Working Sessions

We passionately believe the hard problems and challenges that our industry faces can only be solved by working together, in a collaborative and open environment.

This Summit is such an event, where the community comes together, and works tirelessly on topics that they are passionate about.

As you can see from the tracks, outcomes, attendees and photos from last year’s Summit, this explosive combination of talent, challenges and enclosed location (venue and villas) creates a highly productive environment.

Where else in the world do you find 15 Threat Modeling experts, thought-leaders and practitioners in one place? The main authors of the OWASP Mobile Testing Guide working together in a room on the next version? A mix of OWASP leaders, developers, security engineers, security champions, pentesters, architects, risk experts, business analysts, heads of Security, CISOs, researchers (and many other roles) in the same room, all working together, sharing knowledge and creating tangible and usable outcomes.

The format of the Summit is based on Working Sessions, which are designed to maximise collaboration and participation. The focus and objectives of these sessions are determined by you (the onsite or remote participant); all we do is set the stage for magic to happen!

See also the planned User Sessions

Summit Working Sessions

Here are the Working Sessions currently planned for the Summit

Title | Track | Description
Adding security to VSTS pipeline | DevSecOps | DevSecOps: adding security testing, review and configurations to a VSTS pipeline
Agile Practices for Security Teams | DevSecOps | Agile Practices for Security Teams
API Threat Modeling Cheat Sheet | Threat Model | API Threat Modeling Cheat Sheet
Application Security Verification Standard | Owasp Projects | Session on ASVS
Attack chains as TM technique | Threat Model | Threat Modeling Working Session
Automation of MASVS with BDD | Owasp Projects | Mobile Security Working Session
Back to the future with Threat Modeling | Threat Model | Back to the future with Threat Modeling
Cell based Structures for Security | Maps and Graphs | Spotify compliant organizational model in security domain
CISO Ask Me Anything (AMA) | CISO | Session on Risk Modeling
Consolidate and process all Security Quiz data | Security Questions |
Create .Net Security Questions | Security Questions |
Create a Tech Radar for Security teams | DevSecOps | Session to consolidate and publish anonymised real-world playbooks
Create AWS Security Questions | Security Questions |
Create Docker Security Questions | Security Questions |
Create generic TM for CMS | Threat Model |
Create Java Security Questions | Security Questions |
Create NodeJS Security Questions | Security Questions |
Create Owasp AWS Security Questions | Security Questions |
Create Owasp Top 10 Security Questions | Security Questions |
Create Perl Security Questions | Security Questions |
Create PHP Security Questions | Security Questions |
Create Security Economics Quiz | Security Questions |
Create Wardley Maps for multiple security scenarios | Maps and Graphs | Practical session on creating Wardley Maps
Creating a standard for GDPR patterns | GDPR | Working Session on reviewing and agreeing on a set of GDPR patterns
Creating a Steady-State Hypothesis | Chaos Engineering | Exploring the Chaos Toolkit's steady-state hypothesis and how one can be designed and constructed for DevSecOps concerns.
Creating an open 3rd Party Supplier Questionnaire and maturity model | OWASP SAMM | Create a common 3rd Party Supplier Maturity Model
Creating diagrams with DOT language | Threat Model | Creating diagrams with DOT language
Creation of Security Buttons | Owasp Projects | Agile Practices for Security Teams
Customising the Chaos Toolkit | Chaos Engineering | Practical Guide to Extending the Chaos Toolkit for DevSecOps concerns.
Cyber Insurance | CISO | Session on Cyber Insurance
Cyber Risk Modeling | CISO | Session on Risk Modeling
Define an Open Risk Pattern format | Threat Model | Define a structure for defining re-usable risk patterns
Defining a Security Champion | DevSecOps |
Describe different ways of implementing TM in agile organisations | Threat Model |
DevSecOps Maturity Model (DSOMM) | DevSecOps | DevSecOps Maturity Model (DSOMM)
