyber-Insurance/working-session/cyber-insurance.md", "last_modified" : "2019-05-08T08:35:34+01:00", "link" : "/tracks/cyber-insurance/working-session/cyber-insurance/", "content_plain" : " According to industry veteran and Chief of Security Strategy at SentinelOne, Jeremiah Grossman, the security industry must change. Today, the security industry is one of very few businesses that does not offer any guarantees or warranties. As a result, almost one third of all U.S. companies have some kind of cyber insurance coverage and PWC estimates that the market for cyber insurance will grow to $7.5 billion by 2020.\nWhy According to Grossman, companies spend $3.8 billion annually on traditional security equipment like AV, firewalls, and intrusion detection, but they also spend $3.2 billion on cyber insurance. This means that a lot of companies opt to spend their money on insurance when they get hit with a breach. But looking at the numbers from some of the biggest incidents, we can conclude that companies are not buying enough cyber insurance:\n Target breach cost the retailer $248 million, but the insurance company only paid out $90 million. Home Depot lost $43 million on its breach, with an insurance payout of about $15 million. 
Anthem, which experienced a major breach in February 2015, now has a policy in excess of $150 million This Working Session will focus on how well the cyber insurance market is working, and how cost-effective it is.\nWhat Common cyber insurance terms and coverage How insurance companies measure risk Should insurance companies lead the need for common standards and labels? Should governments provide/buy cyber insurance for its citizens and companies? How can organizations like OWASP work with insurance companies? Outcomes Study of common cyber insurance coverage Content Analysis of Cyber Insurance Policies: How do carriers write policies and price cyber risk? https://custom.cvent.com/C674EF8FB0604BC9BF9B668FCA89DFEB/files/event/2FCD5F30B42F4C9CA06E17CF90A33A4C/2b17224650b04acfa1182127e09b3d37.pdf\nHow COULD insurance companies measure risk? There are a number of different, broad categories: - Events (botnet infections, evidence of spam/scanning/malware hosting) - Diligence (exposed services, how they are configured, etc.) - User behavior - Some endpoint data points\nGenerally speaking, all the security signals coming out of a company are roughly correlated. If a company is generally bad with their diligence, they also will have problems with botnet infections, user behavior and so on. This is intuitive since a company who does not prioritize security will probably have a similar commitment to certificate management as they do to patching and monitoring. The converse is also true; if a company is doing well in some areas it is probably doing well in others. The impact of application security in the equation has not been studied sufficiently, but is expected to fit into the correlation model.\nOnce studied, the Loss Exceedance Curves can answer the question of “How likely is it that my losses will exceed a specific amount?” and will generally talk about probability in terms of “return years” which is an intuitive way to talk about probability. 
For example a 1 in 50 year event (written as 50 return years) is just 1\u0026frasl;50 or 2% chance.\nHow DO insurance companies measure risk? The majority of the insurance companies are not using all the tools available to \u0026ldquo;measure\u0026rdquo; risk, and continue to make decisions on fairly subjective formulations. In this way, the insurance industry is similar to how risk is measured in majority of the organizations (high/medium/low = based on how I am \u0026ldquo;feeling\u0026rdquo; at any moment). The underwriter makes the risk assessment call and will either reject the applicant or tailor the policy to their perceived level of risk.\nThere are three primary underwriting methodologies:\nSelective Underwriting - Long application forms - Warranty app wording - Highly detailed review of Customer’s IT Systems - Narrow number of applicants qualify - Quotes manage risk by limiting the policy offerings: limits, deductibles, coverage based on Underwriting appetite of domicile, industry, size of risk, and app info\nCollateral Customer Underwriting - Add Cyber extensions to the customer’s current policy - Additional premium is calculated as percent of policy premium\nThe Law of Large Numbers Underwriting - Premise is based on Macro data number of potential businesses creating a large pool of insureds \u0026amp; predictability - 85m possible insured entities vs. 250,000 (est.) cyber incidents - Remove barriers of purchase: - Simple application - Broad coverage rating based on domicile, industry, revenue and number of employees - Streamlined claims process \u0026amp; payment (focused on cyber time vs. natural time)\nCyber Insurance Trends Worth Watching Insurance companies realized that the handling of a cyber event can have a significant impact on the total amount of the claim. Therefore, many companies are working to develop Cyber Incident Response services that come bundled with the policies. 
This way, once an incident takes place, insurance companies can help to minimize the payouts by making sure events are handled appropriately and with all the necessary due process.\nWho The target audience for this Working Session is:\n Insurance Companies CISO Working materials Here are the current \u0026lsquo;work in progress\u0026rsquo; materials for this session (please add as much information as possible before the sessions): - draft document about cyber insurance\nContent Cyber security ratings for companies Previous Summit Working Session https://owaspsummit.org/Working-Sessions/CISO/Cyber-Insurance.html\n", "summary" : "According to industry veteran and Chief of Security Strategy at SentinelOne, Jeremiah Grossman, the security industry must change. Today, the security industry is one of very few businesses that does not offer any guarantees or warranties. As a result, almost one third of all U.S. companies have some kind of cyber insurance coverage and PWC estimates that the market for cyber insurance will grow to $7.5 billion by 2020.", "title" : "Cyber Insurance", "track" : "Cyber Insurance", "type" : "working-session", "word_count" : 835, "params" : {"categories":["CISO"],"description":"Session on Cyber Insurance","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-08T08:35:34+01:00","organizers":["Yvette Connor"],"room_id":"room-2","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAV65AXGU","status":"review-content","title":"Cyber Insurance","topics":["CISO"],"track":"Cyber Insurance","type":"working-session","when_day":"Tue","when_time":"PM-2"} } , { "id" : "8f98fe94aceeef0609536463b5601bdd", "file_path" : "tracks/Cyber-Insurance/working-session/online-game-safety-round-table.md", "last_modified" : "2019-05-02T12:00:00+01:00", "link" : "/tracks/cyber-insurance/working-session/online-game-safety-round-table/", "content_plain" : "Round table by multiple industry experts and players on how to improve the current 
state of Cyber Insurance\n", "summary" : "Round table by multiple industry experts and players on how to improve the current state of Cyber Insurance", "title" : "Cyber Insurance - Round Table", "track" : "Cyber Insurance", "type" : "working-session", "word_count" : 18, "params" : {"categories":null,"description":"Round table by multiple industry experts and players on how to improve the current state of Cyber Insurance","draft":false,"featured":false,"iscjklanguage":false,"lastmod":"2019-05-02T12:00:00+01:00","organizers":"TBD","participants":null,"room_id":"room-2","session_slack":null,"status":"review-content","technology":null,"title":"Cyber Insurance - Round Table","track":"Cyber Insurance","type":"working-session","when_day":"Thu","when_time":"PM-2"} } , { "id" : "7e07f8c824315de63e8fe8d355af410b", "file_path" : "tracks/Cyber-Insurance/working-session/how-can-owasp-and-oss-help-with-online-game-safety.md", "last_modified" : "2019-05-02T12:00:00+01:00", "link" : "/tracks/cyber-insurance/working-session/how-can-owasp-and-oss-help-with-online-game-safety/", "content_plain" : "OWASP and OSS (Open Security Summit) community sit at the center of a large community that has all the players and resources required to find good solutions\n", "summary" : "OWASP and OSS (Open Security Summit) community sit at the center of a large community that has all the players and resources required to find good solutions", "title" : "How can OWASP and OSS help with Cyber Insurance", "track" : "Cyber Insurance", "type" : "working-session", "word_count" : 27, "params" : {"categories":null,"description":"OWASP and OSS (Open Security Summit) community sit at the center of a large community that has all the players and resources required to find good 
solutions","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-02T12:00:00+01:00","organizers":"TBD","participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"How can OWASP and OSS help with Cyber Insurance","track":"Cyber Insurance","type":"working-session","when_day":"Wed","when_time":"PM-2"} } , { "id" : "ba51b233d9a1a198f3986a05807eaa6e", "file_path" : "tracks/Cyber-Insurance/working-session/maturity-model-for-cyber-insurance.md", "last_modified" : "2019-05-02T12:00:00+01:00", "link" : "/tracks/cyber-insurance/working-session/maturity-model-for-cyber-insurance/", "content_plain" : "Use the Maturity Model created by the Owasp SAMM project to create a first pass a standard way to review Cyber Insurance\n", "summary" : "Use the Maturity Model created by the Owasp SAMM project to create a first pass a standard way to review Cyber Insurance", "title" : "Maturity Model for Cyber Insurance", "track" : "Cyber Insurance", "type" : "working-session", "word_count" : 22, "params" : {"categories":null,"description":"Use the Maturity Model created by the Owasp SAMM project to create a first pass a standard way to review Cyber Insurance","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-02T12:00:00+01:00","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Maturity Model for Cyber Insurance","track":"Cyber Insurance","type":"working-session","when_day":"Wed","when_time":"PM-3"} } , { "id" : "9b928c09c1711523add502c406b88557", "file_path" : "tracks/Cyber-Insurance/user-session/risk-dashboard-for-online-game-safety.md", "last_modified" : "2019-05-02T12:00:00+01:00", "link" : "/tracks/cyber-insurance/user-session/risk-dashboard-for-online-game-safety/", "content_plain" : "Creation of a Risk Dashboard for the multiple areas of Cyber Insurance\n", "summary" : "Creation of a Risk 
Dashboard for the multiple areas of Cyber Insurance", "title" : "Risk Dashboard - Cyber Insurance", "track" : "Cyber Insurance", "type" : "user-session", "word_count" : 12, "params" : {"description":"Creation of a Risk Dashboard for the multiple areas of Cyber Insurance","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-02T12:00:00+01:00","organizers":"TBD","participants":null,"room_id":"room-2","session_slack":null,"status":"draft","title":"Risk Dashboard - Cyber Insurance","topics":null,"track":"Cyber Insurance","type":"user-session","when_day":"Thu","when_time":"PM-1"} } , { "id" : "e1a135709daf9fc3f946762340723b3d", "file_path" : "tracks/Cyber-Insurance/user-session/online-game-safety-wardley-map.md", "last_modified" : "2019-05-02T12:00:00+01:00", "link" : "/tracks/cyber-insurance/user-session/online-game-safety-wardley-map/", "content_plain" : "User session to create several Wardley Maps for the Cyber Insurance industry (and its past, present and future)\n", "summary" : "User session to create several Wardley Maps for the Cyber Insurance industry (and its past, present and future)", "title" : "Wardley Map - Cyber Insurance", "track" : "Cyber Insurance", "type" : "user-session", "word_count" : 18, "params" : {"categories":null,"description":"User session to create several Wardley Maps for the Cyber Insurance industry (and its past, present and future)","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-02T12:00:00+01:00","organizers":"TBD","participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Wardley Map - Cyber Insurance","track":"Cyber Insurance","type":"user-session","when_day":"Thu","when_time":"AM-1"} } , { "id" : "0ed68c5c3ec2df11aebb7bf48316ae3f", "file_path" : "tracks/Cynefin-Framework/_index.md", "last_modified" : "2019-05-08T08:56:32+01:00", "link" : "/tracks/cynefin-framework/", "content_plain" : "Sessions focusing on the use of Wardley 
Maps in Security\n", "summary" : "Sessions focusing on the use of Wardley Maps in Security", "title" : "Cynefin Framework", "track" : null, "type" : "track", "word_count" : 10, "params" : {"description":"Sessions focusing on the use of Cynefin-Framework in Security","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-08T08:56:32+01:00","organizers":["Pending"],"owasp-project":false,"session_slack":null,"title":"Cynefin Framework","type":"track","when_day":"Mon,Tue,Wed"} } , { "id" : "e6be0d5de52ce848a03adbf44bdcefb0", "file_path" : "tracks/Cynefin-Framework/training-sessions/hands-on-cynefin-framework-creation.md", "last_modified" : "2019-05-08T09:01:28+01:00", "link" : "/tracks/cynefin-framework/training-sessions/hands-on-cynefin-framework-creation/", "content_plain" : "", "summary" : "", "title" : "Hands-on Cynefin Framework creation (Training Session)", "track" : "Cynefin Framework", "type" : "working-session", "word_count" : 0, "params" : {"description":"Want to know more about Cynefin Framework? 
This training session will give you hands-on experience in creating maps for multiple scenarios","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-08T09:01:28+01:00","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"Hands-on Cynefin Framework creation (Training Session)","topics":null,"track":"Cynefin Framework","type":"working-session","when_day":"Mon","when_time":"PM-3"} } , { "id" : "d1dfaaa7d752dae18257456e2f4ef765", "file_path" : "tracks/Cynefin-Framework/training-sessions/introduction-to-cynefin-framework.md", "last_modified" : "2019-05-08T09:01:28+01:00", "link" : "/tracks/cynefin-framework/training-sessions/introduction-to-cynefin-framework/", "content_plain" : "", "summary" : "", "title" : "Introduction to Cynefin Framework (Training Session)", "track" : "Cynefin Framework", "type" : "working-session", "word_count" : 0, "params" : {"description":"New to Cynefin Framework? 
This session is for you","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-08T09:01:28+01:00","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"Introduction to Cynefin Framework (Training Session)","topics":null,"track":"Cynefin Framework","type":"working-session","when_day":"Mon","when_time":"PM-1"} } , { "id" : "8b89bf8c9b763d114c15f643ae7ad70c", "file_path" : "tracks/Cynefin-Framework/working-sessions/using-cynefin-framework-for-security.md", "last_modified" : "2019-05-08T09:01:28+01:00", "link" : "/tracks/cynefin-framework/working-sessions/using-cynefin-framework-for-security/", "content_plain" : "", "summary" : "", "title" : "Using Cynefin Framework for Security", "track" : "Cynefin Framework", "type" : "working-session", "word_count" : 0, "params" : {"description":"Session on how to use the Cynefin Framework in the Security Domain","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-08T09:01:28+01:00","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"Using Cynefin Framework for Security","topics":null,"track":"Cynefin Framework","type":"working-session","when_day":"Wed","when_time":"PM-1"} } , { "id" : "b74fdab29ff4378f76d8c4ec7e61921f", "file_path" : "tracks/Cynefin-Framework/working-sessions/using-cynefin-framework-for-weak-signal-detection.md", "last_modified" : "2019-05-08T09:01:28+01:00", "link" : "/tracks/cynefin-framework/working-sessions/using-cynefin-framework-for-weak-signal-detection/", "content_plain" : "", "summary" : "", "title" : "Using Cynefin Framework for Weak Signal Detection", "track" : "Cynefin Framework", "type" : "working-session", "word_count" : 0, "params" : {"description":"Session on how to use the Cynefin Framework for Weak Signal 
Detection","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-08T09:01:28+01:00","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"Using Cynefin Framework for Weak Signal Detection","topics":null,"track":"Cynefin Framework","type":"working-session","when_day":"Wed","when_time":"PM-2"} } , { "id" : "4c9c1700e365a7d5c0bc6e68304078a2", "file_path" : "tracks/Cynefin-Framework/working-sessions/using-cynefin-framework-for-making-strategic-security-decisions.md", "last_modified" : "2019-05-08T09:01:28+01:00", "link" : "/tracks/cynefin-framework/working-sessions/using-cynefin-framework-for-making-strategic-security-decisions/", "content_plain" : "", "summary" : "", "title" : "Using Cynefin Framework making strategic security decisions", "track" : "Cynefin Framework", "type" : "working-session", "word_count" : 0, "params" : {"description":"Session on how to use Cynefin Framework making strategic security decisions","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-08T09:01:28+01:00","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"Using Cynefin Framework making strategic security decisions","topics":null,"track":"Cynefin Framework","type":"working-session","when_day":"Wed","when_time":"AM-1"} } , { "id" : "162e143d81bc6a99c8bb388e3a31243e", "file_path" : "tracks/DevSecOps/_index.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/devsecops/", "content_plain" : "This track is focused on the DevSecOps tools and techniques to embed security as part of CI/CD pipelines.\n", "summary" : "This track is focused on the DevSecOps tools and techniques to embed security as part of CI/CD pipelines.", "title" : "DevSecOps", "track" : null, "type" : "track", "word_count" : 18, "params" : {"description":"Sessions focusing on the DevSecOps tools and techniques to 
embed security as part of CI/CD pipelines","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Imran Mohammed A","Francois Raynaud"],"owasp-project":false,"session_slack":"https://os-summit.slack.com/messages/CAVDNF1NE","title":"DevSecOps","type":"track","when_day":"Wed,Thu","when_time":null} } , { "id" : "bf605faa6f0765dd6302d0f57dc8ed50", "file_path" : "tracks/DevSecOps/working-sessions/agile-practices-for-security-teams.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/devsecops/working-sessions/agile-practices-for-security-teams/", "content_plain" : " Until recently, cyber security was often considered as “nice to have” in the software development lifecycle. However, due to several data breaches that hit the headlines, more and more dev teams are now starting to incorporate security practices in their processes. Considering how agile methodologies benefit the development lifecycle, security should be approached in the same, or a similar, way.\nWhy Agile practices have been around for quite some time now and a lot of organisations incorporate Agile practices into their daily operations. This working session will discuss how security teams can utilise these Agile practices to improve their position and make their operational side more productive. 
Early delivery, a synonym of Agile, is one of the biggest challenges for info-sec, but using some Agile practices could enable security teams to integrate more effectively within their organisations.\nWhat Agile and its practices Security adoption of Agile Architecting security for early delivery Situational awareness in Agile environments Optimising Agile SDLC security Outcomes A Draft List of Agile Security Practices\nSynopsis and Takeaways The following categories highlight some of the key activities of an agile security team:\nEducation - Define and deliver security training programmes\nCommunication - Security team to be visible, present at standups, available - Connect dev to production - Empower security champions\nStandardisation and Compliance - Own strong guidelines, e.g. data classification, regulatory, compliance - Two tier security standards? mandatory, depend on risk/sensitivity etc - Library of standard stories\nSupport - Technical support - Help create security user stories, personas, anti-personas, patterns - Culture of \u0026ldquo;security is not to say no, but to help\u0026rdquo; - Testing - Automation is needed for CI/CD e.g. 
tool to track 3rd party licenses - \u0026ldquo;Development enablement tribe\u0026rdquo;\nGovernance/Control - Project initiation touch point to define \u0026ldquo;gates\u0026rdquo; - Prioritisation of involvement based on risk assessment, lifecycle stage - Define \u0026ldquo;done\u0026rdquo; - 3rd party maturity assessment - Internal compliance checks - Centralised tracking in primary colours - Security team KPIs - Security organisation has to be separate from development - Monetary value on risks helps prioritisation - Risk acceptance/escalation process\nEngineering - Bring in shared security solutions such as WAF- engineering effort\nPractices - Perhaps agile not applicable, more lean/kanban - View security as functions, not people - resourcing can change but functions don\u0026rsquo;t - Don\u0026rsquo;t be a blocker to agile, e.g. in operational approvals - \u0026ldquo;Security team as a service\u0026rdquo; - Struggle to manage BAU and hence forecasting: separate functions - Need visibility of project portfolio - Separation of duty can be a constraint\nWho The target audience for this Working Session is:\n Developers Security professionals DevSecOps Security champions Working materials Here are the current \u0026lsquo;work in progress\u0026rsquo; materials for this session (please add as much information as possible before the sessions):\nOWASP Proactive Controls\nPrevious Summit Working Session https://owaspsummit.org/Working-Sessions/Agile-AppSec/Agile-Practices-for-Security-Teams.html\n", "summary" : "Until recently, cyber security was often considered as “nice to have” in the software development lifecycle. However, due to several data breaches that hit the headlines, more and more dev teams are now starting to incorporate security practices in their processes. 
