OWASP London Chapter Meetup at Amazon - Wednesday 13th February 2019 6:30pm
Event Information
Description
This event is kindly hosted and sponsored by Amazon
Location: Amazon, 1 Principal Place, 115 Worship Street, EC2A 2FA, London
Nearest Tubes: Liverpool Street (6 minute walk), Old Street (11 minute walk), Shoreditch High Street Overground (8 minutes)
Doors Open at 6:00pm for registration, pizza, drinks and networking. The talks start at 6:30pm (we start on time)
Please register with the downstairs reception upon arrival. You will be asked to wait in the reception area first, and a member of Amazon staff will then escort you upstairs to the meeting room on the 2nd floor.
TALKS:
Welcome to Amazon London - Dhiraj Bhatt, Head of Security Engineering, Amazon Prime Video
OWASP Introduction, Welcome and News - Sam Stepanyan, Sherif Mansour
Welcome and a brief update on OWASP Projects, Events and Conferences from the OWASP London Chapter Leaders
"Introducing the OWASP ZAP Heads Up Display (HUD)" - Simon Bennetts (@psiinon)
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free and open source security tools. It has a powerful desktop UI, a highly functional API and is used by everyone from people new to security, including developers and QA, right up to professional pentesters. It’s also more complex for newcomers than we would like. We are therefore introducing a new Heads Up Display (HUD) interface which overlays data and controls for ZAP over the web based application being tested.
"Incident Response in Your Pyjamas" - Paco Hope (@pacohope)
When security incidents happen, you often have to respond in a hurry to gather forensic data from the resources that were involved. You might need to grab a bunch of hard drives and physically visit the data centre to capture data from the systems. Getting on airplanes and going to data centres means you have to get dressed, and that's a drag. When infrastructure is in the cloud, you have remote access and APIs for managing all your infrastructure, so you can respond to incidents with automation and do your forensic analysis in your bunny slippers. But is it as good as the capabilities you have in a data centre? Is getting dressed the price you have to pay for high quality forensics and incident response? In this talk Paco will explain the two major domains of cloud events (infrastructure domain and service domain) and describe the security and incident response techniques pioneered by AWS customers like Mozilla, Alfresco, and Netflix. He'll explain how to isolate resources to preserve the integrity of the data; get RAM dumps and disk image snapshots; and identify unauthorised changes to cloud resources using API tools and logs. And all of this while wearing pyjamas.
"Developers - The Lucrative Target for Social Engineers" - Stuart Peck (@cybersecstu)
Developers are a lucrative target for attackers, especially those with public profiles, active on social media, and working on either high profile applications or open source projects. The recent attack on an NPM package, in which malicious code targeting a popular Bitcoin wallet was introduced after the attacker used social engineering to trick the maintainer into handing over ownership, is one of many examples showing that this is an ever increasing vector. This talk explores how exposed some developers are and the impact this can have, either through the supply chain and/or directly on organisations. During this talk we will demonstrate and discuss:
* Open Source Intelligence (OSINT) recon techniques
* Profiling targets, repos, developer backgrounds, coding style, digital footprint
* Pretext creation – building trust and establishing legitimacy
* Example Vishing calls, phishing emails, and case studies
* What developers can do to challenge and reduce the impact of Social Engineering
SPEAKERS:
Simon Bennetts (@psiinon)
Simon Bennetts is the OWASP Zed Attack Proxy (ZAP) Project Leader and works for Mozilla as part of the Cloud Services Security Team. He has talked about and demonstrated ZAP at conferences all over the world, including Blackhat, JavaOne, FOSDEM and OWASP AppSec EU, USA & AsiaPac. Prior to making the move into security he was a developer for 25 years and strongly believes that you cannot build secure web applications without knowing how to attack them.
Paco Hope (@pacohope)
Paco Hope is a Principal Consultant in Security, Risk, and Compliance for Amazon Web Services. He helps enterprise customers achieve compliance and secure their workloads on AWS. Based in London, he works with major enterprises across Europe and the UK migrating workloads and building new applications on AWS. Prior to his work with AWS he worked in application security, carrying out threat modelling, source code reviews, and architectural risk analysis for enterprises.
Stuart Peck (@cybersecstu)
From a background of threat intelligence, social engineering and incident response, Stuart Peck heads up Cyber Security Strategy for ZeroDayLab and is co-founder and podcast host of The Many Hats Club, a large information security community. Stuart is passionate about educating organisations on the latest threat actor techniques and how to combat them. In addition, he has won awards for his education and training programs delivered throughout Europe and the USA. As a practising social engineer he has managed large scale engagements in banking, gambling/gaming, retail, software, insurance and other sectors. Stuart's key areas of expertise include: the dark and deep web, social engineering, incident response management, threat hunting, OSINT, OPSEC, and cyber-crime. He has also led investigations into many major security incidents, including global ransomware outbreaks. Stuart is a regular contributor on social engineering to many leading blogs including Security Affairs, Bleeping Computers and The State of Security, is published in many leading journals including the ISSA Journal, and is quoted in mainstream media.
TICKETS and PHOTO ID REQUIREMENT:
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in application security and #cybersecurity.
Please note that you MUST book your place and get a ticket to be admitted to the event by the building security - your name will be checked against the guest list.
IMPORTANT: Amazon security rules require that all event attendees bring a form of photo ID such as a driving licence or passport. The name on the ID document must match the name on the ticket.
CODE OF CONDUCT
We hope you enjoy our events. We care deeply about inclusivity and diversity, so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of our chapter leaders if you have any feedback or would like to speak to us; we take these matters very seriously. You can find out more about our policies here: https://www.owasp.org/index.php/Governance/Conference_Policies