What we're about

This is the meetup headquarters for the Bay Area chapter of the Open Web Application Security Project (OWASP). This group is dedicated to bringing together the massive amount of Bay Area web application security talent and interest in the form of presentations, talks, conferences, and any other kind of get-together we want to come up with.

We're looking to facilitate all types of meetings between members, from formal conferences to little meetups at a Bay Area coffee shop. The key advantage of meetup.com is that we can benefit from the shared calendar, which is available via iCal, Google Calendar, etc.

We encourage you to get involved in every way possible. Recommend events, put together a local meetup at a coffee shop, restaurant, or bar, or put together a talk to present at one of these venues.

We look forward to hearing from you and seeing you at a local event!

Upcoming events (1)

Bay Area Sep '21 Meetup

Online event

Get ready for a set of 2 new exciting talks brought by experienced speakers in the security industry!

Talk #1: A New Class of DNS Vulnerabilities Affecting Many DNS-as-Service Platforms

Abstract:
We present a novel class of DNS vulnerabilities that affect multiple DNS-as-a-Service (DNSaaS) providers. The vulnerabilities have been proven and successfully exploited on three major cloud providers including AWS Route 53 and may affect many others. Successful exploitation of the vulnerabilities may allow exfiltration of sensitive information from service customers' corporate networks. The leaked information contains internal and external IP addresses, computer names, and sometimes NTLM / Kerberos tickets. The root cause of the problem is the non-standard implementation of DNS resolvers that, when coupled with specific unintended edge cases on the DNS service provider's side, cause major information leakage from internal corporate networks.

In this research, we detail a specific vulnerability that is common across many major DNS service providers that leads to information leakage in connected corporate networks. Specifically, we show how Microsoft Windows endpoints reveal sensitive customer information when performing DNS update queries. The security risk is high. If an organization's DNS Updates are leaked to a malicious 3rd party, they reveal sensitive network information that can be used to map the organization and make operational goals. Internal IP addresses reveal the network segments of the organization; computer names hint at the potential content they may hold; external IP addresses expose geographical locations and the organization's sites throughout the world; and internal IPv6 addresses are sometimes accessible from the outside and allow an entry point into the organization. The impact is huge. Out of six major DNSaaS providers we examined, three were vulnerable to nameserver registration.

Speaker: Shir Tamari, Head of Research at Wiz
Shir Tamari is an experienced security and technology researcher specializing in vulnerability research and practical hacking. Shir is currently Head of Research of the cloud security company Wiz. In the past, he served as a consultant to a variety of security companies in the fields of research, development and product. Shir is also a member of the 5BC CTF team.

Talk #2: Redefining Threat Modeling: Security team goes on vacation

Abstract:
Threat Modeling is an important part of every company's Security Development Lifecycle, but as development teams grow bigger, Security will either have to choose which features they want to Threat Model or they will become a bottleneck for the development organization.

What if I told you, you can have your cake and eat it too? It is possible to scale your threat modeling program to *every* feature and you don't have to be a bottleneck to the development organization. What if I also told you that the Threat Models in this utopia are also of higher quality as well?
In this utopian world, Threat Modeling is no longer the Application Security team's responsibility. The responsibility now lies with the development teams. Self-serve Threat Modeling is the way of the future.

Speaker: Jeevan Singh, Engineering Manager, Application Security at Segment

Past events (119)

Bay Area May '21 Meetup

Online event