Considering how agile methodologies benefit the development lifecycle, security should be approached in the same, or a similar, way.\nWhy Agile practices have been around for quite some time now and a lot of organisations incorporate Agile practices into their daily operations.", "title" : "Agile Practices for Security Teams", "track" : "DevSecOps", "type" : "working-session", "word_count" : 466, "params" : {"description":"Agile Practices for Security Teams","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":"Ante Gulam","participants":null,"room_id":"room-3","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAU62737S","status":"done","title":"Agile Practices for Security Teams","topics":["Agile"],"track":"DevSecOps","type":"working-session","when_day":"Tue","when_time":"PM-1"} } , { "id" : "df5f6473bf00925aa42f60af27c32e76", "file_path" : "tracks/DevSecOps/user-sessions/create-a-slack-bot-in-python.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/devsecops/user-sessions/create-a-slack-bot-in-python/", "content_plain" : "Hands on session to show participants how to create a Slack bot in Python\n", "summary" : "Hands on session to show participants how to create a Slack bot in Python", "title" : "Create a Slack bot in Python", "track" : "DevSecOps", "type" : "user-session", "word_count" : 14, "params" : {"description":"Hands on session to show participants how to create a Slack bot in Python","draft":false,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","locked":true,"organizers":["PhotoBox-GS"],"participants":null,"room_id":"villa-2","session_slack":"https://os-summit.slack.com/messages/CAVHKD1TP","status":"review-content","title":"Create a Slack bot in Python","topics":null,"track":"DevSecOps","type":"user-session","when_day":"Mon","when_time":"Eve-1,Eve-2"} } , { "id" : "088dd30177d090205fb4e7d4a382e04d", "file_path" : 
"tracks/DevSecOps/working-sessions/security-champions.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/devsecops/working-sessions/security-champions/", "content_plain" : " Security Champions are a key element of any AppSec team, since they create a cross-functional team focused on Application Security.\nWhat is a Security Champion?\n Security Champions are active members of a team that may help to make decisions about when to engage the Security Team Security Champions act as the \u0026ldquo;voice\u0026rdquo; of security for the given product or team Security Champions assist in the triage of security bugs for their team or area (see definition here)\nWhy The main purpose of this working session is to discuss the role of Security Champions within organizations, and how Security Champions\u0026rsquo; skills can best be utilized across organizations. The session will also discuss the need for a better definition of the role of Security Champion.\nWhat How to define Security Champions\u0026rsquo; roles, responsibilities, and OKR How to create a network of Security Champions Forum for Security Champions to share their experiences The importance of being supported by the corporate Security Policy How to \u0026lsquo;create\u0026rsquo; Security Champions? How to reward Security Champions? Do Security Champions have a path into Application Security profession? Is being a Security Champion worth including in your LinkedIn profile? What is the Security Champion\u0026rsquo;s role in Threat Modelling? 
Outcomes Agreed definition of security champions\u0026rsquo; roles, responsibilities, and OKR Agreed structure to help companies create networks of security champions Creation of a forum for security champions Who The target audience for this Working Session is:\n Security Champions CISOs Developers References https://www.owasp.org/index.php/Security_Champions https://www.linkedin.com/pulse/do-you-have-security-champions-your-company-robert-hurlbut https://www.brighttalk.com/webcast/5418/165801/creating-a-network-of-security-champions-at-diageo https://securingthehuman.sans.org/blog/2015/01/19/creating-a-security-champions-network http://blog.diniscruz.com/2016/10/if-you-dont-have-security-champion-get.html http://blog.diniscruz.com/2015/01/does-your-team-has-security-champion-if.html Previous Summit Working Session https://owaspsummit.org/Working-Sessions/Agile-AppSec/Security-Champions.html\n", "summary" : "Security Champions are a key element of any AppSec team, since they create a cross-functional team focused on Application Security.\nWhat is a Security Champion?\n Security Champions are active members of a team that may help to make decisions about when to engage the Security Team Security Champions act as the \u0026ldquo;voice\u0026rdquo; of security for the given product or team Security Champions assist in the triage of security bugs for their team or area (see definition here)", "title" : "Creating a Security Champions network", "track" : "DevSecOps", "type" : "working-session", "word_count" : 251, "params" : {"description":"","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":null,"participants":["Arne Zismer"],"room_id":null,"room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWE8J5JB","status":"review-content","title":"Creating a Security Champions network","topics":["Security Champions"],"track":"DevSecOps","type":"working-session","when_day":null,"when_time":null} } , { "id" : 
"17aea82629fdfe6925493b209b33c675", "file_path" : "tracks/DevSecOps/working-sessions/devsecops-maturity-model.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/devsecops/working-sessions/devsecops-maturity-model/", "content_plain" : "Start with this http://gdosmm-translation.timo-pagel.de/\n", "summary" : "Start with this http://gdosmm-translation.timo-pagel.de/", "title" : "DevSecOps Maturity Model (DSOMM)", "track" : "DevSecOps", "type" : "working-session", "word_count" : 4, "params" : {"categories":null,"description":"DevSecOps Maturity Model (DSOMM)","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Francois Raynaud","Puneet Thapliyal","Imran Mohammed A","Paul Dubourg","Timo Pagel"],"participants":["Mario Platt"],"room_id":"room-5","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUS9V0CR","status":"review-content","technology":null,"title":"DevSecOps Maturity Model (DSOMM)","topics":["DevSecOps"],"track":"DevSecOps","type":"working-session","when_day":"Tue","when_time":"PM-1,PM-2,PM-3"} } , { "id" : "97b207a5c5ae99879dae3034d9f0f510", "file_path" : "tracks/DevSecOps/working-sessions/threat-modeling-to-devsecops.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/devsecops/working-sessions/threat-modeling-to-devsecops/", "content_plain" : " Why What Content Outcomes Who The target audience for this Working Session is: - Developers - Security professionals - DevSecOps - Security champions\nReferences ", "summary" : " Why What Content Outcomes Who The target audience for this Working Session is: - Developers - Security professionals - DevSecOps - Security champions\nReferences ", "title" : "From Threat Modeling to DevSecOps metrics", "track" : "DevSecOps", "type" : "working-session", "word_count" : 24, "params" : {"categories":null,"draft":false,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Imran Mohammed A","Francois 
Raynaud"],"room_id":"room-5","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVDU1W4S","status":"done","technology":null,"title":"From Threat Modeling to DevSecOps metrics","topics":["Visualisation"],"track":"DevSecOps","type":"working-session","when_day":"Thu","when_time":"PM-1"} } , { "id" : "2b3a104846d0021ba689ffe267cf5960", "file_path" : "tracks/DevSecOps/working-sessions/securing-the-ci-pipeline.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/devsecops/working-sessions/securing-the-ci-pipeline/", "content_plain" : " Why This Working Session will consider the securing of the CI Pipeline - A key element of DevOps.\nDoing CI builds, testing, and deployments have many advantages when done correctly. Using libraries from 3rd parties in your build can be on compromised servers. Even signing your packages or artifacts automatically could result in you delivering compromised software to others.\nWhat Identify best practice for DevOps and Developers Agree what to include in a cheat sheet for developers who use third party services Agree recommendations for 3rd party service providers (for example, provide warning messages of possible insecurities) Outcomes This Working Session will publish:\n A set of practices for DevOps and Developers Cheat sheet for developers who use third party services Recommendations for 3rd party service providers Who DevSecOps 3rd party service providers: Travis, SNYK, Codiscope, Gitlab, Node Security, \u0026hellip;. Security professionals Developers References How to Secure a Continuous Integration Process DEF CON 22 - Kyle Kelley and Greg Anderson - Is This Your Pipe? 
Hijacking the Build Pipeline Previous Summit Working Session https://owaspsummit.org/Working-Sessions/DevSecOps/Securing-the-CI-Pipeline.html\n", "summary" : "Why This Working Session will consider the securing of the CI Pipeline - A key element of DevOps.\nDoing CI builds, testing, and deployments have many advantages when done correctly. Using libraries from 3rd parties in your build can be on compromised servers. Even signing your packages or artifacts automatically could result in you delivering compromised software to others.\nWhat Identify best practice for DevOps and Developers Agree what to include in a cheat sheet for developers who use third party services Agree recommendations for 3rd party service providers (for example, provide warning messages of possible insecurities) Outcomes This Working Session will publish:", "title" : "Securing the CI Pipeline", "track" : "DevSecOps", "type" : "working-session", "word_count" : 173, "params" : {"categories":null,"description":"Secure the CI/CD pipeline","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Imran Mohammed A","Francois Raynaud"],"participants":["Arne Zismer","Franziska Buehler"],"room_id":"room-5","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUNFBMAL","status":"review-content","technology":null,"title":"Securing the CI Pipeline","topics":["CI Pipeline"],"track":"DevSecOps","type":"working-session","when_day":"Thu","when_time":"PM-2,PM-3"} } , { "id" : "93231c376c2793b42eaefcc1f4c0a828", "file_path" : "tracks/DevSecOps/user-sessions/share-your-playbooks-and-release-them-under-cc.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/devsecops/user-sessions/share-your-playbooks-and-release-them-under-cc/", "content_plain" : "Session to consolidate and publish anonymised real-world playbooks (provided by Summit participants)\n", "summary" : "Session to consolidate and publish anonymised real-world playbooks (provided by 
Summit participants)", "title" : "Share your playbooks and release them under Creative Commons", "track" : "DevSecOps", "type" : "working-session", "word_count" : 12, "params" : {"description":"Session to consolidate and publish anonymised real-world playbooks","draft":false,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Ann-Marie Grace"],"participants":["Ante Gulam","Neil Barlow","Kevin Fielder","Wayne Moore","Mark Regensberg"],"room_id":"table-4","session_slack":"https://os-summit.slack.com/messages/CAVHKD1TP","status":"draft","technology":null,"title":"Share your playbooks and release them under Creative Commons","topics":["Security Playbooks"],"track":"DevSecOps","type":"working-session","when_day":"Tue","when_time":"DS-3"} } , { "id" : "f790432df99915a7e849cbad8c7698ab", "file_path" : "tracks/DevSecOps/user-sessions/writing-security-tests-to-confirm-vulnerabilities-and-fixes.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/devsecops/user-sessions/writing-security-tests-to-confirm-vulnerabilities-and-fixes/", "content_plain" : "Hands on session writing security tests\nSee previous summit session on this topic\n", "summary" : "Hands on session writing security tests\nSee previous summit session on this topic", "title" : "Writing security tests to confirm vulnerabilities and fixes", "track" : "DevSecOps", "type" : "user-session", "word_count" : 13, "params" : {"description":"Hands on session writing security tests","draft":false,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Sotiraki Sima"],"participants":["Stephen Hookings","John Killilea","Arne Zismer"],"room_id":"room-6","session_slack":"https://os-summit.slack.com/messages/CAVHKD1TP","status":"draft","technology":null,"title":"Writing security tests to confirm vulnerabilities and fixes","topics":null,"track":"DevSecOps","type":"user-session","when_day":"Thu","when_time":"PM-1"} } , { "id" : "848fa4b8dce446b58116653d982c063d", "file_path" : 
"tracks/Machine Learning/_index.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/machine-learning/", "content_plain" : "This track is focused on Machine Learning\n", "summary" : "This track is focused on Machine Learning", "title" : "Machine Learning", "track" : null, "type" : "track", "word_count" : 7, "params" : {"description":"Sessions focusing on Machine Learning","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Pending"],"owasp-project":false,"session_slack":"https://os-summit.slack.com/messages/CAUNNK1S4","title":"Machine Learning","type":"track","when_day":"Wed,Thu"} } , { "id" : "e7e87d5eb8280bed37208bc093b41931", "file_path" : "tracks/Machine Learning/securing-ml-workflows.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/machine-learning/securing-ml-workflows/", "content_plain" : "", "summary" : "", "title" : "Hacking ML Applications", "track" : "Machine Learning", "type" : "working-session", "word_count" : 0, "params" : {"categories":null,"description":"","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Hacking ML Applications","track":"Machine Learning","type":"working-session","when_day":"Thu","when_time":"DS-2"} } , { "id" : "8141a0834db3838b26c8c5b8ea1a93ab", "file_path" : "tracks/Machine Learning/ml-for-scaling-security-analysis.md", "last_modified" : "2019-02-04T19:13:35Z", "link" : "/tracks/machine-learning/ml-for-scaling-security-analysis/", "content_plain" : "", "summary" : "", "title" : "ML for Scaling Security Analysis", "track" : "Machine Learning", "type" : "working-session", "word_count" : 0, "params" : 
{"categories":null,"description":"","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T19:13:35Z","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"ML for Scaling Security Analysis","track":"Machine Learning","type":"working-session","when_day":"Thu","when_time":"DS-2"} } , { "id" : "757674c5090960e61c3358af6a230cd3", "file_path" : "tracks/Machine Learning/real-world-ml-case-studies.md", "last_modified" : "2019-02-04T19:12:07Z", "link" : "/tracks/machine-learning/real-world-ml-case-studies/", "content_plain" : "", "summary" : "", "title" : "Real world ML case-studies", "track" : "Machine Learning", "type" : "working-session", "word_count" : 0, "params" : {"categories":null,"description":"","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T19:12:07Z","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Real world ML case-studies","track":"Machine Learning","type":"working-session","when_day":"Thu","when_time":"DS-2"} } , { "id" : "744df1984bbe4c387e5782f070e5336a", "file_path" : "tracks/Machine Learning/hacking-ml-applications.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/machine-learning/hacking-ml-applications/", "content_plain" : "", "summary" : "", "title" : "Using Lambda functions to scale security teams", "track" : "Machine Learning", "type" : "working-session", "word_count" : 0, "params" : {"categories":null,"description":"","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Using Lambda functions to scale security teams","track":"Machine Learning","type":"working-session","when_day":"Thu","when_time":"DS-2"} } , { "id" : 
"79e08f638f249a0f785e6108cad259fe", "file_path" : "tracks/Maps-and-graphs/_index.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/maps-and-graphs/", "content_plain" : "This track is focused on Maps and Graphs\n", "summary" : "This track is focused on Maps and Graphs", "title" : "Maps and Graphs", "track" : null, "type" : "track", "word_count" : 8, "params" : {"description":"Sessions focusing on Maps and graphs","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Pending"],"owasp-project":false,"session_slack":"https://os-summit.slack.com/messages/CAULHPHU2","title":"Maps and Graphs","type":"track","when_day":"Mon,Tue,Wed"} } , { "id" : "7d17ca52f299457c516f571b94c2ae13", "file_path" : "tracks/Maps-and-graphs/user-sessions/creating-elk-dashboards.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/maps-and-graphs/user-sessions/creating-elk-dashboards/", "content_plain" : "Practical session on creating ELK Dashboards\n", "summary" : "Practical session on creating ELK Dashboards", "title" : "Creating ELK Dashboards", "track" : "Maps and Graphs", "type" : "user-session", "word_count" : 6, "params" : {"categories":null,"description":"Practical session on creating ELK Dashboards","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":null,"participants":null,"room_id":"table-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CB289CD3Q","status":"review-content","technology":null,"title":"Creating ELK Dashboards","topics":["ELK","Neo4J"],"track":"Maps and Graphs","type":"user-session","when_day":"Tue","when_time":"DS-2"} } , { "id" : "e94bb6997af9cd8ac7041c8049f6f9f2", "file_path" : "tracks/Maps-and-graphs/working-sessions/cynefin-framework-for-security.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/maps-and-graphs/working-sessions/cynefin-framework-for-security/", "content_plain" : "", "summary" : "", "title" : 
"Cynefin Framework for Security", "track" : "Maps and Graphs", "type" : "working-session", "word_count" : 0, "params" : {"description":"Cynefin Framework for Security","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":null,"room_id":"room-3","room_layout":null,"session_slack":null,"status":"done","title":"Cynefin Framework for Security","topics":["Wardley Maps"],"track":"Maps and Graphs","type":"working-session","when_day":"Thu","when_time":"PM-1"} } , { "id" : "e2d9bfbb156b896defae04fbc0cf03bc", "file_path" : "tracks/Maps-and-graphs/working-sessions/using-data-science-for-log-analysis.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/maps-and-graphs/working-sessions/using-data-science-for-log-analysis/", "content_plain" : "Find out ways to use Data Science for log analysis\n", "summary" : "Find out ways to use Data Science for log analysis", "title" : "Using Data Science for log analysis", "track" : "Maps and Graphs", "type" : "working-session", "word_count" : 10, "params" : {"categories":null,"description":"Find out ways to use Data Science for log analysis","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":null,"participants":["James Wharton"],"room_id":"table-3","room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Using Data Science for log analysis","topics":null,"track":"Maps and Graphs","type":"working-session","when_day":"Thu","when_time":"DS-2"} } , { "id" : "d45fd7a18516ddaf12241264be6c8a23", "file_path" : "tracks/Maps-and-graphs/working-sessions/user-story-mapping-for-effective-communication.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/maps-and-graphs/working-sessions/user-story-mapping-for-effective-communication/", "content_plain" : " Based on the work by @jeffpatton namely the presentation User Story Mapping, Discover the whole story\nExplore how it relates to Threat Modeling This 
paragraph from Jeff\u0026rsquo;s User Story Mapping book pretty much describes threat modeling in non-technical terms:\nWHY User story mapping is all about discovery and communication. Threat modeling is all about discovery and communication. What can threat modeling learn from user story mapping and related techniques to help make it more effective? Can using user story mapping techniques reduce the friction to getting started with threat modeling for development and engineering teams?\nWhat To be determined based on who\u0026rsquo;s in the room, but possibly:\n A discussion of how user story mapping relates to threat modeling Experimentation with using story maps in threat modeling Outcomes A summary of how user story mapping can work for threat modeling, and how to get started A comparison with more traditional approaches to threat modeling References ", "summary" : "Based on the work by @jeffpatton namely the presentation User Story Mapping, Discover the whole story\nExplore how it relates to Threat Modeling This paragraph from Jeff\u0026rsquo;s User Story Mapping book pretty much describes threat modeling in non-technical terms:\nWHY User story mapping is all about discovery and communication. Threat modeling is all about discovery and communication. 
What can threat modeling learn from user story mapping and related techniques to help make it more effective?", "title" : "Using User Story Mapping for effective communication", "track" : "Maps and Graphs", "type" : "working-session", "word_count" : 154, "params" : {"description":"","draft":false,"featured":false,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","locked":true,"organizers":["Fraser Scott"],"participants":["Vladimir Voskresenskiy","Orid Ahmed","Tony Richards"],"room_id":"room-3","session_slack":"https://os-summit.slack.com/messages/CAX9L015H","status":null,"technology":null,"title":"Using User Story Mapping for effective communication","topics":null,"track":"Maps and Graphs","type":"working-session","when_day":"Wed","when_time":"PM-1"} } , { "id" : "b5d5b15fc57b8645eb1d0af3fde7fbde", "file_path" : "tracks/Mobile/_index.md", "last_modified" : "2019-05-20T22:58:52+02:00", "link" : "/tracks/mobile/", "content_plain" : " Welcome to the Mobile Security track! This track is focusing mainly on the following two documents that were created as part of the OWASP Mobile Security Testing Guide (MSTG) project:\n The Mobile Application Security Verification Standard (MASVS) establishes a framework of security requirements needed to design, develop and test secure mobile apps on iOS and Android. The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the controls listed in the MASVS. Why We, the OWASP Mobile Security team, love the OWASP Summit. That time of the year when we come together, all in one place, and forget about the rest of the world (literally as we\u0026rsquo;re in the middle of a forest). Forget about companies / business and concentrate on making the mobile security world a better place. 
To achieve this we tirelessly work on the MSTG to make it even more awesome than it already is.\nWhat Imagine being in the same room as these people who share your same passion:\n the main authors of the MSTG and MASVS security engineers experienced pentesters researchers \u0026hellip; All working together on mobile security topics:\n creating new content for the MSTG researching together on the latest cutting-edge iOS and Android security topics learning and sharing knowledge with other experts and beginners Our working sessions are ticket based, just take the one you like or you\u0026rsquo;ll get one assigned depending on your level of expertise. We want to start the summit with a focus on the following milestones:\n MASVS milestone 1.1.4: MSTG milestone 1.2: Once you start you\u0026rsquo;ll not only have the chance to make a great contribution but also to drive interesting discussions with the rest of the participants.\nThis year we want to focus on the values that made the first summit a great opportunity: learning through contributing!\nEveryone is welcome! If you\u0026rsquo;re already experienced you\u0026rsquo;re probably familiar with the issue that you cannot find any trainings/events on advanced mobile security topics that match your level. Here you\u0026rsquo;ll be able to work hand in hand with people sharing your passion and interest, and close to your experience level. One can always learn so much from doing research and being guided by other people (experts or not). If you enjoy sharing your knowledge you\u0026rsquo;ll have the chance to do so in the best working atmosphere. If you\u0026rsquo;re a beginner this is THE PLACE to start!\nCannot come over? Join us remotely! You may want to attend the presentations about onboarding or a 101. Otherwise: contact us, grab a ticket, enjoy the ride! 
