We have been working hard to secure the world through challenges and discovery. And now, it’s time to celebrate! Many of you have played a crucial role in the Foundation’s enduring history, and we encourage you to participate in the celebration coming this September! Our theme, Securing the Next 20 Years, is encouraging and exciting as we look ahead to the next 20 years!

Join us for FREE at this live 24-hour global event as we honor the past, celebrate the present, and embrace the future of OWASP and cybersecurity. Hear from world-renowned keynotes and special speakers, and network with your peers. It is FREE to attend; however, registration IS required, so please register today!


Friday, September 24
 

3:10am EDT

AppSec is too hard!?
Looking at available tools and features, it is easy to conclude that AppSec is shooting for the moon. Modern frameworks build security in by default, and vulnerable technologies are replaced by more secure alternatives. But regardless of all these good intentions, we see the same vulnerabilities popping up over and over again. Are we just careless when building applications, or is AppSec too hard? Throughout this talk, we review various cases where frameworks and libraries get in the way of security, paving the way for application-level vulnerabilities. With practical examples, we investigate more robust approaches to application security. The patterns we discuss will not only help you to improve the security of your applications but also make application security more manageable at scale.




Speakers
Philippe De Ryck

Founder, Pragmatic Web Security
Philippe De Ryck helps developers protect companies through better web security. His Ph.D. in web security from KU Leuven lies at the basis of his exceptional knowledge of the security landscape. As the founder of Pragmatic Web Security, Philippe delivers security training and security...


Friday September 24, 2021 3:10am - 4:00am EDT
On-Line

4:00am EDT

OWASP Mobile Security Testing Guide Flagship Project
Speakers
Carlos Holguera

Security Engineer, ESCRYPT

Sven Schleier

Technical Director, F-Secure Consulting


Friday September 24, 2021 4:00am - 4:30am EDT
On-Line

4:00am EDT

OWASP Top 10 Privacy Risks 2021
Abstract:
“The future is private,” said Mark Zuckerberg back in 2019 at Facebook’s developer conference. OWASP has been addressing the topic of web application privacy with its Top 10 Privacy Risks Project since 2014. The project covers technological and organizational aspects that focus on real-life privacy risks, not just legal issues. It provides tips on how to implement privacy by design in web applications, with the aim of helping developers and web application providers to better understand and improve privacy. In the meantime, this OWASP project has become best practice for experts all over the world. But new regulations like GDPR and CCPA and a rapidly changing world raise the question of how far the privacy risk landscape has changed since 2014. This led to the decision to update the project back in 2020, and finally, more than one year later, version 2.0 of the OWASP Top 10 Privacy Risks project has been published. In this session project founder and leader Florian Stahl will present the updated results and show that some well-known topics like web application vulnerabilities remain at the top of the list, but also that new issues like “Consent on everything” or “Insufficient Data Quality” made it into the Top 10 Privacy Risks 2021. He also explains countermeasures against these risks and how to really build a private future.

Speakers
Florian Stahl

Principal Consultant, MSG
Florian Stahl is Principal Consultant for Security & Privacy at the software company msg in Germany. He achieved his Master's in Computer and Information Systems Science in Germany and Sweden and holds CISSP, CISM and CIPT certifications. Florian has more than ten years of experience...


Friday September 24, 2021 4:00am - 4:30am EDT
On-Line

4:00am EDT

Blockchain-based Security Framework for Cyber Physical Systems (BSF-CPS)
Abstract:
Cyber-physical systems, more commonly known as CPS, are a class of automated systems which work as a lifeline in smart cities’ systems such as home automation systems, power grids, the automotive industry, etc. CPS are transforming the way we interact with, monitor and control the physical world around us. The security aspects of these systems are in high demand as these systems are involved in the day-to-day life of people and the national economy. Compromised CPS can harm the day-to-day operations of people. CPS are complex in design and more prone to cyber-attacks. Detection of safety and security deficiencies acts as a fundamental building block for creating a security framework for CPS at different levels. Cyber-physical devices (CPS), the Internet of Things, and digital frameworks are generally cases of embedded devices in which the basic requirement is to provide flexibility to various applications with higher adaptability, to provide reliable communication with the implementation of communication protocols. However, existing platforms use centralised networking, which suffers from security, scalability and big-data problems. In this talk, I will be presenting a blockchain-based security framework for CPS (BCSF-CPS) which will provide a trustable network to get rid of third-party problems and, in addition, also improve the scalability, security and big-data problems for CPS. The rudimentary principle behind the proposed framework is based on a hybrid of open and consortium blockchain. This hybrid approach will provide a peer-to-peer communication network between the end user and the service provider. The first half of this talk will present a review of the major CPS security problems like centralized control, cloud and edge device data management, heterogeneous environments, secure data access with high latency and accuracy, adversarial attacks, overall security, and privacy. The proposed BCSF-CPS framework will be presented in the second half of the talk.
BCSF-CPS is based on role-based access using the account address of the blockchain node as the identity, redefining access permissions, designing the initialization, access control, authorization, authorization revocation and audit processes, and using a lightweight symmetric encryption algorithm to achieve privacy protection. Moreover, I will also share a review of applying blockchain technology for CPS to provide insights and highlight the challenges and future opportunities.

Speakers
Dr. Abhilasha Vyas

Senior Manager, Academic Initiative, Cyber Peace Foundation
Dr. Abhilasha Vyas works as Senior Manager, Academic Initiative, CyberPeace Foundation. She is a member of the executive committee of the Women in Big Data (WiBD) India Chapter. She is also working as Head, Cyber Cell, Suraj Sansthan, Jaipur. Her research area is Cyber Security and Detection...


Friday September 24, 2021 4:00am - 4:30am EDT
On-Line

4:00am EDT

How Security, Development & Testing can work together to stop the same recurring vulnerabilities appearing in the OWASP Top 10
Abstract:
Although the OWASP Top 10 has been updated several times, the same vulnerabilities keep appearing over and over again! Security is a shared responsibility; how can we work together to stop the same recurring vulnerabilities?

The majority of vulnerabilities are introduced during coding and identified during testing. How can development, security and testing work together to prevent these vulnerabilities from reappearing? Changing culture is key! How can we motivate developers? How do we put a positive spin on security? How can we break down the silos between different teams and unite behind the shared goal of secure software?

Security can no longer be the ‘bad guy’ at the end of the software development process. Security practices must be embedded within the developer workflow and software development lifecycle. This requires a mix of hard and soft skills which will be discussed during this session.

Speakers
Stefania Chaplin

Solutions Architect, Secure Code Warrior
Stefania Chaplin is EMEA's Solution Architect at Secure Code Warrior. Her experience within Cybersecurity, DevSecOps and OSS governance means she's helped countless organisations understand and implement security throughout their SDLC. As a Python developer at heart, Stefania is always...


Friday September 24, 2021 4:00am - 4:30am EDT
On-Line

TBA

An Attackers View on APAC's 2021 Three Major Breaches
In this short presentation, Ric is going to cover the top three major breaches reported via Have I Been Pwned in the APAC region in 2021. The aim of this short presentation is to offer a summary of the publicly known information, where possible quickly cover how the attacks occurred, and provide some tips on how to prevent these types of attacks.

Speakers
Ric Campo

Senior Security Consultant
Ric is a Senior Security Consultant whose focus is on offensive security and vulnerability management. Ric is an experienced penetration tester and blue teamer. His experience includes the Defence, Aviation, Financial and Medical sectors. He leads the OWASP Sydney Chapter and helps...


Friday September 24, 2021 TBA
On-Line

TBA

Security Chaos Engineering - Turning the Tide in the War on Uncertainty in Cyber Security
Hope isn’t a strategy. Likewise, perfection isn’t a plan. The systems we are responsible for are failing as a normal function of how they operate, whether we like it or not, whether we see it or not. Security chaos engineering is about increasing confidence that our security mechanisms are effective at performing under the conditions for which we designed them. Through continuous security experimentation, we become better prepared as an organization and reduce the likelihood of being caught off guard by unforeseen disruptions. Security Chaos Engineering serves as a foundation for developing a learning culture around how organizations build, operate, instrument, and secure their systems. The goal of these experiments is to move security in practice from subjective assessment into objective measurement. Chaos experiments allow security teams to reduce the “unknown unknowns” and replace “known unknowns” with information that can drive improvements to security posture. During this session Aaron Rinehart, the O’Reilly author and pioneer behind Security Chaos Engineering, will share how you can implement Security Chaos Engineering as a practice at your organization to proactively discover system weaknesses before they become an advantage to a malicious adversary. In this session Aaron will introduce a new concept known as Security Chaos Engineering and share some best practices and experiences in applying the emerging discipline to create highly secure, performant, and resilient distributed systems.

Speakers
Aaron Rinehart

Founder, Verica
Over the past 5 years, Aaron Rinehart has been expanding the possibilities of Chaos Engineering to Cybersecurity. He began pioneering security in chaos engineering when he released ChaoSlingr during his tenure as Chief Security Architect at UnitedHealth Group (UHG). Rinehart is...


Friday September 24, 2021 TBA
On-Line

4:30am EDT

OWASP ZAP Flagship Project
Speakers
Simon Bennetts

Distinguished Engineer, StackHawk


Friday September 24, 2021 4:30am - 5:00am EDT
On-Line

4:30am EDT

Introducing graph theory to Policy-As-Code
Abstract:
Graphs are data structures used to model relationships between nodes. Modern cloud infrastructures can be thought of as graphs: compute resources depend on network resources, which in turn depend on access control resources, and so on.
Infrastructure as code projects such as Terraform build a directed acyclic graph to model the relationships between resources so operators can safely manage and change infrastructure resources across bare metal, IaaS, PaaS, and SaaS.
Can we utilize a similar graph to analyze and enforce a policy over infrastructure as code?
In this talk we will explore how to apply graph theory to Policy As Code using the open source tool Checkov.
We will cover the internals of Checkov, demonstrate usage, and write a custom policy on the relationships between compute resources and access control resources.

Speakers
Barak Schoster

Chief Architect, Bridgecrew By Prisma Cloud
Barak Schoster is co-founder and CTO of Bridgecrew. Based in Tel Aviv, Barak spends his time helping teams secure cloud infrastructure, writing code, and talking about writing code. He is the creator of Checkov and often contributes to other open source projects. Follow him on Twitter...


Friday September 24, 2021 4:30am - 5:00am EDT
On-Line

4:30am EDT

Your company, as a Knowledge Graph - the foundation of cybersecurity’s future
OWASP speaker at both London AppSec 2018 and Tel-Aviv AppSec 2019.

Cybersecurity enthusiast with over 15 years of experience in the field of information technology, working with Go, Big Data, Graph Databases, Python, and Linux.

I worked as Software Developer at Sophos/Astaro, a cloud Security Manager for Rolls-Royce, ABB, and Lloyd's Register.

Father of 3, biker, and animal lover.

Speakers
Ovidiu Cical

Founder & Cloud Security Architect, Cyscale Cloud Security


Friday September 24, 2021 4:30am - 5:00am EDT
On-Line

4:30am EDT

Automatic Vulnerability Remediation: The Trusted and Secure Road to Developer Happiness
Abstract:
Developing secure software is not a trivial undertaking. Modern applications are commonly encumbered with security vulnerabilities that can present a serious risk to services, systems, organizations, and end users.

While vulnerability detection is commonly an automated process, vulnerability remediation is not. Relegating such effort to developers who might not possess the knowledge required to handle vulnerabilities is a demanding and ineffective process. However, the idea of automatic code remediation may not be easy for developers to accept, let alone endorse, due to a trust barrier. Developers will likely be concerned about any process that autonomously pushes changes that might break their code. To gain the requisite trust by developers, automatic remediation must ensure that code changes preserve application functionality and structure as much as possible. More importantly, automatically generated code should look like it was written by the code owner and must never break the application.

Automatic remediation of security vulnerabilities offers an immense value proposition for organizations. It does this by potentially expediting product release schedules, by freeing development bandwidth so that it may be dedicated to feature implementation (rather than software maintenance), and by ultimately delivering better software security. What’s more, customer studies and reviews reveal that an automated approach to vulnerability remediation can save time and eliminate friction with security teams.

This session presents how automatic vulnerability remediation realizes an incredible value proposition by enabling faster product release schedules, extended development bandwidth, and better software security.

Speakers
Rami Elron

Senior Director of Product Management, WhiteSource
Rami Elron is the Senior Director of Product Innovation at WhiteSource, driving application security strategic initiatives and thought leadership. Rami has defined and led the product specification for major staples of WhiteSource's portfolio, including the company's prioritization...


Friday September 24, 2021 4:30am - 5:00am EDT
On-Line

5:00am EDT

OWASP Juice Shop Flagship Project
Speakers
Björn Kimminich

Senior Manager IT Architecture, Kuehne + Nagel


Friday September 24, 2021 5:00am - 5:30am EDT
On-Line

5:00am EDT

Connecting the Dots: How Threat Intelligence Protects the Applications
Today we can see that digital technologies are the core of every business. The automation and the connections achieved with these technologies have revolutionized the world’s economic and cultural institutions, but they have brought additional risk in the form of cyber attacks.

What is Cyber Threat Intelligence, how can you implement it properly to protect your business, and why is it an important component of the AppSec world?

In this presentation you will find out how to integrate it into your Application Security Program, but also solutions that automate data collection and processing, integrate with other solutions or services, take in unstructured data from disparate sources, and then connect the dots by providing context on indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) of threat actors. In short, threat intelligence is knowledge that will allow you to prevent or mitigate those attacks.

Speakers
Catalin Curelaru

Security Operations Manager, Visma
Catalin is a security generalist specializing in the Infrastructure and Product Security areas with a strong knowledge of Security Operations. He works at Visma as a Security Operations Manager, enjoying his time in the Product Security Operations team providing technical leadership...


Friday September 24, 2021 5:00am - 5:30am EDT
On-Line

5:00am EDT

Achieving the Web Isolation Nirvana - How far along are we?
Abstract:
Security isolation is a design principle that improves the resilience of applications against attacks. It works like a second layer of defense that protects the application in the presence of a security breach, by containing the attack to the compromised partition. Sandboxing is one of the techniques often used to provide isolation by restricting code to a limited permission set. Isolation, in this context, is limiting what can happen if a vulnerability is exploited. It is closely tied to the well-known security principles of Least Privilege and Privilege Separation.

Any application can and should be designed using these principles. However, it is of vital importance for applications that include untrusted or 3rd party code. Companies can do code reviews of untrusted code before using it, but that is prone to oversights and is too costly to be done for every code change. Additionally, code reviews can be difficult to do in situations where there is no ahead of time access to the code, which is usually the case with web applications, where 3rd party vendor services are directly embedded into applications from their remote servers.

Using 3rd party code/components is a growing trend observed in the last decade, and will keep growing, as companies work towards cutting the development time of new applications. This is especially true for Web Applications as high-scale modern Web Applications use dozens of different 3rd party services. Any untrusted code can be compromised and put the rest of the Web Application at risk, potentially leaking sensitive data.

Throughout the years, several solutions and best practices have been advocated for creating Web Applications leveraging Web Isolation. The core security model of browser-based apps sits upon the Same Origin Policy (SOP), a mechanism that aims to prevent different security domains from interfering with each other in malicious ways. But the SOP is limited in what it can do, and imposes several limitations on how the application is designed. It's neither practical nor economically efficient to split every code partition into its own origin. Iframe sandboxing was a good complement to the SOP, but its adoption is still anemic, as most third-party scripts require direct access to the DOM and to other scripts in order to function properly. Despite our best efforts to bring effective Web Isolation and privilege separation to the client side, we are still struggling.

In this talk, we will attempt to tie in the journey of the last 20 years of Web Isolation to the “next 20 years”. We’ll make a pit stop in the present, where we’ll showcase a client-side sandboxing solution that is transparent, does not require any browser modification and can be embedded into any Web Application. We can pontificate on what will be the likely state of Web Isolation for applications deployed in the future. And lastly, we can discuss where the security challenges will likely be located and how we, the security community, need to work together in order to overcome those challenges.

Speakers
Jasvir Nagra

Security Engineer, Dropbox
Jasvir Nagra is widely recognized as a thought leader in software protection. He is co-author of Surreptitious Software, the definitive textbook on software protection, and an early researcher in obfuscation, software watermarking, and fingerprinting. With more than 12 years of experience...

Pedro Fortuna

CTO, Jscrambler
Once on a trajectory to a full academic career, where he taught security and computer science courses for about 5 years, he ended up falling in love with the fast-paced world of entrepreneurship. He started Jscrambler, where he leads all security research and drives the company product...


Friday September 24, 2021 5:00am - 5:30am EDT
On-Line

5:00am EDT

Effective Usage Analysis: The Shortest Path Between a Developer and Accelerated Product Releases
Abstract:
Modern software applications can feature thousands of direct or indirect code dependencies between proprietary and open source software components, many of which have security vulnerabilities.

Vulnerability scanning commonly reports a gigantic number of findings that demand attention by development teams. Our study, based on the review of hundreds of open source projects in Java, .NET, Python, and JavaScript, shows that about 70% of the reported vulnerabilities in real-world applications cannot be referenced from application code, thereby effectively posing no risk. However, many organizations establish the urgency of vulnerability handling based on the vulnerability’s reported severity. In light of the large number of reported vulnerabilities that are not ‘effective,’ security and development personnel often find themselves investing an inordinate amount of time addressing alerts that should have been prioritized in the first place.

Knowledge of a vulnerability’s ‘effectiveness’ is extremely valuable to organizations. It enables organizations to eliminate a substantial portion of reported security risks with 100% accuracy to concentrate on a significantly smaller number of ‘effective’ vulnerabilities. This enables organizations to save precious time, focus their development teams’ attention on real risks, apply remediation efficiently, and expedite product delivery.

This session presents how prioritization based on effective usage analysis enables organizations to confirm which reported vulnerabilities can be exploited, significantly reducing the number of vulnerabilities developers must remediate.

Speakers
Dr. Aharon Abadi

Chief Scientist, WhiteSource
Aharon Abadi (PhD) has been Chief Scientist at WhiteSource since November 2017. Aharon studied computer science at Tel-Aviv University, receiving BSc, MSc, and PhD degrees, respectively. Aharon's research interests lie in a wide range of topics including application security, open source...

Rami Elron

Senior Director of Product Management, WhiteSource
Rami Elron is the Senior Director of Product Innovation at WhiteSource, driving application security strategic initiatives and thought leadership. Rami has defined and led the product specification for major staples of WhiteSource's portfolio, including the company's prioritization...


Friday September 24, 2021 5:00am - 5:30am EDT
On-Line

5:30am EDT

Attacking the microservice systems: methods and practical tips
Abstract:
The microservice architecture is being increasingly used for designing and implementing application systems in both cloud-based and on-premise infrastructures for different purposes from small “startup” business process to large-scale telecommunications. But the microservices bring new security architecture patterns and approaches that completely change the attack surface and may lead to vulnerabilities. This presentation focuses on approaches and practical tips on how to provide a basic security assessment of microservice-based systems to find microservice-specific vulnerabilities. Our research results were extracted during multiple security assessments, collected, structured and contributed to the OWASP community.

Speakers
Alexander Barabanov

Principal Security Architect, Advanced Software Technology Lab, Huawei
Ph.D. in Computer Science, CISSP, CSSLP. Over ten years of working experience in IT security evaluation and application security. Current position is a Principal Security Engineer at Advanced Software Technology Lab, Huawei. Associate Professor at Bauman Moscow State Technical University...


Friday September 24, 2021 5:30am - 5:30am EDT
On-Line

5:30am EDT

OWASP Software Assurance Maturity Model (SAMM) Flagship Project
Speakers
Seba Deleersnyder

Co-founder & CTO, Toreon

Bart De Win

Director Cyber & Privacy, PwC


Friday September 24, 2021 5:30am - 6:00am EDT
On-Line

5:30am EDT

OWASP Application Gateway: What is it and how can you use it to secure your webapp?
Abstract:
The OWASP Application Gateway is a modern HTTP reverse proxy that sits between your web application and the client and handles OAuth2 login and session. It is built to scale from small projects to huge enterprise apps. For you, as a developer, OAG takes away the hassle of implementing login logic in the backend and frontend so you can focus totally on your application's logic.

In this talk, we'll go through the security challenges you'll face while building modern software systems and how the OWASP Application Gateway helps you build secure applications. Furthermore, we'll do a technical deep dive into how you can customize and extend the Application Gateway to your needs.

Speakers
Gian-Luca Frei

OWASP Switzerland Chapter / Zühlke Engineering AG
Gian-Luca Frei is the initiator and leader of the OWASP Application Gateway project. Besides his open-source contributions, he is a security engineer at Zühlke. He has in-depth experience with systems with the highest security standards, such as e-banking portals and inter-banking...


Friday September 24, 2021 5:30am - 6:00am EDT
On-Line

5:30am EDT

Objects In The Rear View Mirror Are Closer Than They Appear
Abstract:
We are living in the future. Actually, we have been living in the future for some time now. Unfortunately, progress is not equally divided between the different facets of technology. An area that has always suffered a delayed reaction is security, and more specifically security testing. When it comes to innovation and digital transformation, we are charging forward at full speed, but failing to adapt testing practices to evolve with the times and technologies. We are quickly, and often blindly, embracing the bleeding edge of technology, but every tech adoption comes with the overhead of a new set of tests (and their respective vendors of course). We are aggressively shifting left to the point where our testing results are not actionable, and sometimes not even clear. In this talk, we will discuss the ‘opportunities’ future-fueled applications present to adversaries, the challenges security teams encounter with modern architectures, and the vision we should consider when testing and securing these applications to take a more proactive defense approach across the industry.

Speakers
Erez Yalon

Head of Security Research, Checkmarx
Erez Yalon, Head of Security Research, oversees Checkmarx’s research team comprising analysts, pen-testers, secure developers, and bug bounty hunters. He brings vast experience to his position and his efforts empower today’s developers and organizations to deliver more secure...


Friday September 24, 2021 5:30am - 6:00am EDT
On-Line

6:00am EDT

OWASP Security Knowledge Framework Flagship Project
Speakers
Glenn ten Cate

Chief Information Security Officer, Zerocopter


Friday September 24, 2021 6:00am - 6:30am EDT
On-Line

6:00am EDT

Stop the looters: a method to detect digital skimming attacks
Abstract:
In 2019 British Airways was fined a remarkable £183 million for a data breach that affected more than 380,000 of its customers. Magecart, the hacking group behind the attack, specializes in credit card theft, and British Airways has not been their only victim. Ticketmaster, Forbes, Newegg and numerous online webshops have suffered security breaches by digital skimmers.

In the real world, a skimmer is a physical device inserted at payment terminals in order to harvest credit card data. Digital skimming is usually done through JavaScript code injected into a web page that victims visit to fill in payment or other types of sensitive data.

So how do you detect an attack? Is there an easy method to monitor JavaScript and deter digital skimmers? In this talk I will be presenting exactly this: a method to audit your JavaScript in order to stop digital skimmers from looting your websites.

Speakers
Nikolaos Alexiou

IT Security Specialist, Skandia
Nikolaos (Nikos) Alexiou is an application security specialist based in Stockholm, Sweden. He is a leader of the OWASP Stockholm local chapter and has a software developer background. He holds a master's in Information Systems and has published his research work in academic conferences...


Friday September 24, 2021 6:00am - 6:30am EDT
On-Line

6:00am EDT

Top 10 Challenges for DevSecOps
Abstract:
DevSecOps is the push for security to fit into the success DevOps has created. Since 2015 we’ve been working with hundreds of companies on the integration of DevSecOps into software development processes and have seen the troubles, the successes, and the same patterns coming up again and again. Therefore, in honor of OWASP, we’ve created a Top 10 list of challenges that DevSecOps will need to overcome to truly fulfill its promise and make our lives simpler.

Let’s all repeat to ourselves: “DevSecOps isn’t simple. DevSecOps isn’t hooking a few APIs into CI/CD. DevSecOps is about giving precise, usable security data, when and where it’s needed.”

Note that in this presentation we very much focus on DevSecOps achieving the same promise as DevOps, i.e. the ability to deliver usable, actionable security within the DevOps or CI/CD pipelines such that the risk to the business is reduced. This means the ‘Sec’ in DevSecOps needs to provide value within the operation and timeframe that DevOps works at. This is a common problem seen in many DevSecOps rollouts.

Speakers
Gary Robinson

Director, Uleska
Gary has over 20 years of experience in software and cyber security. In the private sector he has held roles including Security Architect in global banking and CEO of Uleska. In the voluntary sector, Gary has run projects, conferences, and Global Board membership of OWASP. Gary...


Friday September 24, 2021 6:00am - 6:30am EDT
On-Line

6:30am EDT

OWASP Web Security Testing Guide Flagship Project
Speakers
avatar for Matteo Meucci

Matteo Meucci

Chief Executive Officer, IMQ Minded Security


Friday September 24, 2021 6:30am - 7:00am EDT
On-Line

6:30am EDT

OWASP API Security Top 10 - A Beginner's Guide to Mitigation
Abstract:
In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole.

The OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications.

APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch the OWASP API Security project in 2019.

In this session we’ll discuss:
- What risks are associated with each of the OWASP Top 10 for API Security
- Solutions you can implement to mitigate these risks
- Strategies for implementing API security across the entire lifecycle

Speakers
avatar for Isabelle Mauny

Isabelle Mauny

CTO and Co-Founder, 42Crunch
Isabelle Mauny, Chief Evangelist and co-founder of 42Crunch spent most of her career at IBM, across a variety of technical roles, at the European level. She was part of the IBM WebSphere Strategy board and played a key role in the deployment in Europe of flagship products such as... Read More →


Friday September 24, 2021 6:30am - 7:00am EDT
On-Line

6:30am EDT

Feedback loop in DevSecOps - mature security process and dev cooperation
Abstract:
Having security testing in the pipeline is getting more and more popular; I would say it is becoming a standard! But what are we doing with the findings? What are we automating, and how are we using the automation?

The presentation will cover security-as-code practices to integrate security testing into the CI and CD pipelines, but in addition I will discuss the part of the testing that cannot be automated, which is penetration testing. How do you connect it with your automated testing, and what is the role of penetration testing in monitoring? I will show how it affects the next round of the process and what the process should look like.
During the presentation I will discuss real use cases from different pipelines and security tools, showing pros and cons, advantages and challenges. The demo will include GitHub Actions and open-source tools like OWASP ZAP, and examples will be provided as pipeline-as-code and security-as-code: real-life use cases and examples with step-by-step instructions on how the development process should look in a mature state of DevSecOps.

Speakers
avatar for Daniel Krasnokucki

Daniel Krasnokucki

Product Security Manager, Equinix
Security freak, pentester, programmer, and day-to-day also a manager of Product Security team @ Equinix. Leader of OWASP Poland with a strong focus on building security controls and improving different areas in a very techy company. Privately likes board games, football (soccer) and... Read More →


Friday September 24, 2021 6:30am - 7:00am EDT
On-Line

7:00am EDT

Scaling AppSec through Education
Abstract:
Given that:
- Security teams are outnumbered by developers 100:1
- 50 - 80% more bugs are found in code review than in testing
- More than 70% of CVEs are caused by implementation in code

It must follow that AppSec should be the biggest part of your concern as a security person, and that you either need to seriously invest in more AppSec people to keep up with the developer population or you need to get developers looking for AppSec issues during code review.

So, how does one do that?

Speakers
avatar for Grant Ongers

Grant Ongers

Co-founder, Secure Delivery
Grant's experience spans Dev - building platforms for regulated industries for more than 10 years. 20+ years in Ops, everything from managing operations in NOCs to mainframe and DBs. He also has over 30 years pushing the limits of (Info)Sec - mostly white-hat. Grant’s community... Read More →


Friday September 24, 2021 7:00am - 7:30am EDT
On-Line

7:30am EDT

Break
Friday September 24, 2021 7:30am - 8:00am EDT
On-Line

8:00am EDT

Our Secure Future
How do we build a better future for information security by examining the lessons learned in the recent as well as distant past?

Speakers
avatar for Jaya Baloo

Jaya Baloo

Chief Information Security Officer, AVAST
Jaya Baloo is Avast's Chief Information Security Officer (CISO) and joined Avast in October 2019. Previously, Ms. Baloo held the position of CISO at KPN, the largest telecommunications carrier in the Netherlands, where she established... Read More →


Friday September 24, 2021 8:00am - 9:00am EDT
On-Line

9:00am EDT

TBD
Friday September 24, 2021 9:00am - 9:30am EDT
On-Line

9:00am EDT

OWASP OWTF Flagship Project
Speakers
avatar for Abraham Aranguren

Abraham Aranguren

Managing Director, 7ASecurity


Friday September 24, 2021 9:00am - 9:30am EDT
On-Line

9:00am EDT

Code-Origin Policy: Towards a Formal User Privacy Protection for the Web
Abstract:
Although technical solutions and legislation exist, online user privacy is still an open issue and an unsolved crisis. Indeed, there is no formal assurance mechanism to guarantee that a web application will not violate its users' privacy as stated in the user agreement. In this presentation, we introduce a new method to protect web users' privacy by monitoring JavaScript code based on the source of the code, i.e., code origin. Our code-origin policy enforcement approach advances the conventional same-origin policy standard and allows the users to customize their protection. We demonstrate that our privacy policies can be certified at the development phase and verified at runtime to provide formal assurance of the enforcement.

Speakers
avatar for Phu H. Phung

Phu H. Phung

Associate Professor, University of Dayton
Dr. Phu H. Phung is an Associate Professor and the Director of the Intelligent Systems Security Lab in the Department of Computer Science, University of Dayton. He received his Ph.D. in Computer Science in 2011 from Chalmers University of Technology, Sweden. His research interests... Read More →


Friday September 24, 2021 9:00am - 9:30am EDT
On-Line

9:00am EDT

React Native Security. Addressing typical mistakes
Abstract:
When developers choose to use React Native as a platform for their mobile apps, they think about the benefits of one codebase for two platforms, increased development speed and the advantages of TypeScript. But what about application security? Many articles claim that React Native apps are less secure. In my talk, I'll shed light on React Native apps' security based on my experience, and explain some risks and threats developers should address to prevent typical mistakes.

Speakers
avatar for Julia Potapenko

Julia Potapenko

Security Software Engineer, Cossack Labs
Julia is a Security Software Engineer at Cossack Labs, building convenient and affordable data security and encryption solutions. With background experience in mobile application development, she helps customers to choose and implement security controls for their products. Julia is... Read More →


Friday September 24, 2021 9:00am - 9:30am EDT
On-Line

9:30am EDT

OWASP Cloud-Native Application Security Top 10 Flagship Project
Speakers
avatar for Ron Vider

Ron Vider

Co-Founder and Chief Technology Officer, Oxeye
Ron is the CTO of Oxeye, an application security testing platform for cloud native applications. He brings over a decade of experience in application and cloud security, working for Orca Security and the IDF Cyber elite 8200 unit. He specializes in application, container, cluster... Read More →


Friday September 24, 2021 9:30am - 10:00am EDT
On-Line

9:30am EDT

Good Bot, Bad Bot: Characterizing Automated Browsing Activity
Abstract:
​As the web keeps increasing in size, the number of vulnerable and poorly-managed websites increases commensurately. Attackers rely on armies of malicious bots to discover these vulnerable websites, compromising their servers, and exfiltrating sensitive user data. It is, therefore, crucial for the security of the web to understand the population and behavior of malicious bots.

In this presentation, we will report on the design, implementation, and results of Aristeus, a system for deploying large numbers of honeysites, i.e., websites that exist for the sole purpose of attracting and recording bot traffic. Through a seven-month-long experiment with 100 dedicated honeysites, Aristeus recorded 26.4 million requests sent by more than 287K unique IP addresses, with  of them belonging to clearly malicious bots. By analyzing the type of requests and payloads that these bots send, we discover that the average honeysite received more than 76,396 requests each month, with more than 50% of these requests attempting to brute-force credentials, fingerprint the deployed web applications, and exploit large numbers of different vulnerabilities. By comparing the declared identity of these bots with their TLS handshakes and HTTP headers, we uncover that more than 86.2% of bots are claiming to be Mozilla Firefox and Google Chrome, yet are built on simple HTTP libraries and command-line tools.

Outline: 
This talk is all about bot traffic on the web. The presentation will be broken-up as follows:

- Background: What are web bots? What is the difference between benign and malicious bots? What are malicious bots after? (exploiting vulnerabilities, stealing backups, scraping, etc.)

- Discovering bots on our web applications: How can we differentiate bots from users? How can we differentiate between benign and malicious bots?

- Details about our main experiment: Network of 100 honeysites, running different types of web applications, for the sole purpose of attracting web bot requests. How we built it, how we recorded data. Different techniques for identifying bots (client fingerprinting, payload classification, TLS stack fingerprinting, etc.)

- Results of the experiment: Number of bots, geographical distribution, how many bots are malicious, how many bots are benign, does bot activity increase or decrease over time? Do bots run JavaScript? Do they use command-line tools or are they instrumenting full-fledged browsers? Showing how our system-generated blocklist of IP addresses of malicious bots outperforms very popular OSINT lists.

Overall Learning Objectives for Attendees
- Being able to describe what malicious bots are after
- Knowing multiple techniques for fingerprinting malicious bots
- Understanding the basics of deploying bot-catching infrastructure in their organization, as a new source of blocklisting
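The comparison the abstract describes, a bot's declared identity checked against what its request actually looks like, in runnable form. This is an added example and not the Aristeus code: the browser-header list, the attack-path list and the sample requests are constructed assumptions for illustration, and a real deployment would add the TLS-stack fingerprinting the abstract mentions, which plain access logs do not carry.

```python
"""Classify honeysite requests by checking the declared User-Agent against the
rest of the request. Added example; lists and sample traffic are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Navigation requests from real Chrome/Firefox always carry these headers.
# A client that claims to be a browser but omits them is most likely an
# HTTP library or CLI tool wearing a borrowed User-Agent (assumption: list
# kept short for illustration).
BROWSER_HEADERS = {"accept", "accept-language", "accept-encoding"}
BROWSER_UA = re.compile(r"\b(Firefox|Chrome)/\d+")
TOOL_UA = re.compile(r"python-requests|curl/|Go-http-client|libwww-perl|masscan", re.I)
# Paths only ever requested to brute-force credentials, fingerprint the
# deployed application or probe well-known bugs (illustrative assumption).
ATTACK_PATH = re.compile(
    r"wp-login\.php|xmlrpc\.php|/\.env$|/\.git/|phpmyadmin|/etc/passwd|\.\./", re.I
)


@dataclass
class Request:
    ip: str
    method: str
    path: str
    headers: dict[str, str]  # header names lower-cased


def classify(req: Request) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is 'malicious', 'spoofed-browser' or 'bot'.
    A honeysite has no human visitors, so the baseline verdict is 'bot'."""
    reasons: list[str] = []
    ua = req.headers.get("user-agent", "")
    if ATTACK_PATH.search(req.path):
        reasons.append(f"attack path {req.path}")
    if req.method == "POST" and "login" in req.path.lower():
        reasons.append("credential brute force")
    claims_browser = bool(BROWSER_UA.search(ua))
    missing = sorted(BROWSER_HEADERS - req.headers.keys())
    if claims_browser and missing:
        reasons.append("claims browser but lacks " + ", ".join(missing))
    if TOOL_UA.search(ua):
        reasons.append("tool User-Agent")
    if any(r.startswith(("attack path", "credential")) for r in reasons):
        return "malicious", reasons
    if claims_browser and missing:
        return "spoofed-browser", reasons
    return "bot", reasons


def blocklist(requests: list[Request], min_hits: int = 1) -> list[str]:
    """IPs seen sending at least min_hits malicious requests: the raw material
    for the honeysite-derived blocklist the abstract mentions."""
    hits: dict[str, int] = {}
    for r in requests:
        if classify(r)[0] == "malicious":
            hits[r.ip] = hits.get(r.ip, 0) + 1
    return sorted(ip for ip, n in hits.items() if n >= min_hits)


# Constructed sample traffic (not real honeysite data).
SAMPLE = [
    Request("203.0.113.5", "POST", "/wp-login.php",
            {"user-agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/92.0.4515.107 Safari/537.36"}),
    Request("203.0.113.5", "GET", "/.env",
            {"user-agent": "python-requests/2.25.1", "accept": "*/*", "accept-encoding": "gzip"}),
    Request("198.51.100.7", "GET", "/",
            {"user-agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/91.0"}),
    Request("192.0.2.9", "GET", "/robots.txt",
            {"user-agent": "Mozilla/5.0 (compatible; Googlebot/2.1)", "accept": "*/*",
             "accept-language": "en", "accept-encoding": "gzip"}),
]

if __name__ == "__main__":
    for r in SAMPLE:
        verdict, why = classify(r)
        print(f"{r.ip:14} {r.method:4} {r.path:15} {verdict:16} {'; '.join(why)}")
    print("blocklist:", blocklist(SAMPLE))
```

The header check is deliberately conservative: it only fires when the client claims to be a browser, so a crawler that honestly identifies itself is left as a plain bot rather than pushed onto the blocklist.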

Speakers
avatar for Nick Nikiforakis

Nick Nikiforakis

Associate Professor, Stony Brook University
Dr. Nick Nikiforakis (PhD'13) is an Associate Professor in the Department of Computer Science at Stony Brook University. He leads the PragSec Lab, where his students conduct research in cyber security, with a focus on web security, web privacy, DNS security, attack-surface reduction... Read More →


Friday September 24, 2021 9:30am - 10:00am EDT
On-Line

9:30am EDT

Preventing an OWASP Top 10 in the world of AI
Abstract:
According to McKinsey & Company, by 2030, companies that fully absorb AI could double their cash flow. As AI continues to be deployed into complex settings (healthcare, transportation and financial services), policy makers have warned against the potential abuses of AI and ML for cybercriminals' gain. At the same time, the cybersecurity community has highlighted the benefits of using these algorithms to identify and defend against threats by automating the detection of and response to attempted attacks.

To prevent a future where OWASP releases a top 10 for AI threats, we need to broaden the conversation around how AI systems can themselves be secured, not just about how they weaken or augment data and network security. In this session, the speaker will offer the benefits of utilizing this emerging technology while illustrating some of its vulnerabilities. He will demonstrate how a simple AI chatbot, like those used by so many companies today, can be easily manipulated. He will also offer suggestions for protecting the algorithms from being compromised. The conversation will include practical ideas on how an organization should structure its AI program including: Whether to utilize Human In The Loop (HITL) to ensure that a person controls when to start or stop any action performed by an AI system; How best to lock down AI based on data classification policies; and Why it is important to analyze log data in real time to provide AI threat monitoring, event correlation and incident response.

Speakers
avatar for Aaron Ansari

Aaron Ansari

VP Cloud Security, Trend Micro
Aaron brings practical knowledge which allows him to deliver tailored solutions for his clients. This knowledge comes from over a decade as a security practitioner in the Financial Services vertical.  At BMW Financial Services, Aaron served as the Chief Security Architect. He oversaw... Read More →


Friday September 24, 2021 9:30am - 10:00am EDT
On-Line

9:30am EDT

Five philosophies to building better application logs
Abstract:
I would like to introduce you to the five philosophies of building application logs with future breaches in mind. These are by no means the only things to consider, and I could potentially write a book or two about my thoughts. I have dealt with teams who have suffered a compromise and had sensitive data disclosures. In my experience I have almost always used the logs; they can contain so much information, or they can contain equal amounts of noise. I am on a crusade to turn developers into ninja forensic coding logging forces of nature. I would like to deal with breaches in which care has been taken with the logs they produce, and not always mumble to myself, “It would have been nice to have better logs, or any logs for that matter.” It is easy to ask yourself the question as a developer: “Do you take into account that your application will be breached? Do you have enough information to determine what happened?” If you answered “I do not know” or “No”, reach out to me. I would like to set you on the path of building forensic and breach readiness into your application logs.

Speakers
avatar for Veronica Schmitt

Veronica Schmitt

Assistant Professor, Noroff University
Veronica started her forensic career in 2008.  She is the Director of Incident Response within DFIRLABS. Veronica is also an Assistant Professor at Noroff University. Veronica holds a Master in Science at Rhodes University in Information Security with specialisation in the forensic... Read More →


Friday September 24, 2021 9:30am - 10:00am EDT
On-Line

10:00am EDT

Rough Consensus - An OWASP Story
Speakers
avatar for Jeff Williams

Jeff Williams

Co-Founder and CTO, Contrast Security
Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and... Read More →


Friday September 24, 2021 10:00am - 10:30am EDT
On-Line

10:00am EDT

OWASP ModSecurity Core Rule Set Flagship Project
Speakers
avatar for Christian Folini

Christian Folini

Security Engineer, Partner, Netnea.com


Friday September 24, 2021 10:00am - 10:30am EDT
On-Line

10:00am EDT

Over 20 Years of SQL Injection Attacks in the Wild - Time to Refine and Optimize Web Attack Detection by Using Data Mining Techniques
Abstract:
SQL injection was initially introduced to the wild over 20 years ago, and some of the defensive capabilities, and the process of building and maintaining them, have stayed obsolete and manual. In this presentation, I will show how Content Delivery Network (CDN) logs classified as SQL injection attacks can be used to refine and optimize security rules, improve detection of future attacks, and detect emerging attacks targeting new vulnerabilities.
The process used includes elements taken from Natural Language Processing (NLP) to analyze SQL injection payloads, clean and curate them, break them into keywords, and find the best relations between them in order to gain new and valuable insights.

Speakers
avatar for Or Katz

Or Katz

Principal Lead Security Researcher, Akamai Technologies Inc.
Or Katz is a security veteran, with years of experience at industry leading vendors, currently serves as principal lead security researcher for Akamai. Katz is a frequent Speaker in security conferences and published numerous articles, blogs and white papers on threat intelligence... Read More →


Friday September 24, 2021 10:00am - 10:30am EDT
On-Line

10:00am EDT

Agile Threat Modeling with Open-Source Tools
Abstract:
How can we quickly capture the risk landscape of agile projects to ensure we didn't miss an important thing? Traditionally, this happens in workshops with lots of discussion and model work on the whiteboard. It's just a pity that it often stops then: Instead of a living threat model, a slowly but surely eroding artifact is created, while the agile project evolves at a faster pace.

In order to counteract this process of decay, something has to be done continuously, something like "Threat-Model-as-Code" in the DevSecOps sense. The open-source tool Threagile implements the ideas behind this approach: Agile developer-friendly threat modeling right from within the IDE. Models editable in developer IDEs and diffable in Git, which automatically derive risks including graphical diagram and report generation with recommended mitigation actions.

The open-source Threagile toolkit runs either as a command line tool or a full-fledged server with a REST-API: Given information about your data assets, technical assets, communication links, and trust boundaries as input in a simple to maintain YAML file, it executes a set of over 40 built-in risk rules (and optionally your custom risk rules) against the processed model. The resulting artifacts are diagrams, JSON, Excel, and PDF reports about the identified risks, their rating, and the mitigation steps as well as risk tracking state.

Agile development teams can easily integrate threat modeling into their process by maintaining a simple YAML input file about their architecture, and the open-source Threagile toolkit handles the risk evaluation.

Speakers
avatar for Christian Schneider

Christian Schneider

Freelancer, Christian Schneider
Christian has pursued a successful career as a freelance software developer since 1997 and expanded it in 2005 to include the focus on IT security. His major areas of work are penetration testing, security architecture consulting, and threat modeling. As a trainer, Christian regularly... Read More →


Friday September 24, 2021 10:00am - 10:30am EDT
On-Line

10:30am EDT

What Shall We Do With a Vendor SBOM?
The development and adoption of a Software Bill of Materials (SBOM) got a welcome boost from the White House’s Executive Order. Teams who have been working on this for years are addressing generation, standards, use cases, and more. Once they’re ready for consumption, though, what should an organization plan to do with them? Somebody set us up the SBOM, now what?
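One concrete answer to "now what?": inventory the components a vendor SBOM lists, match them against advisories, and flag the entries that are too vague to act on. This is an added example and not the speaker's material; the CycloneDX document, the package names and the advisory identifiers are all constructed for illustration, and the version comparison assumes plain dotted numeric versions.

```python
"""Consume a vendor SBOM (CycloneDX JSON): inventory, advisory match, triage.
Added example; SBOM, package names and advisory IDs are constructed."""
from __future__ import annotations
import json
from dataclasses import dataclass

# Constructed CycloneDX 1.4 document; 'example-widget' and 'vendor-blob' are fictional.
SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-widget", "version": "1.2.3",
     "purl": "pkg:npm/example-widget@1.2.3"},
    {"type": "library", "name": "example-widget", "version": "1.3.0",
     "purl": "pkg:npm/example-widget@1.3.0"},
    {"type": "library", "name": "example-widget", "version": "1.2.3",
     "purl": "pkg:maven/com.example/example-widget@1.2.3"},
    {"type": "library", "name": "vendor-blob"}
  ]
}
"""

# Constructed advisory: ecosystem + name + [introduced, fixed) version range.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "ecosystem": "npm", "name": "example-widget",
     "introduced": "1.0.0", "fixed": "1.3.0"},
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str | None
    purl: str | None  # package URL; the key that makes an entry actionable


def load_components(sbom_json: str) -> list[Component]:
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled in this example")
    return [Component(c["name"], c.get("version"), c.get("purl"))
            for c in doc.get("components", [])]


def parse_version(v: str) -> tuple[int, ...]:
    """'1.2.3' -> (1, 2, 3); non-numeric fragments count as 0 (assumption)."""
    out = []
    for part in v.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        out.append(int(digits) if digits else 0)
    return tuple(out)


def purl_ecosystem(purl: str) -> str:
    """'pkg:npm/example-widget@1.2.3' -> 'npm'."""
    return purl.removeprefix("pkg:").split("/", 1)[0]


def triage(components: list[Component], advisories: list[dict]) -> list[dict]:
    """Match identifiable components against advisories; flag unidentifiable ones."""
    findings = []
    for c in components:
        if not c.purl or not c.version:
            findings.append({"component": c.name,
                             "issue": "not actionable: no purl/version",
                             "action": "ask the vendor for an identifiable entry"})
            continue
        ver = parse_version(c.version)
        for adv in advisories:
            if (adv["ecosystem"], adv["name"]) != (purl_ecosystem(c.purl), c.name):
                continue
            if parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                findings.append({"component": c.purl, "issue": adv["id"],
                                 "action": f"upgrade to {adv['fixed']}"})
    return findings


if __name__ == "__main__":
    for finding in triage(load_components(SBOM_JSON), ADVISORIES):
        print(finding)
```

Two points a practitioner hits immediately: the same name in a different ecosystem (the Maven entry) is a different package and must not match an npm advisory, and a component with no purl or version cannot be matched against anything, so the useful output is a question back to the vendor rather than a false sense of coverage.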

Speakers
avatar for Wendy Nather

Wendy Nather

Head of Advisory CISOs, Cisco
Wendy Nather leads the Advisory CISO team at Cisco. She was previously the Research Director at the Retail ISAC, and Research Director of the Information Security Practice at 451 Research. Wendy led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation... Read More →


Friday September 24, 2021 10:30am - 11:00am EDT
On-Line

10:30am EDT

OWASP ESAPI – A Retrospective: The Good, the Bad, & the Ugly
Abstract:
This talk will explore the lessons that I have learned in more than 20 years of developing, using, and reviewing FOSS-based security libraries. It will cover the well known XYZ library from both an open source development process and a technical architectural perspective.

Speakers
avatar for Kevin Wall

Kevin Wall

Information Security Engineer, Wells Fargo
I have been involved in application security for almost the past 20+ years, but I still consider myself a developer first and an AppSec engineer second. During most of those past 20 years, I have specialized in applied cryptography and web AppSec. Before transitioning to AppSec, I... Read More →


Friday September 24, 2021 10:30am - 11:00am EDT
On-Line

10:30am EDT

Your code might be secure, but what about your pipeline? Challenges of securing build/deployment environment.
Abstract:
Traditionally Change Management is a very well-defined process. You can find hundreds of articles on the Internet explaining how each change should be properly requested, developed, tested and approved before being moved to the production environment.

Obviously, each of these steps requires documentation and formal approval (sign-off) from the appropriate person. This process gave security engineers several chances to ensure that changes do not introduce any new vulnerabilities and that the infrastructure to which the application is deployed is hardened and patched.

Security around the Change Management process gets a little bit more complicated for agile software development and DevOps methodologies where tens of small changes are introduced every day. Each of these small changes is being automatically tested from various perspectives and if everything goes as expected it gets deployed to the environment of your choice without human intervention.

Without any manual review in place, change management and security controls rely heavily on the fact that:

- humans cannot access sensitive environments in an uncontrolled manner
- application’s and infrastructure’s code is independently reviewed to avoid unauthorized changes and detect flaws
- pre-approved and verified artifacts are used while building applications to decrease the risk of insecure dependencies or malicious artifacts
- automated tests are performed by pipeline to detect defects or security issues

It goes without saying that the ability to circumvent any of the above mentioned controls may introduce unauthorized changes and security issues to the application.

This presentation will describe an often ignored area of application security: the security of the development environment. The presenter will share some common misconfigurations of the build/deployment environment which can have a significant negative impact on source code integrity and, as an ultimate result, on the security of the application itself.

Speakers
avatar for Marcin Szydlowski

Marcin Szydlowski

InfoSec Manager, PMI
Cyber Security enthusiast familiar with application security from both offensive and defensive perspective. As currently responsible for secure implementation of information systems in a global company, Marcin is able to share his experiences on secure system development in an environment... Read More →


Friday September 24, 2021 10:30am - 11:00am EDT
On-Line

11:00am EDT

Break
Friday September 24, 2021 11:00am - 11:30am EDT
On-Line

11:30am EDT

AppSec: from Outsiders to Allies
AppSec's roots lie in late-90s vulnerability research and the ultimate technology outsiders, hackers. Microsoft didn't even want to touch application security until customers threatened to stop buying over the monthly worms of the early 2000s. Then the threat space changed and attacks weren't just done for fun, but by criminal gangs and nation states. Critical bugs were monetized in the millions of dollars and led to national-level security events. In 2021 there is a realization that the security of the software the government purchases has a lot to do with how secure the government is. Now almost every development team needs some AppSec and they want it tightly embedded in their development process. This talk will discuss how we got here and how we need to work as allies with the software development team.

Speakers
avatar for Chris Wysopal

Chris Wysopal

Chief Technology Officer, Veracode
Chris Wysopal, Veracode's CTO and co-founder, is responsible for the company's software security analysis capabilities. One of the original vulnerability researchers and a member of L0pht Heavy Industries, he has testified on Capitol Hill in the US on the subjects of government computer... Read More →


Friday September 24, 2021 11:30am - 12:30pm EDT
On-Line

12:30pm EDT

The future of Dev[Sec]Ops transformation
Speakers
avatar for Larry Maccherone

Larry Maccherone

DevSecOps Transformation, Contrast Security
Larry is a thought leader on DevSecOps. At Comcast, he launched and scaled the DevSecOps Transformation program over five years, and is now at Contrast helping organizations empower development teams to take ownership of security. Larry was a founding Director at Carnegie Mellon's... Read More →


Friday September 24, 2021 12:30pm - 1:00pm EDT
On-Line

12:30pm EDT

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security
Speakers
avatar for Dan Cornell

Dan Cornell

VP of Product Strategy, Coalfire
A globally recognized software security expert, Dan Cornell has over 20 years of experience architecting, developing and securing software systems. As Vice President of Product Strategy at Coalfire, Dan works with customers and industry partners to help drive the direction of their... Read More →


Friday September 24, 2021 12:30pm - 1:00pm EDT
On-Line

12:30pm EDT

OWASP CSRFGuard Flagship Project
Speakers
avatar for Azzeddine Ramrami

Azzeddine Ramrami

Senior Security Architect, IBM Security
avatar for Albert-Tóth István

Albert-Tóth István

DevSec Education Head, ProjectDiscovery.io


Friday September 24, 2021 12:30pm - 1:00pm EDT
On-Line

12:30pm EDT

Common NGINX Misconfigurations That Leave Your Web Server Open To Attack
Abstract:
NGINX is the web server powering one-third of all websites in the world. Detectify's Security Research team analyzed almost 50,000 unique NGINX configuration files downloaded from GitHub with Google BigQuery and discovered common misconfigurations that, if left unchecked, leave your web site vulnerable to attack. This training will walk through the most common issues, including demos and remediation tips for securing your web servers.

Speakers
avatar for Spencer Pearlman

Spencer Pearlman

Security Research at Detectify, Detectify
Spencer Pearlman is a Security Researcher with Detectify. His past experience includes Security Analyst work with NBCUniversal, iOS engineering for an AR startup based in LA and he likes Bitcoin... like probably too much. The Detectify Security Research team is led by Tom "TomNomNom... Read More →


Friday September 24, 2021 12:30pm - 1:00pm EDT
On-Line

1:00pm EDT

Everything You Always Wanted to Know About Fingerprinting Browser Extensions, But Were Afraid to Ask
Abstract:
More and more users are finding out about browser fingerprinting and how trackers can use it to supplement or altogether replace cookie-based tracking. In this talk, we will explore the landscape of a specific kind of browser fingerprinting, namely browser-extension fingerprinting. Since users explicitly choose which extensions to install, the discovery of a user's extensions can reveal sensitive socioeconomic properties about that user, such as their level of income, their political leanings, their technical expertise, and even their religion. Moreover, since different users install different sets of browser extensions, the set of extensions of a given user can be straightforwardly turned into that user's fingerprint. We will go over the different techniques that are available for fingerprinting browser extensions (including web-accessible resources, DOM modifications, stylesheet hijacking) and what modern browsers are doing in order to protect their users against fingerprinting.

Speakers
avatar for Nick Nikiforakis

Nick Nikiforakis

Associate Professor, Stony Brook University
Dr. Nick Nikiforakis (PhD'13) is an Associate Professor in the Department of Computer Science at Stony Brook University. He leads the PragSec Lab, where his students conduct research in cyber security, with a focus on web security, web privacy, DNS security, attack-surface reduction... Read More →


Friday September 24, 2021 1:00pm - 1:30pm EDT
On-Line

1:00pm EDT

AppSec Timeline: Wins, Failures, Promises, and Predictions
Abstract:
On its 20th anniversary, the AppSec marketspace can boast an impressive, multi-billion-dollar size. Yet after 20 years, other security markets, such as Network Security, are much larger. On one hand, DevSecOps signifies a broad adoption of AppSec. Yet on the other hand, the stubborn statistics show that the percentage of critical vulnerabilities in our applications is pretty much the same as 20 years ago. AppSec history has been anything but a triumph. Are we on the path to triumph now? What trends give us clues to the future of AppSec? In this presentation, we will review wins and failures of AppSec over the last 20 years, analyze their causes and consequences, inspect promises, and set up predictions for the years to come.

Speakers
avatar for Joseph Feiman

Joseph Feiman

Chief Strategy Officer, NTT Application Security
Joseph Feiman is widely credited with co-founding and shaping the AppSec marketspace. He gave names to the major AppSec technologies, such as SAST, DAST, IAST, SCA, and RASP. As Gartner Fellow and lead AppSec analyst, he founded AppSec Testing Magic Quadrant, ranked vendors, evolved... Read More →


Friday September 24, 2021 1:00pm - 1:30pm EDT
On-Line

1:00pm EDT

Unlocking Mobile App Security Secrets
Abstract:
Mobile game cheats have become widely accessible. Whether in the form of walking through walls in games like Among Us, bypassing payments or installing paid apps for free, cheats are now common practice.

In this presentation, we explore the underlying techniques used to hack and cheat popular games and discuss how the techniques apply across all industries.

We highlight the top three most common areas of compromise, identify several countermeasures for each area, and include concrete tips for implementing them successfully in your iOS or Android app.

The key takeaway? The same key principles we use to counter game cheats and hacks can be used to protect all types of mobile applications – from healthcare, to e-commerce, to banking and beyond!

Speakers
avatar for Jan Seredynski

Jan Seredynski

Mobile Application Security Engineer, Guardsquare
Jan Seredynski is a mobile security researcher and pentester with more than five years of experience in mobile app development. He has advised the top UK banks on secure architecture and anti-tampering techniques. Having reverse engineered and analyzed over 1,300 apps, he has given... Read More →


Friday September 24, 2021 1:00pm - 1:30pm EDT
On-Line

1:30pm EDT

OWASP DefectDojo Flagship Project
Speakers
avatar for Matt Tesauro

Matt Tesauro

Security Engineer, Citizen of the World
Matt Tesauro is currently rolling out AppSec automation at a major financial institution and is a founder of 10Security.  Prior work included the Director of Community and Operations at the OWASP Foundation, Senior AppSec Engineer building an AppSec Pipeline and continuous security... Read More →
avatar for Aaron Weaver

Aaron Weaver

Director of Cloud Security, Financial Services


Friday September 24, 2021 1:30pm - 2:00pm EDT
On-Line

1:30pm EDT

How To Review Code For Vulnerabilities
Abstract:
Performing a source code review is one of the best ways to find security issues in an application. But how do you do it?

First, what are the main concepts that you should be familiar with before diving into code review? And where do you even start reviewing code? What strategies are there to identify different types of vulnerabilities? Are there any ways to automate the process?

In this talk, I will go through the basics of how to review an application’s source code to find vulnerabilities and introduce some strategies to review your application. You will also get the chance to practice reviewing a few pieces of code yourself. By the end of this presentation, you should be able to start identifying vulnerabilities in your applications!

Speakers
Vickie Li

Developer Evangelist, ShiftLeft Inc
Vickie Li is the resident developer evangelist at ShiftLeft. She is an experienced web developer with an avid interest in security research. She can be found on https://vickieli.dev, where she blogs about security news, techniques, and her latest bug bounty findings. She also hosts...


Friday September 24, 2021 1:30pm - 2:00pm EDT
On-Line

1:30pm EDT

Looking at 4 years of web honeypot attacks: tactics, techniques and trends
Abstract:
We’ve collected over 9 million events from hundreds of web honeypots around the world for the past 52 months. This session will present the results of our analysis of that data to help answer the question: what attacks should I expect?
Using this honeypot data, we’ve been able to identify specific CVEs being targeted in large global attack campaigns. From this, we have clues on attacker tactics regarding which platforms and technologies receive attention time after time, and which fade from usage. This kind of data is vital in building a data-driven defense.
Attendees will also learn what kinds of attacks are commonplace on the Internet, so the ones targeting them uniquely will stand out. We will explain techniques to investigate and classify web attack log traffic at scale.
To quote Deming: In God we trust. Everyone else, bring data. We’re bringing the data.

Speakers
Malcolm Heath

Senior Threat Research Evangelist, F5 Networks
Malcolm Heath is a Senior Threat Researcher with F5 Labs. His career has included incident response, program management, penetration testing, code auditing, vulnerability research, and exploit development at companies both very large and very small. Prior to joining F5 Labs, he was...
Raymond Pompon

Director F5 Labs, F5 Networks
Raymond Pompon is currently the Director of F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has been directly involved in several major intrusion cases including the FBI undercover...


Friday September 24, 2021 1:30pm - 2:00pm EDT
On-Line

1:30pm EDT

Common Application Security Mistakes that Enable Automated Attacks
Abstract:
Our customers are constantly battling automated attacks against their applications. Retail fraud, romance scams, account takeover and many other problems can arise from simple security mistakes. In this talk I take a look at billions of transactions and break down the mistakes that allowed automated attacks to flourish, and how we stopped them.

Speakers
Jason Kent

Hacker In Residence, Cequence Security
For over 20 years, Jason has been ethically peering into client behavior, wireless networks, web applications, APIs and cloud systems, helping organizations secure their assets and intellectual property from unauthorized access. As a consultant he's taken hundreds...


Friday September 24, 2021 1:30pm - 2:00pm EDT
On-Line

2:00pm EDT

Fight Club | Grow your OWASP Chapter
So you want to organize like-minded people to focus on open-source software, and you’re looking for tips, tricks and suggestions. Join this session to learn from two decades of experience. During the session, we will discuss various chapters around the world and what has made them succeed or fail.

Speakers
Tom Brennan

Managing Partner, ProactiveRISK
Tom Brennan is the CIO of a 90-year-old law firm, a partner in a cybersecurity solutions company, and leads the U.S. arm of CREST International. In this role, he works with government and commercial organizations to optimize the value of CREST as a cybersecurity accreditation body...


Friday September 24, 2021 2:00pm - 2:30pm EDT
On-Line

2:00pm EDT

OWASP Cheat Sheet Series Flagship Project
Speakers
Jim Manico

CEO and Application Security Architect, Manicode Security


Friday September 24, 2021 2:00pm - 2:30pm EDT
On-Line

2:00pm EDT

Bot or human? Detecting malicious bots with machine learning in 2021
Abstract:
Detecting malicious bots has become an extremely complex task. Bot developers deliberately design their software to bypass bot detection systems. They attack from perfect browsers and mobile apps, leveraging exactly the same browsers as humans or headless browsers like Headless Chrome. They know how to forge attributes that are commonly used for bot detection: they manipulate HTTP headers, their values and their order, and change their browser fingerprints. Bad bots are also distributed in extremely elaborate ways. Many use residential IPs with excellent reputations, and they make very few requests per IP — sometimes only one. Finally, the best bots perfectly mimic human behavior. For example, they can imitate realistic mouse movements and keystrokes, using generative adversarial networks.

So what does it take to efficiently distinguish advanced bots from real humans?

This talk will reveal the inner workings of a modern bot detection engine. We will see which signals are collected, and how they are enriched. We will discuss why it is mandatory to analyze both server-side and client-side signals. We will explore the challenges of authenticating good bots, and how to detect frameworks such as Puppeteer extra stealth, Playwright, Selenium and Headless Chrome. Finally, we will take a deep dive into machine learning approaches for bad bot detection, with a demonstration of how the respective strengths of supervised and unsupervised machine learning can be combined for maximum predictive accuracy.

Outline:
1. Intro: What does a bad bot look like in 2021?
1.1. Bots use perfect browsers and apps
1.2. Bots attack from clean IP addresses
1.3. Bots run on real devices
1.4. Bots behave like humans

2. Overview of current bot detection techniques
2.1. Signals: why you need both server-side and client-side signals
2.2. IP reputation: how to extract valuable data from the humble IP address
2.3. So you say you’re Google? Authenticating good bots
2.4. Signature-based detection for simple bots
2.5. Detecting advanced bots with machine learning

3. Deep dive: Machine learning approaches for bot attack detection
3.1. Detecting proxies, forged headers, URL browsing, and more with supervised ML
3.2. Detecting Captcha farms with semi-supervised ML
3.3. Outlier detection with unsupervised ML
3.4. Detection techniques for single-request attacks

4. Feedback loops: managing false positives and preserving the human user experience

Speakers
Benjamin Fabre

CTO, DataDome
Benjamin is the CTO of DataDome, co-founded with Fabien Grenier in 2015. A serial entrepreneur, he has specialized, over the past 15 years, in scalable web infrastructures, AI-powered data stream processing and SaaS technologies. TrendyBuzz, his previous company, was acquired in 2014...
Antoine Vastel

Engineering Manager, DataDome
Antoine Vastel is an Engineering Manager at DataDome, overseeing the Threat Research team. In this role, he focuses on improving DataDome's real-time bot detection engine through different approaches, such as behavioral detection, HTTP/browser fingerprinting, (Residential) proxies/Infected...


Friday September 24, 2021 2:00pm - 2:30pm EDT
On-Line

2:00pm EDT

Kubernetes Security: Attacking and Defending K8s Clusters
Abstract:
This presentation aims to talk about different attack scenarios leveraging Kubernetes clusters. We'll dig deeper into a real-world attack scenario using real-world applications to demonstrate different ways attackers and malicious users can use to exploit your cluster and the applications running on it. But first, we’ll give an overview of Kubernetes and its architecture, covering the main components of the Control Plane and the Worker Nodes. Then, we'll use the K8s Threat Matrix and the MITRE ATT&CK for Containers published this year to discuss the Tactics, Techniques and Procedures of the Recon, Exploitation and Post-Exploitation phases. After that, we'll provide some best practices for securing your cluster based on the scenarios and the CIS Benchmarks for Kubernetes. We'll show how to use Role-based access control (RBAC) for access control, how to enable audit logs for security and troubleshooting, and we'll set up some network policies to restrict communication between pods and prevent lateral movement by attackers.

Speakers
Magno Logan

Information Security Specialist, Trend Micro
Magno Logan works as an Information Security Specialist for Trend Micro. He specializes in Cloud, Container, and Application Security Research, Threat Modelling, and Red Teaming. In addition, he has been tapped as a resource speaker for numerous security conferences around the globe...


Friday September 24, 2021 2:00pm - 2:30pm EDT
On-Line

2:30pm EDT

OWASP Amass Flagship Project
Speakers
Jeff Foley

Senior Security Engineering Officer, Citi


Friday September 24, 2021 2:30pm - 3:00pm EDT
On-Line

2:30pm EDT

OWASP DefectDojo - the Heart of your AppSec Automation
Abstract:
You’re tasked with ‘doing AppSec’ for your company and you’ve got more apps and issues than you know how to deal with. How do you make sense of the different tools' outputs for all your different apps? DefectDojo can be your one source of truth and become the heart of your AppSec automation program.

DefectDojo grew out of a Product Security program 8 years ago and was created by AppSec people for AppSec people. In this talk, you’ll learn about DefectDojo and how to make the most of the many features it offers including its REST-based API. DefectDojo can be your one source of truth for discovered security vulnerabilities, report generation, aggregation of over 100 different security tools, inventory of applications, tracking testing efforts and metrics on the AppSec program. DefectDojo was the heart of an AppSec automation effort that saw an increase in assessments from 44 to 414 in two years. Don't you want 9.4 times more output from your AppSec program? It's time to ditch spreadsheets and get DefectDojo.

Speakers
Matt Tesauro

Security Engineer, Citizen of the World
Matt Tesauro is currently rolling out AppSec automation at a major financial institution and is a founder of 10Security. Prior work included the Director of Community and Operations at the OWASP Foundation, Senior AppSec Engineer building an AppSec Pipeline and continuous security...


Friday September 24, 2021 2:30pm - 3:00pm EDT
On-Line

2:30pm EDT

The future is simple - introducing the CRE
Abstract:
This presentation marks the official go-live of the Common Requirement Enumeration initiative, as an interactive linking platform across standards and guidelines.
Software is becoming more important for us every day, and at the same time software security is complex and not getting any easier. This is our calling as appsec professionals. To deal with this, we have built great tools and helpful standards and guidelines. But because there is no single silver bullet, we now face the big challenge to combine all these separate solutions into an integrated approach – to make it easier for the experts, but above all: to bring application security within reach of a larger group of people. This is essential because the shortage of application security superheroes is not expected to go away. Therefore, the key to a secure future is to make appsec more accessible. More simple.
Unfortunately, making things simple is not easy. Within OWASP, an initiative to drive integration has started in 2020, with the Integration standards project. Its goal is to link and align key standards (OWASP and others), by providing a unified framework to attain more consistency, completeness, overview and clarity.
One of the results has been the AppSec Wayfinder: an interactive map of the key OWASP projects.
Another, more substantial effort is the Common Requirement Enumeration (CRE): a semantic web that links standards at the level of topics, within OWASP and beyond (NIST, PCI-DSS, ISO/IEC, MITRE, CIS, etc.). The CRE ties all standards and guidelines together and allows people to jump from source to source to learn more on a specific subject. For example, the CRE links an ASVS check to the corresponding Testing Guide section, with the right Cheat Sheet, Proactive Control and Top 10 entry.
This meta-mapping is self-maintaining, so when standards refer to other standards using the CRE: those links will automatically stay up to date. The important side-effects of this integration are increased consensus, more clarity and a mutual understanding of what application security is for developers, ops, testers, security teams, management, procurement and other stakeholders, across domains. No more silos. The future is simple.
This presentation officially launches the CRE, discusses the extensive research that has been done on the landscape of appsec standards and describes how alignment is created through the unified CRE framework - positioning OWASP as a driver of community-based global consensus.


Speakers
Rob van der Veer

Principal consultant, Software Improvement Group
Rob van der Veer has a 25 year background in building secure software and running software businesses. Cyber security and privacy have been constant themes in his career, from hacking into the British RAF in 1986, to building AI solutions for national security. At the Software Improvement...
Spyros Gasteratos

AppSec Tech Lead Manager, Thought Machine


Friday September 24, 2021 2:30pm - 3:00pm EDT
On-Line

2:30pm EDT

Automated Finding Correlation where do SAST, DAST and IAST overlap
Abstract:
Did you ever wonder what the overlap is between different scanning technologies? Why should you use a few different technologies, and is there a single technology to rule them all?
Well, we did wonder about this exact topic and decided to once and for all find an answer.
We knew that the information included in an IAST finding can be used to uniquely identify issues reported by DAST and SAST. We have built an automated correlation service that goes over vulnerabilities reported by the three technologies and automatically matches findings.
In this session, you will learn about our findings. Did we find a significant overlap? Which issue types are more commonly detected by one technology over the other? And is there one technology to rule them all?
You will also learn about the value such correlation brings, whether you are a developer or security expert, and how using more technologies can actually reduce your work and shorten the time for remediation.

Speakers
Ran Klein

Product Manager, HCL Technologies
Ran started his professional journey in the IDF Unit 8200. Since then, he has had the opportunity to act as a developer, product manager, and entrepreneur in cyber and analytics domains. Today Ran is leading AppScan's IAST technology both as a stand-alone AST solution and as a...
Eitan Worcel

Head of Product, AppScan, HCL
Eitan has nearly 15 years of experience in Application Security, both as a developer and as a product manager in HCL AppScan's product suite. He has worked with a wide range of customers, assisting them in their quests to build secure web applications. Eitan now leads HCL AppScan’s...


Friday September 24, 2021 2:30pm - 3:00pm EDT
On-Line

3:00pm EDT

Break
Friday September 24, 2021 3:00pm - 3:30pm EDT
On-Line

3:30pm EDT

20:20 - The History and Future of OWASP
20 years ago I was moderating the webappsec mailing list on securityfocus and had just started a new job running application security at Charles Schwab, when the CIO came running down the hall demanding to speak to the new guy. He wanted to know why we were in the Wall Street Journal and what I was going to do about it. I felt like I had been framed. After fending off ambulance chasers and wading through marketing “bull shiitake” from vendors, I realized there was a gap that needed to be filled. OWASP was born. No real plan, no real goal, armed with just a belief that the world needed better information, I sent out a call to action for like-minded people to get involved. The rest, as they say, is history. Looking back, it’s been an amazing success story of a community that has had a significant positive impact on the world during a time when development technology and the threat landscape have changed beyond recognition. What was critical to OWASP's success and how should it evolve over the next 20 years? We will take a walk down memory lane, stargaze into the future and leave with an updated call to action for the next twenty years.

Speakers
Mark Curphey

Co-Founder and CTO, Open Raven
Mark is the founder of OWASP, founder and CEO of SourceClear (acquired by Veracode in 2018) and now the co-founder of Open Raven (https://www.openraven.com), a data security company. He is a British ex-pat currently living in San Francisco and usually found riding a bicycle.


Friday September 24, 2021 3:30pm - 4:30pm EDT
On-Line

4:30pm EDT

Decoded: Leverage Cybersecurity as a Business Enabler
Speakers
Nicole Dove

Business Information Security Officer, WarnerMedia
Nicole Dove is a cybersecurity leader, speaker, university lecturer & host of the Urban Girl Corporate World podcast. As Business Information Security Officer at WarnerMedia, she collaborates with executives to manage the cybersecurity strategies of CNN Digital, Turner Sports, Bleacher...


Friday September 24, 2021 4:30pm - 5:00pm EDT
On-Line

4:30pm EDT

OWASP Dependency Track Flagship Project
Speakers
Steve Springett

Senior Manager - Product Security, ServiceNow


Friday September 24, 2021 4:30pm - 5:00pm EDT
On-Line

4:30pm EDT

Creating an IoT-connected Mobile App Compliance Program Leveraging OWASP MASVS
Abstract:
The OWASP MASVS specification is the ultimate guide for mobile app security. In late 2020, Google, NowSecure, Amazon and other IoT device manufacturers as part of the ioXt Alliance partnered to create a mobile app protection profile specifically for security certification of mobile apps connected to IoT devices. From the start, the team of security veterans, who were well versed in the OWASP MASVS, sought to build upon the OWASP community work - with a specific focus on the unique needs of IoT-connected mobile apps. The outcome of this fast work launched in April 2021 with numerous IoT manufacturers already certified. Join this session led by Brooke Davis, Google Android Security Team and Brian Reed, Chief Mobility Officer at NowSecure to learn the inside story about the journey of creating this unique certification program and how to create your own security testing program for mobile apps connected to things.

Speakers
Brian Reed

Chief Mobility Officer, NowSecure
As Chief Mobility Officer, Brian Reed leads the mobile DevSecOps charge at NowSecure helping orgs deliver secure mobile apps faster. He brings decades of experience in mobile, apps, security, dev, operations and standards helping Fortune 2000 global customers and mobile DevSecOps...


Friday September 24, 2021 4:30pm - 5:00pm EDT
On-Line

5:00pm EDT

OWASP Top 10 Flagship Project "The making of the OWASP Top 10 and beyond"
Ever wonder how the bread is made? We'll take you back into the kitchen so you can see how the Top 10 2021 was made. We'll walk through the process of which decisions were made and why. Covering data collection, survey, data analysis, categorization, drafts, reviews, and the released product. This talk is not about what's in the Top 10, check out the earlier talk for that discussion; this talk is about what went into making the Top 10 2021.


Speakers
Brian Glas

Assistant Professor Of Computer Science, Union University
Brian has over 20 years of experience in various roles in IT and over a decade and a half of that in application development and security. His day job is serving as an Assistant Professor teaching a full load of Computer Science and Cybersecurity classes at Union University. He helped...


Friday September 24, 2021 5:00pm - 5:30pm EDT
On-Line

5:00pm EDT

Developers Struggle with Application Security (and How to Make It Better)
Abstract:
We’ve all heard the buzz around pushing application security into the hands of developers, but if you’re like most companies, it has been hard to actually make this a reality. You aren’t alone - putting the culture, processes, and tooling into place to make this happen is tough. Join StackHawk CSO Scott Gerlach as he shares his triumphs and failures while building DevSecOps practices and tools at companies such as GoDaddy, SendGrid, and Twilio. Dig into specific reasons why developers struggle with AppSec and what you can do to make it work better. Whether you’re a seasoned DevSecOps pro or just starting out, this will be an entertaining (and judgement-free!) talk you won’t want to miss!


Speakers
Scott Gerlach

Co-Founder and Chief Security Officer, StackHawk
Scott Gerlach is Co-founder and Chief Security Officer at StackHawk, a Denver-based startup focused on empowering engineers to easily identify and remediate security bugs. Scott brings over two decades of security and engineering experience to his current role, having served as CSO...


Friday September 24, 2021 5:00pm - 5:30pm EDT
On-Line

5:30pm EDT

OWASP Dependency-Check Flagship Project
Speakers
Jeremy Long

Principal Engineer


Friday September 24, 2021 5:30pm - 6:00pm EDT
On-Line

5:30pm EDT

These are the Vulns You are Looking For: AppSec Champions & Jedi Mind Tricks
Abstract:
AppSec champions programs exist in virtually every organization that builds a ton of software and is security paranoid. These programs use informal influence and the art of persuasion to get software developers to write more secure applications. Many programs originate from the bottom up and lack strong organizational mandates – that’s where the Jedi Mind tricks come in.

AppSec champions may be widely implemented, but in general there is a lack of data on what organizations are actually doing in the field. The results of a nine-month research survey attempt to change that, with first-ever data on the common denominators of leading-edge AppSec champions programs published. The structured research project involved 26 of the most innovative AppSec programs. Many, if not most, were operating in isolation with no benchmarking data or widely understood best practices.

This session will identify the common denominators that we observed in the survey respondents, including emerging best practices around identification and recruiting of champions, how security organizations trained champions, and how they communicated with champions in the field. Finally, return on investment responses are included to provide insight into how organizations are measuring success around their programs.

This data provides certain recommendations about how security leaders should further build these programs to get upstream of the “vulnerability production engine” that creates additional attack surface. An emphasis will be placed on how attendees can take the survey results and use them for further justification for their own programs.

We’re not remotely close to solving the secure development problem. AppSec champions help win the hearts and minds of developers, who are ultimately the ones who solve this issue. The hope is that, armed with AppSec champions numbers and best practices, attendees will be better equipped to help their development colleagues via AppSec champions programs.

Speakers
John Dickson

VP, Coalfire
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group...


Friday September 24, 2021 5:30pm - 6:00pm EDT
On-Line

6:00pm EDT

OWASP CycloneDX Flagship Project
Speakers
Steve Springett

Senior Manager - Product Security, ServiceNow
Patrick Dwyer

OWASP CycloneDX SBOM Project Lead


Friday September 24, 2021 6:00pm - 6:30pm EDT
On-Line

6:00pm EDT

Running a local Chapter
Abstract:
In this non-technical talk, we'll discuss the behind-the-scenes life of a chapter President: getting speakers, volunteers and sponsors, running meetups, finding venues, coordinating with the OWASP Foundation, allocating funds, and attracting an engaged audience, all while increasing revenue and having fun.

Speakers
Serge Borso

CEO, SpyderSec
When it comes to web application security and penetration testing, Serge is among the best possible instructors to learn from due to his experience, accomplishments, and, quite frankly, his personality. Duplicate badges to walk right through security and access a "secure" facility...


Friday September 24, 2021 6:00pm - 6:30pm EDT
On-Line

6:30pm EDT

All your Ether belong to us (a.k.a Hacking Ethereum-based DApps)
Abstract:
Blockchain technology is extremely fascinating. It has captured our imaginations because of its huge potential to revolutionize industries such as logistics, food safety, music, insurance, banking, and even voting systems; however, its adoption is still very scarce. The reason is simple: blockchains are complex for end users to use.

During recent years, decentralized applications (DApps) have been emerging as candidates to change the rules of the game, mainly because of their ease of use and capability to leverage the full power of blockchains. The big question is... are DApps really secure?

This presentation will show how Ethereum-based DApps work, the technology behind them and some of their most common vulnerabilities. The ultimate goal will be to understand how to attack these applications and, especially, what to do to be protected.

Speakers
Luis Quispe Gonzales

Lead Offensive Security Engineer, Halborn
Luis Quispe Gonzales is Lead Offensive Security Engineer at Halborn, a blockchain-specialized cybersecurity company. He has more than 11 years of professional experience in cybersecurity consulting, with clients belonging to banking, finance, energy, and mass consumption sectors...


Friday September 24, 2021 6:30pm - 7:00pm EDT
On-Line

7:00pm EDT

Break
Friday September 24, 2021 7:00pm - 7:30pm EDT
On-Line

7:30pm EDT

TBD
Speakers
Eva Galperin

Director of Cybersecurity, EFF
Eva Galperin is EFF's Director of Cybersecurity. Prior to 2007, when she came to work for EFF, Eva worked in security and IT in Silicon Valley and earned degrees in Political Science and International Relations from SFSU. Her work is primarily focused on providing privacy and security...


Friday September 24, 2021 7:30pm - 8:30pm EDT
On-Line

8:30pm EDT

Live Q&A Session



Speakers
Troy Hunt

Information Security Author & Instructor, Pluralsight
Troy Hunt is an Australian security researcher and founder of the data breach notification service, Have I Been Pwned. Troy has a background in software development specialising in information security and is a regular conference speaker and trainer. He regularly appears in the media...


Friday September 24, 2021 8:30pm - 9:00pm EDT
On-Line

8:30pm EDT

Security As Code - The New Model Of Achieving Security At Scale
Speakers
Dr. Chenxi Wang

Founder and General Partner, Rain Capital
Dr. Chenxi Wang is the Founder and General Partner of Rain Capital, a Silicon Valley-based venture fund focused on Enterprise Software and Cybersecurity investments. A well-known operator, technologist, and thought leader in the Cybersecurity industry, Dr. Wang is a member of the...


Friday September 24, 2021 8:30pm - 9:00pm EDT
On-Line

8:30pm EDT

Using binary search algorithms for blind SQL injection
Abstract:
When you started programming, did you ever wonder, "When will I use this in real life?" I remember my first programming courses, where they gave me exercises with techniques that I personally never thought I could apply to real life, let alone to the world of pentesting. Then, running some white box tests, I found a manual blind SQL injection, but it was very slow, very tedious and, as you can imagine, very noisy. So I decided to apply this algorithm to my script, finding that all that knowledge was not in vain, and that I could apply it in my day to day. This is the story.

Speakers
Juan Pablo Quiñe Paz

Manager Security Architect, BCP
Strategist specialized in Cybersecurity and Innovation, with more than 20 years of experience in the field, working for public and private companies, and providing various services for companies in areas such as Banking, Telecommunications, Energy and Health in several countries of...


Friday September 24, 2021 8:30pm - 9:00pm EDT
On-Line

9:00pm EDT

Redefining Threat Modeling: Security team goes on vacation
Speakers
Jeevan Singh

Security Engineering Manager, Segment
Jeevan Singh is a Security Engineering Manager for Segment, where he is embedding security into all aspects of the software development process. Jeevan enjoys building a security culture within organizations and educating staff on security best practices. Jeevan is responsible for...


Friday September 24, 2021 9:00pm - 9:30pm EDT
On-Line

9:00pm EDT

Hack Your APIs in 15 Minutes or Less
Abstract:
This talk will discuss one of many methods that are used in the wild to target Shadow APIs and export large volumes of data with a few clicks of a button (or a few lines of Python code :). Attendees will learn about a very basic yet not-so-obvious problem in securing data, and how hackers are using creative methods to steal large volumes of data.

Speakers
Himanshu Dwivedi

Co-Founder and Chief Executive Officer, Data Theorem
Himanshu Dwivedi is the CEO of Data Theorem, Inc., an application security company focusing on API Security (RESTful & GraphQL), mobile apps (iOS & Android), Cloud Apps (Serverless), and Single Page WebApps (SPAs). Himanshu has been an avid start-up entrepreneur since 1999, where he...


Friday September 24, 2021 9:00pm - 9:30pm EDT
On-Line

9:30pm EDT

Security Metrics: Protecting Our Digital Assets of the Future
Abstract:
Caroline Wong, Chief Strategy Officer at Cobalt, holds deep-rooted expertise in information security. She began her security career about 15 years ago, leading security teams at eBay and Zynga. Since then, she has run a global product management team at Symantec, and has been a management consultant at an application security company called Cigital, which was later acquired by Synopsys.

In this talk, Caroline will discuss the different roles that people, processes, and technology play when it comes to securing the world’s digital assets of the future. In particular, Caroline will discuss security metrics, and the importance of establishing a framework to measure whether or not your organization’s cybersecurity program is accomplishing its goals and maintaining compliance over time.

This past year has seen more vulnerabilities than ever before, bringing new and urgent challenges for security leaders to adapt to on a daily basis. Covid precipitated a virtually overnight shift to remote working, catching many organizations by surprise. In fact, the U.N. reported that cybercrime increased by 600% during the pandemic. Due to this rapidly changing environment, organizations’ security metrics must evolve quickly, yet sustainably, to meet the needs of evolving vulnerabilities and technology. Throughout Caroline’s talk, she will outline the evolution of security metrics, as well as how organizations can set a framework for successful monitoring in today’s cybersecurity world. Major points will include:

- Why effective security metrics focus less on the numbers and more on the overall stories and messages behind a program’s performance.
- Why every organization has to determine a budget when discussing how to invest in areas, such as data security, for the long run. For example, if you put a dollar toward an information security program, that means you’re not putting that same dollar into engineering, marketing, sales, or other areas that might be more clearly understood by an executive.
- Why security metrics provide quantifiable and qualitative insight into a security program’s performance, and can be an extremely valuable asset for security teams asking for additional investment and resources.

Security metrics, and how they can be implemented within an organization, is a topic that has fascinated Caroline since early on in her career, leading to ample research and exploration. In fact, Caroline wrote a book with McGraw Hill in 2011 entitled “Security Metrics: A Beginner’s Guide,” and plans to produce a new OWASP course about security metrics over the next few months.

Speakers

Caroline Wong

Chief Strategy Officer, Cobalt
Caroline Wong is the Chief Strategy Officer at Cobalt. As CSO, Caroline leads the Security, Community, and People teams at Cobalt. She brings a proven background in communications, cybersecurity, and experience delivering global programs to the role. Caroline’s close and practical...


Friday September 24, 2021 9:30pm - 10:00pm EDT
On-Line

10:00pm EDT

Purple Teaming with OWASP Purpleteam
Abstract:
What is OWASP purpleteam?

purpleteam is a security regression testing CLI and SaaS targeting Web applications and APIs.
The CLI is specifically targeted at sitting within your build pipelines but can also be run manually.
The SaaS that does the security testing of your applications and/or APIs can be deployed anywhere.

Kim will briefly discuss the three year journey that has brought purpleteam from a proof of concept (PoC) to where it is now.

An overview of the NodeJS micro-services with a pluggable tester architecture will be provided. Additional Testers can be contributed by the community (that's you!).

Why would I want it in my build pipelines?

In this section Kim will discuss the problem that purpleteam solves, along with the cost savings of finding and fixing your application security defects early (as you're introducing them) as opposed to late (weeks or months later, with external penetration testing) or not at all.

OK, I want it, how do we/I set it up?

Kim will walk you through all of the components and how to get them set up and configured.

Great, but what do the work flows look like?

Let's walk through the different ways purpleteam can be run and utilised, such as:

* Running purpleteam standalone (with UI)
* Running purpleteam from within your pipelines as a spawned sub process (headless: without UI)
* Running all of the purpleteam components, including debugging each and every one of them if and when the need arises

Speakers

Kim Carter

Technologist / Engineer, Information Security Professional, Entrepreneur and the founder of BinaryMist Ltd (https://binarymist.io/) and purpleteam-labs (https:purpleteam-labs.com). OWASP NZ Chapter Leader for Chch. Certified Scrum Master. Facilitator, mentor and motivator of cross...


Friday September 24, 2021 10:00pm - 10:30pm EDT
On-Line

10:30pm EDT

Costly mistakes in serverless computing
Abstract:
Serverless computing has revolutionized cloud computing. It makes deploying code faster, cheaper, and more compact. Yet, with this convenience, we might be prone to making mistakes that weaken our cybersecurity posture. This presentation will highlight some costly mistakes to avoid when building our serverless applications.


Speakers

Miguel Calles

Principal Solutions and Security Engineer, VeriToll LLC
Miguel A. Calles is the author of the "Serverless Security" book and a Cybersecurity engineer who works on cloud computing projects. He has worked on multiple serverless projects as a developer and security engineer, contributed to open-source serverless projects, and worked on large...


Friday September 24, 2021 10:30pm - 11:00pm EDT
On-Line

11:00pm EDT

AWS (mis)configuration from an attacker’s-eye view
Kavisha is a Security Analyst by profession. She is a cloud security and machine learning enthusiast who dabbles in application and API security and is passionate about helping customers secure their IT assets. She spends her time finding vulnerabilities and doing research on them. She has been recognized by the Government of India for helping them secure their websites. She has also been listed among the top security researchers of the nation in a recent newsletter of NCIIPC RVDP.

She believes in giving back to the community and frequently seeks out audiences to speak to. She is also a cybersecurity speaker and loves to share her views on various infosec threads. She has spoken at various security events around the world, including Defcon Cloud village, OWASP Bay area, OWASP Sofia, Null Bangalore, Bsides Noida, Infosec girl, and so on.

Speakers

Kavisha Sheth

Security Analyst, Appsecco


Friday September 24, 2021 11:00pm - 11:30pm EDT
On-Line

11:30pm EDT

vAPI : Vulnerable Adversely Programmed Interface (OWASP API Top 10)
Abstract:
We have seen developers move from a traditional 2-tier application architecture to a 3-tier architecture which involves an API talking to front-end and back-end services. The API used or developed might ease the development process, but a lot of vulnerabilities can come up if it is not developed or configured properly. vAPI is a Vulnerable Interface in a lab-like environment that mimics the scenarios from the OWASP API Top 10 and helps the user understand and exploit the vulnerabilities according to the OWASP API Top 10 2019. It might be useful for Developers as well as Penetration Testers to understand the types of vulnerabilities in APIs. The lab is divided into 10 exercises that sequentially demonstrate the vulnerabilities and give a flag if exploited successfully.

Speakers

Tushar Kulkarni

Holm Security
Tushar Kulkarni works at Holm Security where, as a part of the team, he works towards ensuring customers' Vulnerability Management and Assessment. He also leads and manages the OWASP Nagpur chapter, which holds AppSec meets every now and then. He has given talks and trainings at various...


Friday September 24, 2021 11:30pm - Saturday September 25, 2021 12:00am EDT
On-Line
 
Saturday, September 25
 

12:00am EDT

Post-DevOps, what should we shift-left?
Abstract:
The traditional V-shaped quality assurance of waterfall has been replaced by DevOps and CI/CD. It is clear that fast improvement cycles have contributed to making the code much easier to maintain and higher quality.
But why is it that AppSec is still vulnerable to attacks and has yet to mature? Do automated mechanisms contribute to robustness against change?
In this talk, I will show what we have learned through our experience of organizing Hardening Project in Japan. I will cover the critical points related to each stage of DevOps to take DevOps to the next stage - they are about risk profile, architecture design of threat response, and operational matter. I hope it will show some challenges that AppSec faces in its further evolution.

Speakers

Riotaro OKADA

Executive Advisor/Industry Analyst, OWASP Japan/Asterisk Research, Inc.
Born in Kobe, Japan, Mr. Okada, the executive researcher of Asterisk Research, has 20+ years of experience in software development and security. He is an experienced CISO advisor, PSIRT practitioner, and author who can implement information security programs. His field of work contributes...


Saturday September 25, 2021 12:00am - 12:30am EDT
On-Line

12:30am EDT

Software Security Engineering (Learnings from the past to fix the future)
Abstract:
Over the last 20 years, exponential growth in technology and technological advancement has led to a significant increase in the attack surface of an application or piece of software. If these applications become part of an organisation's internal or external facing infrastructure, they inherently increase the organisation's overall attack surface.
Interestingly, the vast majority of security bugs the industry has been dealing with these days have been around for at least two decades.

Suppose you are responsible for ensuring application security for your organisation, or are a vital member of the software engineering team, and are dealing with known security issues affecting these applications year after year. In that case, there are a few critical questions to ask yourself.

Is it challenging to entirely eradicate any known application security bugs in a single application and across all the applications in your organisation? Does your product team observe that security bugs identified and mitigated in a particular application/software release continue to resurface in future releases? Have you made a move to DevSecOps, or are you considering migrating away from Waterfall and Agile, with the hope that it would take care of all the security bugs in your applications/software?

If the answer to either or all of the above questions is "Yes", then this talk is for you.

This talk will have no fancy demos; instead, this talk will cover some of the crucial aspects of software security engineering and strategy that most organisations have overlooked or ignored.
The key to ensuring maximum possible security resilience in an application/software against known and unknown threats is hidden in past events. Therefore, there will be past examples covered during the talk to learn from and retrospect to fix future security problems in an application/software.

It is quite possible to eliminate known security bugs entirely across all the applications in an organisation and prevent them from reoccurring. While achieving 100% resilience against zero-day threats for your software is less likely, it is quite possible to achieve at least 99.99% security resilience in an application/software to defend against variants of known security bugs.

This talk will provide some food for thought on how to steer software security engineering in an organisation to achieve such results. Among all the solutions I'd cover, none of those will lead to DevSecOps. You'll find out why during the talk.

Speakers

Debasis Mohanty

Head Of Technical Services, SEQA
Debasis has 20+ years of insightful experience in Offensive and Defensive security. He got into security as early as 1998, when there were limited online resources, and one had to self-learn and rely more on textbooks, MSDN resources (Windows), or man pages (Linux/Unix) than on...


Saturday September 25, 2021 12:30am - 1:00am EDT
On-Line