Working Sessions

We passionately believe the hard problems and challenges that our industry faces can only be solved by working together, in a collaborative and open environment.

This Summit is such an event, where the community comes together, and works tirelessly on topics that they are passionate about.

As you can see from the tracks, outcomes, attendees and photos from last year’s Summit, this explosive combination of talent, challenges and enclosed location (venue and villas) creates a highly productive environment.

Where else in the world do you find 15 Threat Modeling experts, thought-leaders and practitioners in one place? The main authors of the OWASP Mobile Security Testing Guide working together in a room on the next version? A mix of OWASP leaders, developers, security engineers, security champions, pentesters, architects, risk experts, business analysts, heads of Security, CISOs, researchers (and many other roles) in the same room, all working together, sharing knowledge and creating tangible and usable outcomes?

The format of the Summit is based on Working Sessions, which are designed to maximise collaboration and participation. The focus and objectives of these sessions are determined by you (the onsite or remote participant); all we do is set the stage for magic to happen!

See also the planned User Sessions

Summit Working Sessions

Here are the Working Sessions currently planned for the Summit.

| Title | Track | Description |
|---|---|---|
| Agile Practices for Security Teams | DevSecOps | Agile Practices for Security Teams |
| Android and iOS Security Enhancements and Crackme Apps | Mobile Security | Updating the content of the MSTG |
| Application Security Verification Standard | OWASP Projects | Session on ASVS |
| Azure Serverless for security | Serverless | |
| Best practices for the security of online Gaming platforms | Children Game Safety | Online gaming platforms manage large volumes of sensitive data which needs to be protected and managed securely |
| CISO Ask Me Anything (AMA) | CISO | Session on Risk Modeling |
| Cell based Structures for Security | Wardley Maps | Spotify compliant organizational model in the security domain |
| Creating a Security Champions network | DevSecOps | |
| Creating a Threat Library | Threat Library | Working Session |
| Creating an iOS build pipeline with security checks | Mobile Security | Brainstorming for an iOS pipeline with security checks |
| Customising the Chaos Engineering Toolkit | API Security | Practical Guide to Extending the Chaos Toolkit for DevSecOps concerns. |
| Cyber Insurance | Cyber Insurance | Session on Cyber Insurance |
| Cyber Insurance - Round Table | Cyber Insurance | Round table by multiple industry experts and players on how to improve the current state of Cyber Insurance |
| Cyber Risk Modeling | CISO | Session on Risk Modeling |
| Cynefin Framework for Security | Maps and Graphs | Cynefin Framework for Security |
| Dealing with DevSecOps Findings | Security Automation | How to deal with the security findings in an appsec pipeline and drive continuous improvement of the testing policies |
| Describe different ways of implementing TM in agile organisations | Threat Model | |
| DevSecOps Maturity Model (DSOMM) | DevSecOps | DevSecOps Maturity Model (DSOMM) |
| From Threat Modeling to DevSecOps metrics | DevSecOps | |
| GCP Serverless for security | Serverless | |
| GDPR Implications for Online Games (for players, parents and platform owners) | Children Game Safety | What are the GDPR implications for online gaming platforms? What are the platform developers' responsibilities? What are the users' (and parents') rights? |
| Hacking ML Applications | Machine Learning | |
| Hands-on Cynefin Framework creation (Training Session) | Cynefin Framework | Want to know more about the Cynefin Framework? This training session will give you hands-on experience in creating maps for multiple scenarios |
| Hands-on Wardley Maps creation (Training Session) | Wardley Maps | Want to have a go at creating your own Wardley maps? This training session will give you hands-on experience in creating maps for multiple scenarios, with experienced practitioners on hand to guide and help you. |
| How can OWASP and OSS help with Cyber Insurance | Cyber Insurance | OWASP and the OSS (Open Security Summit) community sit at the center of a large community that has all the players and resources required to find good solutions |
| How can OWASP and OSS help with Online Game Safety | Children Game Safety | OWASP and the OSS (Open Security Summit) community sit at the center of a large community that has all the players and resources required to find good solutions |
