We passionately believe the hard problems and challenges that our industry faces can only be solved by working together, in a collaborative and open environment.
This Summit is such an event, where the community comes together, and works tirelessly on topics that they are passionate about.
As you can see from the tracks, outcomes, attendees and photos from last year’s Summit, this combination of talent, hard challenges and a self-contained location (venue and villas) creates a highly productive environment.
Where else in the world do you find 15 Threat Modeling experts, thought-leaders and practitioners in one room? The main authors of the OWASP Mobile Testing Guide working together on the next version? A mix of OWASP leaders, developers, security engineers, security champions, pentesters, architects, risk experts, business analysts, heads of Security, CISOs, researchers (and many other roles) in the same room, all working together, sharing knowledge and creating tangible, usable outcomes?
The format of the Summit is based on Working Sessions, which are designed to maximise collaboration and participation. The focus and objectives of these sessions are determined by you (the onsite or remote participant); all we do is set the stage for the magic to happen!
Summit Working Sessions
Here are the Working Sessions currently planned for the Summit:
Title | Track | Description |
---|---|---|
Adding security to VSTS pipeline | DevSecOps | DevSecOps: adding security testing, review and configurations to a VSTS pipeline |
Agile Practices for Security Teams | DevSecOps | Agile Practices for Security Teams |
API Threat Modeling Cheat Sheet | Threat Model | API Threat Modeling Cheat Sheet |
Application Security Verification Standard | Owasp Projects | Session on ASVS |
Attack chains as TM technique | Threat Model | Threat Modeling Working Session |
Automation of MASVS with BDD | Owasp Projects | Mobile Security Working Session |
Back to the future with Threat Modeling | Threat Model | Back to the future with Threat Modeling |
Cell based Structures for Security | Maps and Graphs | Applying a Spotify-style organisational model to the security domain |
CISO Ask Me Anything (AMA) | CISO | Open Q&A session with CISOs |
Consolidate and process all Security Quiz data | Security Questions | |
Create .Net Security Questions | Security Questions | |
Create a Tech Radar for Security teams | DevSecOps | Session to create a Tech Radar for security teams |
Create AWS Security Questions | Security Questions | |
Create Docker Security Questions | Security Questions | |
Create generic TM for CMS | Threat Model | |
Create Java Security Questions | Security Questions | |
Create NodeJS Security Questions | Security Questions | |
Create Owasp AWS Security Questions | Security Questions | |
Create Owasp Top 10 Security Questions | Security Questions | |
Create Perl Security Questions | Security Questions | |
Create PHP Security Questions | Security Questions | |
Create Security Economics Quiz | Security Questions | |
Create Wardley Maps for multiple security scenarios | Maps and Graphs | Practical session on creating Wardley Maps |
Creating a standard for GDPR patterns | GDPR | Working Session on reviewing and agreeing on a set of GDPR patterns |
Creating a Steady-State Hypothesis | Chaos Engineering | Exploring the Chaos Toolkit's steady-state hypothesis and how one can be designed and constructed for DevSecOps concerns |
Creating an open 3rd Party Supplier Questionnaire and maturity model | OWASP SAMM | Create a common 3rd Party Supplier Maturity Model |
Creating diagrams with DOT language | Threat Model | Creating diagrams with DOT language |
Creation of Security Buttons | Owasp Projects | Creating security buttons |
Customising the Chaos Toolkit | Chaos Engineering | Practical Guide to Extending the Chaos Toolkit for DevSecOps concerns. |
Cyber Insurance | CISO | Session on Cyber Insurance |
Cyber Risk Modeling | CISO | Session on Risk Modeling |
Define an Open Risk Pattern format | Threat Model | Define a structure for defining re-usable risk patterns |
Defining a Security Champion | DevSecOps | |
Describe different ways of implementing TM in agile organisations | Threat Model | |
DevSecOps Maturity Model (DSOMM) | DevSecOps | DevSecOps Maturity Model (DSOMM) |
Docker and Kubernetes Threat Modeling Cheat Sheet | Threat Model | Docker and Kubernetes Threat Modeling Cheat Sheet |
