OWASP Global AppSec US 2021

Thursday, November 11
 

9:00am PST

25 Years in AppSec: Looking Back, Looking Forward
Speakers

Adam Shostack

President, Shostack + Associates


Thursday November 11, 2021 9:00am - 10:00am PST
On-Line
  Keynote

10:00am PST

Ensuring Git & CI/CD Pipeline Security & Integrity
With the build-time attack used against SolarWinds and the malicious PHP code commits, we need new methods of ensuring the security of our SDLC. Learn about the reverse engineering techniques required to identify code insertion attacks and how anomaly detection can be used to detect and prevent unauthorized code commits.

Speakers

Moshe Zioni

VP, Security Research, Apiiro
Listed in “27 influential penetration testers in 2020” by Peerlyst. Moshe has been researching security for over 20 years in multiple industries, specializing in penetration testing, detection algorithms and incident response; a constant contributor to the hacking community and...



Thursday November 11, 2021 10:00am - 10:30am PST
On-Line

10:00am PST

We’re not in HTTP anymore: Investigating WebSocket Server Security
While HTTP is the primary target of today’s web security research, the WebSocket protocol is extremely widespread. Since it was first created in 2010, WebSockets have appeared in most web messaging platforms, finance websites, chat bots, real-time mapping applications, and even the Kubernetes API. WebSocket servers are distinct from traditional web servers, but they have escaped the security scrutiny that traditional web servers have received.

Past security talks about WebSockets have focused on the protocol itself or on proxy bypassing (smuggling). This talk will be the first to focus on WebSocket endpoints as targets, analyzing implementation-level differences between open-source libraries. A new tool suite will be released to support future WebSocket research.

This talk will fill multiple gaps or roadblocks that have existed in the security research of WebSockets by providing 3 new open-source utilities to:

1. Discover WebSocket server endpoints (scanning 5,000+ URLs per second)
2. Fingerprint the WebSocket server (using identifiers discovered in the research being presented)
3. Detect vulnerable WebSocket servers using known exploit vectors

Speakers

Erik Elbieh

Security Researcher and Consultant, Palindrome Technologies
Erik Elbieh (OSCP) is a Security Researcher and Consultant at Palindrome Technologies, where he works on the latest in secure telecom solutions and cutting-edge technologies. Erik enjoys penetration testing nearly anything, from web apps to IoT gadgets to cloud environments, and he...


Thursday November 11, 2021 10:00am - 11:00am PST
On-Line

10:00am PST

Data at Rest Encryption - Going Beyond the Basics to Address Modern Attacks
Data encryption has long been a major component of information security. Data in transit is well protected by the Transport Layer Security (TLS) open cryptographic standard and its predecessors, but unfortunately the same cannot be said for data at rest. The current, common approach for encryption of data at rest is to rely on low-level mechanisms that satisfy compliance requirements, but do not address modern security concerns. This session will discuss shortcomings of encryption at the disk, bucket, file, and database levels and provide alternatives that offer additional protection against ransomware, data theft, insider threat, and application layer attacks such as SQL injection. Technologies and techniques covered will include Application-Level Encryption (ALE), Transparent Data Encryption (TDE), Field-Level Encryption (FLE), client-side encryption, and custom implementations.

Thursday November 11, 2021 10:00am - 11:00am PST
On-Line

10:00am PST

Demystifying the Digital Pandemic
The obsessive need or desire to stay updated with factual information has been on the rise in the digital age, and there is unprecedented growth in the online population. The continuous lookout for information, termed ‘Infomania’, often results in what Linda Stone, a researcher from Microsoft, has coined ‘Continuous Partial Attention’. In such a situation, one’s attention is divided among many sources of incoming information.
The excessive amount of information usually consists of facts as well as mis- and disinformation. Due to the information overload, it becomes difficult to figure out what the right information is. With social media and other fast-spreading means, unreliable information spreads so rapidly that it becomes close to impossible to curb the spread in real time. The COVID-19 period saw exponential growth in the spread of misinformation in forms like health advice, cures, conspiracy theories, etc.
Closed messaging apps often act as a breeding ground for the spread of false information. The close circles in messaging apps, including family, close friends, etc., are places where one does not shy away from or have a second thought before sharing unverified information. This is because we feel that these people will not judge us and we are freer to converse with them. The commonly seen trend is that genuine content is tweaked to propagate misinformation. Visual and video content is usually more difficult to check for misinformation, hate content and other policy violations than textual content. An information disorder can come in various forms: imposter content (where genuine sources are impersonated), fabricated content (completely made-up information), false context (genuine information in a wrong context) or manipulated content (genuine information altered to convey a different message). Information disorder spreads mainly through social media, where anyone can act as a publisher of information. When the world was anxious and on the lookout for information, this increasingly unverified publishing created what the WHO calls an Infodemic.
Misinformation is also often used by online fraudsters to hook people. Tricking someone into divulging confidential information is known as Social Engineering. It refers to the psychological manipulation of people into performing actions or divulging confidential information. There are different types of social engineering attacks, which can be used alone or in combination: Phishing, Pretexting, Baiting/Quid Pro Quo and Tailgating/Piggybacking. Recent trends show that most cyber-attacks begin with social engineering tactics. Phishing is one of the most popular types of Social Engineering attack.
Good information hygiene practices are essential to curb the spread of misinformation. This includes verifying the sources from which we consume information. Using our own critical thinking abilities can act as a first defense against misinformation. Failing to check the urge to share any and every piece of information we come across adds to the information confusion. Just as with a virus, we should be careful about the information we consume and also take care not to spread misinformation to others.

Speakers

Greeshma M R

Ecoloop360
Greeshma is an entrepreneur, author and a freelance writer. She is also one of the co-founders of Ecoloop360, a startup focused on sustainable solutions and knowledge management. She has an educational background in Information Technology and Translational engineering and her interest...


Thursday November 11, 2021 10:00am - 11:00am PST
On-Line

10:00am PST

Who’s in control: Human or Machine?
Protecting critical web APIs continues to be more challenging than ever, as attackers constantly learn to adapt to the evolution of the defenses that are in place on popular websites. Critical APIs in this context include login, account registration, password recovery, add to cart, and checkout for most commerce, banking and gaming websites, but also seat / bed / stateroom availability checks on travel and hospitality websites. In order to make the attack cost effective and efficient, attackers long ago adopted the power of automation and built botnets that are capable of sending large numbers of requests at scale. For the most part, attackers have mastered the art of impersonating known good systems, like a MacBook running the latest versions of Google on recent OS X. They have also learned to spread their attack by taking advantage of the wide variety of proxy services available for a fee, in order to make their activity less obvious. These common attack techniques can generally be detected using methods that take advantage of device and browser characteristics collected on the client side (device intelligence) or reputation systems (IP intelligence).

However, some attackers have become significantly more advanced and subtle and are able to send requests with clean fingerprints and IP addresses, making device and IP intelligence detection methods less effective. In this case, the next best thing in terms of detection is to check the user behavior to see how they interact with the website (i.e. the path they took before interacting with the critical endpoint) as well as how they interact with the device that is sending the request (i.e. mouse movements, key press events, touch events, and coordinate changes from various sensors on mobile devices).

After reviewing the fraud threat landscape and how to defend against the most common attack methods, we’ll take a deep dive into behavioral detection methods. In particular, we’ll define what behavioral detection is, the signals that are worth collecting, methods of processing the information and finally building machine learning algorithms to effectively detect suspicious activity.


