Name: #02 Building Up
Start: 2023-02-28T18:00:00Z
End: 2023-02-28T20:00:00Z
Location: INESC-ID: Instituto de Engenharia de Sistemas e Computadores, Investigação e Desenvolvimento em Lisboa

OWASP Lisboa chapter meetup on February 28th, 2023, at 18:00, **supported by INESC-ID and AP2SI**.

The schedule is the following:
**18:00** \- Welcome notes by the OWASP Lisboa chapter leadership team
**18:15** \- Surface Security: The experience so far and the road ahead by Gustavo Silva
**19:00** \- Is it private\, is it public? Dependency Confusion by Francisco Santos

\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
**Talks**:

Title: **Surface Security: The experience so far and the road ahead**

Speaker:
Gustavo Silva

Abstract:
At Paddy Power Betfair (Blip.pt), throughout the years, we have developed a tool to help us have an inventory of all internal assets, from servers to DNS records to endpoint devices, but to also integrate other tools in it, like open source scanners to help us detect vulnerabilities, understand our exposure, weaknesses, and priorities, as well as leverage built-in notifications, a slack bot, and much more.
This talk is to talk about this project, which was open-sourced recently, and what the roadmap is for the future.

[Gustavo Silva](https://www.linkedin.com/in/gsilvapt/) Bio:
Software Developer by day, Security Researcher at night. I’m passionate about software security. The niche I am currently working on is engineering processes, tools, and internal interfaces to help companies secure their development lifecycles, do vulnerability management and increase overall awareness of the product's security risks.

\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-

Title: **Is it private, is it public? Dependency Confusion**

Speaker:
Francisco Santos

Abstract:
By 2021, the number of components in the average application rose 77 % from 298 to more than 500 open-source packages. Those components are hosted on public repositories such as GitHub, NPM, or PyPI, while some organizations choose to operate proprietary packages inside private registries of those repositories. Private or public, the management is done by CLI (like npm). The CLI imports private or public packages via a simple precedence algorithm: If the package resides inside the private registry, import it. If not, import the public component. How can a bad actor play this to his advantage?
The "is it private, is it public? Dependency Confusion" talk explains what dependency confusion is, and teaches ways of finding dependency confusion vulnerabilities in js files via BurpSuite with an automated tool called jsminer, a real example of a dependency confusion bug I found, and recommendations to mitigate those issues. By the end, breakers and makers should acquire a fresh new perspective on this issue.

[Francisco Santos](https://www.linkedin.com/in/francisco-santos-77917a210/) Bio:
I'm Francisco Santos, 23 years old. I always liked to think out of the box and find weird solutions to problems. I like logic and solving puzzles. I enjoy being a breaker, and I want to add value to that community.

Twitter: https://twitter.com/andr0idp4r4n0id

Nuno Loureiro

Tiago Mendo

Pedro Fortuna

Carlos Serrao

OWASP Lisboa Chapter

OWASP® Foundation 

Technology

Web Application

OWASP

Information Security

Application Security

Software Security

Cybersecurity

Open Web

Web Application Security

#02 Building Up

INESC-ID: Instituto de Engenharia de Sistemas e Computadores, Investigação e Desenvolvimento em Lisboa

Share

OWASP Lisboa Chapter

#02 Building Up

OWASP Lisboa Chapter

Details

Members are also interested in