We would love to guide you in your contribution and will take on PRs from morning till early evening (21:00).\nCheck the scheduled sessions below.\n", "summary" : "Welcome to the Mobile Security track! This track is focusing mainly on the following two documents that were created as part of the OWASP Mobile Security Testing Guide (MSTG) project:\n The Mobile Application Security Verification Standard (MASVS) establishes a framework of security requirements needed to design, develop and test secure mobile apps on iOS and Android. The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security testing and reverse engineering.", "title" : "Mobile Security", "track" : null, "type" : "track", "word_count" : 459, "params" : {"description":"Sessions focusing on the OWASP MSTG project.","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-20T22:58:52+02:00","organizers":["Jeroen Willemsen","Carlos Holguera","Sven Schleier","Jeroen Beckers"],"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile","title":"Mobile Security","topics":"Mobile Security","type":"track","when_day":"Mon, Tue, Wed, Thu, Fri","when_time":null} } , { "id" : "e264ff7bf4640ef991a2b6cf94218211", "file_path" : "tracks/Mobile/working-sessions/android-ios-Security-enhancements.md", "last_modified" : "2019-05-20T23:24:34+02:00", "link" : "/tracks/mobile/working-sessions/android-ios-security-enhancements/", "content_plain" : " Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!\nWhy Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5 day-continuous sprint, we want to make the MSTG greater than ever! 
To do this, there are streams that will require constant attention: the guide itself and the apps that we use for examples.\nWhat Get to share the latest Android and iOS security enhancements The first stream is all about making the guide up to date with the latest security updates on iOS 12, Android 9 and 10:\niOS 12:\n UIWebViews are officially deprecated new AuthenticationServices and Network Frameworks New Password AutoFill Framework for iOS and web apps \u0026hellip; Android 9\u0026frasl;10:\n Scoped Storage: an isolated storage sandbox right on external storage device! The READ_ and WRITE_EXTERNAL_STORAGE permissions are being replaced with more fine-grained media specific permissions. StrongBox Keymaster: an implementation of the Keymaster HAL that resides in a hardware security module. You can now import encrypted keys securely into the Keystore using an ASN.1‑encoded key format. \u0026hellip; This and much more that we or you might know about. Let\u0026rsquo;s make sure we extend the guide on best practices and what testers should look for in terms of bad practices.\nThe focus will be on issues identified for the 1.2 milestone of the MSTG, which you can find at Github.\nGet your hands dirty with the Android and iOS crackmes In the second stream, we want to focus on getting better crackmes and playground apps. In order to do this, there are a bunch of things we need to work on (in order of priority):\n Upgrade the existing crackmes \u0026amp; apps to be compatible with the latest version of iOS and Android. Ensure a proper build pipeline for the apps as part of the project so we can easily fix them. Have newer detection mechanisms in the crackmes, for instance: make sure we have a crackme that effectively refuses to run on a rooted Android device (e.g. running Magisk)? Or make the app Frida-resilient. Or\u0026hellip; whatever you like! Try to make cool challenging apps for other people. 
Just make sure it can be built and tested by the pipeline mentioned in 2. Are UnCrackable App for iOS Level 1 and UnCrackable App for iOS Level 2 too easy for you? Do you have some ideas for a Level 3? In this stream you get the chance to work hand in hand with the Mobile Security team on the MSTG crackme apps. The defenders will make them secure (or intentionally leave some holes) and the attackers will prove they can crack them using the latest techniques and available tools.\nWho The target audience for this Working Session is:\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners. Anybody who is passionate about mobile app security, has fun hacking, securing and/or developing mobile apps and loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? Minimum required: a laptop :)\nDepending on the tasks/challenges you choose:\n For creating a better pipeline: a MacBook is recommended, but not mandatory. For iOS: an iOS device (preferably jailbroken). A MacBook is recommended but not mandatory. For Android: an Android device is highly recommended (preferably rooted). However for many tasks you can use the emulator. Use a dedicated test device for this: jailbreaking or rooting weakens the platform\u0026rsquo;s own protections, so it should not be a phone that holds your personal data. 
The MSTG and crackmes are hosted in GitHub and can easily be edited by anyone, just a Github account is needed and knowledge on how to create a pull request.\nOutcomes Updated iOS and Android chapters in the MSTG covering the latest security changes in iOS and Android.\nReferences Workflow for MSTG contributions via Github Android Security Android Oreo iOS Security Whitepaper MSTG GitHub Issues MSTG GitHub Project Page MSTG Hacking Playground UnCrackable Mobile Apps UnCrackable App for Android Level 1 UnCrackable App for Android Level 2 UnCrackable App for Android Level 3 UnCrackable App for iOS Level 1 UnCrackable App for iOS Level 2 UnCrackable App repository ", "summary" : "Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!\nWhy Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5 day-continuous sprint, we want to make the MSTG greater than ever! To do this, there are streams that will require constant attention: the guide itself and the apps that we use for examples.", "title" : "Android and iOS Security Enhancements and Crackme Apps", "track" : "Mobile Security", "type" : "working-session", "word_count" : 671, "params" : {"categories":"MSTG","description":"Updating the content of the MSTG","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-20T23:24:34+02:00","organizers":"Jeroen Willemsen, Carlos Holguera, Sven Schleier","participants":"Jeroen Willemsen, Sven Schleier, Abderrahmane AFTAHI (remote), Carlos Holguera","room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Android and iOS Security Enhancements and Crackme Apps","track":"Mobile Security","type":"working-session","when_day":"Mon,Tue,Wed,Thu,Fri","when_time":"AM-1, DS-2, PM-1, PM-2, Eve-1, Eve-2"} } , { "id" : "c83837a003774d81c9f9aeac620deb46", "file_path" : 
"tracks/Mobile/working-sessions/masvs-enhancements.md", "last_modified" : "2019-05-20T23:24:34+02:00", "link" : "/tracks/mobile/working-sessions/masvs-enhancements/", "content_plain" : " Welcome to the OWASP MASVS session!\nWhy The MASVS has served as a great basis for the MSTG in terms of providing the right requirements. It has been translated to multiple languages and has been embraced by many parties as a source for security requirements for mobile applications. In order to support the MASVS and allow for easier integration in the SDLC, we have a set of tasks left, which are summarized in milestone 1.1.4 of the project. Note: we do not want to come up with new requirements yet, as we would rather first get the MSTG in sync.\nWhat In this working session, we want to focus on issues identified in the 1.1.4 milestone of the MASVS, which you can find on GitHub. Think of a variety of issues, such as:\n Fix the Markdown issues Make sure we have the same code of conduct and contribution guide as the MSTG If you are keen on doing some coding, you can help out with the following:\n Generate JSON/XML Ensure markdown validation automation Make sure gitbooks site shows all languages The tickets for this working session will cover these topics and contribute to increasing the value, readability and extensibility of the MASVS, which in turn will make it easier to extend it across all languages.\nWho The target audience for this Working Session is:\n anyone who wants to help out improving the quality of an OWASP project and anybody interested in mobile security. From experts to beginners. Anybody who is passionate about mobile app security and loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? Minimum required: a laptop :)\nThe MASVS is hosted in GitHub and can easily be edited by anyone, just a Github account is needed and knowledge on how to create a pull request.\nOutcomes Hopefully a better (en)coded MASVS! 
And milestone 1.1.4!\nReferences OWASP MASVS ", "summary" : "Welcome to the OWASP MASVS session!\nWhy The MASVS has served as a great basis for the MSTG in terms of providing the right requirements. It has been translated to multiple languages and has been embraced by many parties as a source for security requirements for mobile applications. In order to support the MASVS and allow for easier integration in the SDLC, we have a set of tasks left, which are summarized in milestone 1.", "title" : "Mobile AppSec Verification Standard (MASVS)", "track" : "Mobile Security", "type" : "working-session", "word_count" : 318, "params" : {"categories":"MSTG","description":"Work on the open issues of the MASVS","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-20T23:24:34+02:00","organizers":["Jeroen Willemsen","Sven Schleier"],"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Mobile AppSec Verification Standard (MASVS)","track":"Mobile Security","type":"working-session","when_day":"Mon","when_time":"AM-1, DS-2, PM-1, PM-2, Eve-1"} } , { "id" : "26997891becd9c1afd65eec05ad149ac", "file_path" : "tracks/Mobile/working-sessions/mstg-restructuring.md", "last_modified" : "2019-05-20T23:24:34+02:00", "link" : "/tracks/mobile/working-sessions/mstg-restructuring/", "content_plain" : " Welcome to the ultimate OWASP Mobile Security Testing Guide content reshuffle session!\nWhy If you\u0026rsquo;re familiar with mobile security testing you\u0026rsquo;ll probably know that the way we perform the testing on the different platforms is completely different but at the end, what we want to achieve is the same. We want to get this reflected in the guide. 
We will be working on topics from basic to advanced Mobile App Security Testing, Reverse Engineering and Tampering on Android and iOS.\nAs a result, the current content will be restructured, which will help\n achieving a more organized testing approach and methodology. detecting potential missing tools or techniques. fixing missing links across chapters. The Android and iOS chapters will mirror each other, so the next time someone (e.g. a beginner) wants to get started on these topics it will be very clear what has to be done and how. If you\u0026rsquo;re already an expert on e.g. Android, this will help you quickly identify the things you need when starting testing on iOS, e.g. \u0026ldquo;Accessing the Device Shell\u0026rdquo;.\nWhat Join us in a 2-day sprint to restructure the basic-testing and reverse-engineering chapters so that they map onto each other easily. We want to be able to restructure the MSTG and connect it to the MASVS in a better way during the first 2 days in order to make the chapters more accessible.\nThis session focuses on the following topics (and their corresponding chapters from the MSTG):\n Android and iOS Basic Security Testing (0x5b/0x6b) Android and iOS Reverse Engineering and Tampering (0x5c/0x6c) After the first restructuring and updated outline, you\u0026rsquo;ll have the chance to get your hands dirty and craft examples and new content for the MSTG to add next to existing tooling. For the new examples we will be introducing new tools like r2frida. Did you know you can reverse engineer an app straight from the process memory? That means, e.g. for iOS, that you may skip decrypting and extracting the binary from disk: the code is already decrypted once it has been loaded into the running process.\nThe tickets for this working session will cover these topics and contribute to the restructuring of the MSTG as described in this issue. 
This should simplify the chapters, improve their readability and make the project a lot easier to maintain!\nWho The target audience for this Working Session is:\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners. Anybody who is passionate about mobile app security, has fun hacking, securing and/or developing mobile apps and loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? Minimum required: a laptop :)\nDepending on the tasks/challenges you choose:\n General rewriting tasks do not require any devices, however if you want to add new cases, then: For iOS: an iOS device (preferably jailbroken). A MacBook is recommended but not mandatory. For Android: an Android device is highly recommended (preferably rooted). However for many tasks you can use the emulator. The MSTG is hosted in GitHub and can easily be edited by anyone, just a Github account is needed and knowledge on how to create a pull request.\nOutcomes A beautifully restructured MSTG.\nReferences \u0026ldquo;Basic Security Testing / Reverse Engineering and Tampering\u0026rdquo; Chapters Restructuring Issue Android Basic Security Testing Android Reverse Engineering and Tampering iOS Basic Security Testing iOS Reverse Engineering and Tampering ", "summary" : "Welcome to the ultimate OWASP Mobile Security Testing Guide content reshuffle session!\nWhy If you\u0026rsquo;re familiar with mobile security testing you\u0026rsquo;ll probably know that the way we perform the testing on the different platforms is completely different but at the end, what we want to achieve is the same. We want to get this reflected in the guide. 
We will be working on topics from basic to advanced Mobile App Security Testing, Reverse Engineering and Tampering on Android and iOS.", "title" : "Mobile Basic Security Testing and Reverse Engineering", "track" : "Mobile Security", "type" : "working-session", "word_count" : 548, "params" : {"categories":"MSTG","description":"Work on the Mobile Basic Security Testing and Reverse Engineering topics with focus on restructuring the contents of the MSTG","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-20T23:24:34+02:00","organizers":"Jeroen Willemsen, Carlos Holguera, Sven Schleier","participants":["Abderrahmane AFTAHI (remote)"],"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Mobile Basic Security Testing and Reverse Engineering","track":"Mobile Security","type":"working-session","when_day":"Mon,Tue","when_time":"AM-1, DS-2, PM-1, PM-2, Eve-1, Eve-2"} } , { "id" : "650ab8c24a804197a393a303649bb45b", "file_path" : "tracks/Mobile/user-sessions/mstg-contributor-onboarding.md", "last_modified" : "2019-05-20T22:58:52+02:00", "link" : "/tracks/mobile/user-sessions/mstg-contributor-onboarding/", "content_plain" : " Why A take-off session for all participants that want to contribute to the OWASP Mobile Security Testing Guide project, but are not sure what to do yet during this week or after.\nWhat Introduction into the current state of the MSTG. Issues Milestones Project Page Release process. Contribution guidelines. Outline of the activities planned for this week. This is not a basic introduction into the project itself! 
Note the first hour will cover the Introduction into the MSTG session, in the second hour, we will have the contributor-onboarding.\nWho Everyone that would like to start contributing to the OWASP Mobile Security Testing Guide project.\nReferences OWASP Mobile Application Verification Standard (MASVS) OWASP Mobile Security Testing Guide (MSTG) style_guide.md ", "summary" : "Why A take-off session for all participants that want to contribute to the OWASP Mobile Security Testing Guide project, but are not sure what to do yet during this week or after.\nWhat Introduction into the current state of the MSTG. Issues Milestones Project Page Release process. Contribution guidelines. Outline of the activities planned for this week. This is not a basic introduction into the project itself!", "title" : "Mobile Security Testing Guide onboarding", "track" : "Mobile Security", "type" : "user-session", "word_count" : 118, "params" : {"description":"MSTG introduction for new contributors","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-20T22:58:52+02:00","organizers":["Jeroen Willemsen","Carlos Holguera","Sven Schleier"],"participants":["Sven Schleier"],"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Mobile Security Testing Guide onboarding","topics":null,"track":"Mobile Security","type":"user-session","when_day":"Mon, Wed","when_time":"AM-1"} } , { "id" : "32fbe6c4ba102e465c8d2779f4559678", "file_path" : "tracks/Mobile/user-sessions/intro-mstg.md", "last_modified" : "2019-05-20T22:58:52+02:00", "link" : "/tracks/mobile/user-sessions/intro-mstg/", "content_plain" : " Why Pick up session for all participants who are interested in the Mobile Security Testing Guide project but have no experience with it yet. This session is mostly an introduction into the guide and the MASVS. 
It is not to guide contributors specifically, for this, we have the contributor onboarding session.\nWhat Introduction into the Mobile Application Security Verification Standard (MASVS). Introduction into the Mobile Security Testing Guide (structure, what it is about). Some demos of what we teach through the guide. Note the first hour will cover the introduction session, in the second hour, we will have the contributor onboarding session.\nWho Target audience are all interested users from Breaker, Builder and Defender communities alike!\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners.\nReferences OWASP Mobile Application Verification Standard (MASVS) OWASP Mobile Security Testing Guide (MSTG) ", "summary" : "Why Pick up session for all participants who are interested in the Mobile Security Testing Guide project but have no experience with it yet. This session is mostly an introduction into the guide and the MASVS. It is not to guide contributors specifically, for this, we have the contributor onboarding session.\nWhat Introduction into the Mobile Application Security Verification Standard (MASVS). 
Introduction into the Mobile Security Testing Guide (structure, what it is about).", "title" : "OWASP Mobile Security Testing Guide 101", "track" : "Mobile Security", "type" : "user-session", "word_count" : 141, "params" : {"description":"MSTG introduction for newbies","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-20T22:58:52+02:00","organizers":["Jeroen Willemsen","Carlos Holguera","Sven Schleier"],"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"OWASP Mobile Security Testing Guide 101","topics":null,"track":"Mobile Security","type":"user-session","when_day":"Mon, Wed","when_time":"AM-1"} } , { "id" : "00667d89af83db9edba17072fe1ae53b", "file_path" : "tracks/OWASP-Juice-Shop/_index.md", "last_modified" : "2019-02-11T18:16:09+01:00", "link" : "/tracks/owasp-juice-shop/", "content_plain" : "This track is focused on OWASP Juice Shop\n", "summary" : "This track is focused on OWASP Juice Shop", "title" : "OWASP Juice Shop", "track" : null, "type" : "track", "word_count" : 8, "params" : {"description":"Sessions focusing on OWASP Juice Shop","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-11T18:16:09+01:00","organizers":["Bjoern Kimminich"],"owasp-project":true,"session_slack":null,"title":"OWASP Juice Shop","type":"track","when_day":"Mon,Tue,Wed,Fri"} } , { "id" : "1f66573baae0718e5eb8a759b2375161", "file_path" : "tracks/OWASP-Juice-Shop/user-sessions/juice-shop-101.md", "last_modified" : "2019-02-13T09:53:05+01:00", "link" : "/tracks/owasp-juice-shop/user-sessions/juice-shop-101/", "content_plain" : " WHY Pick up session for all participants who are interested in the OWASP Juice Shop project but have no experience with it yet.\nWhat Target audience are all interested users from Breaker, Builder and Defender communities alike!\n Demo of the project Installation walk-through Advanced features (CTF mode, custom themes etc.) 
This is not an introduction into the code base or underlying technology! For this we recommend to participate in the Juice Shop Contributor Onboarding session and join any of the evening Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code events!\nReferences Part I - Hacking preparations of the online-readable companion guide eBook Pwning OWASP Juice Shop Online-viewable introduction slide deck ", "summary" : "WHY Pick up session for all participants who are interested in the OWASP Juice Shop project but have no experience with it yet.\nWhat Target audience are all interested users from Breaker, Builder and Defender communities alike!\n Demo of the project Installation walk-through Advanced features (CTF mode, custom themes etc.) This is not an introduction into the code base or underlying technology! For this we recommend to participate in the Juice Shop Contributor Onboarding session and join any of the evening Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code events!", "title" : "Juice Shop 101", "track" : "OWASP Juice Shop", "type" : "user-session", "word_count" : 105, "params" : {"description":"OWASP Juice Shop introduction for newbies","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-13T09:53:05+01:00","organizers":"Bjoern Kimminich","participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Juice Shop 101","topics":null,"track":"OWASP Juice Shop","type":"user-session","when_day":"Tue","when_time":"AM-1"} } , { "id" : "9c94cc81decd911b66c5149d33382808", "file_path" : "tracks/OWASP-Juice-Shop/working-sessions/juice-shop-challenge-refactoring.md", "last_modified" : "2019-04-23T21:15:34+02:00", "link" : "/tracks/owasp-juice-shop/working-sessions/juice-shop-challenge-refactoring/", "content_plain" : " WHY The Juice Shop offers 85+ hacking challenges spread across 6 difficulty levels. 
It is time to review their categories and difficulty ratings for overall consistency and possible improvements.\nWhat Discuss the need for more (or less?) challenge categories Map to additional existing vulnerability catalogs Discuss the need for more (or less?) difficulty levels Define criteria to map challenges to difficulties more easily (e.g. \u0026ldquo;Scripting needed?\u0026rdquo; or \u0026ldquo;Multi-step attack required?\u0026rdquo;) Map the existing challenges to the aligned difficulty levels References Current categories with OWASP/CWE mapping Current difficulty mapping of all challenges ", "summary" : "WHY The Juice Shop offers 85+ hacking challenges spread across 6 difficulty levels. It is time to review their categories and difficulty ratings for overall consistency and possible improvements.\nWhat Discuss the need for more (or less?) challenge categories Map to additional existing vulnerability catalogs Discuss the need for more (or less?) difficulty levels Define criteria to map challenges to difficulties more easily (e.g. 
\u0026ldquo;Scripting needed?", "title" : "Juice Shop Challenge Refactoring", "track" : "OWASP Juice Shop", "type" : "working-session", "word_count" : 91, "params" : {"description":"Refactoring the categories and difficulty ratings of the OWASP Juice Shop challenges","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-04-23T21:15:34+02:00","organizers":"Bjoern Kimminich","participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Juice Shop Challenge Refactoring","topics":null,"track":"OWASP Juice Shop","type":"working-session","when_day":"Wed","when_time":"AM-1"} } , { "id" : "bd3848bb7db2cc364df4f617ff29ff0b", "file_path" : "tracks/OWASP-Juice-Shop/user-sessions/juice-shop-contributor-onboarding.md", "last_modified" : "2019-02-13T09:53:05+01:00", "link" : "/tracks/owasp-juice-shop/user-sessions/juice-shop-contributor-onboarding/", "content_plain" : " WHY Pick up session for all participants who are interested in contributing to the OWASP Juice Shop project but have no experience with its code base yet.\nWhat Architecture overview Contribution guidelines How a hacking challenge is implemented and tested CI/CD pipeline (just briefly, for full intro join CI/CD for Open Source Projects) This is not a basic introduction into the project itself! For this we recommend to participate in the Juice Shop 101 session!\nReferences CONTRIBUTING.md Chapters Codebase 101 and Contribute to development of the online-readable companion guide eBook Pwning OWASP Juice Shop ", "summary" : "WHY Pick up session for all participants who are interested in contributing to the OWASP Juice Shop project but have no experience with its code base yet.\nWhat Architecture overview Contribution guidelines How a hacking challenge is implemented and tested CI/CD pipeline (just briefly, for full intro join CI/CD for Open Source Projects) This is not a basic introduction into the project itself! 