| How do we persist the information from the TM Slack channel? | Threat Model | How do we persist the information from the TM Slack channel? |
| How to scale Threat Modeling | Threat Model | How to scale Threat Modeling |
| Integrating Security Tools in the SDL | Security Automation | Integrate security tools as part of the CI/CD pipeline to find and fix issues early in the SDL |
| Introduction to Cynefin Framework (Training Session) | Cynefin Framework | New to the Cynefin Framework? This session is for you |
| Introduction to Wardley Maps (Training Session) | Wardley Maps | New to Wardley maps? This session is for you |
| Jira Schemas | | |
| Juice Shop Challenge Refactoring | OWASP Juice Shop | Refactoring the categories and difficulty ratings of the OWASP Juice Shop challenges |
| Juice Shop Hack'n'Code I | OWASP Juice Shop | Coding for and hacking of the OWASP Juice Shop |
| Juice Shop Hack'n'Code II | OWASP Juice Shop | Coding for and hacking of the OWASP Juice Shop |
| Juice Shop Hack'n'Code III | OWASP Juice Shop | Coding for and hacking of the OWASP Juice Shop |
| Juice Shop Hack'n'Code IV | OWASP Juice Shop | Coding for and hacking of the OWASP Juice Shop |
| Lightweight privacy threat modeling using LINDDUN | Threat Model | Lightweight privacy threat modeling using LINDDUN |
| ML for Scaling Security Analysis | Machine Learning | |
| Making Online Gaming Safer for Children | Children Game Safety | Setting the scene and direction on how to make Online Gaming Safer for Children (and how the community can help) |
| Mapping OWASP DevSecOps Maturity Model to SAMMv2 | OWASP SAMM | Multiple working sessions on the new SAMMv2 |
| Maturity Model for Cyber Insurance | Cyber Insurance | Use the Maturity Model created by the OWASP SAMM project to create a first pass at a standard way to review Cyber Insurance |
| Maturity Model for Online Game Safety (based on SAMM) | Children Game Safety | Use the Maturity Model created by the OWASP SAMM project to create a first pass at a standard way to measure the Safety of Online Games |
| Meet the ICO | PSD2 and GDPR | If you could meet the ICO, what questions would you ask? |
| Mobile AppSec Verification Standard (MASVS) | Mobile Security | Work on the open issues of the MASVS |
| Mobile Basic Security Testing and Reverse Engineering | Mobile Security | Work on the Mobile Basic Security Testing and Reverse Engineering topics with a focus on restructuring the contents of the MSTG |
| OWASP Application Security Curriculum Project | Education | |
| OWASP Collective Defence Cluster (CDC) - two years on | CISO | |
| OWASP HoneyPot | OWASP Projects | Session on OWASP Honeypot |
| Online Game Safety - Round Table | Children Game Safety | Round table by multiple industry experts and players on how to improve the current state of Online Game Safety |
| Open Session | Threat Model | Threat Modeling Open Working Session |
| Open Session - Run over session | Threat Model | Threat Modeling Open Working Session |
| OWASP Testing Guide v5 | OWASP Projects | Working Sessions for OWASP Testing Guide v5 |
| OWASP Top 5 Machine Learning risks | OWASP Projects | |
| PSD2 Security | PSD2 and GDPR | Security implications of the new PSD2 standard |
| Real world Chaos Engineering | API Security | An exploration and working session to characterise, explore and implement real-world DevSecOps chaos experiments. |
| Real world ML case-studies | Machine Learning | |
| SAMM - Agile guidance | OWASP SAMM | Discussing the support for Agile development based on SAMM v2 |
| SAMM - Alignment with Threat Modeling | OWASP SAMM | Aligning the SAMM model with the Threat Modeling project. |
| SAMM - Alignment with other OWASP projects | OWASP SAMM | Aligning the model with other OWASP projects. |
| SAMM - Alignment with other OWASP projects | OWASP SAMM | Aligning the model with other OWASP projects. |
| SAMM - Alignment with other OWASP projects | OWASP SAMM | Aligning the model with other OWASP projects. |
| SAMM - Any Other Business | OWASP SAMM | Spare session to cover any other topics |
| SAMM - DevOps guidance | OWASP SAMM | Discussing the support for DevOps development based on SAMM v2 |
| SAMM - Editing agreements and parallel editing | OWASP SAMM | Parallel editing session to improve the content of the current model |
| SAMM - Measurement model | OWASP SAMM | Discussion on the new measurement model for the SAMM v2 project |
| SAMM - Measurement model | OWASP SAMM | Discussion on the new measurement model for the SAMM v2 project |
| SAMM - Model Challenges | OWASP SAMM | Discussing outstanding model challenges |
