Working Sessions

We passionately believe that the hard problems and challenges our industry faces can only be solved by working together, in a collaborative and open environment.

This Summit is such an event, where the community comes together and works tirelessly on the topics it is passionate about.

As you can see from the tracks, outcomes, attendees and photos from last year's Summit, this explosive combination of talent, challenges and an enclosed location (venue and villas) creates a highly productive environment.

Where else in the world do you find 15 Threat Modeling experts, thought-leaders and practitioners in one place? The main authors of the OWASP Mobile Testing Guide working together in a room on the next version? A mix of OWASP leaders, developers, security engineers, security champions, pentesters, architects, risk experts, business analysts, heads of Security, CISOs, researchers (and many other roles) in the same room, all working together, sharing knowledge and creating tangible and usable outcomes?

The format of the Summit is based on Working Sessions, which are designed to maximise collaboration and participation. The focus and objectives of these sessions are determined by you (the onsite or remote participant); all we do is set the stage for magic to happen!

See also the planned User Sessions.

Summit Working Sessions

Here are the Working Sessions currently planned for the Summit:

Title | Track | Description
API Threat Modeling Cheat Sheet | Threat Model | API Threat Modeling Cheat Sheet
Adding security to VSTS pipeline | DevSecOps | DevSecOps: adding security testing, review and configurations to a VSTS pipeline
Agile Practices for Security Teams | DevSecOps | Agile Practices for Security Teams
Application Security Verification Standard | Owasp Projects | Session on ASVS
Attack chains as TM technique | Threat Model | Threat Modeling Working Session
Automation of MASVS with BDD | Owasp Projects | Mobile Security Working Session
Back to the future with Threat Modeling | Threat Model | Back to the future with Threat Modeling
CISO Ask Me Anything (AMA) | CISO | Session on Risk Modeling
Cell based Structures for Security | Maps and Graphs | Spotify compliant organizational model in security domain
Consolidate and process all Security Quiz data | Security Questions |
Create .Net Security Questions | Security Questions |
Create AWS Security Questions | Security Questions |
Create Docker Security Questions | Security Questions |
Create Java Security Questions | Security Questions |
Create NodeJS Security Questions | Security Questions |
Create Owasp AWS Security Questions | Security Questions |
Create Owasp Top 10 Security Questions | Security Questions |
Create PHP Security Questions | Security Questions |
Create Perl Security Questions | Security Questions |
Create Security Economics Quiz | Security Questions |
Create Wardley Maps for multiple security scenarios | Maps and Graphs | Practical session on creating Wardley Maps
Create a Tech Radar for Security teams | DevSecOps | Session to consolidate and publish anonymised real-world playbooks
Create generic TM for CMS | Threat Model |
Creating a Steady-State Hypothesis | Chaos Engineering | Exploring the Chaos Toolkit's steady-state hypothesis and how one can be designed and constructed for DevSecOps concerns.
Creating a standard for GDPR patterns | GDPR | Working Session on reviewing and agreeing on a set of GDPR patterns
Creating an open 3rd Party Supplier Questionnaire and maturity model | OWASP SAMM | Create a common 3rd Party Supplier Maturity Model
Creating diagrams with DOT language | Threat Model | Creating diagrams with DOT language
Creation of Security Buttons | Owasp Projects | Agile Practices for Security Teams
Customising the Chaos Toolkit | Chaos Engineering | Practical Guide to Extending the Chaos Toolkit for DevSecOps concerns.
Cyber Insurance | CISO | Session on Cyber Insurance
Cyber Risk Modeling | CISO | Session on Risk Modeling
DPO how to become one | GDPR | What is the best way to become a DPO (Data Protection Officer)?
DPO what to expect | GDPR | What should be expected of DPOs (Data Protection Officers)?
Define an Open Risk Pattern format | Threat Model | Define a structure for defining re-usable risk patterns
Defining a Security Champion | DevSecOps |
