Thank you for joining us at our 20th Anniversary Event! All sessions were recorded and will be posted in the coming weeks on the OWASP YouTube channel.

We have been working hard to secure the world through challenges and discovery. And now, it’s time to celebrate! Many of you have played a crucial role in the Foundation’s enduring history, and we encourage you to participate in the celebration coming this September! Our theme, Securing the Next 20 Years, is encouraging and exciting as we look ahead to the next 20 years!

Join us for FREE at this live 24-hour global event as we honor the past, celebrate the present, and embrace the future of OWASP and cybersecurity. Hear from world-renowned keynotes and special speakers, and network with your peers. It is FREE to attend; however, registration IS required to gain access to the session links.


Friday, September 24

3:00am EDT

Opening Remarks
Please join us for our 20th Anniversary opening remarks, the announcement of the WASPY Award winners, and our Distinguished Lifetime members.

Friday September 24, 2021 3:00am - 3:10am EDT
On-Line

3:10am EDT

AppSec is too hard!?
Looking at available tools and features, it is easy to conclude that AppSec is shooting for the moon. Modern frameworks build security in by default, and vulnerable technologies are replaced by more secure alternatives. But regardless of all these good intentions, we see the same vulnerabilities popping up over and over again. Are we just careless when building applications, or is AppSec too hard? Throughout this talk, we review various cases where frameworks and libraries get in the way of security, paving the way for application-level vulnerabilities. With practical examples, we investigate more robust approaches to application security. The patterns we discuss will not only help you to improve the security of your applications but also make application security more manageable at scale.




Speakers

Philippe De Ryck

Founder, Pragmatic Web Security
Philippe De Ryck helps developers protect companies through better web security. His Ph.D. in web security from KU Leuven lies at the basis of his exceptional knowledge of the security landscape. As the founder of Pragmatic Web Security, Philippe delivers security training and security...


Friday September 24, 2021 3:10am - 4:00am EDT
On-Line

4:00am EDT

OWASP Mobile Security Testing Guide Flagship Project
Speakers

Carlos Holguera

Security Engineer
Carlos Holguera is a security engineer, researcher and OWASP leader with many years of hands-on experience in the field of security testing for mobile apps and automotive devices. He is passionate about automation, reverse engineering, dynamic instrumentation of mobile apps and is...

Sven Schleier

Technical Director, F-Secure Consulting
Sven is the Technical Director of F-Secure Singapore and has hands-on experience in attacking and defending web and mobile apps for the last 10+ years. He became specialised in Application Security and has supported and guided software development projects for Mobile and Web Applications...


Friday September 24, 2021 4:00am - 4:30am EDT
On-Line

4:00am EDT

OWASP Top 10 Privacy Risks 2021
Abstract:
“The future is private” said Mark Zuckerberg back in 2019 at Facebook’s developer conference. OWASP has been addressing the topic of web application privacy with its Top 10 Privacy Risks Project since 2014. The project covers technological and organizational aspects that focus on real-life privacy risks, not just legal issues. It provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. In the meantime, this OWASP project has become best practice for experts all over the world. But new regulations like GDPR and CCPA and a rapidly changing world raise the question of how far the privacy risk landscape has changed since 2014. This led to the decision to update the project back in 2020, and finally, more than one year later, version 2.0 of the OWASP Top 10 Privacy Risks project has been published. In this session project founder and leader Florian Stahl will present the updated results and show that some well-known topics like web application vulnerabilities remain at the top of the list, but also new issues like “Consent on everything” or “Insufficient Data Quality” made it to the Top 10 Privacy Risks 2021. He also explains countermeasures against these risks and how to really build a private future.

Speakers

Florian Stahl

Principal Consultant, MSG
Florian Stahl is Principal Consultant for Security & Privacy at the software company msg in Germany. He achieved his Master's in Computer and Information Systems Science in Germany and Sweden and holds CISSP, CISM and CIPT certifications. Florian has more than ten years of experience...


