APISecure 2022

  • Title: Evolution of the OWASP API Security Top 10
  • Speakers: Paulo Silva
  • Date: April 2022

APISecure 2022

  • Title: Hacking APIs 101 with MindAPI
  • Speakers: David Sopas
  • Date: April 2022

RSA Conference 2021

Participants in this session will get a walk-through of MindAPI, an online mind map that combines years of experience in API security testing. It is divided into two sections, Reconnaissance and Testing, which follow the OWASP API Security Top 10 and other security guides. Get a tuned methodology, documentation and open-source tools to help you on the path to securing APIs.

  • Title: MindAPI - Bringing Organization to API Security Testing
  • Speakers: David Sopas
  • Date: May 2021

Cyber & Cloud Expo - WebConference

Watch David Sopas's talk "Na segurança, o elo mais fraco somos nós" ("In security, the weakest link is us"), held on 9 October 2020.

  • Title: Na segurança, o elo mais fraco somos nós
  • Speakers: David Sopas
  • Date: November 2020

DEF CON 28 AppSec Village

In this session, we will analyze four real-world examples of different high-impact Android vulnerabilities. We will show how we discovered, developed and leveraged the vulnerabilities into fully working proofs of concept, devised meaningful attack scenarios (demos included), and how our work was handled by the different vendors.

  • Title: Android Bug Foraging
  • Speakers: Pedro Umbelino | João Morais
  • Date: August 2020

DEF CON 28 AppSec Village

Do you speak API? Surely you do, even if you don't notice them in your everyday use of the world wide web. APIs have proved to be beneficial for business, but with great power comes great responsibility, and some of them have serious problems. Last year we put a lot of effort into building and releasing the OWASP API Security Top 10 project. Then we decided to go wild and have some fun. Now we will present our findings, from the OWASP API Security Top 10 to lots of fun and profit. Join us to learn common API pitfalls and how to find and abuse them. It won't hurt. Unless your data is in there...

  • Title: API (in)Security TOP 10: Guided tour
  • Speakers: David Sopas | Paulo Silva
  • Date: August 2020

BSides Lisbon 2018

This talk is based on our research on air-gapped systems and covert-channel exfiltration methods. Nation states spying on users seems pretty common these days, and we will show the audience how to implement such covert channels using NFC and visible light.

The presentation will be divided into two parts, starting with a brief explanation of air gaps and data exfiltration, moving on to some of the existing techniques and finishing with some of our own unpublished research, live demos included.

The speakers will show how it is possible to exfiltrate information using two different methods. First, by abusing an IoT Bluetooth Low Energy light bulb and retrieving the information reflected off a wall or any other surface with an off-the-shelf smartphone. Then a different approach based on NFC will be shown. What if you could use the NFC chip of a device at a longer range, and transmit information even through walls?

By the way, the speakers are not responsible for feds getting ideas from this talk. This is kind of a disclaimer.

  • Title: Exfiltrate All The Things!
  • Speakers: David Sopas | Pedro Umbelino
  • Date: December 2018
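The abstract above only sketches the optical channel (toggle a BLE bulb, film the reflection with a phone). The following is an added example, not the speakers' code or the protocol they demonstrated, showing the two halves a practitioner would need: a transmitter that turns bytes into a frame of bulb on/off levels, and a receiver that recovers the bytes from a noisy brightness trace. The preamble pattern, Manchester coding, length-prefixed framing, samples-per-half-symbol rate and the simulated camera trace are all assumptions made for this illustration.

```python
import random

# Frame layout and timing are assumptions for this illustration, not the speakers' protocol.
PREAMBLE = [1, 0, 1, 0, 1, 1, 0, 0]   # sync pattern the receiver hunts for
SAMPLES_PER_HALF = 5                  # camera frames captured per Manchester half-symbol


def bytes_to_bits(data: bytes) -> list[int]:
    """MSB-first bit list of a byte string."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def bits_to_bytes(bits: list[int]) -> bytes:
    """Inverse of bytes_to_bits; drops a trailing partial byte."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def manchester(bits: list[int]) -> list[int]:
    """1 -> high,low ; 0 -> low,high. Every bit carries a transition, so the
    receiver can stay in sync without sharing a clock with the transmitter."""
    return [half for bit in bits for half in ((1, 0) if bit else (0, 1))]


def encode_frame(payload: bytes) -> list[int]:
    """Preamble + 8-bit length + payload, Manchester coded, one entry per camera frame.
    1 = bulb on, 0 = bulb off. This is what the transmitter would drive over BLE."""
    if not 0 < len(payload) < 256:
        raise ValueError("payload length must fit in one byte")
    bits = PREAMBLE + bytes_to_bits(bytes([len(payload)])) + bytes_to_bits(payload)
    return [level for level in manchester(bits) for _ in range(SAMPLES_PER_HALF)]


def simulate_capture(levels: list[int], seed: int = 1) -> list[float]:
    """Constructed stand-in for the phone's brightness trace: bulb 'off' reflects ~0.2,
    'on' ~0.6, with idle time before/after the frame and Gaussian sensor noise."""
    rng = random.Random(seed)
    idle_before, idle_after = [0] * 37, [0] * 20
    return [0.2 + 0.4 * lv + rng.gauss(0, 0.03) for lv in idle_before + levels + idle_after]


def decode_trace(trace: list[float]) -> bytes:
    """Recover the payload: binarize, locate the preamble, then sample each half-symbol."""
    threshold = (min(trace) + max(trace)) / 2       # adaptive: reflectance is unknown
    binary = [1 if v > threshold else 0 for v in trace]
    sync = [h for h in manchester(PREAMBLE) for _ in range(SAMPLES_PER_HALF)]
    # correlate against the expected preamble waveform to find where the frame starts
    start = max(range(len(binary) - len(sync) + 1),
                key=lambda off: sum(b == s for b, s in zip(binary[off:off + len(sync)], sync)))

    def half_symbol(k: int) -> int:
        # majority vote over the three central samples of half-symbol k
        mid = start + k * SAMPLES_PER_HALF + SAMPLES_PER_HALF // 2
        return 1 if sum(binary[mid - 1:mid + 2]) >= 2 else 0

    def read_bits(first_bit: int, count: int) -> list[int]:
        out = []
        for b in range(first_bit, first_bit + count):
            pair = (half_symbol(2 * b), half_symbol(2 * b + 1))
            if pair == (1, 0):
                out.append(1)
            elif pair == (0, 1):
                out.append(0)
            else:
                raise ValueError(f"lost sync at bit {b}: {pair}")
        return out

    if read_bits(0, len(PREAMBLE)) != PREAMBLE:
        raise ValueError("preamble mismatch")
    length = bits_to_bytes(read_bits(len(PREAMBLE), 8))[0]
    return bits_to_bytes(read_bits(len(PREAMBLE) + 8, 8 * length))


if __name__ == "__main__":
    secret = b"SECRET-KEY-7"   # constructed sample payload
    print(decode_trace(simulate_capture(encode_frame(secret))))
```

Two design choices matter for a real capture. The threshold is derived from the trace itself rather than fixed, because the reflected intensity depends on the wall and the camera exposure; and Manchester coding plus the majority vote make each bit self-clocking and tolerant of a single bad frame, which is what lets a phone camera with a fixed frame rate stay locked to a bulb it has never synchronised with.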


Cheaper devices that consume less power: what more can you ask for? SECURITY! Based on multiple tests we have done across a variety of devices, we can conclude that there are still many vendors who lack security awareness and fail to protect their users. All tested devices were vulnerable to varying degrees: a smart scale, a smart lock, a smart band, a smart light bulb and even Amazon's Alexa. Live demos included!

  • Title: Your Smart Scale is Leaking More than Your Weight
  • Speakers: Erez Yalon | David Sopas
  • Date: November 2018

Hack.lu 2018

  • Title: Mind The (Air)Gap
  • Speakers: Erez Yalon | Pedro Umbelino
  • Date: October 2018

BSides Lisbon 2017

In this talk, the author will present real case scenarios (aka hacking to PoC) showing the danger of large organizations ignoring high and critical security issues, with repercussions that would affect millions should the security threats fall into the wrong hands. Additionally, this talk will share tips on how to properly disclose bugs to companies without being a real Trump.

  • Title: GTFO Mr. User
  • Speakers: David Sopas
  • Date: November 2017

BSides Lisbon 2016

"The way of the bounty" tells the experience I had over the last year with bug bounty programs. I'll give a brief introduction to what bug bounties are, but my main focus will be to deliver the best and most common vulnerabilities I found on bug bounty programs. Where to search? Can I still find issues on public programs? Does bug bounty affect the security industry in some way?

  • Title: The way of the bounty
  • Speakers: David Sopas
  • Date: November 2016