Jump to: navigation, search

OWASP Scotland

Welcome to the Scotland chapter homepage. The chapter leaders are Sean Wright and Rob Jansson.
Click here to join the local chapter mailing list.


OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.


Btn donate SM.gif to this chapter or become a local chapter supporter.

Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now BlueIcon.JPG

Local News

Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above).

You can also now follow us on Twitter (@OWASPScotland).


A big thank you to FanDuel for hosting our September 2018 event. As well as providing the beer and pizza!

Upcoming Events

Signup to the chapter mailing list to be informed of upcoming events.

Thursday, 20 September 2018

Time: 18:00 - 20:00

Location: FanDuel, Quartermile One, Level 4, 15 Lauriston Place, Edinburgh, EH39EP

The next OWASP Scotland Chapter meeting pencilled in the diary for Thursday 20th September. Many thanks to Fanduel, who has kindly offered to host this event for us.  They will also be providing pizza and beer!

For attending this event you will be able to claim 2 CPE points.

Tickets available on Eventbrite:

DNS over TLS / DNS over HTTPS - The privacy magic bullet?

Speaker: Sean Wright

ith the introduction of Cloudflares new DNS service there was much hype around how it supported DNS over HTTPS and how this would help privacy. This talk investigates some potential short comings with this technology and how it is still possible in some cases to have information leaked about what site is being visited.

Raising Organisational Security Awareness with CTFs

Speaker: Rob Jansson

Capture the Flag (CTF) events are run frequently throughout the security community and conferences around the globe. Outside of security this is commonly unknown territory and means little to Joe Bloggs. Everyone within an organisation is responsible for security, whether it be data entry, developers, infrastructure / hosting services etc.; and security is often seen a blocker or some sort of black magic. This talk will walk you through how a CTF event was run within an organisation to raise security awareness amongst its employees, the challenges, successes and failures encountered. At the end of the talk you should have a good idea how to get one setup and whether you’d want to incorporate this into your organisation’s security programme.

Past Events

Monday, 21 May 2018

Time: 18:00 - 20:00

Location: Ernst & Young,144 Morrison St, Edinburgh EH3 8EX

We are pleased to let you know we have the second 2018 OWASP Scotland Chapter meeting pencilled in the diary for Monday 21st of May. Many thanks to EY who has kindly offered to host this event for us.

On this occasion we have the pleasure of having Tal Mozes do a talk on ‘Cyber Terror’. Tal comes from an impressive background in information security; and is currently a Partner at EY leading their Hacktics Cyber Security Center.

In the second talk Rob will be presenting on ‘Responsible Disclosure – The Good, the Bad and the Ugly’.

For attending this event you will be able to claim 2 CPE points.

Tickets available on Eventbrite:

Cyber Terror

Speaker: Tal Mozes

Most of us, cyber security professionals, help in the fighting of cybercrime. 

Most of our threat agents are opportunists, ideologists, organized crime and other Advanced Adversaries. But between those threat agents there are also terrorists, which are using the latest technologies to plant terror. From information warfare, to targeted attacks, what motivates them, what can they do and how can we all help in preventing the next digital terror attack.

Responsible Disclosure – The Good, the Bad and the Ugly

Speaker: Rob Jansson

What is responsible disclosure and is it something that would help protect your company from cyber attack? In this talk we will examine the benefits of having a responsible disclosure policy in place, what can go wrong and get ugly (really fast!).

Wednesday, 14 March 2018

Time: 18:00 - 20:00

Location: PwC offices, 144 Morrison Street, Edinburgh, EH3 8EX 

We are pleased to let you know we have the first 2018 OWASP Scotland Chapter meeting pencilled in the diary for Wednesday 14th March. Many thanks to PwC who has kindly offered to host this event for us.

We are still confirming speakers so please save the date and await further information in the near future.

If you would like to present, please drop Sean or Rob an email with a brief blurb of the proposed subject. We will review all submissions and get back to you.

For attending this event you will be able to claim 2 CPE points.

Website Discovery & Managing the Shadow Estate

Speaker: James Penny

There’s been a lot of writing and talks about the problem of Shadow IT – where users are working on their own cloud services, devices, and using unapproved software to get around “restrictive” or unresponsive controls.

A variation on this theme that’s talked about less is the “Shadow Estate” – services and websites that are launched without proper oversight and assent from departments that should be vital stakeholders. The core issue remains the same: the more controls we try to implement, the more project teams who don’t share our priorities will attempt to avoid them.

This talk explores a few possible reasons for this phenomenon, and the steps we in security can and have been taking to mitigate it.

Analyst, Engineer or Consultant?

Speaker:Harry McLaren

A looks at common roles with cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.

Tickets available on Eventbrite:

Wednesday, 4 October 2017

Time: 18:00

Location: Secureworks, 

1 Tanfield, 



To attend, please register here for the event Places are limited, so please only register if you will definitely be attending.

* Please note that if your name is not on the list, you will be unlikely to enter the venue.

Revocation is broken, here's how we're fixing it

Speaker: Scott Helme

The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.

Thursday, 31 August 2017

Hope everyone is enjoying the summer and ready for the next OWASP Scotland Chapter meeting as we have secured two great talks for you. Please see blurbs below for details and Edinburgh University are again very kindly providing us with meeting space. 

We have had great feedback from the previous event and look forward to seeing you all at the end of August. Very likely to be networking opportunities after the talks over a refreshment at a nearby watering hole.

Time: 18:30

Location:  MF2 on the 4th floor,

Informatics Forum,

10 CrichtonStreet,



Deconstructing WannaCry

Speaker: James Slaughter

- Who, What, Where, Why and How.

-  Or, how I actioned the incident and learned more about the malware to help our organization weather one of the largest malware events to occur in recent history.

Driving Remediation in Large Organisations

Speaker: Andrew Scott

Congratulations!  Your vulnerability scanning, penetration testing and bug bounty programmes are all running really well.  But what about remediation?  When it comes to fixing the problems identified by the various assurance programmes it’s easy to become swamped by the sheer volume and not make enough progress on actual fixes.  How do you sort the must fixes from the nice to haves and how do you push the fix rate up and the time to fix down?  I’ll look at a number of the challenges here and some solutions.


If you would like to sponsor the OWASP Scotland chapter, please get in contact with Sean Wright or Rob Jansson.