Speakers

David Senecal

VP, Architecture and Research, Arkose Labs
David Senecal is VP, Architecture and Research at Arkose Labs. He has two decades of experience in the cybersecurity and anti-fraud space.

Luke Stork

Senior Data Scientist, Arkose Labs
Luke Stork is a Senior Data Scientist at Arkose Labs.


Thursday November 11, 2021 10:00am - 11:00am PST
On-Line

10:30am PST

How to Use Your Vulnerabilities to Train Your Developers on Security
The idea of secure coding training that covers just what you need, right when you need it, seems too good to be true. But it’s not. Leading development teams are using their own vulnerabilities to train their coders, focusing on their most pressing mistakes while providing a more relevant experience that keeps coders engaged. This workshop will show you how to set up a program, reveal the most common vulnerabilities developers cause, and how to make sure your developers develop a fix that really solves the problem.

HackEDU is the Secure Coding Training company. Our hands-on training, which revolves around a real, functional web app, can be accessed anytime, anywhere via a web browser. Our offensive + defensive lessons, science-based approach, and DevSecOps toolchain integrations help to keep developers motivated and engaged, and learn and retain secure coding principles effectively.

https://www.hackedu.com/


Thursday November 11, 2021 10:30am - 11:00am PST
On-Line

11:00am PST

GitHub
GitHub is the developer company. We make it easier for developers to be developers: to work together, to solve challenging problems, to create the world’s most important technologies. We foster a collaborative community that can come together—as individuals and in teams—to create the future of software and make a difference in the world.

https://github.com/



Thursday November 11, 2021 11:00am - 11:30am PST
On-Line

11:00am PST

All your Ether are belong to us (a.k.a Hacking Ethereum-based DApps)
Blockchain technology is extremely fascinating and has captured our imaginations because of its huge potential to revolutionize industries such as logistics, food safety, music, insurance, banking, and even voting systems; however, its adoption is still very scarce. The reason is simple: blockchains are complex for end users to use.

During recent years, decentralized applications (DApps) have been emerging as candidates to change the rules of the game, mainly because of their ease of use and capability to leverage the full power of blockchains. The big question is... are DApps really secure?

This presentation will show how Ethereum-based DApps work, the technology behind them and some of their most common vulnerabilities. The ultimate goal will be to understand how to attack these applications and, especially, what to do to be protected.

Speakers

Luis Quispe Gonzales

Lead Offensive Security Engineer, Halborn
Luis Quispe Gonzales is Lead Offensive Security Engineer at Halborn, a blockchain-specialized cybersecurity company. He has more than 11 years of professional experience in cybersecurity consulting, with clients belonging to banking, finance, energy, and mass consumption sectors...


Thursday November 11, 2021 11:00am - 12:00pm PST
On-Line

11:00am PST

How to build a security mindset
Our security knowledge increases, our tools improve, but breaches still happen.

Studies show that 95% of security breaches are caused by human errors. One strategy to eliminate them might be to automate everything―to use smart technologies. But full automation remains an unrealized desideratum.

Another strategy is to build a security mindset. And here we have a challenge: how do we encourage people to do something that requires effort, that demands a change in behavior?

Recently, I participated in several activities through which I learned about the Maori way of educating people and managing change through storytelling and mutual teaching. It inspired in me the idea that this approach could be effective for educating people about security.

I lead cyber security work at a small company that is rapidly scaling and must significantly improve its security practices. Policies, guides, and traditional learning approaches haven’t changed behaviors by much, and awareness fades quickly after a course or a conversation.

I decided to test a new approach by using insights from the Maori culture of New Zealand to help to change the employees’ security mindset.

Here I share what I did and how it worked out. With these same practices, you may be able to achieve similar positive changes in your own workplace.

Speakers

Anna Lezhikova

CoGo
Anna is a Lead DevSecOps engineer from Wellington, New Zealand. She worked with a wide range of technologies in various big and small companies and found that the key factor in everything was humans, not machines. In free time she raises kids, plants and communities.


Thursday November 11, 2021 11:00am - 12:00pm PST
On-Line
  Builder

11:00am PST

Metabadger: Automating IMDS Protection at Scale in AWS
Attackers have abused the IMDS in previous well-publicized breaches in AWS environments by finding applications that are vulnerable to Server-Side Request Forgery (SSRF) and obtaining privileged AWS credentials via the metadata service. AWS has since released v2 of IMDS to protect against SSRF. But how do you upgrade thousands of live EC2 instances across your AWS accounts without causing downtime?

Metabadger is an open source tool that we built at Salesforce that can help you rapidly and safely upgrade your EC2 instances to use IMDSv2 and prevent SSRF-based theft of EC2 Metadata Credentials. Using Metabadger, you can enforce IMDSv2 across your entire AWS account with a single command, specify exceptions, or investigate where and how you are using IMDSv2.

In this talk, we will walk through the different components of how the AWS Instance Metadata Service works. We’ll provide security and operational recommendations to consider when upgrading to IMDSv2. We’ll also dive into automation and enterprise architecture strategies for simplifying the process of migrating your AWS compute infrastructure to use the updated and more secure version of IMDSv2.

Speakers

Ashish Patel

Product Security Engineer, Salesforce
Ashish is currently a Product Security Engineer at Salesforce. He enjoys automating manual security hardening and letting the robots do the work for you. You'll often find him working on the challenges we come across in the cloud, application, and infrastructure security space. In...


Thursday November 11, 2021 11:00am - 12:00pm PST
On-Line

11:00am PST

Practical Threat Modeling for real-world and Cloud Situations in our hybrid and WFH World
In 2020, much of the world shifted to Work from Home (WFH), and now another shift in 2021 is hybrid work. This extends cybersecurity into the home and means that there are more vulnerable points as organizations shift to work through different configurations for the variety of work structures that now exist. While these shifts occur, vulnerabilities and risks are still present. Many of the attacks that have occurred impact multiple organizations and supply chains, and are international; to name a few: Kaseya, SolarWinds/SunBurst, JBS Meatpacking, let alone the weaknesses from Pegasus and PrintNightmare. All of these attacks and vulnerabilities may make it seem impossible to move forward. However, now more than ever, being proactive is imperative. Hence the importance of threat modeling. Focusing on risk analysis to contextualize the threat and applying controls based on risk should be part of any DevSecOps cycle. The process of shifting security left into the SDLC is more important now than ever, especially when attack surfaces increase regularly with more options for network connections and WFH models.

This session will cover how to threat model in four stages: create the model, identify the threats, address the threats, and validate the model. A fifth step once the modeling is done can also be added, which is to communicate the findings. During the create-the-model phase, scope setting and scope creep will be discussed. During stage 2, identify the threats, tools and methodologies will be discussed. For stage 3, an understanding of current systems and practices is essential, as this stage addresses the threats. Finally, during stage 4 there is a reflection on what was measured. Asking “Were the right components covered?” and having an audit system is crucial to making effective decisions. After the threat modeling has finished, communicating out to the essential team members is necessary.

Overall, realistic scenarios will be used with an emphasis on cloud security, whether with cloud configurations, shifting to the cloud, or being cloud native. These technical examples will be paired with real-world examples to begin the threat modeling conversation in an explainable way. Attendees will leave with tools for modeling, practice with threat modeling, and suggestions for shifting security left so that it happens earlier in the software development lifecycle. This session will open with a high-level discussion of threat modeling to shrink the attack surface, improve cyber posture, and decrease risk. Then there will be specifics regarding the four stages of threat modeling. Some of the vulnerabilities explored will be from the OWASP Top Ten and will be shown using DVWA as well as a virtual private cloud set up for testing purposes.

