OWASP Leiria

Welcome to OWASP Leiria!

The objective of this chapter is to promote application security in Leiria, through the engagement of the local community, meetings and events organization, and project participation.

Join us!

Follow us and stay up to date

Use the social links on the right to follow us and stay up to date with our events.

Next Meeting/Event

🗓️ Our next meetup will be held on February 26th, 2026!

Participation

Call for Talks

Are you interested in speaking at our meetups? Beginner or advanced, attack or defense, technical or not, submit your talk here.

Sponsorship

The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. All of our projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

Chapters are led by local leaders in accordance with the Chapters Policy. Financial contributions should only be made online using the authorized online donation button.

Everyone is welcome and encouraged to participate in our Projects, Local Chapters, Events, Online Groups, and Community Slack Channel. We especially encourage diversity in all our initiatives. OWASP is a fantastic place to learn about application security, to network, and even to build your reputation as an expert. We also encourage you to become a member or consider a donation to support our ongoing work.


History

The OWASP Leiria Chapter started its activities in January 2025.

First Event

#0 - The Castle: February 6th, 2025 @ synvert xgeeks

Talk: Do Not Live in the Shadows (APIs) by Teresa Pereira (Cyber Threat Hunter @ Siemens Energy & OWASP Leiria Co-Organizer)

Abstract: This talk explores the concept of Shadow APIs, starting with a clear definition and their origins, and examines the multifaceted risks they introduce to software development. Through real-world examples, we will highlight the potential consequences of ignoring these “hidden doors” and discuss strategies for their identification, management, and mitigation. By the end of this session, you will gain actionable insights and strategies to reduce the risks posed by Shadow APIs and build more resilient, secure, and compliant systems.

Second Event

#1 - Leiria Pine Forest: April 10th, 2025 @ FNAC Auditório, LeiriaShopping

Talk: HTML Smuggling to EDR Bypass by Milton Araújo (Security Researcher @ Secure Tecnologia)

Abstract: Delve into how cybercriminals utilize HTML Smuggling to circumvent traditional security measures like Antivirus (AV) and Endpoint Detection and Response (EDR) solutions. This session will explore the nuances of this stealthy attack method, showcasing how malicious payloads can be discreetly delivered to target devices via browsers while evading standard security protocols.

Third Event

#3 - The Old Glass Factory: September 19th, 2025 @ HLink offices (Marinha Grande)

Talk 1: Build Your Software Like a Fortress: Secure Configurations as Your First Line of Defense by Daniel Pinto (CTO & Senior Software Engineer @ Setwin)

Abstract: When building modern web applications and APIs, many developers focus on writing secure code — but overlook the crucial impact of deployment configurations. From authentication layers to RBAC, from HTTPS enforcement to header settings and firewall rules, misconfigurations remain one of the top causes of security breaches today. In this talk, we’ll explore how simple configuration decisions can have a massive impact on your application’s security posture. We’ll walk through real-world examples, common pitfalls, and practical strategies to harden your software during deployment — without introducing complexity or slowing down development. Whether you’re a developer or part of a DevSecOps team, you’ll leave with actionable insights to help you build secure-by-default systems from the ground up.

Talk 2: AI-Driven Offense: Enhancing Every Phase of Web Testing by José Irio (Cybersecurity Consultant @ VisionWare)

Abstract: Artificial Intelligence is rapidly reshaping offensive security. In this talk, we’ll explore how AI can be practically applied to improve web application testing. We’ll break down each phase of a typical assessment (reconnaissance, exploitation, and reporting) and highlight existing AI-powered tools developed by the security community. From automating tedious tasks to uncovering insights that might otherwise be missed, these tools demonstrate how AI can help testers improve both the efficiency and depth of web app security assessments.

Fourth Event

#4 - Leiria Does Not Exist: December 18th, 2025 @ Online (StreamYard)

Talk 1: Instant API Hacker by Corey Ball (CEO & Founder @ hAPI Labs, APIsec University Founder)

Abstract: “Instant API Hacker” is a fast-paced, 30-minute presentation that demonstrates how quickly someone can learn to identify and exploit API vulnerabilities. Led by Corey Ball, author of “Hacking APIs” and founder of APIsec University and hAPI Labs, this talk provides a practical introduction to API security testing using real-world tools and techniques. Attendees will witness the exploitation of critical vulnerabilities from the OWASP API Security Top 10, including broken authentication, authorization flaws (BOLA), and excessive data exposure. Through live demos using the crAPI vulnerable lab, participants will see firsthand how APIs can be compromised and gain actionable insights they can apply immediately. The presentation concludes with free resources for continued learning, including access to vulnerable labs and APIsec University courses.

Talk 2: The AppSec Poverty Line: Minimal Viable Security by Tanya Janca (Trainer, Keynote Speaker, Best Selling Author - Alice and Bob Learn Secure Coding & Application Security)

Abstract: Not every team has a security budget. Not every project has a dedicated AppSec engineer. But every product exposed to the internet needs some level of security to survive. This talk explores what I call “The AppSec Poverty Line”, also known as “Minimal Viable Security” — the minimum viable set of practices, tools, and cultural shifts that under-resourced dev teams can adopt to meaningfully improve application security. Whether you’re a startup with no security hires, an independent dev, or part of a team that doesn’t have a security budget, this talk will help you prioritize what actually matters. We’ll cover practical approaches to getting from zero to secure-ish, with a focus on:

• Training developers to write more secure code, and spot unsafe code

• Cultivating a security-positive culture

• Leveraging open-source tools that punch above their weight

• Knowing when “good enough” really is enough — and when it’s not

Attendees will leave with a roadmap for building real-world security into their product lifecycle — without breaking the bank or burning out the team. Because even if you’re below the AppSec poverty line, you don’t have to be defenseless.