#1 Kickoff!


Details
OWASP Porto Chapter meetup: March 6th, 2024, at 18:00, with support from Boost IT.
We are excited to start the Chapter's activities with two excellent talks and, most importantly, your presence!
Schedule:
18:00 - Intro and Welcome by the OWASP Porto chapter leadership
18:15 - The Security of Large Language Models by Nuno Pereira
19:10 - SBOM, SBOM, you're an SBOM by Diogo Sousa
20:00 - Drinks & Dinner by Boost IT
(scroll down for venue details)
-------------------------------------------------------------------------------------------------------
Talks:
Title: The Security of Large Language Models
Presenter: Nuno Pereira
Abstract:
Large Language Models (LLMs) have received a lot of attention recently, and they can be found integrated into various applications, from well-known chat applications to content creation, search, translation and much more. We will give an overview of LLMs and delve into some details to better understand known attacks.
Bio:
Nuno Pereira has taught cybersecurity-related topics for more than 15 years. Between 2019 and 2022, he was a Visiting Scholar at the CyLab Security & Privacy Institute of Carnegie Mellon University in Pittsburgh, United States.
Title: SBOM, SBOM, you're an SBOM
Speaker: Diogo Sousa
Abstract:
Software Bill of Materials (SBOM) is a concept that has recently been making waves in SDLC spaces, but it isn't entirely new. Most mature languages have a (sometimes) mature package management system, either built-in (e.g., Rust's cargo) or de facto (e.g., Maven), that allows developers to define dependencies, resolve conflicts and do composition analysis.
SBOMs, however, allow you to take this one step further, making it language-agnostic and allowing components from different ecosystems to be described in a common language for comparison and analysis. Those features do not come out of the box, though. For example, consider common libraries in different package repositories: are all OpenSSL packages created equally and equivalent?
OWASP is playing a part in this via its support for projects like CycloneDX, which aims to provide a full-stack BOM standard covering specific scopes such as the CBOM (Cryptography) and HBOM (Hardware), among others.
This shift towards software being more transparent and traceable is not without its detractors, as entire business models are predicated on customers using purely opaque boxes.
In the spirit of the topic, here is a Talk Bill of Topics:
- Are BOM requirements burdensome?
- Are we revealing too much of the "secret sauce"?
- Does having an SBOM instantly make a piece of software more secure?
- If we take a piece of software and replace every entry in its BOM with fully equivalent packages, one by one, is it still the same software in the end?
This talk targets a beginner to intermediate audience and will provide an overview of (S)BOMs, their ongoing challenges, and what they can bring to the table in terms of security.
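To make the abstract's "are all OpenSSL packages equivalent?" question concrete, here is an added example (not from the talk, nor CycloneDX's own tooling) that relates two CycloneDX components by their package URL (purl) and checksums; the components, purls and hashes below are constructed sample data.

```python
import re
from typing import Optional

# Minimal package-URL splitter: pkg:type/[namespace/]name[@version][?qualifiers]
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>[^@?#]+)/)?(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?(?:\?(?P<qualifiers>[^#]*))?$"
)

def parse_purl(purl: str) -> dict:
    m = PURL_RE.match(purl)
    if m is None:
        raise ValueError(f"not a purl: {purl}")
    return m.groupdict()

def upstream_version(version: Optional[str]) -> Optional[str]:
    # Distro packages carry epoch/revision noise ("1:3.0.11-1~deb12u2");
    # keep the dotted upstream core so versions compare across ecosystems.
    if version is None:
        return None
    m = re.search(r"\d+(?:\.\d+)+", version)
    return m.group(0) if m else version

def hashes_of(component: dict) -> set:
    return {(h["alg"], h["content"].lower()) for h in component.get("hashes", [])}

def classify(a: dict, b: dict) -> str:
    """Relate two CycloneDX components. Only a shared checksum proves same bytes."""
    pa, pb = parse_purl(a["purl"]), parse_purl(b["purl"])
    if pa["name"].lower() != pb["name"].lower():
        return "different-component"
    ha, hb = hashes_of(a), hashes_of(b)
    if ha & hb:
        return "identical-artifact"
    if a["purl"] == b["purl"]:  # same identity claimed, but bytes not shown equal
        return "same-purl-hash-mismatch" if (ha and hb) else "same-purl-unverified"
    if upstream_version(pa["version"]) == upstream_version(pb["version"]):
        return "same-upstream-different-build"   # e.g. Debian vs. source tarball
    return "same-name-different-version"

# Constructed CycloneDX-style components (sample data, checksums are fake).
DEBIAN = {"name": "openssl", "version": "3.0.11-1~deb12u2",
          "purl": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64",
          "hashes": [{"alg": "SHA-256", "content": "aa" * 32}]}
ALPINE = {"name": "openssl", "version": "3.1.4-r5",
          "purl": "pkg:apk/alpine/openssl@3.1.4-r5?arch=x86_64",
          "hashes": [{"alg": "SHA-256", "content": "bb" * 32}]}
TARBALL = {"name": "openssl", "version": "3.0.11",
           "purl": "pkg:generic/openssl@3.0.11",
           "hashes": [{"alg": "SHA-256", "content": "cc" * 32}]}
```

The point of the categories is that a matching name and version across ecosystems only gets you "same upstream", never "same artifact"; that claim needs a checksum, and a matching purl with conflicting checksums is a finding worth investigating.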
Bio:
An opinionated individual with an interest in cryptography and its intersection with secure software development.
LinkedIn: https://www.linkedin.com/in/0xdsousa/
-------------------------------------------------------------------------------------------------------
How to get there
Boost IT. Rua de Vilar 235, 3º Esquerdo.
The venue is in the "Instituto Nacional Estatística - INE, Porto" building at the address above. The meetup event photos include a photo of the building.
Once inside the building, you will find the elevators down the hallway to the left, past the reception desk. On the third floor, Boost IT is to your left as you leave the elevator.