For this we recommend to participate in the Juice Shop 101 session!", "title" : "Juice Shop Contributor Onboarding", "track" : "OWASP Juice Shop", "type" : "user-session", "word_count" : 94, "params" : {"description":"OWASP Juice Shop introduction for new contributors","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-13T09:53:05+01:00","organizers":"Bjoern Kimminich","participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Juice Shop Contributor Onboarding","topics":null,"track":"OWASP Juice Shop","type":"user-session","when_day":"Tue","when_time":"PM-1"} } , { "id" : "c88ad06ddf6f6e14d51c6ae7cac074b8", "file_path" : "tracks/OWASP-Juice-Shop/working-sessions/juice-shop-hackathon1.md", "last_modified" : "2019-02-25T17:48:52+01:00", "link" : "/tracks/owasp-juice-shop/working-sessions/juice-shop-hackathon1/", "content_plain" : " WHY Develop new features and hacking challenges, beta-test those new challenges and improve the OWASP Juice Shop project across the board.\nWhat Builders work on functionality, bugfixes, new challenges, translations, documentation etc. Breakers try to solve challenges, help fine-tune them and might even write some hints/solutions Defenders use their own tools against the Juice Shop to see what they might miss and get ideas how to close gaps Outcomes This working session can result in e.g. 
* PRs being merged into the project\u0026rsquo;s repositories on GitHub * translations being improved on CrowdIn * the companion guide eBook being extended and improved\nReferences CONTRIBUTING.md Chapters Codebase 101 and Contribute to development of the online-readable companion guide eBook Pwning OWASP Juice Shop OWASP Juice Shop\u0026rsquo;s CrowdIn project for i18n Previous Juice Shop Contributor Onboarding user session ", "summary" : "WHY Develop new features and hacking challenges, beta-test those new challenges and improve the OWASP Juice Shop project across the board.\nWhat Builders work on functionality, bugfixes, new challenges, translations, documentation etc. Breakers try to solve challenges, help fine-tune them and might even write some hints/solutions Defenders use their own tools against the Juice Shop to see what they might miss and get ideas how to close gaps Outcomes This working session can result in e.", "title" : "Juice Shop Hack'n'Code I", "track" : "OWASP Juice Shop", "type" : "working-session", "word_count" : 134, "params" : {"description":"Coding for and hacking of the OWASP Juice Shop","draft":false,"featured":false,"iscjklanguage":false,"lastmod":"2019-02-25T17:48:52+01:00","organizers":"Bjoern Kimminich","participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Juice Shop Hack'n'Code I","topics":null,"track":"OWASP Juice Shop","type":"working-session","when_day":"Mon","when_time":"Eve-1"} } , { "id" : "0c7a2267f14b4ab3962bf0a7bc1c2d64", "file_path" : "tracks/OWASP-Juice-Shop/working-sessions/juice-shop-hackathon2.md", "last_modified" : "2019-02-25T17:48:52+01:00", "link" : "/tracks/owasp-juice-shop/working-sessions/juice-shop-hackathon2/", "content_plain" : " WHY Develop new features and hacking challenges, beta-test those new challenges and improve the OWASP Juice Shop project across the board.\nWhat Builders work on functionality, bugfixes, new challenges, 
translations, documentation etc. Breakers try to solve challenges, help fine-tune them and might even write some hints/solutions Defenders use their own tools against the Juice Shop to see what they might miss and get ideas how to close gaps Outcomes This working session can result in e.g. * PRs being merged into the project\u0026rsquo;s repositories on GitHub * translations being improved on CrowdIn * the companion guide eBook being extended and improved\nReferences CONTRIBUTING.md Chapters Codebase 101 and Contribute to development of the online-readable companion guide eBook Pwning OWASP Juice Shop OWASP Juice Shop\u0026rsquo;s CrowdIn project for i18n Previous Juice Shop Contributor Onboarding user session Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code I evening session ", "summary" : "WHY Develop new features and hacking challenges, beta-test those new challenges and improve the OWASP Juice Shop project across the board.\nWhat Builders work on functionality, bugfixes, new challenges, translations, documentation etc. 
Breakers try to solve challenges, help fine-tune them and might even write some hints/solutions Defenders use their own tools against the Juice Shop to see what they might miss and get ideas how to close gaps Outcomes This working session can result in e.", "title" : "Juice Shop Hack'n'Code II", "track" : "OWASP Juice Shop", "type" : "working-session", "word_count" : 140, "params" : {"description":"Coding for and hacking of the OWASP Juice Shop","draft":false,"featured":false,"iscjklanguage":false,"lastmod":"2019-02-25T17:48:52+01:00","organizers":"Bjoern Kimminich","participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Juice Shop Hack'n'Code II","topics":null,"track":"OWASP Juice Shop","type":"working-session","when_day":"Tue","when_time":"Eve-1"} } , { "id" : "82999489268aa37ee5b0c985d7fa27fd", "file_path" : "tracks/OWASP-Juice-Shop/working-sessions/juice-shop-hackathon3.md", "last_modified" : "2019-02-25T17:48:52+01:00", "link" : "/tracks/owasp-juice-shop/working-sessions/juice-shop-hackathon3/", "content_plain" : " WHY Develop new features and hacking challenges, beta-test those new challenges and improve the OWASP Juice Shop project across the board.\nWhat Builders work on functionality, bugfixes, new challenges, translations, documentation etc. Breakers try to solve challenges, help fine-tune them and might even write some hints/solutions Defenders use their own tools against the Juice Shop to see what they might miss and get ideas how to close gaps Outcomes This working session can result in e.g. 
* PRs being merged into the project\u0026rsquo;s repositories on GitHub * translations being improved on CrowdIn * the companion guide eBook being extended and improved\nReferences CONTRIBUTING.md Chapters Codebase 101 and Contribute to development of the online-readable companion guide eBook Pwning OWASP Juice Shop OWASP Juice Shop\u0026rsquo;s CrowdIn project for i18n Previous Juice Shop Contributor Onboarding user session Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code I evening session Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code II evening session ", "summary" : "WHY Develop new features and hacking challenges, beta-test those new challenges and improve the OWASP Juice Shop project across the board.\nWhat Builders work on functionality, bugfixes, new challenges, translations, documentation etc. Breakers try to solve challenges, help fine-tune them and might even write some hints/solutions Defenders use their own tools against the Juice Shop to see what they might miss and get ideas how to close gaps Outcomes This working session can result in e.", "title" : "Juice Shop Hack'n'Code III", "track" : "OWASP Juice Shop", "type" : "working-session", "word_count" : 146, "params" : {"description":"Coding for and hacking of the OWASP Juice Shop","draft":false,"featured":false,"iscjklanguage":false,"lastmod":"2019-02-25T17:48:52+01:00","organizers":"Bjoern Kimminich","participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Juice Shop Hack'n'Code III","topics":null,"track":"OWASP Juice Shop","type":"working-session","when_day":"Wed","when_time":"Eve-1"} } , { "id" : "61cde79087ab098c2083f063889f6650", "file_path" : "tracks/OWASP-Juice-Shop/working-sessions/juice-shop-hackathon4.md", "last_modified" : "2019-02-25T17:48:52+01:00", "link" : "/tracks/owasp-juice-shop/working-sessions/juice-shop-hackathon4/", "content_plain" : " WHY Develop new features and hacking challenges, beta-test those new challenges 
and improve the OWASP Juice Shop project across the board.\nWhat Builders work on functionality, bugfixes, new challenges, translations, documentation etc. Breakers try to solve challenges, help fine-tune them and might even write some hints/solutions Defenders use their own tools against the Juice Shop to see what they might miss and get ideas how to close gaps Outcomes This working session can result in e.g. * PRs being merged into the project\u0026rsquo;s repositories on GitHub * translations being improved on CrowdIn * the companion guide eBook being extended and improved\nReferences CONTRIBUTING.md Chapters Codebase 101 and Contribute to development of the online-readable companion guide eBook Pwning OWASP Juice Shop OWASP Juice Shop\u0026rsquo;s CrowdIn project for i18n Previous Juice Shop Contributor Onboarding user session Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code I evening session Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code II evening session Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code III evening session ", "summary" : "WHY Develop new features and hacking challenges, beta-test those new challenges and improve the OWASP Juice Shop project across the board.\nWhat Builders work on functionality, bugfixes, new challenges, translations, documentation etc. 
Breakers try to solve challenges, help fine-tune them and might even write some hints/solutions Defenders use their own tools against the Juice Shop to see what they might miss and get ideas how to close gaps Outcomes This working session can result in e.", "title" : "Juice Shop Hack'n'Code IV", "track" : "OWASP Juice Shop", "type" : "working-session", "word_count" : 152, "params" : {"description":"Coding for and hacking of the OWASP Juice Shop","draft":false,"featured":false,"iscjklanguage":false,"lastmod":"2019-02-25T17:48:52+01:00","organizers":"Bjoern Kimminich","participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Juice Shop Hack'n'Code IV","topics":null,"track":"OWASP Juice Shop","type":"working-session","when_day":"Thu","when_time":"Eve-1"} } , { "id" : "2fe9914c646007069ddc1298e95bc375", "file_path" : "tracks/OWASP-Juice-Shop/user-sessions/juice-shop-release-night.md", "last_modified" : "2019-02-25T17:48:52+01:00", "link" : "/tracks/owasp-juice-shop/user-sessions/juice-shop-release-night/", "content_plain" : " WHY Publish the results of the Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code I, II, III and IV in a new Juice Shop release!\nWhat Wrap up all changes and perform final QA Update release notes and documentation Merge changes into master branch for final CI/CD run Tag new release and trigger automated deployment References The main repository\u0026rsquo;s release notes page Juice Shop CI/CD servers on Travis-CI and AppVeyor Previous Juice Shop Contributor Onboarding user session Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code I evening session Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code II evening session Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code III evening session Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code IV evening session ", "summary" : " WHY Publish the results of the Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code I, II, III and IV in a new Juice Shop release!\nWhat Wrap up 
all changes and perform final QA Update release notes and documentation Merge changes into master branch for final CI/CD run Tag new release and trigger automated deployment References The main repository\u0026rsquo;s release notes page Juice Shop CI/CD servers on Travis-CI and AppVeyor Previous Juice Shop Contributor Onboarding user session Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code I evening session Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code II evening session Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code III evening session Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code IV evening session ", "title" : "Juice Shop Release Night", "track" : "OWASP Juice Shop", "type" : "user-session", "word_count" : 96, "params" : {"description":"Go-live of new OWASP Juice Shop release","draft":false,"featured":false,"iscjklanguage":false,"lastmod":"2019-02-25T17:48:52+01:00","organizers":"Bjoern Kimminich","participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Juice Shop Release Night","topics":null,"track":"OWASP Juice Shop","type":"user-session","when_day":"Thu","when_time":"Eve-2"} } , { "id" : "054cde030d8769cad37606aa401f74ba", "file_path" : "tracks/OWASP-Juice-Shop/user-sessions/juice-shop-roundtable.md", "last_modified" : "2019-02-25T18:01:33+01:00", "link" : "/tracks/owasp-juice-shop/user-sessions/juice-shop-roundtable/", "content_plain" : " WHY Friendly get-together (possibly over lunch) to talk and exchange experience about the OWASP Juice Shop.\nWhat No agenda set in stone for this one. Just bring your questions, ideas, quirks and bugs with you to the open discussion! Some ideas others might be particularly interested in:\n Which is your favorite hacking challenge and why? How are you using Juice Shop in your company/university/\u0026hellip;? Are you using the \u0026ldquo;vanilla\u0026rdquo; theme or your own corporate theme? What experience have you made with running a CTF on the Juice Shop? 
\u0026hellip; ", "summary" : "WHY Friendly get-together (possibly over lunch) to talk and exchange experience about the OWASP Juice Shop.\nWhat No agenda set in stone for this one. Just bring your questions, ideas, quirks and bugs with you to the open discussion! Some ideas others might be particularly interested in:\n Which is your favorite hacking challenge and why? How are you using Juice Shop in your company/university/\u0026hellip;? Are you using the \u0026ldquo;vanilla\u0026rdquo; theme or your own corporate theme?", "title" : "Juice Shop Round Table", "track" : "OWASP Juice Shop", "type" : "user-session", "word_count" : 89, "params" : {"description":"Round table of OWASP Juice Shop users","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-25T18:01:33+01:00","organizers":"Bjoern Kimminich","participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Juice Shop Round Table","topics":null,"track":"OWASP Juice Shop","type":"user-session","when_day":"Wed","when_time":"DS-2"} } , { "id" : "564fb4c3efe5e2af81f71eeb50d856e3", "file_path" : "tracks/OWASP-projects/_index.md", "last_modified" : "2019-03-19T15:15:39+01:00", "link" : "/tracks/owasp-projects/", "content_plain" : "This track is focused on OWASP projects\n", "summary" : "This track is focused on OWASP projects", "title" : "OWASP Projects", "track" : null, "type" : "track", "word_count" : 7, "params" : {"description":"Sessions focusing on OWASP projects","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-03-19T15:15:39+01:00","organizers":["Pending"],"owasp-project":false,"session_slack":"https://os-summit.slack.com/messages/CAULHPHU2","title":"OWASP Projects","type":"track","when_day":"Mon,Wed,Fri"} } , { "id" : "da79a6ed5e4f1afdabde64f79b82bb97", "file_path" : "tracks/OWASP-projects/working-sessions/application-security-verification-standard.md", "last_modified" : "2019-04-30T22:09:08+01:00", "link" : 
"/tracks/owasp-projects/working-sessions/application-security-verification-standard/", "content_plain" : " The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and a list of requirements for secure development for developers.\nWhy The Application Security Verification Standard is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, and even consumers to define what a secure application is.\nASVS has two main goals: - to help organizations develop and maintain secure applications - to allow security service, security tools vendors, and consumers to align their requirements and offerings\nWhat Risk analysis is always subjective and this is why we expect that there will most likely never be a 100% agreement on this standard. However, keeping the standard up-to-date is certainly a step in the right direction and it will enhance the overall concepts introduced in this important industry standard.\nOutcomes This Working Session will result in a short summary which will include the list of items that need to be updated, added, or changed in order to make the standard more applicable to modern applications.\nWho The target audiences for this Working Session are: - Security champions - Security architects - DevOps Roles - CISOs\nWorking materials Here are the current \u0026lsquo;work in progress\u0026rsquo; materials for this session (please add as much information as possible before the sessions): - ASVS 3.1 in English (pdf) - ASVS GitHub\nPrevious Summit Working Session https://owaspsummit.org/Working-Sessions/Owasp-Projects/Application-Security-Verification-Standard.html\n", "summary" : "The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and a list of requirements for secure development for developers.\nWhy The 
Application Security Verification Standard is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, and even consumers to define what a secure application is.\nASVS has two main goals: - to help organizations develop and maintain secure applications - to allow security service, security tools vendors, and consumers to align their requirements and offerings", "title" : "Application Security Verification Standard", "track" : "OWASP Projects", "type" : "working-session", "word_count" : 237, "params" : {"description":"Session on ASVS","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-04-30T22:09:08+01:00","organizers":null,"participants":null,"room_id":"villa-3","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAU646WRE","status":"review-content","title":"Application Security Verification Standard","topics":["Owasp Project"],"track":"OWASP Projects","type":"working-session","when_day":"Wed","when_time":"AM-1"} } , { "id" : "44f828cdae9f3f3dd9369d3283e5ad19", "file_path" : "tracks/OWASP-projects/working-sessions/owasp-testing-guide.md", "last_modified" : "2019-04-30T22:09:08+01:00", "link" : "/tracks/owasp-projects/working-sessions/owasp-testing-guide/", "content_plain" : " OWASP Testing Guide provides a “low level” Penetration Testing guide describing tools \u0026amp; techniques used for testing the most common application security vulnerabilities. The Guide has become a de facto standard to perform Web Application Penetration Testing.\nWhen Starting the new OWASP Testing Guide Thu, Jun 7, 2018 2:00 PM - 3:00 PM London Time\nPlease join the meeting from your computer, tablet or smartphone. https://global.gotomeeting.com/join/898796925 First GoToMeeting? Let\u0026rsquo;s do a quick system check: https://link.gotomeeting.com/system-check\nYou can also dial in using your phone. 
United Kingdom: +44 20 3713 5011\nUnited States: +1 (571) 317-3117 Australia: +61 2 8355 1038 Austria: +43 7 2081 5337 Belgium: +32 28 93 7002 Canada: +1 (647) 497-9373 Denmark: +45 32 72 03 69 Finland: +358 923 17 0556 France: +33 170 950 590 Germany: +49 692 5736 7300 Ireland: +353 15 360 756 Italy: +39 0 230 57 81 80 Netherlands: +31 207 941 375 New Zealand: +64 9 282 9510 Norway: +47 24 05 54 97 Spain: +34 912 71 8488 Sweden: +46 853 527 818 Switzerland: +41 225 4599 60\nAccess Code: 898-796-925\nWhy Individuals and companies around the world are increasingly adopting OWASP Testing Guide as a standard for performing Application Penetration Testing. Hence, it is vital to maintain an updated project that represents the state of the art for WebAppSec. This Working Session aims to discuss and define the scope and content of OWASP Testing Guide v5.\nWhat There is usually a common pattern to detect and test for security vulnerabilities. These patterns don\u0026rsquo;t differ from application to application, nor do we have hundreds of ways to detect them. Thus, OWASP Testing Guide aims to standardize and list a common procedure to detect and test for the most common web application security vulnerabilities. 
Keeping a standard up-to-date with new classes of vulnerabilities and tools is a step in the right direction and helps security professionals do the job right.\nOutcomes All sections in v4 reviewed Project aligned with the ASVS and OWASP Top 10 vulnerabilities A more readable guide created that eliminates sections that are not useful New testing techniques inserted\nWho The target audiences for this Working Session are: - Security professionals - Security-aware individuals and companies\nWorking materials https://github.com/OWASP/OWASP-Testing-Guide-v5/ http://www.owasp.org/index.php/OWASP_Testing_Project\n", "summary" : "OWASP Testing Guide provides a “low level” Penetration Testing guide describing tools \u0026amp; techniques used for testing the most common application security vulnerabilities. The Guide has become a de facto standard to perform Web Application Penetration Testing.\nWhen Starting the new OWASP Testing Guide Thu, Jun 7, 2018 2:00 PM - 3:00 PM London Time\nPlease join the meeting from your computer, tablet or smartphone. https://global.gotomeeting.com/join/898796925 First GoToMeeting? 
Let\u0026rsquo;s do a quick system check: https://link.", "title" : "Owasp Testing Guide v5", "track" : "OWASP Projects", "type" : "working-session", "word_count" : 370, "params" : {"categories":["OWASP Testing Guide"],"description":"Working Sessions for Owasp Testing Guide v5","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-04-30T22:09:08+01:00","organizers":["Matteo Meucci"],"participants":["Prakash Sharma","Goher Mohammad","John Killilea"],"room_id":"villa-3","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUN653QQ","status":"review-content","title":"Owasp Testing Guide v5","topics":["Owasp Project"],"track":"OWASP Projects","type":"working-session","when_day":"Thu","when_time":"PM-2,PM-3"} } , { "id" : "e6c34bece849110a8a88b925bf5b76bd", "file_path" : "tracks/OWASP-projects/working-sessions/owasp-top-5-machine-learning-risks.md", "last_modified" : "2019-04-30T22:09:08+01:00", "link" : "/tracks/owasp-projects/working-sessions/owasp-top-5-machine-learning-risks/", "content_plain" : " Why Deep Learning and Machine Learning have become a vital part of critical systems like self-driving cars, advanced authentication and automated detection of lesions/tumors. However, research shows that such technologies have inherent risks originating from the process of how the models are being learnt or used. In this session we will learn about the OWASP project (Top 5 Machine Learning Risks) which tries to identify and document these risks in general, and then we will discuss one case study about a specific risk and how to address it.\nWhat Top 5 Machine Learning Risks Project Introduction project team update about current state of document Developing attacks against machine learning models. Targeted Backdoor Attacks on Deep Learning Systems Using Data Poisoning (Chen et al. 
