# Talks, events and workshops ## [Application Security Architecture: What's Next](https://drive.google.com/file/d/1oYwTKWP65p1DxTmIZHgLflisjQTuycO3/view?usp=sharing) Delivered a keynote presentation at SAI RESET IT 2025 in Brussels 🇧🇪 on the future of Application Security and Agentic AI. The talk looks at the past, the present and the future of how we build applications and how we integrate security, with a little twist at the end. **Davide Cioccia** **@**[**SAI RESET IT 2025**](https://www.sai.be/event/details/296/sai-reset-it-2025/) ## [Workshop | Hacking and Defending LLM Applications (OWASP LLM Top 10) ](https://events.pinetool.ai/3412/#sessions/111357?referrer%5Bpathname%5D=%2Fsessions\&referrer%5Bsearch%5D=\&referrer%5Btitle%5D=Sessions) Ready to hack and fix LLM applications? This workshop will take you through the OWASP LLM Top 10 via hands-on hacking labs. You will learn various techniques to exploit LLM applications vulnerabilities, and how to implement robust secure design patterns. Whether you are a builder or breaker of LLM applications this is for you! At the end of the day there will be an exciting attack-and- defense wargame. Plenty of learning and fun, guaranteed. **Davide Cioccia** **@Cyberwise Lithuania 2025** **@Bsides London 2025** **@BlackHat Europe Arsenal Lab 2025** ## [Backdooring LLMs on HuggingFace: Secure Coding Lessons](https://github.com/sectalks/sectalks/blob/master/talks/SIN0x02/Backdooring_LLMs_on_Hugging_Face_Secure_Coding_Lessons.pdf) **Davide Cioccia**\ **@ SecTalks Singapore 2025 (Singapore)** As open source large language models (LLMs) continue to gain traction, so too does the risk of supply chain attacks targeting platforms like Hugging Face. This talk explores the current threat landscape surrounding open source LLMs, focusing on how malicious actors can inject backdoors into models and associated code. We demonstrate practical techniques for bypassing Hugging Face’s existing security controls, revealing how seemingly benign models can conceal harmful behaviors. ## [GitArmor: Policy-as-Code for your GitHub environment](https://drive.google.com/file/d/1cx2ccv3ynQXHxtnlsjRWW1oqoAWhVpfC/view?usp=drive_link) **Davide Cioccia, Stefan Petrushevski** [**@ BlackHat Arsenal Asia 2025 (Singapore)** ](https://www.blackhat.com/asia-25/arsenal/schedule/index.html#gitarmor-policy-as-code-for-your-github-environment-44269) [**@ BlackHat Arsenal Asia 2024 (Singapore)** ](https://www.blackhat.com/asia-24/arsenal/schedule/index.html#gitarmor-policy-as-code-for-your-github-environment-37320) [**@ BlackHat Arsenal Europe 2024 (London)** ](https://www.blackhat.com/eu-24/arsenal/schedule/index.html#gitarmor-policy-as-code-for-your-github-environment-42200) GitArmor is an open source tool that intuitively transforms the security requirements and controls for your DevOps implementation into policies as code and enables you to run the checks against your GitHub environment.​ Here’s how GitArmor can be a game changer for you: 1. **Policy as Code** - Transform your DevOps platform security policies into GitArmor `yml` files. Stored centrally, these policies can be enforced with on-demand or periodic checks across your GitHub Organization, helping you pinpoint and prioritize areas for improvement. 2. **Security Assessments** - Perfect for Security Teams, GitArmor facilitates the reconnaissance phase of possible misconfigurations of the SCM environment. 3. **Dev Team Setup** - Ideal for startups, a small development team can utilize GitArmor along with the default policy to ensure their GitHub repositories and organization are securely configured. {% embed url="" %} ## [DevOps Meet Sec: Your Journey to Delivering Secure Code Fast](https://drive.google.com/file/d/1_Olok8oP0ZOM7Xdv-xQrinqHWZT6sIDx/view) **Davide Cioccia** **@ DevDays / DevPro Europe 2023 (Lithuania) online** **@ SECCON NL 2023 (Netherlands)** **@ TestCon Europe 2023 (Lithuania)** After spending the last 1 or 2 years getting your DevOps process right, here it comes the new security guy: "We need