Describe different ways of implementing TM in agile organisations | Threat Model |
DevSecOps Maturity Model (DSOMM) | DevSecOps | DevSecOps Maturity Model (DSOMM)
Docker and Kubernetes Threat Modeling Cheat Sheet | Threat Model | Docker and Kubernetes Threat Modeling Cheat Sheet
European GDPR variations | GDPR | Mapping out the multiple differences across the EU
Federated Login with Social Platforms Threat Modeling Cheat Sheet | Threat Model | Federated Login with Social Platforms Threat Modeling Cheat Sheet
From Threat Modeling to DevSecOps metrics | DevSecOps |
GDPR Appropriate Security Controls | GDPR | Map out what these are and what is the best way to measure them
GDPR Compliance what does it mean? | GDPR | Now that GDPR is in force, what does GDPR Compliance mean and how can it be measured?
Gamification of GDPR compliance | GDPR | How to create positive feedback loops between the multiple teams aiming for GDPR Compliance
Group Discussion on Learning from Digital Incidents | Misc | A group discussion with participants on their ideas about the state of the art of the community in terms of policies and procedures for promoting learning from incidents
Hands-on JIRA Schema refactoring | Misc | How to use Jira for risk management, incident response and managing a team
Hands-on JIRA Schema refactoring (DS) | Misc | How to use Jira for risk management, incident response and managing a team
How do you define and measure the value of Threat Modeling? | Threat Model | How do you define and measure the value of Threat Modeling?
How to Threat Model Features with Questionnaires | Threat Model | How to Threat Model Features with Questionnaires
How to scale Threat Modeling | Threat Model | How to scale Threat Modeling
Integrating Security Tools in the SDL | DevSecOps | Integrate security tools as part of the CI/CD pipeline to find/fix issues early in the SDL
Integrating Security into a Spotify Model (and using Squads for Security teams) | DevSecOps | Best practice cheat sheet for integrating Agile Security into the Spotify model
IoT Threat Modeling Cheat Sheet | Threat Model | IoT Threat Modeling Cheat Sheet
JIRA Risk Workflow | Misc | This Working Session should result in an improved JIRA Risk Workflow
Job Fair | Misc | Meet companies that are hiring at the Summit
Juice Shop Brainstorming | Owasp Projects | Brainstorming and designing new hacking challenges and other features for OWASP Juice Shop and its CTF-extension.
Juice Shop Coding Day | Owasp Projects | Hands-on coding session series to implement new challenges and other features in OWASP Juice Shop and its CTF-extension project.
Lessons learned from public bug bounty programmes | Misc | List of top 10 lessons from bug bounty experts and guidelines on improving bug bounty programmes
MSc Application Security | Misc | A core set of learning objectives for MSc level Application Security curricula (through online survey)
Meet the ICO | GDPR | If you could meet the ICO, what questions would you ask?
Methodology / technique showcase | Threat Model | Methodology / technique showcase
OWASP Collective Defence Cluster (CDC) - One year on | CISO |
OWASP Defect Dojo | DevSecOps | Working Sessions for Owasp Defect Dojo
OWASP DevSecOps Studio | DevSecOps | Working Sessions for Owasp DevSecOps Studio
Owasp Cloud Security Workshop (BETA) | DevSecOps | A beta session of the OWASP Cloud Security Workshop (not to be scheduled on the Tuesday)
Owasp Testing Guide v5 | Owasp Projects | Working Sessions for Owasp Testing Guide v5
Owasp Top 5 Machine Learning risks | Owasp Projects |
Policies for the InfoSec industry | |
Policies for the security industry | GDPR | Map out what these are and what is the best way to measure them
Prepare Thursday Quiz session | Security Questions |
Present Security Quiz Data | Security Questions |
Real world Chaos Engineering | Chaos Engineering | An exploration and working session to characterise, explore and implement real-world DevSecOps chaos experiments.
Reboot Owasp Books Project | Owasp Projects |
Recruiting AppSec Talent | CISO |
Review quiz answers from Mon | Security Questions |
Review quiz answers from Thu | Security Questions |
Review quiz answers from Tue | Security Questions |
Review quiz answers from Wed | Security Questions |