| SAMM - Model Challenges | OWASP SAMM | Discussing outstanding model challenges |
| SAMM - Model discussions | OWASP SAMM | Parallel editing session to improve the content of the current model |
| SAMM - Model discussions | OWASP SAMM | Parallel editing session to improve the content of the current model |
| SAMM - Outreach program | OWASP SAMM | Discussing the outreach for the OWASP SAMM project |
| SAMM - Outreach program | OWASP SAMM | Discussing the outreach for the OWASP SAMM project |
| SAMM - Outreach wrap-up | OWASP SAMM | Deciding on the objectives and plans for outreach for the OWASP SAMM project |
| SAMM - Parallel editing | OWASP SAMM | Discussion on the different SAMM documents and content editing. |
| SAMM - Parallel editing | OWASP SAMM | Discussion on the different SAMM documents and content editing. |
| SAMM - Parallel editing | OWASP SAMM | Parallel editing session to improve the content of the current model |
| SAMM - Parallel editing | OWASP SAMM | Parallel editing session to improve the content of the current model |
| SAMM - Planning and Roadmap | OWASP SAMM | Spare session to cover any other topics |
| SAMM - SAMM benchmarking | OWASP SAMM | Discussion on data collection and benchmarking |
| SAMM - SAMM documents and parallel editing | OWASP SAMM | Discussion on the different SAMM documents and content editing. |
| SAMM - Tooling | OWASP SAMM | Discussion on the tools that we're making available for SAMM |
| SAMMv2 - Threat Modeling | Threat Model | Discuss the SAMM threat modeling practice together with the SAMM team |
| SOC Monitoring Visualisation | Security Automation | AppSec SOC Monitoring Visualisation |
| Scaling API Security | API Security | |
| Secrets Management | DevSecOps | Secrets Management in a DevSecOps world |
| Securing Kubernetes hosted APIs | API Security | |
| Securing Serverless applications | Serverless | |
| Securing the CI Pipeline | DevSecOps | Secure the CI/CD pipeline |
| Security Challenges - An Introduction | | Introduction and overview |
| Security Challenges - Analyse others | | What strategies are already in use? |
| Security Challenges - Analysis, Analogies | | Next step: analyse cyber security in very general terms |
| Security Challenges - Collate others' strategies and assumptions | | Collate results from Wednesday. |
| Security Challenges - Next step | | Is this viable? Where do we go? |
| Share your Threat Model diagrams and create a Book | Threat Model | |
| Share your playbooks and release them under Creative Commons | DevSecOps | Session to consolidate and publish anonymised real-world playbooks |
| Share your security policies and release them under CC | PSD2 and GDPR | Map out what these are and what is the best way to measure them |
| Simon Session 1 | Wardley Maps | TBD - Session |
| Simon Session 2 | Wardley Maps | TBD - Session |
| Simon Session 3 | Wardley Maps | TBD - Session |
| State and future of threat modeling | Threat Model | What is the current state of TM and where do we need to go? |
| Towards a unified way of describing threat models | Threat Model | A presentation and discussion of a new language to describe a threat model |
| Using Cynefin Framework for Security | Cynefin Framework | Session on how to use the Cynefin Framework in the Security Domain |
| Using Cynefin Framework for Weak Signal Detection | Cynefin Framework | Session on how to use the Cynefin Framework for Weak Signal Detection |
| Using Cynefin Framework for making strategic security decisions | Cynefin Framework | Session on how to use the Cynefin Framework for making strategic security decisions |
| Using Data Science for log analysis | Maps and Graphs | Find out ways to use Data Science for log analysis |
| Using Lambda functions to scale security teams | Machine Learning | |
| Using Lambda functions to scale security teams | Serverless | |
| Using Threat Models for GDPR | PSD2 and GDPR | Hands-on user session on how to use Threat Models in GDPR mappings |
| Using User Story Mapping for effective communication | Maps and Graphs | |
| Using tools to create Wardley Maps (Training Session) | Wardley Maps | Learn the best ways to create Wardley Maps manually and programmatically |
| ZAP working session - automation | OWASP ZAP | Working session on ZAP automation |
| ZAP working session - future plans | OWASP ZAP | Working sessions on ZAP future plans |
| ZAP working session - the HUD | OWASP ZAP | Working session on the ZAP HUD |

Pre-Summit Working Sessions

A number of Working Sessions are happening before the Summit; please see the details below and participate.

| Title | Track | Description |
|---|---|---|