to move to DevSecOps". This talk wants to share my personal experience, challenges, and successes as DevSecOps Architect in implementing DevSecOps in different DevOps processes. The talk starts with the main question: "Where do we start?" to then moves to topics like IaC security, the policy as code, SAST, SCA, SBOM, Security Champions, CI/CD security, supply chain security, logging and monitoring, and DevSecOps maturity. Don't look at it as a list but as a mix of connected resources that will increase automation and reduce manual bottlenecks. At the end of the talk, attendees should already be able to picture their DevSecOps journey ahead. ## [OWASP Crackme Android solutions ](https://mas.owasp.org/crackmes/Android/) **Davide Cioccia** **@ OWASP MAS** We provided a set of solutions to exploit the OWASP MAS Android Crackle challenges using Ghidra and Frida. Read our writeups [here](/research/owasp-mstg-crackme-1-writeup-android.md) ## [Attacking and defending GraphQL applications: a hands-on approach](https://drive.google.com/file/d/1V7urfbRZLs5i4k1YbYUqCzq9xSk6PT2z/view?usp=share_link) **Davide Cioccia & Stefan Petrushevski** **@ DevSecCon Boston 2019** "Attacking and Defending GraphQL Applications: A Hands-On Approach" is a workshop that provides practical knowledge on securing GraphQL applications. Participants engage in hands-on activities to identify, exploit, and mitigate vulnerabilities in GraphQL APIs. The workshop covers attack vectors specific to GraphQL and teaches defensive techniques such as authentication, input validation, and rate limiting. ## [Squatm3gator: 360° Cybersquatting](https://drive.google.com/file/d/16RFzYWUNugAP39t2uz6KeqQCe0BaXDt3/view?usp=share_link) **Davide Cioccia & Stefan Petrushevski** **@ BlackHat Asia 2019** We presented a new tool to automate cybersquatting attacks and indentify available websites to use in phishing campaigns. The tool also allows you to monitor existing domains for expiration date and buy it as soon as it becomes available. And .... it is opensource {% embed url="" %} ## [Squatm3: cybersquatting made easy](https://www.dropbox.com/s/8r9t16s4x94iczu/blackhat-eu18-arsenal.pptx?dl=0) **Davide Cioccia & Stefan Petrushevski @ BlackHat Arsenal London 2018** We presented a CLI tool to exploit, detect and prevent cybersquatting attacks. The tool is designed to be fast and give a quick feedback to companies and pentesters. ## [Automation of MASVS with BDD](https://2018.open-security-summit.org/outcomes/tracks/misc/user-sessions/automating-masvs/) **Davide Cioccia @ Open Security Sammit London 2018** The session has been focused on creating BDD tests to automated the OWASP MSTG test cases, in order to integrate those tests in the CI/CD pipeline\* ## [Mobile BDD security tests on steroids](https://drive.google.com/file/d/1pVwctehhQsGserss-WSCPRvZTokHIXoP/view?usp=share_link) **Davide Cioccia @ OWASP AppSec USA 2018** This talk introduces a new process and practical solution that achieves this – automation of mobile security tests. We are using a combination of existing penetration testing frameworks (Drozer and Needle), UI automation, underlying system commands available in the mobile OS for execution of tests and describe (write) tests in BDD fashion. In this way, you can cover all kind of security tests, such as testing for not encrypted PII, input validation, cryptography, network security, SQL injection and so on! Basically, the goal is to translate MASVS (and its sister project MSTG) into automated BDD security tests and give pentesters more time to focus on "crazy stuff" ## [BDD Mobile security testing with OWASP MASVS, OWASP MSTG and Calabash](https://drive.google.com/file/d/1zHjcxXcYBQQOZN_Q7FoMwlPWvfAFWyra/view?usp=share_link) **Davide Cioccia @ OWASP AppSec Romania 2017** A novel approach on automating OWASP MASVS and MSTG via unit and integration tests using BDD. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://1337.dcodx.com/research/talks-events-and-workshops.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.