Speakers

Uma Rajagopal

Amazon
For more than two decades, I’ve worked across multiple industries to become the cybersecurity leader that I am now. Before I came to Amazon, I served as Information Security Officer at Capital One, where I helped transform our cyber program and improved our response preparedness...

Meghan Jacquot

Cyber Threat Intel Analyst, Recorded Future
Meghan Jacquot is a Cyber Threat Intel Analyst with Recorded Future and is a curious lifelong learner with a commitment to sharing what she has learned. She is a Cybersecurity Specialist and is passionate about helping others, speaking at conferences to increase cyber awareness, and...


Thursday November 11, 2021 11:00am - 12:00pm PST
On-Line

11:30am PST

Micro Focus
Thursday November 11, 2021 11:30am - 12:00pm PST
On-Line

12:00pm PST

Lunch/Expo Hall
Thursday November 11, 2021 12:00pm - 1:00pm PST
On-Line

1:00pm PST

Check Point
Thursday November 11, 2021 1:00pm - 1:30pm PST
On-Line

1:00pm PST

Azure Vulnerability Testbed (AzGOAT)
With the increased popularity of Azure in most organizations and the limited security awareness of customers, the attack surface of applications and services hosted on Azure is growing. It is therefore necessary to understand and harden the attack surface of the Azure platform.
As very little literature exists on Azure security research, we have developed a lab that helps organizations understand how attackers target applications and services running on Azure, and consequently aids in designing solutions that reduce the threats.
Explore how AzGOAT assists product teams to understand the security concerns affecting an Azure environment, create secure designs, write more secure code, harden the required configurations, and consequently minimize the threats to the Azure environment. AzGOAT is regularly updated with newly discovered attack scenarios (discovered either by our research or by other researchers).

Speakers

Akriti Srivastava

Adobe Systems
An eCPPT certified security researcher working with Adobe Systems. Blogger, web application security, APIs security, IoT security, Azure Security and Network security enthusiast. Involved in multiple responsible disclosure of critical vulnerabilities and listed in various Hall of...


Thursday November 11, 2021 1:00pm - 2:00pm PST
On-Line
  Breaker

1:00pm PST

Security Design Anti-Patterns – Creating Awareness to Limit Security Debt
This talk discusses observed Security Anti-Patterns, as outcomes of Threat Modeling activities, which require extensive rework if not accounted for in the design phase of the SDLC.
It also gives guidance on how to identify these Security Design Anti-Patterns in order to create awareness among Developers and Threat Modeling practitioners.

Mitigating Threats by implementing missing controls is part of fixing (acquired) Security Debt.
Threat Modeling activities aim at identifying missing controls very early on in the design phase of the SDLC.
However, not all Security Design flaws are created equal in terms of how easily they can be fixed. Apart from the impact that unmitigated threats have on a system’s security posture, there is also the cost that development teams will have to bear to implement the missing controls.
Some design flaws or security threat mitigations can be fixed more easily than others. The Anti-Patterns described in the talk could result in a complete redesign of applications to fix security debt.
In the worst case, the whole new system will not be allowed to launch by compliance, or the new system cannot be extended easily in a secure way.

Speakers

Joern Freydank

Lead Cyber Security Engineer with more than 20 years of experience. Currently establishing the Threat Modeling Program at a major insurance company. Performed Application Security review and designed new CI/CD Controls for AWS cloud based Java and NodeJS applications. Designed and developed...


Thursday November 11, 2021 1:00pm - 2:00pm PST
On-Line

1:00pm PST

How to Thwart Malicious Automation and Kick Bot Butt for $0
Credential stuffing, payment attacks, and other types of automated fraud aren't going away any time soon. How do you go from 0 to 100 in protecting your attack surface from bots and malicious automation? Vendors line up to promise in-house product security and operations teams their cure-all for this problem. In this talk, we'll take a holistic and vendor-agnostic approach to defending against bot attacks. We profile the threat together before going over tools for your stack -- including all open-source solutions! You can not only survive but thrive on $0 of vendor spend. Defensive maneuvers, architectural patterns, and product security recommendations will be covered. There are manual, reactive things you can do with your existing tools right now to thwart attackers. We'll build towards long-term and proactive controls. How to get management or developer buy-in will be explored in case that's a blocker today. At the end of this session, you will be a formidable bot hunter that humankind can be proud of -- plus a really informed product security person too!

Speakers

Randy Gingeleski

Randy Gingeleski is an application hacker, currently doing product security for Block.one's cryptocurrency exchange Bullish. Before this, he built out HBO Max's security program after some years of consulting and pen testing.


Thursday November 11, 2021 1:00pm - 2:00pm PST
On-Line

1:00pm PST

Container Security: It’s All About the Supply Chain
Containers continue to mystify security practitioners, mostly because they don’t know how securing them fits into their existing vulnerability program. Is it a virtual machine that gets scanned by the same tools used for over a decade? Or is it an application package that should be tested by SCA, SAST and DAST tools? How do you manage the image or runtime vulnerabilities vs. the application security issues? This talk will focus on container security as a supply chain lifecycle problem and how to integrate validation at multiple points to achieve the ultimate goal of *assurance.* The talk is tool agnostic, because security of the supply chain is more about alignment with the software development process than the integration of a single, magical tool.

Speakers

Michele Chubirka

Security Architect, Postmodern Security
The ubiquitous Mrs. Y. is a recovering Unix and network engineer currently working as a Chief Security Architect for a large software and service provider. Formerly the creator and official nerdstalker of the Healthy Paranoia Security Podcast, she has also been a freelance writer...


Thursday November 11, 2021 1:00pm - 2:00pm PST
On-Line

2:00pm PST

Keynote
Thursday November 11, 2021 2:00pm - 3:00pm PST
On-Line

3:00pm PST

NoName Security
Thursday November 11, 2021 3:00pm - 3:30pm PST
On-Line

3:00pm PST

Harmonizing the OWASP API and Application Top 10 Lists
OWASP brought out a new Top Ten Security Risks list specific to APIs in 2019. There are some vulnerabilities that are common between them but some exist only in one or the other. This talk will cover the basics of APIs and then discuss how to combine both top ten lists to cover a better spectrum of risks than using just one list allows. The basics of what each category of risk is, how they might differ in an API compared to a web application, how to detect them, and how to prevent them will be covered.

Speakers

Joe Schottman

Security Analyst focused on R&D, Truist (not speaking on behalf of them)
Joe Schottman is an application security focused security professional with experience ranging from web application development to DevOps to purple team engagements. He has spoken at regional and national conferences on threat hunting, web shells, purple teams, and more.


Thursday November 11, 2021 3:00pm - 4:00pm PST
On-Line

3:00pm PST

The How and Why of the OWASP Top Ten 2021
The goal of the OWASP Top Ten project is to raise awareness and create a baseline for application security by identifying some of the most critical risks facing organizations. The Top Ten project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more.

Join me as we dive into what changed in the new OWASP Top Ten 2021. We'll briefly talk about each category and why it's part of the Top Ten. Hear about what we learned from collecting and analyzing widely varying industry data on over half-a-million applications, and building a dataset for comparison and analysis. We will discuss tips and common pitfalls for structuring vulnerability data and the subsequent analysis, and lastly, we will dive into what the data can tell us and what questions are still left unanswered.

