#3 Is a Strike

Details

OWASP Porto Chapter meetup: November 6th, 2024, at 18:00. With support from UPTEC and Blaze Information Security.

How to get there: The event will be at UPTEC Baixa (in Downtown Porto). See the event location below for the full address.

We are excited to bring you two great talks and hope you join us in our next meetup!

Schedule:

18:00 - Intro and Welcome by the OWASP Porto chapter leadership
18:15 - CVSS v4 – A Better Version of an Imperfect Solution by Mário Leitão-Teixeira
19:00 - Searching data on remote encrypted storages with privacy requirements by António Pinto
20:00 - Drinks & Dinner by Blaze Information Security.

-------------------------------------------------------------------------------------------------------
Talks:

Title: CVSS v4 – A Better Version of an Imperfect Solution
Speaker: Mário Leitão-Teixeira

Abstract:
The Common Vulnerability Scoring System (CVSS) is the number-one standard for attributing criticality scores to vulnerabilities to help organizations properly assess and prioritize their Vulnerability Management processes. Today, it plays a fundamental role in organizations and project maintainers worldwide, even more so with the general adoption of CVE and with NVD as the go-to source for keeping track of new vulnerabilities. These bear a fundamental position in the Infosec community by keeping all information publicly available and easily accessible. We will explore key aspects of the new CVSS version, the challenges it intends to solve, and some persisting limitations, one major challenge being how to optimize its pivotal role in Vulnerability Management. Looking forward, I will discuss the future landscape and potential collaboration and open some questions for the journey ahead.

Bio:
I work as an Appsec Analyst at Checkmarx. 'Vulnerability' is part of my daily vocabulary, and I'm never sick of it. I dub myself a 'self-certified idiot' because I love learning and hatching ideas. So much that I've made brainstorming a hobby and kickstarted a team initiative to keep us on the pulse of InfoSec. I'm also currently studying to pass the CEH certification. Contributing to the AppSec Village at RSAC in San Francisco last year? Check. Beyond the keyboard, you catch me reading, writing, or practicing martial arts. As in cybersecurity, I seek constant learning.

LinkedIn: https://www.linkedin.com/in/marioleitao-teixeira/

---

Title: Searching data on remote encrypted storages with privacy requirements
Speaker: António Pinto

Abstract:
A combined adoption of cloud-based infrastructure and applications with the requirements imposed by legislation such as the General Data Protection Regulation (GDPR) creates momentum for the greater adoption and use of data encryption.
When remote data confidentiality is required, the candidate solution is to use cryptographic techniques to encrypt all data before transferring it to a remote cloud storage service. In some particular cases, the data sent can also be digitally signed to ensure its source trustworthiness, and a cryptographic hash can also be computed to assure data integrity and to prevent its manipulation while in transit. If searching within this remotely stored data is required, the simplest, trivial approach consists of transferring all data back to the client, so that it can be decrypted, allowing search operations to be performed over the clear text at the client side. This presents efficiency and performance problems. The use of searchable encryption mechanisms can address some of these issues and be part of a secure, confidential and off-premises storage of data that is also capable of assuring the integrity and authenticity of the stored data while supporting server-side log searching and retrieval.
In this lecture we present the concept of searchable encryption of remotely stored encrypted data. We address the related concepts of trapdoor, index, reverse index and discuss the performance cost of these operations.

Bio:
António Pinto has a PhD from Porto University (2010). Currently, he is a Professor (Professor Coordenador com Agregação) at Escola Superior de Tecnologia e Gestão (ESTG) of the Polytechnic Institute of Porto. He gives courses on computer networks, data privacy, ethical hacking and digital forensics. He is also a researcher at CRACS at the INESC TEC research institute. His current research interests include computer and network security, digital forensics, and data privacy. António Pinto has published 50+ papers and participated in 10+ research projects, including European projects. He also holds both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor certifications.

LinkedIn: https://www.linkedin.com/in/pintoantonio

OWASP Porto Chapter
UPTEC Baixa
Praça do Cel. Pacheco 2, 4050-453 Porto · Porto