2017) Outcomes Define risk rating approach for this type of attack and suggest defence techniques\nWho Application security professionals AI professionals Working materials project documentation file paper file https://arxiv.org/abs/1712.05526 https://www.owasp.org/index.php/OWASP_Top_5_Machine_Learning_Risks https://owaspsummit.org/Outcomes/machine-learning-and-security/machine-learning-and-security.html ", "summary" : "Why Deep Learning and Machine Learning have become a vital part of critical systems like self-driving cars, advanced authentication and automated detection of lesions/tumors. However, research shows that such technologies have inherent risks originating from the process of how the models are being learnt or used. In this session we will learn about the OWASP project (Top 5 Machine Learning Risks) which tries to identify and document these risks in general, and then we will discuss one case study about a specific risk and how to address it.", "title" : "Owasp Top 5 Machine Learning risks", "track" : "OWASP Projects", "type" : "working-session", "word_count" : 150, "params" : {"categories":["OWASP projects"],"description":"","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-04-30T22:09:08+01:00","organizers":["Talal Albacha","Jean-Noël Colin"],"participants":["Sebastien Deleersnyder"],"room_id":"room-2","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVABULJF","status":"review-content","technology":null,"title":"Owasp Top 5 Machine Learning risks","topics":["Owasp Project","AI \u0026 ML"],"track":"OWASP Projects","type":"working-session","when_day":"Fri","when_time":"AM-1"} } , { "id" : "3fbc6393f20797a4bbc25215f1241fb0", "file_path" : "tracks/OWASP-SAMM/_index.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/owasp-samm/", "content_plain" : "In addition to specific Maturity Models sessions, a large number of OWASP SAMM Working-Sessions will occur at the Summit.\nThe SAMM Summit is not a regular 
conference with speaking slots, but a summit where the participants work together in a 5-day sprint on SAMMv2. If you are interested in contributing to this, you are most welcome (knowledge of SAMM or other secure development methodology experience is a prerequisite).\nThis is an excellent opportunity to influence the direction of SAMM and exchange experiences with your peers.\n", "summary" : "In addition to specific Maturity Models sessions, a large number of OWASP SAMM Working-Sessions will occur at the Summit.\nThe SAMM Summit is not a regular conference with speaking slots, but a summit where the participants work together in a 5-day sprint on SAMMv2. If you are interested in contributing to this, you are most welcome (knowledge of SAMM or other secure development methodology experience is a prerequisite).\nThis is an excellent opportunity to influence the direction of SAMM and exchange experiences with your peers.", "title" : "OWASP SAMM", "track" : null, "type" : "track", "word_count" : 85, "params" : {"categories":["OWASP SAMM"],"description":"SAMM team working together in a 5-day sprint on SAMMv2","draft":false,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Sebastien Deleersnyder","Bart De Win"],"owasp-project":true,"session_slack":"https://os-summit.slack.com/messages/CAVHR0UN9","title":"OWASP SAMM","type":"track","when_day":"Tue,Wed,Thu"} } , { "id" : "a177d367e123777dc215a2bde88ae5f2", "file_path" : "tracks/OWASP-SAMM/user-sessions/OWASP-SAMM-tooling.md", "last_modified" : "2019-04-11T11:02:20-03:00", "link" : "/tracks/owasp-samm/user-sessions/owasp-samm-tooling/", "content_plain" : "", "summary" : "", "title" : "OWASP SAMM Tooling", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 0, "params" : {"categories":null,"description":"Practical session on using the OWASP Maturity Model tool","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-04-11T11:02:20-03:00","organizers":["Sebastien 
Deleersnyder"],"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"OWASP SAMM Tooling","topics":null,"track":"OWASP SAMM","type":"working-session","when_day":"Thu","when_time":"PM-1"} } , { "id" : "c14f151f805b13c2165c85a3ac6625ee", "file_path" : "tracks/OWASP-SAMM/user-sessions/SAMM-Best-Practices.md", "last_modified" : "2019-01-14T19:08:06Z", "link" : "/tracks/owasp-samm/user-sessions/samm-best-practices/", "content_plain" : "Sharing best practices on how to get the most out of Owasp SAMM\n", "summary" : "Sharing best practices on how to get the most out of Owasp SAMM", "title" : "SAMM - Best Practices", "track" : "OWASP SAMM", "type" : "user-session", "word_count" : 13, "params" : {"categories":null,"description":"User session on how to use Owasp SAMM","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-01-14T19:08:06Z","locked":true,"organizers":["Sebastien Deleersnyder"],"owasp-project":true,"participants":null,"room_id":"room-2","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CB04KLJ5P","status":"review-content","technology":null,"title":"SAMM - Best Practices","track":"OWASP SAMM","type":"user-session","when_day":"Mon","when_time":"PM-2"} } , { "id" : "c6ace543708819675b1fe0a204ea779b", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM2-DevOps.md", "last_modified" : "2019-04-10T21:17:32+02:00", "link" : "/tracks/owasp-samm/working-sessions/samm2-devops/", "content_plain" : "Go deep in the DevOps SAMM guidance \u0026hellip;\n", "summary" : "Go deep in the DevOps SAMM guidance \u0026hellip;", "title" : "SAMM DevOps Guidance", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 8, "params" : {"categories":null,"description":"Explain the SAMM DevOps guidance","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-04-10T21:17:32+02:00","locked":true,"organizers":["Sebastien 
Deleersnyder"],"participants":null,"room_id":"villa-1","session_slack":"https://os-summit.slack.com/messages/CAWERMEEB","status":"review-content","technology":null,"title":"SAMM DevOps Guidance","track":"OWASP SAMM","type":"working-session","when_day":"Mon","when_time":"Eve-1"} } , { "id" : "afa6a57fccf06f67d6c0959867df18e0", "file_path" : "tracks/OWASP-SAMM/user-sessions/SAMM-introduction.md", "last_modified" : "2019-01-14T19:08:06Z", "link" : "/tracks/owasp-samm/user-sessions/samm-introduction/", "content_plain" : "Crash course on SAMM as project and overview of the content/actions so far\n", "summary" : "Crash course on SAMM as project and overview of the content/actions so far", "title" : "SAMM Introduction", "track" : "OWASP SAMM", "type" : "user-session", "word_count" : 13, "params" : {"categories":null,"description":"Introduction session on SAMM for people who want to know more about the project","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-01-14T19:08:06Z","locked":true,"organizers":["Sebastien Deleersnyder"],"participants":null,"room_id":"room-2","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUTD195F","status":"review-content","technology":null,"title":"SAMM Introduction","track":"OWASP SAMM","type":"user-session","when_day":"Mon","when_time":"PM-1"} } , { "id" : "eb257529bea922075a16eb9b1f427d4d", "file_path" : "tracks/OWASP-SAMM/user-sessions/SAMM-Roundtable.md", "last_modified" : "2019-01-14T19:08:06Z", "link" : "/tracks/owasp-samm/user-sessions/samm-roundtable/", "content_plain" : "SAMM users sharing experiences with each other\n", "summary" : "SAMM users sharing experiences with each other", "title" : "SAMM Round Table", "track" : "OWASP SAMM", "type" : "user-session", "word_count" : 7, "params" : {"categories":null,"description":"Round table session with SAMM users","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-01-14T19:08:06Z","locked":true,"organizers":["Sebastien 
Deleersnyder"],"participants":null,"room_id":"room-2","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAXEB4GR2","status":"review-content","technology":null,"title":"SAMM Round Table","track":"OWASP SAMM","type":"user-session","when_day":"Mon","when_time":"PM-3"} } , { "id" : "62bb3827b07eb80a58948470af0fef89", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM2-Benchmarking.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/owasp-samm/working-sessions/samm2-benchmarking/", "content_plain" : "Define objectives for the SAMM benchmarking project as part of SAMMv2\n", "summary" : "Define objectives for the SAMM benchmarking project as part of SAMMv2", "title" : "SAMM benchmarking", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 11, "params" : {"categories":null,"description":"Define objectives for the SAMM benchmarking project as part of SAMMv2","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Sebastien Deleersnyder"],"participants":null,"room_id":"villa-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWES3Y8P","status":"review-content","technology":null,"title":"SAMM benchmarking","track":"OWASP SAMM","type":"working-session","when_day":"Thu","when_time":"PM-3"} } , { "id" : "ce06178674ba2af0e6f0b8025ea18c50", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM2-Document-Model.md", "last_modified" : "2019-01-14T19:08:06Z", "link" : "/tracks/owasp-samm/working-sessions/samm2-document-model/", "content_plain" : "The aim is to reach a consensus on which elements we need to have in order to be able to describe the document and to arrive at a YAML format.\n", "summary" : "The aim is to reach a consensus on which elements we need to have in order to be able to describe the document and to arrive at a YAML format.", "title" : "SAMMv2 Establish the Document Model", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 
30, "params" : {"categories":null,"description":"Define SAMMv2 document Model","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-01-14T19:08:06Z","locked":true,"organizers":["Sebastien Deleersnyder"],"participants":null,"room_id":"villa-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVDD4NTU","status":"review-content","technology":null,"title":"SAMMv2 Establish the Document Model","track":"OWASP SAMM","type":"working-session","when_day":"Wed","when_time":"PM-3"} } , { "id" : "816c50a62e268abcc1a57c4f4b1775da", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM2-Measurement-Model.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/owasp-samm/working-sessions/samm2-measurement-model/", "content_plain" : " What Discussion about measuring according to coverage vs. quality. How do we want to measure in SAMM 2.0?\n", "summary" : "What Discussion about measuring according to coverage vs. quality. How do we want to measure in SAMM 2.0?", "title" : "SAMMv2 Measurement Model", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 18, "params" : {"categories":null,"description":"Define SAMMv2 measurement model","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","locked":true,"organizers":["Sebastien Deleersnyder"],"participants":["Yan Kravchenko"],"room_id":"villa-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWA8AEMC","status":"review-content","technology":null,"title":"SAMMv2 Measurement Model","track":"OWASP SAMM","type":"working-session","when_day":"Wed","when_time":"PM-2"} } , { "id" : "a0261f27a4464034d13c90f3272a8b46", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM2-Design.md", "last_modified" : "2019-01-14T19:08:06Z", "link" : "/tracks/owasp-samm/working-sessions/samm2-design/", "content_plain" : "One working session per business function. 1) Review the draft business function. 
2) Identify received and on-site feedback (capture as issues). 3) Discuss and resolve the business function issues. 4) Create one Issue per business function with the agreed upon changes to be implemented.\n", "summary" : "One working session per business function. 1) Review the draft business function. 2) Identify received and on-site feedback (capture as issues). 3) Discuss and resolve the business function issues. 4) Create one Issue per business function with the agreed upon changes to be implemented.", "title" : "SAMMv2 working session - Design", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 44, "params" : {"categories":null,"description":"multiple working sessions on the new SAMMv2","draft":false,"featured":false,"iscjklanguage":false,"lastmod":"2019-01-14T19:08:06Z","locked":true,"organizers":["Sebastien Deleersnyder"],"participants":null,"room_id":"villa-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWETV4UF","status":"review-content","technology":null,"title":"SAMMv2 working session - Design","track":"OWASP SAMM","type":"working-session","when_day":"Tue","when_time":"PM-1"} } , { "id" : "905328e64ee0f41ef0f942af18e89840", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM2-Governance.md", "last_modified" : "2019-01-14T19:08:06Z", "link" : "/tracks/owasp-samm/working-sessions/samm2-governance/", "content_plain" : "One working session per business function. 1) Review the draft business function. 2) Identify received and on-site feedback (capture as issues). 3) Discuss and resolve the business function issues. 4) Create one Issue per business function with the agreed upon changes to be implemented.\n", "summary" : "One working session per business function. 1) Review the draft business function. 2) Identify received and on-site feedback (capture as issues). 3) Discuss and resolve the business function issues. 
4) Create one Issue per business function with the agreed upon changes to be implemented.", "title" : "SAMMv2 working session - Governance", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 44, "params" : {"categories":null,"description":"multiple working sessions on the new SAMMv2","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-01-14T19:08:06Z","locked":true,"organizers":["Sebastien Deleersnyder"],"participants":["Yan Kravchenko","Mark-David McLaughlin"],"room_id":"villa-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMMv2 working session - Governance","track":"OWASP SAMM","type":"working-session","when_day":"Tue","when_time":"AM-1"} } , { "id" : "239ec95fc813a7bf9b93eb9a2e1b10c6", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM2-Implementation.md", "last_modified" : "2019-01-14T19:08:06Z", "link" : "/tracks/owasp-samm/working-sessions/samm2-implementation/", "content_plain" : "One working session per business function. 1) Review the draft business function. 2) Identify received and on-site feedback (capture as issues). 3) Discuss and resolve the business function issues. 4) Create one Issue per business function with the agreed upon changes to be implemented.\n", "summary" : "One working session per business function. 1) Review the draft business function. 2) Identify received and on-site feedback (capture as issues). 3) Discuss and resolve the business function issues. 
4) Create one Issue per business function with the agreed upon changes to be implemented.", "title" : "SAMMv2 working session - Implementation", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 44, "params" : {"categories":null,"description":"multiple working sessions on the new SAMMv2","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-01-14T19:08:06Z","locked":true,"organizers":null,"participants":null,"room_id":"villa-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWA9CQ14","status":"review-content","technology":null,"title":"SAMMv2 working session - Implementation","track":"OWASP SAMM","type":"working-session","when_day":"Tue","when_time":"PM-2"} } , { "id" : "1213c7d8e6a66aa088e342243cd34850", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM2-Operations.md", "last_modified" : "2019-04-10T21:18:19+02:00", "link" : "/tracks/owasp-samm/working-sessions/samm2-operations/", "content_plain" : "One working session per business function. 1) Review the draft business function. 2) Identify received and on-site feedback (capture as issues). 3) Discuss and resolve the business function issues. 4) Create one Issue per business function with the agreed upon changes to be implemented.\n", "summary" : "One working session per business function. 1) Review the draft business function. 2) Identify received and on-site feedback (capture as issues). 3) Discuss and resolve the business function issues. 
4) Create one Issue per business function with the agreed upon changes to be implemented.", "title" : "SAMMv2 working session - Operations", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 44, "params" : {"categories":null,"description":"multiple working sessions on the new SAMMv2","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-04-10T21:18:19+02:00","locked":true,"organizers":null,"participants":null,"room_id":"villa-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWA9CQ14","status":"review-content","technology":null,"title":"SAMMv2 working session - Operations","track":"OWASP SAMM","type":"working-session","when_day":"Tue","when_time":"Eve-1"} } , { "id" : "ad8c9808a711db8bf07b79340e7deb01", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM2-Verification.md", "last_modified" : "2019-04-10T21:15:15+02:00", "link" : "/tracks/owasp-samm/working-sessions/samm2-verification/", "content_plain" : "One working session per business function. 1) Review the draft business function. 2) Identify received and on-site feedback (capture as issues). 3) Discuss and resolve the business function issues. 4) Create one Issue per business function with the agreed upon changes to be implemented.\n", "summary" : "One working session per business function. 1) Review the draft business function. 2) Identify received and on-site feedback (capture as issues). 3) Discuss and resolve the business function issues. 
4) Create one Issue per business function with the agreed upon changes to be implemented.", "title" : "SAMMv2 working session - Verification", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 44, "params" : {"categories":null,"description":"multiple working sessions on the new SAMMv2","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-04-10T21:15:15+02:00","locked":true,"organizers":null,"participants":null,"room_id":"villa-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWA9CQ14","status":"review-content","technology":null,"title":"SAMMv2 working session - Verification","track":"OWASP SAMM","type":"working-session","when_day":"Tue","when_time":"PM-3"} } , { "id" : "4cc7734d8a1849df544c0a8e5d9e00dd", "file_path" : "tracks/OWASP-ZAP/_index.md", "last_modified" : "2019-04-11T09:59:10+02:00", "link" : "/tracks/owasp-zap/", "content_plain" : "The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.\nhttps://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project\n", "summary" : "The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. 
Its also a great tool for experienced pentesters to use for manual security testing.\nhttps://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project", "title" : "OWASP ZAP", "track" : null, "type" : "track", "word_count" : 60, "params" : {"categories":null,"description":"ZAP team working together in a 2-day sprint on-site and remote","draft":false,"iscjklanguage":false,"lastmod":"2019-04-11T09:59:10+02:00","organizers":["Simon Bennetts"],"owasp-project":true,"session_slack":null,"title":"OWASP ZAP","type":"track","when_day":"Tue,Wed"} } , { "id" : "b3e8d911fda9049ce9f3c36ed053cf36", "file_path" : "tracks/OWASP-ZAP/working-sessions/ZAP-session1.md", "last_modified" : "2019-04-12T11:33:35+01:00", "link" : "/tracks/owasp-zap/working-sessions/zap-session1/", "content_plain" : "An interactive working session for people to discuss and learn how best to automate ZAP.\n", "summary" : "An interactive working session for people to discuss and learn how best to automate ZAP.", "title" : "ZAP working session - automation", "track" : "OWASP ZAP", "type" : "working-session", "word_count" : 15, "params" : {"categories":null,"description":"Working session on ZAP automation","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-04-12T11:33:35+01:00","locked":true,"organizers":["Simon Bennetts"],"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"ZAP working session - automation","track":"OWASP ZAP","type":"working-session","when_day":"Tue","when_time":"AM-1"} } , { "id" : "918000647816bca690723e23ae4ae604", "file_path" : "tracks/OWASP-ZAP/working-sessions/ZAP-session3.md", "last_modified" : "2019-04-12T11:33:35+01:00", "link" : "/tracks/owasp-zap/working-sessions/zap-session3/", "content_plain" : "An interactive working session for people to discuss and suggest where ZAP could go in the future.\n", "summary" : "An interactive working session for people to discuss and suggest where ZAP could go 
in the future.", "title" : "ZAP working session - future plans", "track" : "OWASP ZAP", "type" : "working-session", "word_count" : 17, "params" : {"categories":null,"description":"Working sessions on ZAP future plans","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-04-12T11:33:35+01:00","locked":true,"organizers":["Simon Bennetts"],"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"ZAP working session - future plans","track":"OWASP ZAP","type":"working-session","when_day":"Wed","when_time":"AM-1"} } , { "id" : "56e83c0b2fd3461da0152e8c74adca72", "file_path" : "tracks/OWASP-ZAP/working-sessions/ZAP-session2.md", "last_modified" : "2019-04-12T11:33:35+01:00", "link" : "/tracks/owasp-zap/working-sessions/zap-session2/", "content_plain" : "An interactive working session for people to learn about the new ZAP Heads Up Display (HUD) including how it can be used and how it can be extended. It is recommended that attendees who would like to try extending the HUD should have the ZAP HUD repo cloned locally.\n", "summary" : "An interactive working session for people to learn about the new ZAP Heads Up Display (HUD) including how it can be used and how it can be extended. 
