Invitation to OWASP Stammtisch Hamburg double feature: A beginner's guide to SSO (mis)configuration | Omnipresent Biometric Surveillance by Matthias Marx


Dirk W

Jan 31, 2024, 2:43:51 PM
Moin ^W Hello out there!

You’re cordially invited to our next round of talks. Yes, there will be two of them: Adina will talk about intricacies of SSO and IdPs. Matthias will present useful insights on his research and privacy implications on several aspects of facial recognition. Both talks will be held in English.

The evening is hosted by @ New Work (formerly known as XING). Important: if you’re planning to attend drop me an e-mail OR leave your RSVP at Meetup ( as the host’s security check folks at the entrance.

Doors open at 18:00 CEST on and we will begin with the presentations at 18:30 CEST!

In a nutshell
Location: Strandkai 1, 20457 Hamburg @ New Work
Start: Doors open @ 6:00 pm CEST, February 7th; the talks start at 6:30 pm sharp
Title: A beginner's guide to SSO (mis)configuration by Adina Bogert-O'Brien
Title: Omnipresent Biometric Surveillance by Matthias Marx
Networking: Stay there or depending on our mood we'll have an after-talk beer somewhere in the vicinity of the venue
Formal registration required

Abstract: A beginner's guide to SSO (mis)configuration

SSO is sold as a way to
• centralize managing your organization’s users,
• make life easier for your colleagues, and
• enforce consistent security standards.

But SSO protocols are just ways for an identity provider to share information about an authenticated identity with another service. Me having a way to tell my vendor “yeah, that’s Bob” doesn’t tell me what the vendor does with this information, or if the vendor always asks me who’s coming in the door.
A bad SSO implementation can make you think you’re safer, while hiding all the new and fun things that have gone wrong.
To get the most out of implementing SSO, I need to know what I’m trying to accomplish and what steps I need to follow to get there. To illustrate why SSO needs to be set up carefully, for each of the things you need to do right, I’ll give you some fun examples of creative ways you and your vendor can do this wrong. We all learn from failure, right???

I’m sharing this info because this year I got deeply involved in the SSO setup for several vendors at work. It turns out that I’m good at asking weird questions, and it’s an extremely valuable thing to do. If you know how things should be, then you know where they could be broken, and you can ask your vendors (and your colleagues!) “weird questions” before an adversary does.

I'm especially interested in what the OWASP Hamburg group has to say about these misconfigurations: how does OWASP documentation cover things like this?

Abstract: Omnipresent Biometric Surveillance

Biometric surveillance is ever-present in Germany and many of us have not realized this. Facial recognition search engines like Clearview AI and Pimeyes feed our faces to their gigantic search indexes without our explicit consent. Matthias shares his experiences attempting to uphold privacy through GDPR, shedding light on the associated challenges.

Hey, I’m Adina! I am incessantly curious, work in renewable energy, and sometimes find vulnerabilities when I’m bored. I co-founded a hackerspace over a decade ago but have only just accepted that security is more than a hobby. At work, I’m a business architect with security leanings working in knowledge management for a major renewable energy company.
Matthias is an IT security researcher from Hamburg. He runs Tor exit nodes, enjoys reporting data leaks, and is not a fan of face search engines.

Our OWASP "Stammtisch"
Our meeting is about web applications and their (in)security and/or about IT security in general. People come together who care, as a hobby or in their job, about information security: developers, managers, pen testers and everybody else who's interested. The atmosphere is open and relaxed. Anyone who's coming to sell products or services: move on, this is not the right place. OWASP is about education and sharing (mostly) technical information.
Feel free to forward our meetup URL to your colleagues or friends. They are welcome, too. Participation is free and open -- as the O in OWASP.

Cheers, Dirk

OWASP Volunteer
Send me encrypted mails (Key ID 0x4D9CA7F2E2FA20B3)
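The abstract's core point is that an SSO protocol only carries an identity provider's statement about an authenticated user; whether the vendor (the service provider) actually verifies that statement before acting on it is a separate question. As an added example, not from Adina's talk, the original post, or any OWASP material, the Python below puts a careless and a careful service-provider check side by side for an OpenID Connect-style ID token. Everything in it is constructed: the issuer URL, client ID, shared secret and user claims are made up, and HS256 with a shared client secret is assumed so that it runs offline (real deployments usually verify RS256 signatures against the IdP's published JWKS keys).

```python
"""Added example (not from the talk or OWASP): service-provider side ID-token
checks, a weak one beside a strict one. HS256 with a shared client secret is
assumed for offline runnability; issuer, client id, secret and claims are
hypothetical."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.test"             # hypothetical IdP issuer
CLIENT_ID = "vendor-app"                         # hypothetical SP client id
CLIENT_SECRET = b"correct horse battery staple"  # hypothetical shared secret


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT. With alg='none' the signature is left empty,
    which is exactly what an attacker would send to a sloppy verifier."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def weak_identity(token: str) -> str:
    """The 'bad SSO implementation': decode the payload and trust the email
    claim. No signature, algorithm, issuer, audience or expiry check, and it
    keys the account on a mutable, possibly unverified attribute."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return payload["email"]


def strict_identity(token: str, now=None) -> str:
    """Verify before trusting: algorithm pinned, signature compared in
    constant time, then issuer, audience and expiry enforced. Returns the
    stable 'sub' identifier; raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not meant for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims["sub"]


def demo() -> dict:
    """Constructed scenario: one legitimate token, then three attacker-
    controlled ones. Returns {name: (weak_result, strict_result)}."""
    now = 1_700_000_000  # fixed clock so the run is deterministic
    good = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42",
            "email": "bob@example.test", "iat": now, "exp": now + 300}
    cases = {
        "legit": mint_token(good, CLIENT_SECRET),
        # payload edited and re-signed with a key the attacker made up
        "tampered": mint_token({**good, "email": "admin@example.test",
                                "sub": "user-1"}, b"not the secret"),
        # classic 'alg: none' token with the signature stripped
        "alg_none": mint_token({**good, "sub": "user-1"}, b"", alg="none"),
        # genuine token from the same IdP, but issued for a different client
        "other_client": mint_token({**good, "aud": "some-other-app"}, CLIENT_SECRET),
    }
    results = {}
    for name, tok in cases.items():
        try:
            strict = strict_identity(tok, now=now)
        except ValueError as e:
            strict = f"rejected: {e}"
        results[name] = (weak_identity(tok), strict)
    return results


if __name__ == "__main__":
    for name, (weak, strict) in demo().items():
        print(f"{name:13s} weak -> {weak:22s} strict -> {strict}")
```

The weak verifier happily returns `admin@example.test` for the tampered and `alg: none` tokens, and accepts a token the IdP minted for a completely different application; the strict one rejects all three and only ever keys the account on `sub`. What no token check can tell you is the abstract's other question, whether the vendor still lets someone in through a local password login beside SSO; that one you have to ask.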

Dirk Wetter

Feb 6, 2024, 9:45:30 AM

This is the usual reminder for tomorrow.

If you still would like to participate, drop me a line.

Cheers, Dirk