OWASP Global AppSec US 2021

Credential stuffing, payment attacks, and other types of automated fraud aren't going away any time soon. How do you go from 0 to 100 in protecting your attack surface from bots and malicious automation? Vendors line up to promise in-house product security and operations teams their cure-all for this problem. In this talk, we'll take a holistic and vendor-agnostic approach to defending against bot attacks. We profile the threat together before going over tools for your stack -- including all open-source solutions! You can not only survive but thrive on $0 of vendor spend. Defensive maneuvers, architectural patterns, and product security recommendations will be covered. There are manual, reactive things you can do with your existing tools right now to thwart attackers. We'll build towards long-term and proactive controls. How to get management or developer buy-in will be explored in case that's a blocker today. At the end of this session, you will be a formidable bot hunter that humankind can be proud of -- plus a really informed product security person too!