DPO how to become one | GDPR | What is the best way to become a DPO (Data Protection Officer)? |
DPO what to expect | GDPR | What should be expected of DPOs (Data Protection Officers) |
European GDPR variations | GDPR | Mapping out the multiple differences across the EU |
Federated Login with Social Platforms Threat Modeling Cheat Sheet | Threat Model | Federated Login with Social Platforms Threat Modeling Cheat Sheet |
From Threat Modeling to DevSecOps metrics | DevSecOps | |
Gamification of GDPR compliance | GDPR | How to create positive feedback loops between the multiple teams aiming for GDPR Compliance |
GDPR Appropriate Security Controls | GDPR | Map out what these are and what is the best way to measure them |
GDPR Compliance what does it mean? | GDPR | Now that GDPR is in force, what does GDPR Compliance mean and how to measure it |
Group Discussion on Learning from Digital Incidents | Misc | A group discussion with participants on their ideas about the state of art of the community in terms of policies and procedures for promoting learning from incidents |
Hands-on JIRA Schema refactoring | Misc | How to use Jira for risk management, incident response and managing a team |
Hands-on JIRA Schema refactoring (DS) | Misc | How to use Jira for risk management, incident response and managing a team |
How do you define and measure the value of Threat Modeling? | Threat Model | How do you define and measure the value of Threat Modeling? |
How to scale Threat Modeling | Threat Model | How to scale Threat Modeling |
How to Threat Model Features with Questionnaires | Threat Model | How to Threat Model Features with Questionnaires |
Integrating Security into a Spotify Model (and using Squads for Security teams) | DevSecOps | Best practice cheat sheet for integrating Agile Security into the Spotify model |
Integrating Security Tools in the SDL | DevSecOps | Integrate security tools as part of CI/CD pipeline to find/fix issues early in SDL |
IoT Threat Modeling Cheat Sheet | Threat Model | IoT Threat Modeling Cheat Sheet |
JIRA Risk Workflow | Misc | This Working Session should result in an improved JIRA Risk Workflow |
Job Fair | Misc | Meet companies that are hiring at the Summit |
Juice Shop Brainstorming | Owasp Projects | Brainstorming and designing new hacking challenges and other features for OWASP Juice Shop and its CTF-extension. |
Juice Shop Coding Day | Owasp Projects | Hands-on coding session series to implement new challenges and other features in OWASP Juice Shop and its CTF-extension project. |
Lessons learned from public bug bounties programmes | Misc | List of top 10 lessons from bug bounty experts and guidelines on improving bug bounty programmes |
Meet the ICO | GDPR | If you could meet the ICO, what questions would you ask |
Methodology / technique showcase | Threat Model | Methodology / technique showcase |
MSc Application Security | Misc | A core set of learning objectives for MSc-level Application Security curricula (through an online survey) |
Owasp Cloud Security Workshop (BETA) | DevSecOps | A beta session of the OWASP Cloud Security Workshop (not to be scheduled on the Tuesday) |
OWASP Collective Defence Cluster (CDC) - One year on | CISO | |
OWASP Defect Dojo | DevSecOps | Working Sessions for Owasp Defect Dojo |
OWASP DevSecOps Studio | DevSecOps | Working Sessions for Owasp DevSecOps Studio |
Owasp Testing Guide v5 | Owasp Projects | Working Sessions for Owasp Testing Guide v5 |
Owasp Top 5 Machine Learning risks | Owasp Projects | |
Policies for the InfoSec industry | | |
Policies for the security industry | GDPR | Map out what these are and what is the best way to measure them |
Prepare Thursday Quiz session | Security Questions | |
Present Security Quiz Data | Security Questions | |
Real world Chaos Engineering | Chaos Engineering | An exploration and working session to characterise, explore and implement real-world DevSecOps chaos experiments. |
Reboot Owasp Books Project | Owasp Projects | |
Recruiting AppSec Talent | CISO | |
Review quiz answers from Mon | Security Questions | |
Review quiz answers from Thu | Security Questions | |
Review quiz answers from Tue | Security Questions | |
Review quiz answers from Wed | Security Questions | |
SABSA and threat modeling | Threat Model | SABSA and threat modeling |