Docker and Kubernetes Threat Modeling Cheat Sheet | Threat Model | Docker and Kubernetes Threat Modeling Cheat Sheet
DPO how to become one | GDPR | What is the best way to become a DPO (Data Protection Officer)
DPO what to expect | GDPR | What should be expected of DPOs (Data Protection Officers)
European GDPR variations | GDPR | Mapping out the multiple differences across the EU
Federated Login with Social Platforms Threat Modeling Cheat Sheet | Threat Model | Federated Login with Social Platforms Threat Modeling Cheat Sheet
From Threat Modeling to DevSecOps metrics | DevSecOps |
Gamification of GDPR compliance | GDPR | How to create positive feedback loops between the multiple teams aiming for GDPR Compliance
GDPR Appropriate Security Controls | GDPR | Map out what these are and what is the best way to measure them
GDPR Compliance what does it mean? | GDPR | Now that GDPR is in force, what does GDPR Compliance mean and how to measure it
Group Discussion on Learning from Digital Incidents | Misc | A group discussion with participants on their ideas about the state of the art of the community in terms of policies and procedures for promoting learning from incidents
Hands-on JIRA Schema refactoring | Misc | How to use Jira for risk management, incident response and managing a team
Hands-on JIRA Schema refactoring (DS) | Misc | How to use Jira for risk management, incident response and managing a team
How do you define and measure the value of Threat Modeling? | Threat Model | How do you define and measure the value of Threat Modeling?
How to scale Threat Modeling | Threat Model | How to scale Threat Modeling
How to Threat Model Features with Questionnaires | Threat Model | How to Threat Model Features with Questionnaires
Integrating Security into a Spotify Model (and using Squads for Security teams) | DevSecOps | Best practice cheat sheet for integrating Agile Security into the Spotify model
Integrating Security Tools in the SDL | DevSecOps | Integrate security tools as part of the CI/CD pipeline to find and fix issues early in the SDL
IoT Threat Modeling Cheat Sheet | Threat Model | IoT Threat Modeling Cheat Sheet
JIRA Risk Workflow | Misc | This Working Session should result in an improved JIRA Risk Workflow
Job Fair | Misc | Meet companies that are hiring at the Summit
Juice Shop Brainstorming | Owasp Projects | Brainstorming and designing new hacking challenges and other features for OWASP Juice Shop and its CTF extension.
Juice Shop Coding Day | Owasp Projects | Hands-on coding session series to implement new challenges and other features in OWASP Juice Shop and its CTF extension project.
Lessons learned from public bug bounty programmes | Misc | List of top 10 lessons from bug bounty experts and guidelines on improving bug bounty programmes
Meet the ICO | GDPR | If you could meet the ICO, what questions would you ask?
Methodology / technique showcase | Threat Model | Methodology / technique showcase
MSc Application Security | Misc | A core set of learning objectives for MSc level Application Security curricula (through online survey)
Owasp Cloud Security Workshop (BETA) | DevSecOps | A beta session of the OWASP Cloud Security Workshop (not to be scheduled on the Tuesday)
OWASP Collective Defence Cluster (CDC) - One year on | CISO |
OWASP Defect Dojo | DevSecOps | Working Sessions for Owasp Defect Dojo
OWASP DevSecOps Studio | DevSecOps | Working Sessions for Owasp DevSecOps Studio
Owasp Testing Guide v5 | Owasp Projects | Working Sessions for Owasp Testing Guide v5
Owasp Top 5 Machine Learning risks | Owasp Projects |
Policies for the InfoSec industry | |
Policies for the security industry | GDPR | Map out what these are and what is the best way to measure them
Prepare Thursday Quiz session | Security Questions |
Present Security Quiz Data | Security Questions |
Real world Chaos Engineering | Chaos Engineering | An exploration and working session to characterise, explore and implement real-world DevSecOps chaos experiments.
Reboot Owasp Books Project | Owasp Projects |
Recruiting AppSec Talent | CISO |
Review quiz answers from Mon | Security Questions |
Review quiz answers from Thu | Security Questions |
Review quiz answers from Tue | Security Questions |
Review quiz answers from Wed | Security Questions |