Speakers

Brian Glas

Assistant Professor of Computer Science, Union University
Brian has over 20 years of experience in various roles in IT and over a decade and a half in application development and security. In addition to teaching a full load of Computer Science and Cybersecurity classes at Union University, Brian is the founding advisor for PG Security Advisors...


Thursday November 11, 2021 3:00pm - 4:00pm PST
On-Line
  Builder

3:00pm PST

Bots have gone phishing, but all they get is the boot
Web applications and the APIs which drive them are built with humans in mind. Exposing APIs enables interesting mashups of applications. But they also allow bots to automate access to these web applications: brute-forcing passwords; grabbing credit card numbers and gift cards; artificially inflating the price of goods and tickets; denying legitimate users service; and scraping content. Traditional approaches have focused on trying to detect legitimate browsers, known bot frameworks and user behavior, but the easy availability of scriptable headless browsers is giving this approach diminishing returns.

Bots are also commonly used in the context of phishing web apps. These apps are copies of the website, usually hosted under similar host names, to which the user is lured by means of phishing attacks. There, the user is convinced to enter their credentials, just as they would on the legitimate website. 2FA does not help in this context, as the user will likely volunteer this information too, believing that the request comes from the legitimate website. Once in possession of the user credentials and 2FA code, bots are used to automate the login into the account and steal sensitive data or commit fraud.

In this talk, we will give a brief overview of the broad goals bot-writers have when targeting your site, examples of how these have affected businesses, how traditional approaches to defending against them work and where they fail when faced with modern scripted browsers. We will then focus on phishing bots, and how to defend against them.

We demonstrate a series of techniques using a combination of obfuscation and a one time token to increase the cost in time and money to a bot-writer rather than attempting to detect or block it. We will cover the challenges in creating such a solution, how to anticipate how bot-writers attempt to evade detection and how to proactively evolve the solution. A live demo will be included.

Speakers

Jasvir Nagra

Jasvir Nagra is widely recognized as a thought leader in software protection. He is co-author of Surreptitious Software, the definitive textbook on software protection, and an early researcher in obfuscation, software watermarking, and fingerprinting. With more than 12 years of experience...

Pedro Fortuna

CTO and Founder, Jscrambler
Once on a trajectory to a full academic career, where he taught security and computer science courses for about 5 years, he ended up falling in love with the fast paced world of entrepreneurship. Started Jscrambler where he leads all security research and drives the company product...


Thursday November 11, 2021 3:00pm - 4:00pm PST
On-Line

3:00pm PST

Security Observability 101: Thinking Inside the Box!
Software is incredibly hard to secure because it's a black box. We've spent decades struggling to verify properties of software by analyzing the source code, scanning, fuzzing, pentesting, etc... The goal of "security observability" is to expose exactly what's going on inside the box while it's running. In this talk, you'll learn how to use the free and open source Java Observability Toolkit (JOT) project to easily create your own powerful runtime instrumentation without coding. You can use JOT to analyze security defenses, identify complex vulnerabilities, create custom sandboxes, and enforce policy at runtime. Ultimately, security observability allows Dev, Sec, and Ops teams to work together in harmony, so you can focus on delivering value at high velocity.

Speakers
Jeff Williams

Cofounder and CTO, Contrast Security
Jeff brings more than 25 years of application security leadership experience as co-founder and Chief Technology Officer of Contrast Security. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by...


Thursday November 11, 2021 3:00pm - 4:00pm PST
On-Line

3:30pm PST

Praetorian
Thursday November 11, 2021 3:30pm - 4:00pm PST
On-Line

4:00pm PST

WhiteSource
Thursday November 11, 2021 4:00pm - 4:30pm PST
On-Line

4:00pm PST

Insiders Guide to Mobile AppSec with Latest OWASP MASVS
From the birth of MASVS and MSTG in January 2018 to the most recent updates, the OWASP Mobile Security Project has advanced the state of mobile app security testing dramatically. As supporters and contributors to the Mobile Security Project at OWASP, we have pen tested thousands of mobile apps and scanned millions of commercial apps in the app stores over the years... and have identified the most common security issues that plague developers and security teams. Whether you are new to mobile pen testing or a veteran looking for the latest tools and tactics, join this session to learn the keys to mobile appsec leveraging OWASP MASVS and practical real world experience.

Speakers
Brendan Hann

NowSecure
Brendan Hann serves as mobile appsec advocate and product solution leader at NowSecure, helping developers and security teams build, test and deploy secure mobile apps in organizations large and small. Brendan has years of application security experience at NowSecure and Veracode...


Thursday November 11, 2021 4:00pm - 5:00pm PST
On-Line
  Breaker

4:00pm PST

Building Security Champions
With security teams being vastly outnumbered, many organizations have responded to this challenge with different program scaling methods, including building security champions programs. This leads us to some questions: How does a security champions program work? How do you select your champions? And once you have them, what do you DO with them?

This session will teach you:
• How to attract the right people to your program
• What and how to train them
• How to engage them, and turn them into security advocates
• What to delegate and what NOT to delegate
• What to communicate, how often and to whom
• How to motivate them
• How to build an AMAZING security champion program

Recipe for success: recruit, engage, teach, recognize, reward, don’t stop.

Speakers
Tanya Janca

CEO and Founder, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community and podcast that revolves around teaching everyone to create secure software...


Thursday November 11, 2021 4:00pm - 5:00pm PST
On-Line
  Builder

4:00pm PST

SBOM SmackDown: Conquer dragons in the shadows with OWASP CycloneDX
Software Bill of Materials (SBOM) has gained widespread support ranging from the software industry, to critical infrastructure, to the White House. Not all SBOMs, or SBOM formats, are created equal. In this session, transparency in the software supply chain will be highlighted along with strategies for effectively using the OWASP CycloneDX SBOM standard to make better risk-based decisions. In adherence to the Executive Order issued by the White House mandating SBOMs, the National Telecommunications and Infrastructure Administration (NTIA) has published minimum elements of an SBOM. This session will cover the minimum elements and why it's advantageous to exceed these requirements whenever possible. Example use cases will be presented that illustrate common software supply chain scenarios and how they can be represented in CycloneDX and communicated to others in the supply chain.

Speakers
Steve Springett

Sr Manager, Secure Software Engineering, ServiceNow
Steve educates teams on the strategy and specifics of developing secure software. He practices security at every stage of the development lifecycle by leading sessions on threat modeling, secure architecture and design, static/dynamic/component analysis, offensive research, and defensive...


Thursday November 11, 2021 4:00pm - 5:00pm PST
On-Line

4:00pm PST

Purple Teaming with OWASP PurpleTeam
# What is OWASP PurpleTeam?

purpleteam is a security regression testing CLI and SaaS targeting Web applications and APIs.
The CLI is specifically targeted at sitting within your build pipelines but can also be run manually.
The SaaS that does the security testing of your applications and/or APIs can be deployed anywhere.

Kim will briefly discuss the three year journey that has brought purpleteam from a proof of concept (PoC) to where it is now.

An overview of the NodeJS micro-services with a pluggable tester architecture will be provided.

# Why would I want it in my build pipelines?

In this section Kim will discuss the problem that purpleteam solves,
along with the cost savings of finding and fixing your application security defects early (as you're introducing them) as opposed to late (weeks or months later, with external penetration testing) or not at all.

# OK, I want it, how do we/I set it up?

Kim will walk you through all of the components and how to get them set up and configured.