Friday September 24, 2021 4:00am - 4:30am EDT
On-Line

4:00am EDT

Blockchain-based Security Framework for Cyber Physical Systems (BSF-CPS)
Abstract:
Cyber physical systems, more commonly known as CPS, are a class of automated systems which work as a lifeline in smart cities’ systems such as home automation systems, power grids, the automotive industry, etc. CPS are transforming the way we interact with, monitor and control the physical world around us. The security aspects of these systems are in high demand, as these systems are involved in the day-to-day life of people and the national economy. Compromised CPS can harm the day-to-day operations of people. CPS systems are complex in design and more prone to cyber-attacks. Detection of safety and security deficiencies acts as a fundamental building block for creating a security framework for CPS at different levels. Cyber Physical Devices (CPS), the Internet of Things, and digital frameworks are generally cases of embedded devices in which the basic requirement is to provide flexibility to various applications with higher adaptability to provide reliable communication with the implementation of communication protocols. However, existing platforms use centralised networking, which suffers from security, scalability and big-data problems. In this talk, I will be presenting a blockchain-based security framework for CPS (BCSF-CPS) which will provide a trustable network to get rid of third-party problems and, in addition, improve the scalability, security and big-data problems for CPS. The rudimentary principle behind the proposed framework is based on a hybrid of open and consortium blockchain. This hybrid approach will provide a peer-to-peer communication network between the end user and the service provider. The first half of this talk will present a review of major CPS security problems like centralized control, cloud and edge device data management, heterogeneous environments, secure data access with high latency and accuracy, adversarial attacks, overall security, and privacy. The proposed BCSF-CPS framework will be presented in the second half of the talk.
BCSF-CPS is based on role-based access using the account address of the blockchain node as the identity, redefining access permissions, designing the initialization, access control, authorization, authorization revocation and audit processes, and using a lightweight symmetric encryption algorithm to achieve privacy protection. Moreover, I will also share a review of applying blockchain technology to CPS to provide insights and highlight the challenges and future opportunities.

Speakers

Dr. Abhilasha Vyas

Subject Matter Expert, CloudThat Technologies
Dr. Abhilasha Vyas is working as a Subject Matter Expert at CloudThat Technologies. She is a member of the executive committee, Women in Big Data (WiBD) India Chapter. She is also working as Head, Cyber Cell, Suraj Sansthan, Jaipur. Her research area is Cyber Security and Detection of DDoS attacks...


Friday September 24, 2021 4:00am - 4:30am EDT
On-Line

4:00am EDT

How Security, Development & Testing can work together to stop the same recurring vulnerabilities appearing in the OWASP Top 10
Abstract:
Although the OWASP Top 10 has been updated several times, the same vulnerabilities keep appearing over and over again! Security is a shared responsibility; how can we work together to stop the same recurring vulnerabilities?

The majority of vulnerabilities are introduced during coding and identified during testing. How can development, security and testing work together to prevent these vulnerabilities reappearing? Changing culture is key! How can we motivate developers? How do we put a positive spin on security? How can we break down the silos between different teams and unite behind the shared goal of secure software?

Security can no longer be the ‘bad guy’ at the end of the software development process. Security practices must be embedded within the developer workflow and software development lifecycle. This requires a mix of hard and soft skills which will be discussed during this session.

Speakers

Stefania Chaplin

Solutions Architect, Secure Code Warrior
Stefania Chaplin is EMEA's Solution Architect at Secure Code Warrior. Her experience within Cybersecurity, DevSecOps and OSS governance means she's helped countless organisations understand and implement security throughout their SDLC. As a Python developer at heart, Stefania is always...


Friday September 24, 2021 4:00am - 4:30am EDT
On-Line

4:30am EDT

OWASP ZAP Flagship Project
OWASP ZAP is the world’s most popular web scanner. In this session, Simon will tell you all about the next ZAP release - 2.11.0 - which is coming very soon.

Speakers

Simon Bennetts

Distinguished Engineer, StackHawk
Simon Bennetts is the OWASP Zed Attack Proxy (ZAP) Project Leader and a Distinguished Engineer at StackHawk, a company that uses ZAP to help users fix application security bugs before they hit production. He has talked about and demonstrated ZAP at conferences all over the world, including...


Friday September 24, 2021 4:30am - 5:00am EDT
On-Line

4:30am EDT

Introducing graph theory to Policy-As-Code
Abstract:
Graphs are data structures used to model relationships between nodes. Modern cloud infrastructures can be thought of as graphs: compute resources depend on network resources, which in turn depend on access control resources, and so on.
Infrastructure as code projects such as Terraform build a directed acyclic graph to model the relationships between resources so operators can safely manage and change infrastructure resources across bare metal, IaaS, PaaS, and SaaS.
Can we utilize a similar graph to analyze and enforce a policy over infrastructure as code?
In this talk we will explore how to apply graph theory to Policy As Code using the open source tool Checkov.
We will cover the internals of Checkov, demonstrate its usage, and write a custom policy on the relationships between compute resources and access control resources.

Speakers

Barak Schoster

Chief Architect, Bridgecrew By Prisma Cloud
Barak Schoster is co-founder and CTO of Bridgecrew. Based in Tel Aviv, Barak spends his time helping teams secure cloud infrastructure, writing code, and talking about writing code. He is the creator of Checkov and often contributes to other open source projects. Follow him on Twitter...


Friday September 24, 2021 4:30am - 5:00am EDT
On-Line

4:30am EDT

Your company, as a Knowledge Graph - the foundation of cybersecurity’s future
Merging the knowledge graph model with cloud security posture management results in an innovative new technology called Security Knowledge Graph.