SABSA and threat modeling | Threat Model | SABSA and threat modeling
SAMM benchmarking | OWASP SAMM | Define objectives for the SAMM benchmarking project as part of SAMMv2
SAMM DevSecOps Version | OWASP SAMM | Create a totally new SAMM DevSecOps version
SAMM Project Meeting | OWASP SAMM | Project meeting to review the status and update the plan for SAMM2
SAMM2 Kickoff | OWASP SAMM | Kickoff session for the summit
SAMMv2 Establish the Document Model | OWASP SAMM | Define SAMMv2 document model
SAMMv2 Measurement Model | OWASP SAMM | Define SAMMv2 measurement model
SAMMv2 working session - Design | OWASP SAMM | Multiple working sessions on the new SAMMv2
SAMMv2 working session - Governance | OWASP SAMM | Multiple working sessions on the new SAMMv2
SAMMv2 working session - Implementation | OWASP SAMM | Multiple working sessions on the new SAMMv2
SAMMv2 working session - Operations | OWASP SAMM | Multiple working sessions on the new SAMMv2
SAMMv2 working session - Verification | OWASP SAMM | Multiple working sessions on the new SAMMv2
Securing GitHub Integrations | DevSecOps | How to secure GitHub Integrations
Securing the CI Pipeline | DevSecOps | Secure the CI/CD pipeline
Security Buttons Extended | Misc | Creating security buttons
Security Crowdsourcing | DevSecOps | Working Sessions for Security Crowdsourcing
Security Ethics Checklist | Misc |
Security Questions workshop | Security Questions |
Share your playbooks and release them under Creative Commons | DevSecOps | Session to consolidate and publish anonymised real-world playbooks
Share your security policies and release them under Creative Commons | GDPR | Map out what these are and what is the best way to measure them
Share your Threat Model diagrams and create a Book | Threat Model |
SOC Monitoring Visualisation | DevSecOps | AppSec SOC Monitoring Visualisation
Squad Modelling and Cross Functional Teams | Misc | How to use AI and ML for incident response
Threat model cheat sheets | Threat Model | Threat Modeling Working Session
Threat model closing session | Threat Model | Threat Modeling Working Session
Threat model guide | Threat Model | Threat model guide with levels
Threat model track opening session | Threat Model | Threat Modeling track opening
Threat Model training through Gamification | Threat Model | Threat Model training through Gamification
Threat Modeling Website Structure | Threat Model |
Transform OWASP Exam into Security Questions | Security Questions |
Update MSTG with changes in Android 8 (Oreo) | Owasp Projects | Mobile Security Working Session
Update MSTG with changes in iOS 11 | Owasp Projects | Mobile Security Working Session
Using AI and ML for incident response | Misc | How to use AI and ML for incident response
Using Data Science for log analysis | Maps and Graphs | Find out ways to use Data Science for log analysis
Using Jira to handle Incident Response - simulations | Misc | Incident response simulations and role play scenarios
Using JIRA-NeoVis to create graphical representations of JIRA data | Maps and Graphs | Practical session on using the JIRA-NeoVis tool
Using JIRA-NeoVis to graph GDPR Data Journeys | Maps and Graphs | Practical session on using the JIRA-NeoVis tool
Using JIRA-NeoVis to graph Threat Models | Maps and Graphs | Practical session on using the JIRA-NeoVis tool
Using maps to define how to capture, detect and prevent 6 real-world security incidents | Maps and Graphs | Hands-on session on how to use Wardley maps
Using press releases as improved project briefs | Misc | Explore the press release concept for project definition
Using User Story Mapping for effective communication | Maps and Graphs |
Vulnerability Intelligence Working Group | CISO | Working session with OWASP leaders, MITRE, NIST, and other agencies
Want to become a CISO? | CISO | Working Session for CISOs
Web Application Honeypot | DevSecOps |
WebAuthn - Getting started workshop | DevSecOps |
Women in Cyber-security: improving the gender balance | Misc | Why is there a persistent gap when it comes to gender balance in security? How can we as security professionals ensure there is a fair chance and representation for all?

Pre-Summit Working Sessions

A number of Working Sessions are happening before the Summit; please see the details below and participate.

Title | Track | Description