# Great, but what do the work flows look like?

Let's walk through the different ways purpleteam can be run and utilised, such as:

* Running purpleteam standalone (with UI)
* Running purpleteam from within your pipelines as a spawned sub process (headless: without UI)
* Running all of the purpleteam components, including debugging each and every one of them if and when the need arises



Speakers
Kim Carter

Architect. OWASP Chapter Leader, BinaryMist Limited
Kim is the published author of many information security books specifically targeting Software Engineers, DevOps Engineers and Architects. He has hosted and been a guest on many podcasts involving information security, including being a host for Software Engineering Radio. He has...


Thursday November 11, 2021 4:00pm - 5:00pm PST
On-Line

5:15pm PST

OWASP Leaders Meeting
OWASP Leaders from projects, chapters, events, and committees are invited to listen to the latest updates about OWASP functional areas and to come together to share their experiences and discuss how to further the OWASP mission.

Speakers
Lisa Jones

Chapter and Membership Manager, OWASP Foundation
Lisa is the Chapter and Membership Manager at the OWASP Foundation. The Chapter and Membership Manager is a members’ advocate that professionally manages and services the chapter and membership functions of the OWASP Foundation. Additionally, this role supports our global partnerships...
Harold Blankenship

Director of Technology & Projects, OWASP Foundation
Harold is the Director of Technology and Projects at the OWASP Foundation. The Director of Technology & Projects nurtures, manages, facilitates, and supports the volunteer open-source programs of the Foundation. Additionally, the Director of Technology & Projects champions, manages...


Thursday November 11, 2021 5:15pm - 6:15pm PST
On-Line
 
Friday, November 12
 

9:00am PST

Keynote
Friday November 12, 2021 9:00am - 10:00am PST
On-Line

10:00am PST

Magecart - The Rising Threat to e-commerce Websites
News about a cyber attack on a big enterprise is not new. We keep hearing about such attacks and how millions of records are stolen or leaked. Thus, data breaches are one common impact of cyber attacks in any large organization. Attackers keep looking for newer exploits or rare kinds of attacks to steal user information and use it for malicious purposes. In this session, the audience will learn about a lesser-known group of attackers whose main target is e-commerce websites. They are called Magecart. A Magecart attack focuses on stealing PII (Personally Identifiable Information) from ordinary users by digital skimming. The audience will understand how these kinds of attacks happen, their technical aspects, and how to mitigate them. The session targets anyone who is interested in cyber-security and has the willingness to learn something new.

Speakers
Shrutirupa Banerjiee

Web Application Security Analyst, Qualys
Shrutirupa Banerjiee is a Web Application Security Analyst with over 3 years of demonstrated skills in Penetration Testing and Vulnerability Assessment of Applications (web & mobile) and Networks, and Blockchain-based Smart Contracts, currently working under WAF Research at Qualys. She...


Friday November 12, 2021 10:00am - 11:00am PST
On-Line
  Breaker

10:00am PST

Ending Injection Vulnerabilities
How programming languages can bring an end to Injection Vulnerabilities by "distinguishing strings from a trusted developer from strings that may be attacker controlled".

This simple distinction will allow libraries to ensure Injection Vulnerabilities are not possible, because those sensitive values (e.g. SQL, HTML, CLI strings) cannot contain user values. Instead, it will be up to the well-tested libraries to handle user values; ideally via parameterised queries, but they can also use appropriate escaping.

Speakers
Craig Francis

Developer, Code Poets Limited
Software developer for twenty-something years; OWASP Chapter Co-Lead for Bristol, UK.


Friday November 12, 2021 10:00am - 11:00am PST
On-Line

10:00am PST

OWASP cautions against “insufficient logging & monitoring.” What does sufficient look like?
The OWASP API Security Top 10 defines the most critical API security risks with recommendations on how to prevent them. Number 10 on this list is what OWASP calls “Insufficient Logging and Monitoring.” OWASP states what we all know: “Without logging and monitoring, or with insufficient logging and monitoring, it is almost impossible to track suspicious activities and respond to them in a timely fashion.” The 2020 Ponemon study found that data breaches aren’t discovered for an average of 203 days and that they take an average of 73 days to remediate. Clearly, whatever people have been doing up until now is not sufficient.

Much of API security is focused on design and development – don’t let the bad guys in and they can’t hurt you. But this is where Hyrum’s Law plays out: your APIs will be used in any way that serves the user or abuser. Understanding API use and risk in production is left to Ops teams to decipher and manage. Inevitably, logging and monitoring are overlooked in hectic and busy Ops centers. Even those with general logging and monitoring systems may not be using them in a way that provides sufficient protection for APIs.

We’ll walk through real-world examples (unfortunately, there are many) and five ways to build sufficient logging and monitoring for your APIs. We’ll discuss how to create a chronological record of API calls to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence for auditing, security, and API observability.

Speakers
Rob Dickinson

CTO and Co-Founder, Resurface Labs
Co-founder and CTO at Resurface Labs, Rob lives and breathes APIs. Years at Intel, Dell, and Quest Software framed his passion for customer input, and to find a way to architect and build a scalable solution to solve for customer escalation and operational security using real API...


Friday November 12, 2021 10:00am - 11:00am PST
On-Line
  Defender
  • Audience Intermediate

10:00am PST

Why SecDevOps is the new way in Cybersecurity?
"Development" and "Deployment" are two integral parts of the CI/CD pipeline, which constitutes continuous integration, delivery and deployment.
But we have made security optional, or brought it up at a later stage.

SecDevOps makes sure that your security posture and mechanisms are integrated as early as possible, so that we are not deploying applications with vulnerabilities. That’s the whole idea of SecDevOps.

Main talking points are:
1. How to integrate security into iteration and pipeline application development?
2. How to secure development environments?
3. SecDevOps distinct parts:
- Security as code
- Infrastructure as code

Want to be secure from the start? Opt for SecDevOps.

Speakers
Saman Fatima

Data Engineer, Macquarie Group
Saman Fatima is a Data Engineer at Macquarie Group with 4+ years of comprehensive experience in software development and Cybersecurity. Trained in Identity and Access Management, she has always been a CyberSecurity enthusiast and is an active member of a lot of cyber communities...


Friday November 12, 2021 10:00am - 11:00am PST
On-Line

11:00am PST

How hackers can breach your C.I / C.D systems
Since software started to be created as a product, or as an essential part of many companies, people have analysed how to automate the software development process.

There are currently two acronyms that define the main processes of creating and deploying modern software: C.I. / C.D.

Each represents a series of clearly differentiated processes: those during software creation and those during its subsequent release into production.

With the rise of these philosophies, countless new concepts and associated software have emerged to carry them out: Jenkins, Drone, Bamboo, Github, Gitlab, Docker, Docker Swarm, Kubernetes, Terraform, Ansible, Slack, etc.

We rely on our production services being updated and deployed by this kind of software. We carry out complex and thorough hardening processes on our production systems, but do we put the same effort into securing CI/CD environments? Are we aware that these systems often have a high level of permissions? Do we know the consequences for the company if they are compromised?

This talk aims to demonstrate how possible it is to take control of all the production systems of an organisation by breaching the security of its CI/CD systems.

We will analyse CI/CD environments with commonly used and well-known components, analysing the most typical security flaws, how to exploit them, and how to mitigate them.

Several demos will be conducted in which complete CI/CD environments will be deployed, and each of the most vulnerable points will be exploited.

