About this Event
This event is kindly sponsored by Curity.
Raffle prizes are kindly sponsored by Curity and Fortbridge.
There is limited seating available for in-person attendees. Registration required.
This event will also be live-streamed on YouTube.
Recordings will be available on the
Venue Location: Civo Tech Junction, 32-37 Cowper Street, London EC2A 4AW
Nearest Tube Stations: Old Street, 2 min walk (take Cowper Street Exit)
Doors Open at 6pm for registration, pizza, drinks and networking. The talks start at 6:30pm (we start on time!).
TALKS:
OWASP Introduction, Welcome and News - Sam Stepanyan, Andra Lezza, Sherif Mansour - OWASP London Chapter Leaders
"North Korea: The Great Recruitment Firewall" - Mariya Hristova
North Korean spies are lurking everywhere, but especially in the hiring pipeline. Disguised as the perfect candidate to try and snag a position in a company where they can espionage away!
Recruitment is the first point of contact for all candidates, so in this talk I will go over how I recognise fraudulent candidates without descending into unfounded bias. I’ll go over some recent examples and give some practical guidance on what you can do if you are not sure that the person opposite you is who they say they are.
Guest Lightning Talk - "The Realities of AppSec Risk Management using CVEs" - Aram Hovsepyan
Are CVEs truly reliable and objective indicators of risk? In this lightning talk, I challenge this core assumption underlying many modern application security programs. Organizations build dashboards, SLAs, and KPIs around CVE counts. Yet the CVE ecosystem is shaped by structural incentive misalignments, unclear validation standards, and a nearly impossible dispute process. Empirical research suggests that a substantial portion of published CVEs are unconfirmed, disputed, or duplicated. The result is a vulnerability database that contains measurable noise. However, we all treat it as ground truth. This talk argues that an effective AppSec program must treat CVEs as signals rather than authoritative facts that automatically drive prioritization and exhaust engineering teams.
"Vesta Admin Takeover - Exploiting reduced seed entropy in bash $RANDOM" - Adrian Tiron
Vesta is a lightweight, web-based control panel that simplifies Linux server management, appealing to users seeking an intuitive alternative to traditional platforms like cPanel and Plesk. This presentation will examine a critical flaw in Vesta: an admin takeover exploit resulting from reduced seed entropy in the Bash $RANDOM variable. By transforming what was once a theoretical attack into a practical one, we successfully reduced the brute force domain of the seed by over 98%. This allows attackers to generate predictable random values, compromising the security of passwords and tokens. We will discuss the implications of this vulnerability and highlight best practices for enhancing server security in real-world applications.
"Securing AI Agents: Identity Strategies for Safe API Access" - Gary Archer
As organizations adopt AI-driven tools and workflows, new security challenges arise around how AI agents securely access APIs. In this session, Gary explores how best practices for connecting AI agents to APIs are evolving, and outlines the essential identity and security building blocks organizations should put in place for the emerging AI era. The talk focuses on architectural principles and patterns rather than specific vendors or products.
SPEAKERS:
Mariya Hristova
A People and Talent Leader who has been building tech teams across large orgs and startups for 10 years. An enthusiastic amateur in all things tech, but with a personal crusade to help improve UX and UI in open source tools. If we want to usher in the year of the penguin, we have to pay attention to that stuff! In my spare time I like to break HR Tech or volunteer my time and knowledge to help companies and candidates/employees meet each other in the right way.
Aram Hovsepyan
Aram is the founder and the CEO of Codific. With over 15 years of experience, he has a proven track record in building complex software systems by explicitly focusing on software security. Aram has a PhD in cybersecurity from DistriNet KU Leuven. His contributions to the refinement and streamlining of the LINDDUN privacy engineering methodology have been incorporated into ISO and NIST standards. Aram is also a core contributor to the OWASP SAMM project and the architecture and security mentor for all our teams.
Adrian Tiron
Adrian Tiron is a Co-Founder & Principal Pentester/Red Teamer at FORTBRIDGE with 20 years of experience in cybersecurity. He has a proven track record of success working with top companies in the UK, US, and Europe. As a dedicated researcher and blog author, Adrian has uncovered multiple critical vulnerabilities in open-source and commercial software, contributing significantly to improving online security.
Gary Archer
Gary Archer is a Product Marketing Engineer at Curity with over 20 years’ experience as a lead developer and architect delivering investment banking solutions. His work includes leading OAuth-based migrations, designing distributed security architectures, and supporting complex business systems. At Curity, Gary focuses on teaching end-to-end security flows across web, mobile, and API environments, helping teams understand both the benefits and learning curve of modern identity architectures.
RAFFLE - win a prize (or two!) kindly donated by our sponsors!
TICKETS:
OWASP meetups are free and open to anyone interested in application security. Please note that you MUST book your place to be admitted to the event by the building security. Your name will be checked against the guest list.
CODE OF CONDUCT:
We hope you enjoy the event. We care deeply about inclusivity and diversity so that OWASP is a comfortable and welcoming community for everyone. Please reach out to one of our chapter leaders if you have any feedback/concerns or would like to speak to us; we take these matters very seriously. OWASP Code Of Conduct: https://owasp.org/www-policy/operational/code-of-conduct
PHOTOGRAPHY:
Please note that OWASP events are open to the public, and OWASP does not restrict attendees (including OWASP staff, volunteers, sponsors, and media) from taking photos or videos at our events.
The talks will be video recorded.
By attending OWASP events, you acknowledge that you are in a public space and that attendees (including OWASP staff, volunteers, sponsors, and media) may capture your image in photos and videos. Nevertheless, OWASP encourages event attendees to exercise common sense and good judgment and respect the wishes of other attendees who do not wish to be photographed at the Events.
SPONSORS
This event is kindly sponsored by Curity.io and kindly hosted by Civo Tech Junction.
Additional raffle prize sponsored by Fortbridge.