It is recommended that attendees who would like to try extending the HUD should have the ZAP HUD repo cloned locally.", "title" : "ZAP working session - the HUD", "track" : "OWASP ZAP", "type" : "working-session", "word_count" : 49, "params" : {"categories":null,"description":"Working session on the ZAP HUD","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-04-12T11:33:35+01:00","locked":true,"organizers":["Simon Bennetts"],"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"ZAP working session - the HUD","track":"OWASP ZAP","type":"working-session","when_day":"Tue","when_time":"PM-1"} } , { "id" : "8a656b1c03a307ef85e8560cdad0d699", "file_path" : "tracks/OWASP-ZAP/user-session/zap-how-to-use-it-session-1.md", "last_modified" : "2019-05-05T16:36:58+01:00", "link" : "/tracks/owasp-zap/user-session/zap-how-to-use-it-session-1/", "content_plain" : "", "summary" : "", "title" : "Zap - How to use it (session 1)", "track" : "OWASP ZAP", "type" : "user-session", "word_count" : 0, "params" : {"description":"User session to help ZAP users","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-05T16:36:58+01:00","organizers":null,"owasp-project":true,"room_id":null,"room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUP27C2C","status":"draft","title":"Zap - How to use it (session 1)","topics":["Owasp Project"],"track":"OWASP ZAP","type":"user-session","when_day":"Mon","when_time":"Eve-1"} } , { "id" : "5753344f8e9b96793e60c64f7916dc6e", "file_path" : "tracks/OWASP-ZAP/user-session/zap-how-to-use-it-session-2.md", "last_modified" : "2019-05-05T16:38:37+01:00", "link" : "/tracks/owasp-zap/user-session/zap-how-to-use-it-session-2/", "content_plain" : "", "summary" : "", "title" : "Zap - How to use it (session 2)", "track" : "OWASP ZAP", "type" : "user-session", "word_count" : 0, "params" : {"description":"User session to help ZAP 
users","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-05T16:38:37+01:00","organizers":null,"owasp-project":true,"room_id":null,"room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUP27C2C","status":"draft","title":"Zap - How to use it (session 2)","topics":["Owasp Project"],"track":"OWASP ZAP","type":"user-session","when_day":"Tue","when_time":"Eve-1"} } , { "id" : "8e872413a2ea77e52485bff35ae62e57", "file_path" : "tracks/OWASP-ZAP/user-session/zap-how-to-use-it-session-3.md", "last_modified" : "2019-05-05T16:36:58+01:00", "link" : "/tracks/owasp-zap/user-session/zap-how-to-use-it-session-3/", "content_plain" : "", "summary" : "", "title" : "Zap - How to use it (session 3)", "track" : "OWASP ZAP", "type" : "user-session", "word_count" : 0, "params" : {"description":"User session to help ZAP users","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-05T16:36:58+01:00","organizers":null,"owasp-project":true,"room_id":null,"room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUP27C2C","status":"draft","title":"Zap - How to use it (session 3)","topics":["Owasp Project"],"track":"OWASP ZAP","type":"user-session","when_day":"Wed","when_time":"Eve-1"} } , { "id" : "5ba449a8c9cdd26d156caf622125dcfe", "file_path" : "tracks/PSD2_GDPR/_index.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/psd2_gdpr/", "content_plain" : "Sessions focusing on the new PSD2 standard and GDPR\n", "summary" : "Sessions focusing on the new PSD2 standard and GDPR", "title" : "PSD2 and GDPR", "track" : null, "type" : "track", "word_count" : 9, "params" : {"description":"Sessions focusing on the new PSD2 standard and GDPR","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Pending"],"owasp-project":false,"session_slack":"https://os-summit.slack.com/messages/CAULHPHU2","title":"PSD2 and GDPR","type":"track","when_day":"Mon"} } , { "id" : 
"a4c04207026899ad31c9d4d4967a6709", "file_path" : "tracks/PSD2_GDPR/user-sessions/ask-me-anything-on-gdpr.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/psd2_gdpr/user-sessions/ask-me-anything-on-gdpr/", "content_plain" : "\u0026lsquo;Ask Me Anything\u0026rsquo; session where tech and non-tech people can ask someone who is from the industry anything relating to GDPR\n", "summary" : "\u0026lsquo;Ask Me Anything\u0026rsquo; session where tech and non-tech people can ask someone who is from the industry anything relating to GDPR", "title" : "Ask me anything (AMA) on GDPR", "track" : "PSD2 and GDPR", "type" : "user-session", "word_count" : 21, "params" : {"categories":null,"description":"Ask all the burning questions you have on GDPR","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Tony Richards"],"participants":null,"room_id":null,"room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAXGQ98RK","status":"review-content","technology":null,"title":"Ask me anything (AMA) on GDPR","track":"PSD2 and GDPR","type":"user-session","when_day":"Tue","when_time":"PM-1"} } , { "id" : "4b7b4044dd6bd80f9b9759a86cb8d2e2", "file_path" : "tracks/PSD2_GDPR/working-sessions/meet-the-ico.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/psd2_gdpr/working-sessions/meet-the-ico/", "content_plain" : "", "summary" : "", "title" : "Meet the ICO", "track" : "PSD2 and GDPR", "type" : "working-session", "word_count" : 0, "params" : {"categories":null,"description":"If you could meet the ICO, what questions would you ask","draft":false,"featured":false,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVH5J485","status":"review-content","technology":null,"title":"Meet the ICO","track":"PSD2 and GDPR","type":"working-session","when_day":"Thu","when_time":"DS-2"} } , 
{ "id" : "0c9aab7dab7364e7457eb0e0356895e4", "file_path" : "tracks/PSD2_GDPR/working-sessions/psd2-security.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/psd2_gdpr/working-sessions/psd2-security/", "content_plain" : "", "summary" : "", "title" : "PSD2 Security", "track" : "PSD2 and GDPR", "type" : "working-session", "word_count" : 0, "params" : {"categories":null,"description":"Security implications of the new PSD2 standard","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"PSD2 Security","track":"PSD2 and GDPR","type":"working-session","when_day":"Thu","when_time":"DS-2"} } , { "id" : "a0af2c84d131e7e4388c17a5c3f87cb4", "file_path" : "tracks/PSD2_GDPR/working-sessions/share-your-polices-and-release-them-under-cc.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/psd2_gdpr/working-sessions/share-your-polices-and-release-them-under-cc/", "content_plain" : "", "summary" : "", "title" : "Share your security polices and release them under CC", "track" : "PSD2 and GDPR", "type" : "working-session", "word_count" : 0, "params" : {"categories":null,"description":"Map out what these are and what is the best way to measure them","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Goher Mohammad"],"participants":["Ante Gulam","Neil Barlow","Kevin Fielder","Wayne Moore","Mark Regensberg","Naushad Saboor"],"room_id":"table-2","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CB0E7KB7E","status":"draft","technology":null,"title":"Share your security polices and release them under CC","topics":["GDPR"],"track":"PSD2 and GDPR","type":"working-session","when_day":"Tue","when_time":"DS-3"} } , { "id" : "e219ff47fa9246461e3429f82a32ab81", "file_path" : 
"tracks/PSD2_GDPR/user-sessions/using-threat-models-for-gdpr.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/psd2_gdpr/user-sessions/using-threat-models-for-gdpr/", "content_plain" : "Hands on user session on how to use Threat Models in GDPR mappings\nThis session will take place in the Photobox villa and not the SAMM villa!!!\nThis is villa 317\n", "summary" : "Hands on user session on how to use Threat Models in GDPR mappings\nThis session will take place in the Photobox villa and not the SAMM villa!!!\nThis is villa 317", "title" : "Using Threat Models for GDPR", "track" : "PSD2 and GDPR", "type" : "working-session", "word_count" : 31, "params" : {"description":"Hands on user session on how to use Threat Models in GDPR mappings","draft":false,"featured":false,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","locked":true,"organizers":null,"participants":null,"room_id":"villa-5","session_slack":"https://os-summit.slack.com/messages/CAVB49FRR","status":"review-content","title":"Using Threat Models for GDPR","topics":["GDPR"],"track":"PSD2 and GDPR","type":"working-session","when_day":"Tue","when_time":"Eve-2"} } , { "id" : "d1a3d73ec59e952d5a015efdcc83a8ff", "file_path" : "tracks/PSD2_GDPR/user-sessions/using-graphs-for-gdpr-mappings.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/psd2_gdpr/user-sessions/using-graphs-for-gdpr-mappings/", "content_plain" : "Create graphs as shown in the https://github.com/pbx-gs/gdpr-patterns project\n", "summary" : "Create graphs as shown in the https://github.com/pbx-gs/gdpr-patterns project", "title" : "Using graphs for GDPR mappings and visualisations", "track" : "PSD2 and GDPR", "type" : "user-session", "word_count" : 8, "params" : {"description":"Hands on sessions of mapping GDPR data to graphs","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Dinis Cruz"],"participants":["Mario Platt","Goher Mohammad","Orid Ahmed","Jim 
Newman"],"room_id":null,"room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWFGK7K9","status":"review-content","title":"Using graphs for GDPR mappings and visualisations","topics":["GDPR"],"track":"PSD2 and GDPR","type":"user-session","when_day":"Thu","when_time":"PM-3"} } , { "id" : "412e08a944b6cbf13811ef8412bf9773", "file_path" : "tracks/Product-Sessions/_index.md", "last_modified" : "2019-05-08T18:09:48+01:00", "link" : "/tracks/product-sessions/", "content_plain" : " These sessions are based around commercial products or services (i.e. not freely available)\nThese sessions are designed to provide an environment to share real-world insights about these products, to learn more about how to use them and to engage directly with the vendor.\nVendors are key players in the Security landscape and these sessions (all happening during the Evening) allow customers and potential customers to interact directly with the knowledgeable vendor\u0026rsquo;s SMEs.\nThis is the only time and place where non-open-source behaviour is allowed inside the Summit environment, and if you (as participant) don\u0026rsquo;t want to hear it, then don\u0026rsquo;t turn up at the villa :)\n", "summary" : "These sessions are based around commercial products or services (i.e. 
not freely available)\nThese sessions are designed to provide an environment to share real-world insights about these products, to learn more about how to use them and to engage directly with the vendor.\nVendors are key players in the Security landscape and these sessions (all happening during the Evening) allow customers and potential customers to interact directly with the knowledgeable vendor\u0026rsquo;s SMEs.", "title" : "Product Sessions", "track" : null, "type" : "track", "word_count" : 106, "params" : {"draft":false,"iscjklanguage":false,"lastmod":"2019-05-08T18:09:48+01:00","title":"Product Sessions","type":"track"} } , { "id" : "563857cc1ff2d5c72c8a78c7ba0a5560", "file_path" : "tracks/Product-Sessions/akamai-understanding-and-meauring-what-it-is-doing.md", "last_modified" : "2019-05-08T18:09:48+01:00", "link" : "/tracks/product-sessions/akamai-understanding-and-meauring-what-it-is-doing/", "content_plain" : "", "summary" : "", "title" : "Akamai - Understanding and measuring what it is doing", "track" : "Product Sessions", "type" : "product-session", "word_count" : 0, "params" : {"categories":null,"description":"","draft":false,"featured":true,"hidden":true,"host_link":null,"host_text":null,"iscjklanguage":false,"lastmod":"2019-05-08T18:09:48+01:00","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"session_type":"public","status":"draft","technology":null,"title":"Akamai - Understanding and measuring what it is doing","track":"Product Sessions","type":"product-session","when_day":null,"when_time":null} } , { "id" : "498620d627a7c1d0ef948f3d0f601c81", "file_path" : "tracks/Product-Sessions/crowdstrike-api-and-workflow-automation.md", "last_modified" : "2019-05-08T18:09:48+01:00", "link" : "/tracks/product-sessions/crowdstrike-api-and-workflow-automation/", "content_plain" : "", "summary" : "", "title" : "Crowdstrike - API and Workflows automation", "track" : "Product Sessions", "type" : "product-session", 
"word_count" : 0, "params" : {"categories":null,"description":"","draft":false,"featured":true,"hidden":true,"host_link":null,"host_text":null,"iscjklanguage":false,"lastmod":"2019-05-08T18:09:48+01:00","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"session_type":"public","status":"draft","technology":null,"title":"Crowdstrike - API and Workflows automation","track":"Product Sessions","type":"product-session","when_day":null,"when_time":null} } , { "id" : "0da516a024a1ec812f563d6194c44629", "file_path" : "tracks/Product-Sessions/darktrace-consuming-apis-using-aws.md", "last_modified" : "2019-05-08T19:28:02+01:00", "link" : "/tracks/product-sessions/darktrace-consuming-apis-using-aws/", "content_plain" : "", "summary" : "", "title" : "Darktrace - Consuming APIs using AWS", "track" : "Product Sessions", "type" : "product-session", "word_count" : 0, "params" : {"categories":null,"description":"","draft":false,"featured":true,"hidden":true,"host_link":null,"host_text":null,"iscjklanguage":false,"lastmod":"2019-05-08T19:28:02+01:00","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"session_type":"public","status":"draft","technology":null,"title":"Darktrace - Consuming APIs using AWS","track":"Product Sessions","type":"product-session","when_day":null,"when_time":null} } , { "id" : "159db02d92d13d2b7f4577e780159812", "file_path" : "tracks/Product-Sessions/jira-automation.md", "last_modified" : "2019-05-08T18:09:48+01:00", "link" : "/tracks/product-sessions/jira-automation/", "content_plain" : "", "summary" : "", "title" : "Jira - Workflows and Automation", "track" : "Product Sessions", "type" : "product-session", "word_count" : 0, "params" : 
{"categories":null,"description":"","draft":false,"featured":true,"hidden":true,"host_link":null,"host_text":null,"iscjklanguage":false,"lastmod":"2019-05-08T18:09:48+01:00","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"session_type":"public","status":"draft","technology":null,"title":"Jira - Workflows and Automation","track":"Product Sessions","type":"product-session","when_day":null,"when_time":null} } , { "id" : "9938859aec4d689fb601d15a03e80dc9", "file_path" : "tracks/Product-Sessions/_template.md", "last_modified" : "2019-05-08T18:09:48+01:00", "link" : "/tracks/product-sessions/_template/", "content_plain" : "", "summary" : "", "title" : "Product Session Template", "track" : null, "type" : "product-session", "word_count" : 0, "params" : {"categories":null,"description":"","draft":false,"featured":null,"hidden":true,"host_link":null,"host_text":null,"iscjklanguage":false,"lastmod":"2019-05-08T18:09:48+01:00","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"session_type":"public","status":"draft","technology":null,"title":"Product Session Template","track":null,"type":"product-session","when_day":null,"when_time":null} } , { "id" : "863f1f74f27fcb3638c858860366b432", "file_path" : "tracks/Product-Sessions/Slack-creating-security-workflows.md", "last_modified" : "2019-05-08T18:09:48+01:00", "link" : "/tracks/product-sessions/slack-creating-security-workflows/", "content_plain" : "", "summary" : "", "title" : "Slack - Creating Security Workflows", "track" : "Product Sessions", "type" : "product-session", "word_count" : 0, "params" : {"categories":null,"description":"","draft":false,"featured":true,"hidden":true,"host_link":null,"host_text":null,"iscjklanguage":false,"lastmod":"2019-05-08T18:09:48+01:00","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"session_type":"public","status":"draft","technology":null,"title":"Slack - 
Creating Security Workflows","track":"Product Sessions","type":"product-session","when_day":null,"when_time":null} } , { "id" : "f7e7cb98269826243cbe7463241e59da", "file_path" : "tracks/Product-Sessions/symatect-av-apis-automation-and-visulalisation.md", "last_modified" : "2019-05-08T18:09:48+01:00", "link" : "/tracks/product-sessions/symatect-av-apis-automation-and-visulalisation/", "content_plain" : "", "summary" : "", "title" : "Symantec AV - Apis, Automation and Visualisations", "track" : "Product Sessions", "type" : "product-session", "word_count" : 0, "params" : {"categories":null,"description":"","draft":false,"featured":true,"hidden":true,"host_link":null,"host_text":null,"iscjklanguage":false,"lastmod":"2019-05-08T18:09:48+01:00","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"session_type":"public","status":"draft","technology":null,"title":"Symantec AV - Apis, Automation and Visualisations","track":"Product Sessions","type":"product-session","when_day":null,"when_time":null} } , { "id" : "cbad0a3f6063542c0c95192ec9cabf7b", "file_path" : "tracks/Security-Automation/_index.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/security-automation/", "content_plain" : "This track is focused on Automation\n", "summary" : "This track is focused on Automation", "title" : "Security Automation", "track" : null, "type" : "track", "word_count" : 6, "params" : {"description":"Sessions focusing on Automation","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Pending"],"owasp-project":false,"session_slack":"https://os-summit.slack.com/messages/CAULHPHU2","title":"Security Automation","type":"track","when_day":"Tue"} } , { "id" : "5a44ef6376b40da392a85c9b50e5e76e", "file_path" : "tracks/Security-Automation/creating-appsec-metrics-and-visualisation.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : 
"/tracks/security-automation/creating-appsec-metrics-and-visualisation/", "content_plain" : " Why You can\u0026rsquo;t improve what you don\u0026rsquo;t measure. It's important to measure the activities as part of SDL and drive future improvements to the application security program. Metrics show business value to stakeholders and help drive further investments in the program. Metrics also help in figuring out what's working and what's not.\nMetrics used should be meaningful and not there for the sake of just metrics (metric fatigue?).\nWhat The goal of this User Session is to find ways to create meaningful metrics and dashboards for AppSec Professionals like Mean Time To Remediate, Mean Time To Find etc.,\nThis session also examines which metrics are effective and meaningful. What you can do to get started, and the different challenges you might come across.\nContent What is the difference between metrics and measurement. How to get started and different challenges. What are the best practices for using tools like ELK or prometheus? How to visualise the data collected in actionable/meaningful graphs. Learning curve of tools like graphviz, dot format, etc., Outcomes This Working Session will publish:\n A list of meaningful metrics to measure application security program A guide on how to calculate them using open source tools. 
Who The target audience for this Working Session is: - Developers - Security professionals - DevSecOps - Security champions\nReferences https://medium.com/@smnbss/how-we-use-activity-oriented-metrics-6d85c6f9d400 https://www.owasp.org/index.php/CISO_AppSec_Guide:_Metrics_For_Managing_Risks_%26_Application_Security_Investments https://www.owasp.org/images/7/77/Magic_Numbers_-_5_KPIs_for_Measuring_WebAppSec_Program_Success_v3.2.pdf https://www.veracode.com/sites/default/files/Resources/Whitepapers/using-metrics-to-manage-your-application-security-program-sans-veracode.pdf https://www.csoonline.com/article/2123361/metrics-budgets/security-metrics--critical-issues.html ", "summary" : "Why You can\u0026rsquo;t improve what you don\u0026rsquo;t measure. It's important to measure the activities as part of SDL and drive future improvements to the application security program. Metrics show business value to stakeholders and help drive further investments in the program. Metrics also help in figuring out what's working and what's not.\nMetrics used should be meaningful and not there for the sake of just metrics (metric fatigue?).\nWhat The goal of this User Session is to find ways to create meaningful metrics and dashboards for AppSec Professionals like Mean Time To Remediate, Mean Time To Find etc.", "title" : "Creating Appsec metrics and visualisation", "track" : "Security Automation", "type" : "user-session", "word_count" : 220, "params" : {"categories":null,"description":"AppSec Metrics and Visualisation","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Imran Mohammed A"],"participants":["Francois Raynaud","Timo Pagel","Jim Newman"],"room_id":"room-5","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVDU1W4S","status":"done","technology":null,"title":"Creating Appsec metrics and visualisation","topics":["Visualisation"],"track":"Security 
Automation","type":"user-session","when_day":"Wed","when_time":"PM-1"} } , { "id" : "7e5a42d870d83031e6a0b77ae0d43053", "file_path" : "tracks/Security-Automation/dealing-with-security-findings.md", "last_modified" : "2019-05-21T11:39:39+01:00", "link" : "/tracks/security-automation/dealing-with-security-findings/", "content_plain" : " Security testing is vital to validate the correct implementation of controls and that security requirements are met. To scale security testing to often hundreds of different software products, many organisations now implement automated tools to scale security testing practices. In this hands-on working session we\u0026rsquo;ll learn how to build a working DevSecOps POC and, more importantly, how to deal with the myriad of security findings it generates.\nWhy Thanks to the proliferation of automated security scanning tools we are generating a phenomenal amount of security findings. As part of this session we tackle the following goals.\n Increase Visibility - Can\u0026rsquo;t secure what you don\u0026rsquo;t see. Why it is important to test early in the SDL and map tests to QA business flows. Define Accountability - Creating a feedback loop with your Devs. Why it is important to flag findings to their respective owners and incorporate Devs' feedback into testing policies. Improve Noise Removal - Accuracy drives credibility. Devs are more likely to triage and action reputable findings, starting with tighter scan policies. Achieve Scalability - Running tools and managing processes manually is not an option when dealing with hundreds of products. How to scale generation, collection and triaging of security findings. What Explore the automated testing workflow, participants will be encouraged to take part and share their experience. What selection of tools and test types should be used to generate security findings as part of a DevSecOps program. 
Recommended security testing approaches for: \u0026ndash; Frontend vs backend applications \u0026ndash; Static vs runtime Why it is important to have a single source of truth for multiple testing tools AppSec testing integration with QA - user stories vs abuse cases and how to leverage QA processes to drive ZAP. Integration with Jira - how to raise and populate SEC type tickets and track their lifecycle. Continuous improvement - how to tune security policies as a result of the triage process Outcomes Build and run a working DevSecOps POC lab from open source tools Define ruleset for programmatic removal of noise (e.g. duplicates, fixes in progress and easy to spot false positives) Learn how to adapt/hack OSS tools like ZAP and Defect Dojo for enterprise level automation. Define roles and responsibilities for an appsec pipeline based on common industry roles (QA, Del Svcs, Engineering etc.) Create CD scripts to automate generation, collection and allocation of findings. Generation of: \u0026ndash; ZAP scan policies, contexts and ZEST scripts \u0026ndash; SAST SonarQube quality profiles \u0026ndash; Dependency Check Configuration \u0026ndash; Defect Dojo/Jira integration Scripts \u0026ndash; Jenkins groovy scripts to tie it all together .. Who The target audience for this Working Session is:\n Developers Security professionals DevOps / DevSecOps Security champions AppSec leaders Working materials Here are the current materials for this session:\n The Security Development Lifecycle SDL in Practice Defect Dojo OWASP ZAP Dependency Check Selenium Previous Summit Working Session ", "summary" : "Security testing is vital to validate the correct implementation of controls and that security requirements are met. To scale security testing to often hundreds of different software products, many organisations now implement automated tools to scale security testing practices. 