Speakers
Daniel García

Daniel is a security researcher, pentester, source code analyst, SecDevOps, and expert developer. I have a bit of a strange profile: I mix hacking and development. I love researching anything, and I am a little obsessed with the idea that not everything is invented yet. Currently...
Cesar Gallego

Data and functional programming were my day to day until I began to fall, like Alice in Wonderland, down the security rabbit hole. I don't know where my journey will end, but every step I take fascinates me like the first day. I have decades of professional computing experience, mostly...


Friday November 12, 2021 11:00am - 12:00pm PST
On-Line

11:00am PST

Automating Architectural Risk Analysis with the Open Threat Model format
1. What's the need for automating architectural risk analysis, and why is IaC uniquely suited to helping us automate this activity?
2. Overview of the Open Threat Model format, and how to generate it using open source tools.
3. Operationalise OTM in a SecDevOps workflow.

Friday November 12, 2021 11:00am - 12:00pm PST
On-Line

11:00am PST

600 apps in 60 days: our journey to uncover vulnerable dependencies at scale with OWASP Dependency-Check
Software Composition Analysis (SCA) is becoming increasingly popular in addressing the increased risks from software supply chain attacks. However, the practice of SCA is still uncommon in non-mature software development teams which allowed patch debt from emerging libraries to accumulate over the years. In this presentation, we’ll discuss how OWASP Dependency-Check was successfully used to enable a decentralized large-scale SCA exercise on hundreds of third-party vendor managed applications in two months. Specific topics include process design, automation, monitoring and vendor interaction.

Speakers
Frank Liauw

Senior Red Team Engineer and AppSec Team Lead, Government Technology Agency Singapore
Frank is a Senior Red Team Engineer and AppSec Team Lead at the Clusters and Technology Management Office (CTMO), a division of GovTech Singapore that supports half of all Government agencies in Singapore in uplifting AppSec posture of hundreds of e-Services and application systems...


Friday November 12, 2021 11:00am - 12:00pm PST
On-Line

11:00am PST

Why checking your infrastructure-as-code for misconfigurations is not enough – How to secure your cloud native applications
Misconfigurations are often the focus of security for cloud-native applications, and for good reason. Back in 2017, more than 60,000 files from the U.S. Department of Defense were left unsecured in an Amazon S3 repository, available to the public. Earlier this year, Hobby Lobby accidentally exposed 136 GB of sensitive data for 300,000 customers.
Most organizations focus on checking misconfigurations post-deployment. With the adoption of infrastructure-as-code, many organizations are now looking to identify misconfigurations earlier in the development lifecycle by assessing the infrastructure-as-code. This is certainly a very important practice to avoid the unforced errors we see in the news so often, but the security challenges we face are broader.

Despite the many high-profile breaches caused by misconfigurations, focusing security only around fixing these errors ignores the larger security design flaws in the application architecture. It’s akin to a building inspector checking that all the doors have locks without bothering to make sure the structure is sound. If your application has inherent design flaws, then not only is this going to expose the business to security risks, but it will also create security debt that will be costly to pay off.

We need a more dynamic and comprehensive approach to securing cloud-native applications that focuses on security & compliance by-design. We need to holistically consider the security and compliance objectives of the application and be able to assess how well the application architecture is meeting these objectives. Fortunately, with the adoption of infrastructure-as-code, application architectures are now represented as code, and organizations can leverage automation to assess the design of their cloud-native application.

This session will focus on best practices to dynamically and comprehensively assess the security design of their cloud-native application.

Speakers
Aakash Shah

CTO, Oak9
Aakash is the CTO of Oak9. He is focused on building foundational security capabilities to help customers transform their security practice and deliver dynamic, comprehensive & risk-appropriate security that enables the velocity of modern software development. Aakash is a proven leader...


Friday November 12, 2021 11:00am - 12:00pm PST
On-Line

12:00pm PST

Lunch/Expo Hall
Friday November 12, 2021 12:00pm - 1:00pm PST
On-Line

1:00pm PST

Exploiting web messaging implementations
In the presentation I will outline my journey: how I identified postMessage vulnerabilities, performed research, and built a powerful tool to allow other researchers to identify post messaging vulnerabilities.
I will talk about cross-document messaging basics and developers’ common mistakes, demo the open-source tools, and present vulnerabilities already fixed by the vendors.

Speakers
Barak Tawily

CTO, enso.security
I am Barak Tawily, CTO of enso.security by day and Application Security Researcher by night. I have my own blog: https://quitten.github.io/ where I publish interesting things I research, and I am the author of Autorize (https://github.com/Quitten/Autorize), the most popular tool for researching authorization flaws...


Friday November 12, 2021 1:00pm - 2:00pm PST
On-Line

1:00pm PST

OWASP ESAPI – A Retrospective: The Good, the Bad, & the Ugly
Dating back to around 2007, OWASP ESAPI was one of the first comprehensive security libraries to attempt to provide security controls as defenses against common vulnerabilities in web applications. This presentation is a "lessons learned" from ESAPI about what was done right, what was done wrong, and some ugly hacks that many wish were done differently. The talk will focus on three perspectives: people, process, and technical details and will emphasize the unique challenges of supporting a security library.

Speakers
Kevin Wall

Senior Application Security Engineer, Guaranteed Rate
I have been involved in application security for almost the past 20 years, but I still consider myself a developer first and an AppSec engineer second. During most of those past 20 years, I have specialized in applied cryptography and web AppSec. Before transitioning to AppSec, I...


Friday November 12, 2021 1:00pm - 2:00pm PST
On-Line

1:00pm PST

Roadblocks for CSP and Where to Find Them
The Web as a cornerstone of our modern society is one of the main targets of attacks, most prominently Cross-Site Scripting (XSS). To mitigate the effect of those attacks from the Web application itself, browsers support the Content Security Policy (CSP). By deploying such a policy, a Web developer can specify a list of allowed JavaScript sources and prohibit the execution of inline scripts, making it hard or even impossible for an attacker to execute their malicious payload.
Although CSP may sound like the holy grail of Web Security, it suffers from several issues. Research has shown that the majority of all policies deployed by real-world Web sites are trivially bypassable because they either allow the execution of inline JavaScript or allow all resources of a specific scheme.
Now it would be easy to just point our finger at Web developers and claim that they are just not smart enough to use the mechanism in the intended way. However, CSP is arguably one of the most complex security mechanisms, interacting with ever-changing dynamically created Web applications. This motivated us to explore why it is so hard for developers to deploy a CSP and which factors hinder a secure deployment of the mechanism. Hence, we directly involved real-world Web developers in our recent study and focused on their mindset, experiences, and problems when working with CSP.
With our talk, we want to raise awareness regarding the various roadblocks we found, hindering a secure deployment of CSP. Since these roadblocks touch upon a variety of issues throughout the development and deployment stack - such as framework and browser support, plugins, error reports, information sources, etc. - it is not enough to solely focus on developers’ capabilities. Although the complexity of the mechanism is indeed an issue, other factors such as application and company structure impose constraints on developers that may complicate the development process. We will both discuss how these roadblocks could be removed in the future, and which steps developers can take to circumvent them now. In addition to that, we want to address actionable strategies that assist the development of a secure CSP, all together hopefully making the Web a safer place. Furthermore, we will encourage the audience to share their triumphs and horror stories regarding CSP, setting our findings in the context of their personal experiences.

Speakers
Lea Gröber

Lea Gröber is a second-year PhD student at the CISPA Helmholtz Center for Information Security, where she is supervised by Katharina Krombholz. She does interdisciplinary research on making security and privacy critical technology and defensive mechanisms more accessible to users...