SABSA and threat modeling | Threat Model | SABSA and threat modeling
SAMM DevSecOps Version | OWASP SAMM | Create a totally new SAMM DevSecOps version
SAMM Project Meeting | OWASP SAMM | Project meeting to review the status and update the plan for SAMM2
SAMM benchmarking | OWASP SAMM | Define objectives for the SAMM benchmarking project as part of SAMMv2
SAMM2 Kickoff | OWASP SAMM | Kickoff session for the summit
SAMMv2 Establish the Document Model | OWASP SAMM | Define SAMMv2 document model
SAMMv2 Measurement Model | OWASP SAMM | Define SAMMv2 measurement model
SAMMv2 working session - Design | OWASP SAMM | Multiple working sessions on the new SAMMv2
SAMMv2 working session - Governance | OWASP SAMM | Multiple working sessions on the new SAMMv2
SAMMv2 working session - Implementation | OWASP SAMM | Multiple working sessions on the new SAMMv2
SAMMv2 working session - Operations | OWASP SAMM | Multiple working sessions on the new SAMMv2
SAMMv2 working session - Verification | OWASP SAMM | Multiple working sessions on the new SAMMv2
SOC Monitoring Visualisation | DevSecOps | AppSec SOC Monitoring Visualisation
Securing GitHub Integrations | DevSecOps | How to secure GitHub Integrations
Securing the CI Pipeline | DevSecOps | Secure the CI/CD pipeline
Security Buttons Extended | Misc | Creating security buttons
Security Crowdsourcing | DevSecOps | Working Sessions for Security Crowdsourcing
Security Ethics Checklist | Misc |
Security Questions workshop | Security Questions |
Share your Threat Model diagrams and create a Book | Threat Model |
Share your playbooks and release them under Creative Commons | DevSecOps | Session to consolidate and publish anonymised real-world playbooks
Share your security policies and release them under Creative Commons | GDPR | Map out what these are and what is the best way to measure them
Squad Modelling and Cross Functional Teams | Misc | How to use AI and ML for incident response
Threat Model training through Gamification | Threat Model | Threat Model training through Gamification
Threat Modeling Website Structure | Threat Model |
Threat model cheat sheets | Threat Model | Threat Modeling Working Session
Threat model closing session | Threat Model | Threat Modeling Working Session
Threat model guide | Threat Model | Threat model guide with levels
Threat model track opening session | Threat Model | Threat Modeling track opening
Transform OWASP Exam into Security Questions | Security Questions |
Update MSTG with changes in Android 8 (Oreo) | Owasp Projects | Mobile Security Working Session
Update MSTG with changes in iOS 11 | Owasp Projects | Mobile Security Working Session
Using AI and ML for incident response | Misc | How to use AI and ML for incident response
Using Data Science for log analysis | Maps and Graphs | Find out ways to use Data Science for log analysis
Using JIRA-NeoVis to create graphical representations of JIRA data | Maps and Graphs | Practical session on using the JIRA-NeoVis tool
Using JIRA-NeoVis to graph GDPR Data Journeys | Maps and Graphs | Practical session on using the JIRA-NeoVis tool
Using JIRA-NeoVis to graph Threat Models | Maps and Graphs | Practical session on using the JIRA-NeoVis tool
Using Jira to handle Incident Response - simulations | Misc | Incident response simulations and role play scenarios
Using User Story Mapping for effective communication | Maps and Graphs |
Using maps to define how to capture, detect and prevent 6 real-world security incidents | Maps and Graphs | Hands-on session on how to use Wardley maps
Using press-releases as improved project briefs | Misc | Explore the press release concept for project definition
Vulnerability Intelligence Working Group | CISO | Working session with OWASP leaders, MITRE, NIST, and other agencies
Want to become a CISO? | CISO | Working Session for CISOs
Web Application Honeypot | DevSecOps |
WebAuthn - Getting started workshop | DevSecOps |
Women in Cyber-security: improving the gender balance | Misc | Why is there a persistent gap when it comes to gender balance in security? How can we as security professionals ensure there is a fair chance and representation for all?

Pre-Summit Working Sessions

A number of Working Sessions are happening before the Summit; please see the details below and participate.

Title | Track | Description