In this hands-on working session we\u0026rsquo;ll learn how to build a working DevSecOps POC and, more importantly, how to deal with the myriad of security findings it generates.\nWhy Thanks to the proliferation of automated security scanning tools we are generating a phenomenal amount of security findings.", "title" : "Dealing with DevSecOps Findings", "track" : "Security Automation", "type" : "working-session", "word_count" : 468, "params" : {"categories":null,"description":"How to deal with the security findings in an appsec pipeline and drive continuous improvement of the testing policies","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-21T11:39:39+01:00","organizers":"Claudio Camerino, Francisco Novo, Rafael Jimenez","participants":null,"room_id":"room-5","room_layout":null,"session_slack":null,"status":"review-content","technology":"Dependency Check, FindSecBugs, ZAP, Jenkins, Defect Dojo, Selenium, Jira, Juice Shop","title":"Dealing with DevSecOps Findings","topics":["SDL"],"track":"Security Automation","type":"working-session","when_day":"Tue","when_time":"PM-1,PM-2"} } , { "id" : "666a21d7eacb8ebaf06a114c5e8cd305", "file_path" : "tracks/Security-Automation/integrating-security-tools-in-the-sdl.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/security-automation/integrating-security-tools-in-the-sdl/", "content_plain" : " Most of today´s application security problems can be traced to flaws in the code. 
It does not matter whether security issues affect operating system components, client applications, web applications, or other systems, most well-known vulnerabilities are caused by coding errors and implementation issues.\nThe question here is why so many bugs and coding errors continue to cause major security issues when we have had years to deal with these and other common vulnerabilities that are still found in applications today.\nWhy The best way to make security ‘just happen’ is to integrate it within the normal SDL (Software Development Lifecycle) practices. Security teams can focus on confidentiality and integrity of data which often requires development teams to slow down and assess code differently. Similarly, businesses want developers to write and revise code faster than ever, which often results in the developers focusing on what works best instead of on what is secure.\nWhat How Microsoft adapted its SDLC after a large number of vulnerabilities was found between 1999 and 2003? SDLC in Agile? Policies and Procedures (SANSA by SANS) Bringing it all together Outcomes The goal of this Working Session is to\n Identify common areas where security and development can work together to make improvements. Document identified areas like culture, automation, measurement and sharing in OWASP wiki page. Who The target audience for this Working Session is:\n Developers Security professionals DevSecOps Security champions Working materials Here are the current \u0026lsquo;work in progress\u0026rsquo; materials for this session (please add as much information as possible before the sessions):\n The Security Development Lifecycle SDL in Practice Previous Summit Working Session https://owaspsummit.org/Working-Sessions/DevSecOps/Integrating-Security-Tools-in-SDL.html\n", "summary" : "Most of today´s application security problems can be traced to flaws in the code. 
It does not matter whether security issues affect operating system components, client applications, web applications, or other systems, most well-known vulnerabilities are caused by coding errors and implementation issues.\nThe question here is why so many bugs and coding errors continue to cause major security issues when we have had years to deal with these and other common vulnerabilities that are still found in applications today.", "title" : "Integrating Security Tools in the SDL", "track" : "Security Automation", "type" : "working-session", "word_count" : 268, "params" : {"categories":null,"description":"Integrate security tools as part of CI/CD pipeline to find/fix issues early in SDL","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":"Imran Mohammed A","participants":"Francois Raynaud","room_id":"room-5","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUSF58HF","status":"review-content","technology":null,"title":"Integrating Security Tools in the SDL","topics":["SDL"],"track":"Security Automation","type":"working-session","when_day":"Thu","when_time":"AM-1, PM-1"} } , { "id" : "21caa97a7dd0bd9c9532fa5113409186", "file_path" : "tracks/Security-Automation/appsec-soc-monitoring-visualisation.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/security-automation/appsec-soc-monitoring-visualisation/", "content_plain" : " Why Capturing logs and visualising them in a SOC (Security Operation Center) is a key activity in the asymmetric arms race against malicious actors and bugs.\nIn addition to providing high-value actionable information, a good SOC will provide a wealth of valuable metrics and visualisations for the business, from user activities and behaviour to system performance.\nThe Working Session will assess the role, the work, and the importance of a SOC within a business.\nWhat What are the key technical and operational components of SOCs? 
Map examples of SOC implementations (people, processes and technologies) What are the best practices for capturing logs and feeding them into central locations? What is the business case for a larger SOC which is sponsored by another business unit (i.e. not just Security)? What are the best practices for using tools like ELK or Splunk? How to secure SOCs data and infrastructure How to visualise the data collected in actionable/meaningful graphs How to use Machine Learning and AI to improve data capture and analysis How to use Business Intelligence Techniques and Big Data tools to improve analysis and visualisations Using AppSensor to feed data into SOC and to respond to analysis results Exploring specific security incidents: Malware infection Web Injection attack Account Brute Force attacks Login/activities from non-common locations Business logic exploitation Data extraction How does SOC help with GDPR requirements What to look for - tricks, tips and ideas Outcomes This Working Session will publish a document containing the following:\n List of best practices for capturing logs and feeding them into central locations List of best practices for using tools like ELK or Splunk Guidelines for visualising SOC data collected in actionable/meaningful graphs Tricks, tips and ideas Synopsis and Takeaways List of best practices for capturing logs and feeding them into central locations\nWhat do we put on a list of best practices? 
(discussion)\n Good RegEx tutorials Plug-ins pages links for parsers Syslog integration procedure Read the meta data, process for understanding Feed MISP with threat intelligence information Best Practice list\n Check time synchronisation of NTP servers Evaluate which alerts can be converted into automatic or manual actions Send your CI / CD information to the SOC Guidelines for visualising SOC data collected in actionable/meaningful graphs\n Correlation of events Out of bounds activities Main DC KPPI Availability monitoring False positive feedback and deeper understanding From Dev perspective, false positives cause delays, visualising them makes them easier to filter Modify test/ alerts for improvement Provide feedback for not-fixed alerts Add some risk management accept, mitigate, or transfer Generate and maintain a baseline Detect anomalies Who The target audience for this Working Session is:\n SOC and Network Operations teams InfoSec and AppSec professionals Business analysts CISOs Previous Summit Working Session https://owaspsummit.org/Working-Sessions/DevSecOps/AppSec-SoC-Monitoring-Visualisation.html\n", "summary" : "Why Capturing logs and visualising them in a SOC (Security Operation Center) is a key activity in the asymmetric arms race against malicious actors and bugs.\nIn addition to providing high-value actionable information, a good SOC will provide a wealth of valuable metrics and visualisations for the business, from user activities and behaviour to system performance.\nThe Working Session will assess the role, the work, and the importance of a SOC within a business.", "title" : "SOC Monitoring Visualisation", "track" : "Security Automation", "type" : "working-session", "word_count" : 455, "params" : {"categories":null,"description":"AppSec SOC Monitoring Visualisation","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":"Madhu Akula","participants":["Francois Raynaud","Orid 
Ahmed"],"room_id":"room-5","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUAJ8GQH","status":"review-content","technology":null,"title":"SOC Monitoring Visualisation","topics":["Visualisation"],"track":"Security Automation","type":"working-session","when_day":"Wed","when_time":"PM-2"} } , { "id" : "c73628ccd202e29d9ac9f0596e76daaa", "file_path" : "tracks/Serverless/_index.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/serverless/", "content_plain" : "This track is focused on Serverless Security\n", "summary" : "This track is focused on Serverless Security", "title" : "Serverless", "track" : null, "type" : "track", "word_count" : 7, "params" : {"description":"Sessions focusing on Serverless Security","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Pending"],"owasp-project":false,"session_slack":"https://os-summit.slack.com/messages/CAUNNK1S4","title":"Serverless","type":"track","when_day":"Mon,Tue"} } , { "id" : "f92f39f29ab153f1b4a594ff409b8687", "file_path" : "tracks/Serverless/azure-serverless-for-security-analysis.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/serverless/azure-serverless-for-security-analysis/", "content_plain" : "", "summary" : "", "title" : "Azure Serverless for security", "track" : "Serverless", "type" : "working-session", "word_count" : 0, "params" : {"categories":null,"description":"","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Azure Serverless for security","track":"Serverless","type":"working-session","when_day":"Thu","when_time":"DS-2"} } , { "id" : "8dc6f087adc96c5e9b272fc2e768f305", "file_path" : "tracks/Serverless/gcp-serverless-for-security-analysis.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : 
"/tracks/serverless/gcp-serverless-for-security-analysis/", "content_plain" : "", "summary" : "", "title" : "GCP Serverless for security", "track" : "Serverless", "type" : "working-session", "word_count" : 0, "params" : {"categories":null,"description":"","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"GCP Serverless for security","track":"Serverless","type":"working-session","when_day":"Thu","when_time":"DS-2"} } , { "id" : "9a980e7cde5a5ccb62000b0d5807f244", "file_path" : "tracks/Serverless/securing-serverless-applications.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/serverless/securing-serverless-applications/", "content_plain" : "", "summary" : "", "title" : "Securing Serverless applications", "track" : "Serverless", "type" : "working-session", "word_count" : 0, "params" : {"categories":null,"description":"","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Securing Serverless applications","track":"Serverless","type":"working-session","when_day":"Thu","when_time":"DS-2"} } , { "id" : "9b807381ecba401e9e10bd840907bc8a", "file_path" : "tracks/Serverless/using-lambda-to-scale-security-teams.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/serverless/using-lambda-to-scale-security-teams/", "content_plain" : "", "summary" : "", "title" : "Using Lambda functions to scale security teams", "track" : "Serverless", "type" : "working-session", "word_count" : 0, "params" : 
{"categories":null,"description":"","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Using Lambda functions to scale security teams","track":"Serverless","type":"working-session","when_day":"Thu","when_time":"DS-2"} } , { "id" : "bc099d8b73627d07f15c514b78bd4bd2", "file_path" : "tracks/Threat-modelling/_index.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/threat-modelling/", "content_plain" : "This track is focused on Threat modelling\n", "summary" : "This track is focused on Threat modelling", "title" : "Threat Model", "track" : null, "type" : "track", "word_count" : 7, "params" : {"description":"Sessions focusing on Threat modelling","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","organizers":["Pending"],"owasp-project":false,"session_slack":"https://os-summit.slack.com/messages/CAUNNK1S4","title":"Threat Model","type":"track","when_day":"Wed,Thu"} } , { "id" : "f8322a9b2847c819878c6221e444aece", "file_path" : "tracks/Threat-modelling/working-sessions/TM-threat-library.md", "last_modified" : "2019-02-25T22:37:58Z", "link" : "/tracks/threat-modelling/working-sessions/tm-threat-library/", "content_plain" : " WHY When creating a threat model there are a variety of techniques that we use to define the threats. A threat library (threat catalogue) helps identify threats that can be applied to the model. There is a beginning made with the OWASP Cloud Security, but that is focussed on just cloud.\nWhat Create a threat library.\nOutcomes A Threat Modeling library\nReferences OWASP Cloud Security\n", "summary" : "WHY When creating a threat model there are a variety of techniques that we use to define the threats. A threat library (threat catalogue) helps identify threats that can be applied to the model. 
There is a beginning made with the OWASP Cloud Security, but that is focussed on just cloud.\nWhat Create a threat library.\nOutcomes A Threat Modeling library\nReferences OWASP Cloud Security", "title" : "Creating a Threat Library", "track" : null, "type" : "working-session", "word_count" : 65, "params" : {"categories":null,"description":"Threat Library Working Session","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-02-25T22:37:58Z","organizers":["Steven van der Baan"],"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"draft","technology":"Threat Model","title":"Creating a Threat Library","type":"working-session","when_day":null,"when_time":null} } , { "id" : "9aecce3009ebff13c645ef0ad8314eea", "file_path" : "tracks/Threat-modelling/working-sessions/Implementing-tm-in-agile-organisations.md", "last_modified" : "2019-04-24T10:30:38+02:00", "link" : "/tracks/threat-modelling/working-sessions/implementing-tm-in-agile-organisations/", "content_plain" : " WHY Many organisations are struggling to fit threat modeling to their agile way of working.\nWhat We will describe one or more ways to implement the different building blocks of threat modeling in the different actions of SCRUM and Kanban. What \u0026ldquo;deliverables\u0026rdquo; make sense in agile? For example, when during the SCRUM process would you update the model of what\u0026rsquo;s being worked on? When do you discover new threats? Who will perform what actions to get all of this done?\nOutcomes Describe a typical SCRUM and Kanban process and show where threat model related building blocks fit. 
Describe why the specific action is done during that specific phase of the agile methodology.\nReferences https://owaspsummit.org/Working-Sessions/Threat-Model/Lightweight-Threat-Modeling-Process.html\n", "summary" : "WHY Many organisations are struggling to fit threat modeling to their agile way of working.\nWhat We will describe one of more ways to implement the different building blocks of threat modeling in the different actions of SCRUM and Kanban. What \u0026ldquo;deliverables\u0026rdquo; make sense in agile? For example, when during the SCRUM process would you update the model of what\u0026rsquo;s being worked on? When do you discover new threats? Who will perform what actions to get all of this done?", "title" : "Describe different ways of implementing TM in agile organisations", "track" : "Threat Model", "type" : "working-session", "word_count" : 114, "params" : {"categories":null,"description":"","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-04-24T10:30:38+02:00","locked":true,"organizers":["Steven Wierckx"],"participants":null,"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAV9Y0B43","status":"done","technology":null,"title":"Describe different ways of implementing TM in agile organisations","track":"Threat Model","type":"working-session","when_day":"Wed","when_time":"PM-1"} } , { "id" : "919393add1865824db6476df06991d33", "file_path" : "tracks/Threat-modelling/working-sessions/TM-FAQ.md", "last_modified" : "2019-03-26T09:12:11+01:00", "link" : "/tracks/threat-modelling/working-sessions/tm-faq/", "content_plain" : " Why We all love the threat model slack channel. There is a lot of useful information being presented. We need to somehow persist that in a more searchable format, preferably on the OWASP TM wiki pages.\nWhat How are we going to persist this data? Who is going to reduce the backlog? 
Outcomes A description on how the data from Slack can be persisted in the form of a series of FAQ.\n", "summary" : "Why We all love the threat model slack channel. There is a lot of useful information being presented. We need to somehow persist that in a more searchable format, preferably on the OWASP TM wiki pages.\nWhat How are we going to persist this data? Who is going to reduce the backlog? Outcomes A description on how the data from Slack can be persisted in the form of a series of FAQ.", "title" : "How do we persist the information from the TM Slack channel?", "track" : "Threat Model", "type" : "working-session", "word_count" : 72, "params" : {"categories":null,"description":"How do we persist the information from the TM Slack channel?","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-03-26T09:12:11+01:00","locked":true,"organizers":["Steven Wierckx"],"participants":null,"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVPAADAA","status":"review-content","technology":null,"title":"How do we persist the information from the TM Slack channel?","topics":null,"track":"Threat Model","type":"working-session","when_day":"Wed","when_time":"PM-1"} } , { "id" : "1aacdd7d8d54d9501f8cf631041a3491", "file_path" : "tracks/Threat-modelling/working-sessions/TM-scale-threat-modeling.md", "last_modified" : "2019-05-17T12:43:23+01:00", "link" : "/tracks/threat-modelling/working-sessions/tm-scale-threat-modeling/", "content_plain" : " Why Manual threat modeling is typically a workshop exercise done with a whiteboard and is led by a member of the security team and some key members of the developer (and sometimes operations) team.\nOrganizations face three main challenges integrating Threat Modeling activities in the SDLC: - The ratio of developers to security is 100:1. Security can be a bottleneck. - Continuous delivery is part of the Agile recipe. Security can be a bottleneck for each sprint. 
- Microservice architecture has grown in popularity in recent years. The number of potential Apps that require Threat Modeling activities grows exponentially. Security can be a bottleneck for many more applications.\nWhat We need a model to get the most of the resources available in terms of risk mitigation. Some of the most popular initiatives to tackle these challenges are: - Create Security Champion programs that help to spread the security mindset to developers and architects. - Create a Self-Service Threat Model so that developers can create an architecture-based Threat Model to get a set of security requirements before a single line of code was written. - Automation of Security Activities. Depending on the result of this initial threat model more security activities can be automatically triggered. For example: create a more detailed Threat Model if the business risk is high, set an appropriate pipeline for security testing activities (SAST, SAST+DAST, SAST+DAST+Pentesting\u0026hellip;).\nOpen discussion: What other initiatives are you using in your companies to tackle these challenges? How could we scale the Threat Modeling activity? How could we do the follow up of thousands of Threat Models with a reduced team?\nOutcomes This Working Session will publish a document (white paper) gathering the conclusions.\n", "summary" : "Why Manual threat modeling is typically a workshop exercise done with a whiteboard and is led by a member of the security team and some key members of the developer (and sometimes operations) team.\nOrganizations face three main challenges integrating Threat Modeling activities in the SDLC: - The ratio of developers to security is 100:1. Security can be a bottleneck. - Continuous delivery is part of the Agile recipe. 
Security can be a bottleneck for each sprint.", "title" : "How to scale Threat Modeling.", "track" : "Threat Model", "type" : "working-session", "word_count" : 281, "params" : {"categories":null,"description":"How to scale Threat Modeling","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-17T12:43:23+01:00","locked":true,"organizers":["Steven Wierckx"],"participants":["Manish Saindane","Adam Shostack","Orid Ahmed","Irene Michlin"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUMZ7NQY","status":"review-content","technology":null,"title":"How to scale Threat Modeling.","track":"Threat Model","type":"working-session","when_day":"Thu","when_time":"PM-2"} } , { "id" : "c3304639ffab2470df7448d66851adc0", "file_path" : "tracks/Threat-modelling/working-sessions/TM-LINDUNN.md", "last_modified" : "2019-04-29T10:19:26-03:00", "link" : "/tracks/threat-modelling/working-sessions/tm-lindunn/", "content_plain" : " Why Privacy by design is important; it is even required by EU data protection legislation. It however goes beyond the quick fixes that are typically associated with it (e.g. consent for newsletters) and requires a thorough analysis upfront of potential privacy issues in the system. LINDDUN privacy threat modeling can aid the analyst in this process to systematically elicit and mitigate privacy threats in software architectures.\nWhat This session will be twofold. First, we will highlight the differences between privacy and security threat modeling, introduce privacy properties and provide an overview of the LINDDUN threat modeling framework. Second, we will dive into the ongoing LINDDUN privacy threat modeling research, including the lightweight application of LINDDUN.\nOutcomes Input for a lightweight application of privacy threat modeling\n", "summary" : "Why Privacy by design is important; it is even required by EU data protection legislation. 
It however goes beyond the quick fixes that are typically associated with it (e.g. consent for newsletters) and requires a thorough analysis upfront of potential privacy issues in the system. LINDDUN privacy threat modeling can aid the analyst in this process to systematically elicit and mitigate privacy threats in software architectures.\nWhat This session will be twofold.", "title" : "Lightweight privacy threat modeling using LINDDUN", "track" : "Threat Model", "type" : "working-session", "word_count" : 125, "params" : {"categories":null,"description":"Lightweight privacy threat modeling using LINDDUN","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-04-29T10:19:26-03:00","locked":true,"organizers":["Steven Wierckx","Kim Wuyts"],"participants":null,"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVPAADAA","status":"review-content","technology":null,"title":"Lightweight privacy threat modeling using LINDDUN","topics":null,"track":"Threat Model","type":"working-session","when_day":"Mon","when_time":"PM-2"} } , { "id" : "9e9ef0fe75030f93a4da6fd74a3d7add", "file_path" : "tracks/Threat-modelling/working-sessions/TM-open-session.md", "last_modified" : "2019-03-26T09:26:18+01:00", "link" : "/tracks/threat-modelling/working-sessions/tm-open-session/", "content_plain" : " WHY This is your summit! Whatever it is you want to work on, we will do. We decide at the beginning of the session what the topic will be and work on that.\nWhat Bring a good idea and get things done :-)\nOutcomes A description of the topic and the work done as well as the next steps.\n", "summary" : "WHY This is your summit! Whatever it is you want to work on, we will do. 