Friday November 12, 2021 1:00pm - 2:00pm PST
On-Line

1:00pm PST

Scaling Security through Context Based Security Assessments
Most product security teams in hyper-growth organizations struggle with scaling both security assessments and providing relevant, timely feedback at scale. Integrating scan tools into CI has been the most common pattern for scaling application security assessments. However, there are massive productivity gains that could be achieved simply by streamlining processes and through workflow automation for security assessments. There are not a lot of tools that solve the scaling problem through workflow automation, because processes and workflow are unique to each organization.

However, there are common problems multiple product security teams face in a mid- to large-sized company. Wouldn’t it be amazing for both Product Security and engineering teams if there was a magical funnel that is able to receive information about all product changes being made in their organizations and automatically determine, based on product context, the type of security assessment workflow it needs to go through? The goal of this talk is to demonstrate how we scale security assurance at Splunk by capturing the context of each product and creating custom assessment workflows based on security impact. Not only do we capture the context once, we retain and build on this context for future assessments so that engineering teams don’t have to provide the same information to security teams over and over again.

Speakers
Sanjeev Reddy

Product Security Tooling Engineer, Splunk
Sanjeev is a Product Security tooling engineer at Splunk by day and a hands-on hobbyist by night. Some of his favorite time sinks include sketching, clay sculpting, resin casting, mechanical keyboards, and running out of shelf space to store his growing collection of Legos. Prior...
Teja Myneedu

Teja Myneedu is a tinkerer who loves learning about technology, science, and security. Current interests include: blockchains, DLT, and dad-jokes. Professionally Teja is the Senior Engineering Manager of Product Security at Splunk. Previously Teja was a Principal Engineer at Splunk...
Andrew Lien

Andrew Lien has over 5 years of software engineering experience within the realms of cyber security, big data analytics, data and developer infrastructure, and recently, tooling and automation. An avid hiker and eagle scout, Andrew spends many weekends checking out new hiking trails...


Friday November 12, 2021 1:00pm - 2:00pm PST
On-Line

2:00pm PST

Keynote
Friday November 12, 2021 2:00pm - 3:00pm PST
On-Line

2:00pm PST

We Deserve Rights
Hackers have been mislabeled and treated as criminals due to socially constructed beliefs that have been pushed out by the public. In return, we face prosecution when doing our job and trying to keep the world safe from attackers. Current legislation has destroyed many lives of hackers who did not exploit and stayed within scope. In return, 1 out of 4 hackers don't submit vulnerabilities due to the ongoing fear of prosecution. This talk dives into the socially constructed beliefs that the world has towards hackers and how increasing public awareness is needed to change their mindset to update out-of-date legislation.

Speakers
Chloé Messdaghi

Cofounder, We Open Tech
Chloé Messdaghi is an award-winning changemaker who is innovating tech and information security sectors to meet today and future demands by providing solutions that empower organizations, products, and people to stand out from the crowd. She is an international keynote speaker at...


Friday November 12, 2021 2:00pm - 3:00pm PST
On-Line
  Keynote

3:00pm PST

Outside the box: pwning IoT devices through their applications
We often think of AppSec and IoT as two separate infosec disciplines. Sure, the domain knowledge, attack vectors, and threat mitigation are not exactly the same in those two worlds. At the same time, as the hardware continues to evolve, we see more and more tiny general purpose computers around us. Many of these tiny computers nowadays run software that is written in a conventional programming language, listen on network ports, process data inputs, and communicate with the outside world. These devices can be attacked just like any other application running on a desktop, on a server, or in the cloud.

In this talk, I am going to tell you a story about my hacking journey that unexpectedly took me from device configuration settings to software reverse engineering, vulnerability discovery, and six new CVEs. Together, we’ll go step by step through firmware analysis, decompiling, code review, and vulnerability demos. I’ll also share my experience with the responsible disclosure process. I hope this talk inspires you to apply your application security knowledge to new areas such as IoT, even if you’ve never done that before.

Speakers
Alexei Kojenov

Lead Product Security Engineer, Salesforce
Alexei began his career as a software developer. A decade later, he realized that breaking code was way more fun than writing code, and decided to switch direction. He is now a full-time application security professional, with several years of assisting engineering teams in delivering...


Friday November 12, 2021 3:00pm - 4:00pm PST
On-Line

3:00pm PST

Data-Driven AppSec Champions Programs – Benchmarking Your Program with Numbers
AppSec champions programs exist in virtually every organization that builds a ton of software and is security paranoid. These programs use informal influence and the art of persuasion to get software developers to write code with fewer security vulnerabilities. Many programs originate from the bottom up and lack strong organizational mandates – that’s where the Jedi Mind tricks come in.

AppSec champions may be widely implemented, but in general there is a lack of data on what organizations are actually doing in the field. The results of a 9-month research survey project attempt to change that, with first-ever data of common denominators of leading-edge appsec champions programs published. The structured research project involved 26 of the most innovative appsec programs, all of which had an appsec champion program. Many, if not most, were operating in isolation with no competitive data or widely understood best practices.

This session will identify the common denominators that we observed in the survey responses, including emerging best practices around recruiting appsec champions, how security organizations trained champions, and how they communicated with champions in the field. Finally, return-on-investment responses are included to provide insight into how organizations are measuring success around their programs.

This data will inform certain recommendations about how security leaders should further build these programs to get upstream of the “vulnerability production engine” that creates additional attack surface. An emphasis will be placed on how attendees can take the survey results and use them as further justification for their own programs.

We’re not remotely close to solving the secure development problem. AppSec champions help win the hearts and minds of developers who are ultimately the ones who solve this problem. The hope is that armed with appsec champions numbers and best practices, attendees will be better equipped to help their development colleagues via AppSec champions programs.

Speakers

John Dickson

Vice President, Coalfire
John Dickson is an internationally recognized security leader, entrepreneur, and Vice President at Coalfire. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public and military sectors. John helps...


Friday November 12, 2021 3:00pm - 4:00pm PST
On-Line

3:00pm PST

Cluster Wrangling: How to make Kubernetes clusters secure and usable
With the usage of Kubernetes in large companies ever increasing, it is important to get security right early on in the adoption process. As with any new technology, best practices are still emerging, so there is no “one true way” to secure a cluster.

When it comes to clusters big and small, many mistakes are still made, and these mistakes often bring increased risk while costing very little to put right.

The goal of this talk is to be a practical, defence-oriented look at two main areas of Kubernetes security. These are usable defensive measures you can implement now (well, once you’ve seen my talk).

The information used is based on the real-world cluster reviews that I’ve done in previous roles, knowledge of Kubernetes security built up via participation in the project and initiatives like the CIS benchmarks and also the intelligence on attack patterns coming from our security research team.

First we’ll look at common misconfigurations that are seen in newly deployed clusters. As Kubernetes is a relatively complex product, companies will typically deploy default configurations, which are not always secure.

There are some, sometimes surprising, defaults chosen by providers, and we’ll discuss those. One example is the use of a generic cluster admin credential, which can only be revoked by changing the keys for an entire certificate authority.

In addition to default security, the talk will look at approaches to Kubernetes cluster security that can work and scale up well. There’s a lot of variety in how companies deploy the product, in terms of cluster size and whether developers have direct access to the main Kubernetes API; these choices have consequences for security, so we can recommend approaches that will work for different threat models.