SAMM benchmarking | OWASP SAMM | Define objectives for the SAMM benchmarking project as part of SAMMv2 |
SAMM DevSecOps Version | OWASP SAMM | Create a totally new SAMM DevSecOps version |
SAMM Project Meeting | OWASP SAMM | Project meeting to review the status and update the plan for SAMM2 |
SAMM2 Kickoff | OWASP SAMM | Kickoff session for the summit |
SAMMv2 Establish the Document Model | OWASP SAMM | Define SAMMv2 document Model |
SAMMv2 Measurement Model | OWASP SAMM | Define SAMMv2 measurement model |
SAMMv2 working session - Design | OWASP SAMM | multiple working sessions on the new SAMMv2 |
SAMMv2 working session - Governance | OWASP SAMM | multiple working sessions on the new SAMMv2 |
SAMMv2 working session - Implementation | OWASP SAMM | multiple working sessions on the new SAMMv2 |
SAMMv2 working session - Operations | OWASP SAMM | multiple working sessions on the new SAMMv2 |
SAMMv2 working session - Verification | OWASP SAMM | multiple working sessions on the new SAMMv2 |
Securing GitHub Integrations | DevSecOps | How to secure Github Integrations |
Securing the CI Pipeline | DevSecOps | Secure the CI/CD pipeline |
Security Buttons Extended | Misc | Creating security buttons |
Security Crowdsourcing | DevSecOps | Working Sessions for Security Crowdsourcing |
Security Ethics Checklist | Misc | |
Security Questions workshop | Security Questions | |
Share your playbooks and release them under Creative Commons | DevSecOps | Session to consolidate and publish anonymised real-world playbooks |
Share your security polices and release them under Creative Commons | GDPR | Map out what these are and what is the best way to measure them |
Share your Threat Models diagrams and create a Book | Threat Model | |
SOC Monitoring Visualisation | DevSecOps | AppSec SOC Monitoring Visualisation |
Squad Modelling and Cross Functional Teams | Misc | Squad modelling and cross-functional teams for security |
Threat model cheat sheets | Threat Model | Threat Modeling Working Session |
Threat model closing session | Threat Model | Threat Modeling Working Session |
Threat model guide | Threat Model | Threat model guide with levels |
Threat model track opening session | Threat Model | Threat Modeling track opening |
Threat Model training through Gamification | Threat Model | Threat Model training through Gamification |
Threat Modeling Website Structure | Threat Model | |
Transform OWASP Exam into Security Questions | Security Questions | |
Update MSTG with changes in Android 8 (Oreo) | Owasp Projects | Mobile Security Working Session |
Update MSTG with changes in iOS 11 | Owasp Projects | Mobile Security Working Session |
Using AI and ML for incident response | Misc | How to use AI and ML for incident response |
Using Data Science for log analysis | Maps and Graphs | Find out ways to use Data Science for log analysis |
Using Jira to handle Incident Response - simulations | Misc | Incident response simulations and role play scenarios |
Using JIRA-NeoVis to create graphical representations of JIRA data | Maps and Graphs | Practical session on using the JIRA-NeoVis tool |
Using JIRA-NeoVis to graph GDPR Data Journeys | Maps and Graphs | Practical session on using the JIRA-NeoVis tool |
Using JIRA-NeoVis to graph Threat Models | Maps and Graphs | Practical session on using the JIRA-NeoVis tool |
Using maps to define how to capture, detect and prevent 6 real-world security incidents | Maps and Graphs | Hands on session on how to use Wardley maps |
Using press-releases as improved project's briefs | Misc | Explore the press release concept for project definition |
Using User Story Mapping for effective communication | Maps and Graphs | |
Vulnerability Intelligence Working Group | CISO | Working session with OWASP leaders, MITRE, NIST, and other agencies |
Want to become a CISO? | CISO | Working Session for CISOs |
Web Application Honeypot | DevSecOps | |
WebAuthn - Getting started workshop | DevSecOps | |
Women in Cyber-security: improving the gender balance | Misc | Why is there a persistent gap when it comes to gender balance in security? How can we as security professionals ensure there is a fair chance and representation for all? |
Pre-Summit Working Sessions
A number of Working Sessions are happening before the Summit; please see the details below and participate.
Title | Track | Description |
---|---|---|