We decide at the beginning of the session what the topic will be and work on that.\nWhat Bring a good idea and get things done :-)\nOutcomes A description of the topic and the work done as well as the next steps.", "title" : "Open Session", "track" : "Threat Model", "type" : "working-session", "word_count" : 59, "params" : {"categories":null,"description":"Threat Modeling Open Working Session","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-03-26T09:26:18+01:00","locked":true,"organizers":["Steven Wierckx"],"participants":null,"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUSLQKRQ","status":"done","technology":null,"title":"Open Session","track":"Threat Model","type":"working-session","when_day":"Mon","when_time":"PM-2"} } , { "id" : "336824e894032abc045dc8dee5169779", "file_path" : "tracks/Threat-modelling/working-sessionsTM-run-over.md", "last_modified" : "2019-04-24T10:34:38+02:00", "link" : "/tracks/threat-modelling/working-sessionstm-run-over/", "content_plain" : " WHY This is your summit! Whatever it is you want to work on, we will do. We decide at the beginning of the session what the topic will be and work on that. This session is meant to go deeper into one of the sessions from Monday.\nThis will either be the TM SDL or the lightweight privacy threat modeling. This session is scheduled so that the organisers and main participants of these two sessions are present.\nWhat Bring a good idea and get things done :-) We will vote at the beginning of the session on which topic we will work.\nOutcomes A description of the topic and the work done as well as the next steps.\n", "summary" : "WHY This is your summit! Whatever it is you want to work on, we will do. We decide at the beginning of the session what the topic will be and work on that. This session is meant to go deeper into one of the sessions from Monday.\nThis will either be the TM SDL or the lightweight privacy threat modeling. 
This session is scheduled so that the organisers and main participants of these two sessions are present.", "title" : "Open Session - Run over session", "track" : "Threat Model", "type" : "working-session", "word_count" : 118, "params" : {"categories":null,"description":"Threat Modeling Open Working Session","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-04-24T10:34:38+02:00","locked":true,"organizers":["Steven Wierckx"],"participants":null,"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUSLQKRQ","status":"done","technology":null,"title":"Open Session - Run over session","track":"Threat Model","type":"working-session","when_day":"Tue","when_time":"AM-1"} } , { "id" : "250319c80a06d83e64969505a620aa86", "file_path" : "tracks/Threat-modelling/working-sessions/TM-share-your-threat-models-diagrams-and-create-a-book.md", "last_modified" : "2019-02-04T18:27:30Z", "link" : "/tracks/threat-modelling/working-sessions/tm-share-your-threat-models-diagrams-and-create-a-book/", "content_plain" : "Discuss the possibility and usefulness of combining all knowledge captured on the website into a book somewhat similar to the testing guide.\n", "summary" : "Discuss the possibility and usefulness of combining all knowledge captured on the website into a book somewhat similar to the testing guide.", "title" : "Share your Threat Models diagrams and create a Book", "track" : "Threat Model", "type" : "working-session", "word_count" : 22, "params" : {"description":"","draft":false,"featured":false,"iscjklanguage":false,"lastmod":"2019-02-04T18:27:30Z","locked":true,"organizers":["Steven Wierckx"],"participants":["Adam Shostack"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CB1HM2B7Y","status":"done","title":"Share your Threat Models diagrams and create a Book","topics":null,"track":"Threat Model","type":"working-session","when_day":"Fri","when_time":"PM-1"} } , { "id" : 
"a0fa0720327fcf891270409dea23bcc2", "file_path" : "tracks/Threat-modelling/working-sessions/TM-state.md", "last_modified" : "2019-05-17T12:41:12+01:00", "link" : "/tracks/threat-modelling/working-sessions/tm-state/", "content_plain" : " Why What is the current state of threat modeling? Are there any new and exciting things happening? What is needed for the future?\nOutcomes A curated note of the content discussed.\n", "summary" : "Why What is the current state of threat modeling? Are there any new and exciting things happening? What is needed for the future?\nOutcomes A curated note of the content discussed.", "title" : "State and future of threat modeling", "track" : "Threat Model", "type" : "working-session", "word_count" : 31, "params" : {"categories":null,"description":"What is the current state of TM and where do we need to go?","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-17T12:41:12+01:00","locked":true,"organizers":["Steven Wierckx"],"participants":["Irene Michlin"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVPAADAA","status":"review-content","technology":null,"title":"State and future of threat modeling","topics":null,"track":"Threat Model","type":"working-session","when_day":"Thu","when_time":"AM-1"} } , { "id" : "14ed6bc4f0de60e847793f9cbd453907", "file_path" : "tracks/Threat-modelling/working-sessions/TM-SDL.md", "last_modified" : "2019-03-26T20:04:39+01:00", "link" : "/tracks/threat-modelling/working-sessions/tm-sdl/", "content_plain" : " Why We need a unified way to describe threat models so they can be compared, easy to understand and easy to keep up to date.\nWhat Presentation of an SDL to describe threat models What needs to be done? 
Discussion Call to action Outcomes A list of improvements for the SDL.\n", "summary" : "Why We need a unified way to describe threat models so they can be compared, easy to understand and easy to keep up to date.\nWhat Presentation of an SDL to describe threat models What needs to be done? Discussion Call to action Outcomes A list of improvements for the SDL.", "title" : "Towards a unified way of describing threat models", "track" : "Threat Model", "type" : "working-session", "word_count" : 51, "params" : {"categories":null,"description":"A presentation and discussion of a new language to describe a threat model","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-03-26T20:04:39+01:00","locked":true,"organizers":["Steven Wierckx"],"participants":null,"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVPAADAA","status":"review-content","technology":null,"title":"Towards a unified way of describing threat models","topics":null,"track":"Threat Model","type":"working-session","when_day":"Mon","when_time":"PM-1"} } , { "id" : "3bacd17cc74e44ac76f1dd7c69306a55", "file_path" : "tracks/Wardley-Maps/_index.md", "last_modified" : "2019-05-08T18:09:48+01:00", "link" : "/tracks/wardley-maps/", "content_plain" : " Sessions focusing on the use of Wardley Maps in Security.\nFollowing his participation in the 2018 Summit, Simon Wardley will be back :)\nWardley maps videos from 2018 Summit Wardley maps - part 1 of 2 Wardley maps - part 2 of 2 Presentations from 2018 Summit 2018 Outcomes: Create Wardley Maps for multiple security scenarios How how different groups mapped “Making Tea” and “AWS Attack” scenarios\nSee outcomes here\n Wardley Maps: Cell Based structures for Security Crossing the river by feeling the stones Wardley Maps: practical session - 2 hour ", "summary" : "Sessions focusing on the use of Wardley Maps in Security.\nFollowing his participation in the 2018 Summit, Simon Wardley will be back :)\nWardley maps 
videos from 2018 Summit Wardley maps - part 1 of 2 Wardley maps - part 2 of 2 Presentations from 2018 Summit 2018 Outcomes: Create Wardley Maps for multiple security scenarios How how different groups mapped “Making Tea” and “AWS Attack” scenarios", "title" : "Wardley Maps", "track" : null, "type" : "track", "word_count" : 91, "params" : {"description":"Sessions focusing on the use of Wardley Maps in Security","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-08T18:09:48+01:00","organizers":["Pending"],"owasp-project":false,"session_slack":"https://os-summit.slack.com/messages/CAULHPHU2","title":"Wardley Maps","type":"track","when_day":"Mon,Tue,Wed"} } , { "id" : "96e9b46b056feeef6420d948ecd52375", "file_path" : "tracks/Wardley-Maps/working-sessions/cell-based-structures-for-security.md", "last_modified" : "2019-05-08T08:56:32+01:00", "link" : "/tracks/wardley-maps/working-sessions/cell-based-structures-for-security/", "content_plain" : " With the widespread adoption of agile development and more organisations looking to organise themselves along the lines of the Spotify Model (Squads, Tribes, Chapters and Guides), how can security functions within those organisations take advantage of Cell Based Structures to be more responsive to the business needs, while incorporating the aptitudes and attitudes of Pioneers, Settlers and Town Planners to better meet those needs.\nWHY Many of the issues that businesses suffer with, from business alignment to various forms of inertia, to one size fits all to the perils of outsourcing, are a consequence of how we organize ourselves. Most the time we break companies down into silos grouped around type – i.e. type of activity, practice or data. Hence, we have Finance departments, IT departments and Security departments. Each of these silos consist of many activities, all at different stages of evolution. 
It is easy for a single department to adopt a one size fits all technique that invariably creates alignment issues with other groups. “We need Security to be more efficient” will be the chant of one group whilst another declares, “We need Security to be more innovative”. The more silos of this type, the more likely that alignment issues will occur. A more effective approach (used by the Next Generation companies) is to break the organization into cells connected by services. The cell-based approach based around grouping components in small teams resolves the problems of one-size fits all and many alignment issues. An example of this can be found with Amazon’s two-pizza model of working in which no team is bigger than can be fed by two pizzas (12 people). Such cell-based approaches are diffusing but are still infrequent in occurrence. The components continue to evolve and as they do so their characteristics change. Which leads to a question. Even if an organization is broken down into small cells, are the right people involved? A two-pizza approach takes advantage of componentization with each group not only providing components to others but also relying on components provided by others. The components continue to evolve and as they do so their characteristics change. Which leads to a question. 
Even if an organization is broken down into small cells, are the right people involved?\nWhat Cell Based Structures The rules of Cell Based Structures Fitness functions and co-ordination criteria Outcomes Define Security Chapters and the Aptitudes expected Define what is needed to co-ordinate Cell Based Security Organisations Define the Fitness Functions or criteria for security cells Identify the Attitudes of Security professionals across Pioneers, Settlers and Town Planners Who The target audience for this Working Session is: - CISO’s - Security professionals - DevSecOps - Security champions\nReferences Squads, Chapters, Tribes and Guides Simon Wardley – On Structure Notes on organisation - Aptitude and Attitude Pioneers, Settlers and Town Planners Designing for Constant Evolution ", "summary" : "With the widespread adoption of agile development and more organisations looking to organise themselves along the lines of the Spotify Model (Squads, Tribes, Chapters and Guides), how can security functions within those organisations take advantage of Cell Based Structures to be more responsive to the business needs, while incorporating the aptitudes and attitudes of Pioneers, Settlers and Town Planners to better meet those needs.\nWHY Many of the issues that businesses suffer with, from business alignment to various forms of inertia, to one size fits all to the perils of outsourcing, are a consequence of how we organize ourselves.", "title" : "Cell based Structures for Security", "track" : "Wardley Maps", "type" : "working-session", "word_count" : 474, "params" : {"categories":["CISO"],"description":"Spotify compliant organizational model in security domain","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-08T08:56:32+01:00","organizers":["Tony Richards","Simon Wardley"],"participants":["Phil Huggins"],"room_id":"room-3","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVCFHYG2","status":"done","title":"Cell based 
Structures for Security","topics":["Wardley Maps"],"track":"Wardley Maps","type":"working-session","when_day":"Thu","when_time":"PM-1"} } , { "id" : "a9b838aa0b249cedca31278d51887caa", "file_path" : "tracks/Wardley-Maps/training-session/hands-on-wardley-maps-creation.md", "last_modified" : "2019-05-08T08:56:32+01:00", "link" : "/tracks/wardley-maps/training-session/hands-on-wardley-maps-creation/", "content_plain" : "", "summary" : "", "title" : "Hands on Wardley Maps creation (Training Session)", "track" : "Wardley Maps", "type" : "working-session", "word_count" : 0, "params" : {"description":"Want to know more about Wardley maps? This training session will give you hands on experience in creating maps for multiple scenarios","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-08T08:56:32+01:00","organizers":["Tony Richards"],"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"Hands on Wardley Maps creation (Training Session)","topics":null,"track":"Wardley Maps","type":"working-session","when_day":"Mon","when_time":"PM-3"} } , { "id" : "4c723bca712cfd805c44102d458753bf", "file_path" : "tracks/Wardley-Maps/training-session/introduction-to-wardley-maps.md", "last_modified" : "2019-05-08T08:56:32+01:00", "link" : "/tracks/wardley-maps/training-session/introduction-to-wardley-maps/", "content_plain" : "", "summary" : "", "title" : "Introduction to Wardley Maps (Training Session)", "track" : "Wardley Maps", "type" : "working-session", "word_count" : 0, "params" : {"description":"New to Wardley maps? 
This session is for you","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-08T08:56:32+01:00","organizers":["Tony Richards"],"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"Introduction to Wardley Maps (Training Session)","topics":null,"track":"Wardley Maps","type":"working-session","when_day":"Mon","when_time":"PM-1"} } , { "id" : "2e261ce6b087e5e646897ce8d1195a9a", "file_path" : "tracks/Wardley-Maps/working-sessions/Simon-Session-1.md", "last_modified" : "2019-05-08T08:56:32+01:00", "link" : "/tracks/wardley-maps/working-sessions/simon-session-1/", "content_plain" : "", "summary" : "", "title" : "Simon Session 1", "track" : "Wardley Maps", "type" : "working-session", "word_count" : 0, "params" : {"description":"TBD - Session","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-08T08:56:32+01:00","organizers":["Simon Wardley"],"participants":["Phil Huggins"],"room_id":null,"room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"Simon Session 1","topics":null,"track":"Wardley Maps","type":"working-session","when_day":"Wed","when_time":"AM-1"} } , { "id" : "6968217c5ad9c77030f0aaab09c395c9", "file_path" : "tracks/Wardley-Maps/working-sessions/Simon-Session-2.md", "last_modified" : "2019-05-08T08:56:32+01:00", "link" : "/tracks/wardley-maps/working-sessions/simon-session-2/", "content_plain" : "", "summary" : "", "title" : "Simon Session 2", "track" : "Wardley Maps", "type" : "working-session", "word_count" : 0, "params" : {"description":"TBD - Session","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-08T08:56:32+01:00","organizers":["Simon Wardley"],"participants":["Phil Huggins"],"room_id":null,"room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"Simon Session 2","topics":null,"track":"Wardley Maps","type":"working-session","when_day":"Wed","when_time":"PM-1"} } , { "id" : 
"f3462b6570d6eb7d5349091b8eeed837", "file_path" : "tracks/Wardley-Maps/working-sessions/Simon-Session-3.md", "last_modified" : "2019-05-08T08:56:32+01:00", "link" : "/tracks/wardley-maps/working-sessions/simon-session-3/", "content_plain" : "", "summary" : "", "title" : "Simon Session 3", "track" : "Wardley Maps", "type" : "working-session", "word_count" : 0, "params" : {"description":"TBD - Session","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-08T08:56:32+01:00","organizers":["Simon Wardley"],"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"Simon Session 3","topics":null,"track":"Wardley Maps","type":"working-session","when_day":"Wed","when_time":"PM-2"} } , { "id" : "6980f68ad425ebd1c66250ef5b731006", "file_path" : "tracks/Wardley-Maps/user-sessions/using-wardley-maps-and-cynefin-for-security.md", "last_modified" : "2019-05-08T17:58:53+01:00", "link" : "/tracks/wardley-maps/user-sessions/using-wardley-maps-and-cynefin-for-security/", "content_plain" : "", "summary" : "", "title" : "Using Wardley Maps and Cynefin for Security", "track" : "Wardley Maps", "type" : "user-session", "word_count" : 0, "params" : {"description":"session on the intersection of Wardley Maps and Cynefin Framework for Security","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-08T17:58:53+01:00","organizers":["Simon Wardley","Dave Snowden"],"participants":["Phil Huggins"],"room_id":null,"room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"Using Wardley Maps and Cynefin for Security","topics":null,"track":"Wardley Maps","type":"user-session","when_day":"Thu","when_time":"AM-1"} } , { "id" : "806dcb7effb2bf99f39e696c2c8ffb50", "file_path" : "tracks/Wardley-Maps/user-sessions/soc-value-chain-using-wardley-maps.md", "last_modified" : "2019-05-08T17:58:53+01:00", "link" : "/tracks/wardley-maps/user-sessions/soc-value-chain-using-wardley-maps/", 
"content_plain" : "How to apply Wardley maps to an SOC (Security Operations Center).\nHere is an example of what this looks like: SOC Value Chain \u0026amp; Delivery Models\nSame example mapped to in-house vs outsource:\n", "summary" : "How to apply Wardley maps to an SOC (Security Operations Center).\nHere is an example of what this looks like: SOC Value Chain \u0026amp; Delivery Models\nSame example mapped to in-house vs outsource:", "title" : "Using Wardley maps on SOC", "track" : "Wardley Maps", "type" : "user-session", "word_count" : 33, "params" : {"description":"","draft":false,"featured":true,"invited":["Simon Wardley"],"iscjklanguage":false,"lastmod":"2019-05-08T17:58:53+01:00","organizers":["Tony Richards"],"participants":["Dinis Cruz","Jemma Davis-Smith","James Wharton","Phil Huggins"],"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Using Wardley maps on SOC","topics":null,"track":"Wardley Maps","type":"user-session","when_day":"Tue","when_time":"PM-3"} } , { "id" : "52c535de82f4a2866d19c3a38b88d4fc", "file_path" : "tracks/Wardley-Maps/training-session/using-tools-to-create-wardley-maps.md", "last_modified" : "2019-05-08T08:56:32+01:00", "link" : "/tracks/wardley-maps/training-session/using-tools-to-create-wardley-maps/", "content_plain" : "", "summary" : "", "title" : "Using tools to create Wardley Maps (Training Session)", "track" : "Wardley Maps", "type" : "working-session", "word_count" : 0, "params" : {"description":"Learn the best ways to create manually and programmatically Wardley Maps","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-08T08:56:32+01:00","organizers":["Tony Richards"],"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"Using tools to create Wardley Maps (Training Session)","topics":null,"track":"Wardley Maps","type":"working-session","when_day":"Mon","when_time":"PM-2"} } , { "id" : 
"af6980dbe95d6977b396dc85d2a11038", "file_path" : "tracks/Wardley-Maps/user-sessions/create-wardley-mappings-for-multiple-security-scenarios.md", "last_modified" : "2019-05-08T17:58:53+01:00", "link" : "/tracks/wardley-maps/user-sessions/create-wardley-mappings-for-multiple-security-scenarios/", "content_plain" : "Wardley Maps are very useful for mapping out strategies along with terrain to advance security controls and efforts. For those not familiar with this concept, it was developed by Simon Wardley (@swardley) and has derived into a very useful tool for prioritizing the right work at the right time to increase the odds of successfully completing a mission.\nIf you are interested in learning more about this tool and how to build a Wardley Map there is great information here: Wardley Blog\nPractical session on creating Wardley Maps\nThe DevSecOps tribe is using this format to begin an effort that helps security teams to uplevel their security programs and share forward momentum without getting lost in minutia.\nIn order to get the ball rolling, we have developed the following map to show the changing landscape for security with the emergence of DevOps, Mobile, and greater demands for security in software.\nWe\u0026rsquo;re completely open to feedback on this map and will continue to develop greater depth via add-on maps to further illustrate community efforts towards transforming security to meet the demands of DevOps.\n![](https://github.com/devsecops/wardley-maps/raw/master/wardley-devsecops-1.0.png)\n(text from https://github.com/devsecops/wardley-maps)\n", "summary" : "Wardley Maps are very useful for mapping out strategies along with terrain to advance security controls and efforts. 
For those not familiar with this concept, it was developed by Simon Wardley (@swardley) and has derived into a very useful tool for prioritizing the right work at the right time to increase the odds of successfully completing a mission.\nIf you are interested in learning more about this tool and how to build a Wardley Map there is great information here: Wardley Blog", "title" : "Wardley Maps for Security", "track" : "Wardley Maps", "type" : "user-session", "word_count" : 186, "params" : {"categories":null,"description":"Practical session on using Wardley Maps for Security","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-08T17:58:53+01:00","locked":true,"organizers":["Mario Platt","Tony Richards"],"participants":["Phil Huggins"],"room_id":null,"session_slack":"https://os-summit.slack.com/messages/CB1HGSDHU","status":"review-content","technology":null,"title":"Wardley Maps for Security","track":"Wardley Maps","type":"user-session","when_day":"Tue","when_time":"PM-2"} } ]