Whilst having shared clusters amongst groups of developers may be appropriate for internal clusters, where companies are using Kubernetes in a multi-tenant configuration with Internet-facing applications it is difficult to properly segregate permissions so that this can operate securely, and the talk will delve into some specifics around that.

Speakers

Rory McCune

Aqua Security
Rory has worked in the Information and IT Security arena for the last 20 years in a variety of roles. These days he spends his work time on container and cloud native security as a Cloud Native Security Advocate for Aqua. He is an active member of the container security community...


Friday November 12, 2021 3:00pm - 4:00pm PST
On-Line

3:00pm PST

OWASP Open Application Security Curriculum
Part of OWASP’s main purpose is to “Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software”. A key part of that mission is to educate not just the current generation of developers or information security professionals, but also the next generation, particularly in the context of the acknowledged skills shortage in the security sector.

A common problem with many security education programmes (whether cyber or InfoSec) or even traditional computer science programmes is that they do not address application security adequately, if at all. In some regions, attempts have been made to address this deficit.

In the UK for example, ISC2 and the BCS are working on an initiative to embed security firmly within the Computer Science curriculum, with an emphasis on secure coding techniques. OWASP, through my involvement, also champions this initiative.

There is an opportunity for OWASP to pull together its wide-ranging expertise, projects, and dedicated volunteers to engage in these types of education programmes and initiatives by developing an educational strategy for undergraduate and postgraduate students. This could take the form of an open “Standard” curriculum template which can be adopted and adapted by diverse educational partners and organisations. Such a template would also give a useful starting point or reference document for when we engage with other professional bodies.

Speakers

Adrian Winckles

Director of Cyber Security & Networking Research Group & Security Researcher, Anglia Ruskin University
Adrian Winckles is Director of Cyber Security & Networking Research Group & Security Researcher at Anglia Ruskin University. He is OWASP Cambridge Chapter Leader, OWASP Europe Board Member and Chair of OWASP Education Committee. His security research programs include (in)security of...


Friday November 12, 2021 3:00pm - 4:00pm PST
On-Line

4:00pm PST

Application Threat Modeling Implementation Tips and Tricks
Threat modeling is a structured approach that enables you to identify, quantify, and address the security risks associated with an application. It could be utilized during the SDLC process in several ways; these range from verifying application architecture, identifying and evaluating threats, designing countermeasures, to penetration testing based on a threat model.

The primary purpose of this talk is to provide essential knowledge and valuable tips and tricks that application security researchers need to know when designing and implementing application threat modeling.
The talk will discuss best practices for drawing the data flow diagram (DFD) in some advanced cases, including microservices-based applications and applications developed with client-side frameworks, along with some tips on analyzing the application’s DFD to enumerate all possible logical threats.

Speakers

Mohamed Alfateh

Cyber Security, ZINAD IT
Mohamed Alfateh is the OWASP Cairo chapter leader. He has a vast and deep experience in secure SDLC, code review & application threat modeling, in addition to DevSecOps and security compliance. Mohamed has several OWASP contributions; he is a board member of the OWASP Chapter Committee...


Friday November 12, 2021 4:00pm - 5:00pm PST
On-Line

4:00pm PST

Automated Serverless Security Testing: Delivering secure apps continuously
Serverless technology eliminates the need for development teams to provision servers, and it also results in some security threats being passed to the cloud provider. This frees up developers to concentrate on building logic and producing value quickly. But cloud functions still execute code. If the software is written poorly, it can lead to a cloud disaster.

How can developers ensure that their code is secure enough? They can scan for common vulnerabilities and exposures (CVEs) in open-source code. They can even scan their Infrastructure-as-Code (IaC) definitions to identify insecure configurations. But what about custom code? At many organizations, the application security team struggles to keep up with the speed of development in a serverless environment. Traditional testing tools not only provide very limited coverage, but also slow development cycles unacceptably. Serverless code contains a mixture of cloud configurations and application programming interface (API) calls. As a result, legacy solutions lack the context that is necessary in a serverless environment, and the consequence is a lack of observability and slower response times.

Fortunately, it does not have to be this way. Organizations can leverage robust security during serverless development, automatically—if it is done properly. In this talk, we will discuss common risks in serverless environments. We will then cover existing testing methodologies and why they do not work well for serverless. Finally, we will present a new, completely frictionless way of testing serverless applications automatically—with no scripts, no tests, and no delays.

Speakers

Tal Melamed

Contrast Security
With over 15 years’ experience in security research and engineering, Tal possesses an unprecedented understanding of the Application and Serverless Security landscape. Most recently Tal co-founded CloudEssence, a cloud-native security technology company that enables organisations...


Friday November 12, 2021 4:00pm - 5:00pm PST
On-Line
  Builder

4:00pm PST

Web Application Honeypot Threat Intelligence
The goal of the OWASP Web Application Honeypot Project is to identify emerging attacks against web applications and report them to the community, in order to facilitate protection against such targeted attacks. Within this project, we are leading the collection, storage and analysis of threat intelligence data.

The purpose of this part of the project is to capture intelligence on attacker activity against web applications and utilise this intelligence as ways to protect software against attacks. Honeypots are an established industry technique to provide a realistic target to entice a criminal, whilst encouraging them to divulge the tools and techniques they use during an attack. Like bees to a honeypot. These honeypots are safely designed to contain no information of monetary use to an attacker, and hence provide no risk to the businesses implementing them.

The honeypots, deployed as VMs, Docker containers or on small computing platforms like the Raspberry Pi, employ ModSecurity-based Web Application Firewall technology using OWASP’s Core Rule Set, pushing intelligence data back to a console where it is converted to STIX/TAXII format for threat intelligence sharing or pushed into ELK for visualisation.

The project will create honeypots that the community can distribute within their own networks. With enough honeypots globally distributed, we will be in a position to aggregate attack techniques to better understand and protect against the techniques used by attackers. With this information, we will be in a position to create educational information, such as rules and strategies, that application writers can use to ensure that any detected bugs and vulnerabilities are closed.

From a post-attack forensic or incident response perspective, a rich data set of the following information is potentially available to the community or individual organisations utilising the honeypots.

Speakers

Adrian Winckles

Director of Cyber Security & Networking Research Group & Security Researcher, Anglia Ruskin University
Adrian Winckles is Director of Cyber Security & Networking Research Group & Security Researcher at Anglia Ruskin University. He is OWASP Cambridge Chapter Leader, OWASP Europe Board Member and Chair of OWASP Education Committee. His security research programs include (in)security of...


Friday November 12, 2021 4:00pm - 5:00pm PST
On-Line

4:00pm PST

OWASP ZAP & DeepFactor Continuous AppSec Observability: Made For Each Other!
Observability has typically been used in the context of performance-related tracing and troubleshooting. DeepFactor, however, uses observability for security and compliance. It’s a much more powerful, comprehensive, and modern way to think about your DevSecOps pipeline. DeepFactor observes the millions of events in every thread of every process of every container of an application and detects security & compliance risks by identifying needles in this haystack. Observability and OWASP ZAP, by themselves, are highly valuable. However, together, 1 + 1 > 2.


Speakers

Kiran Kamity

CEO, DeepFactor
Kiran Kamity is the Founder & CEO of Deepfactor. He is a passionate serial Silicon Valley entrepreneur. Prior to DeepFactor, Kiran was the Head of product at Cisco Cloud BU, Founder/CEO at ContainerX (acquired by Cisco), and the Founder/VP at RingCube (acquired by Citrix). Kiran is...


Friday November 12, 2021 4:00pm - 5:00pm PST
On-Line