It uses a data model that maps networks of cloud entities in an exhaustive graph which supports automated reasoning across multi-cloud infrastructures. The Security Knowledge Graph will surface crucial issues of all your interlinked cloud assets, helping you improve your security and data governance procedures.

Welcome to your connected organization, as a Knowledge Graph.

Speakers

Ovidiu Cical

Founder of Cyscale, Cyscale
OWASP speaker at both London AppSec 2018 and Tel-Aviv AppSec 2019. Cybersecurity enthusiast with over 15 years of experience in the field of information technology, working with Go, Big Data, Graph Databases, Python, and Linux. I worked as Software Developer at Sophos/Astaro, a...


Friday September 24, 2021 4:30am - 5:00am EDT
On-Line

4:30am EDT

Automatic Vulnerability Remediation: The Trusted and Secure Road to Developer Happiness
Abstract:
Developing secure software is not a trivial undertaking. Modern applications are commonly encumbered with security vulnerabilities that can present a serious risk to services, systems, organizations, and end users.

While vulnerability detection is commonly an automated process, vulnerability remediation is not. Relegating such effort to developers who might not possess the knowledge required to handle vulnerabilities is a demanding and ineffective process. However, the idea of automatic code remediation may not be easy for developers to accept, let alone endorse, due to a trust barrier. Developers will likely be concerned about any process that autonomously pushes changes that might break their code. To gain the requisite trust by developers, automatic remediation must ensure that code changes preserve application functionality and structure as much as possible. More importantly, automatically generated code should look like it was written by the code owner and must never break the application.

Automatic remediation of security vulnerabilities offers an immense value proposition for organizations. It does this by potentially expediting product release schedules, by freeing development bandwidth so that it may be dedicated for feature implementation (rather than software maintenance), and by ultimately delivering better software security. What’s more, customer studies and reviews reveal that an automated approach to vulnerability remediation can save time and eliminate friction with security teams.

This session presents how automatic vulnerability remediation realizes an incredible value proposition by enabling faster product release schedules, extended development bandwidth, and better software security.

Speakers

Rami Elron

Senior Director of Product Innovation, WhiteSource
Rami Elron is the Senior Director of Product Innovation at WhiteSource, driving application security strategic initiatives and thought leadership. Rami has defined and led the product specification for major staples of WhiteSource's portfolio, including the company's prioritization...


Friday September 24, 2021 4:30am - 5:00am EDT
On-Line

5:00am EDT

OWASP Juice Shop Flagship Project
Speakers

Björn Kimminich

Senior Manager IT Architecture, Kuehne + Nagel
Bjoern Kimminich is an IT Product Group Lead at Kuehne + Nagel, responsible – among other things – for Application Security. On the side, he gives IT security lectures at the non-profit private university Nordakademie. Björn is an OWASP Lifetime Member, the project leader of...


Friday September 24, 2021 5:00am - 5:30am EDT
On-Line

5:00am EDT

Connecting the Dots: How Threat Intelligence Protects the Applications
Today we can see that digital technologies are the core of every business. The automation and the connections achieved with these technologies have revolutionized the world’s economic and cultural institutions but they have brought additional risk in the form of cyber attacks.

What is Cyber Threat Intelligence, how can you implement it properly to protect your business, and why is it an important component of the AppSec world?

In this presentation you will find out how to integrate it into your Application Security Program, but also learn about solutions that automate data collection and processing, integrate with other solutions or services, take in unstructured data from disparate sources, and then connect the dots by providing context on indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) of threat actors. In short, Threat Intelligence is knowledge that will allow you to prevent or mitigate those attacks.

Speakers

Catalin Curelaru

SecOps Manager, Visma
Catalin is a security generalist specialized in the Infrastructure and Product Security areas with a strong knowledge of Security Operations. He works at Visma as a Security Operations Manager, enjoying his time in the Product Security Operations team providing technical leadership...


Friday September 24, 2021 5:00am - 5:30am EDT
On-Line

5:00am EDT

Achieving the Web Isolation Nirvana - How far along are we?
Abstract:
Security isolation is a design principle that improves the resilience of applications against attacks. It works like a second layer of defense that protects the application in the presence of a security breach, by containing the attack to the compromised partition. Sandboxing is one of the techniques often used to provide isolation by restricting code to a limited permission set. Isolation, in this context, is limiting what can happen if a vulnerability is exploited. It has a strong tie to the also well-known security principles of Least Privilege and Privilege Separation.

Any application can and should be designed using these principles. However, it is of vital importance for applications that include untrusted or 3rd party code. Companies can do code reviews of untrusted code before using it, but that is prone to oversights and is too costly to be done for every code change. Additionally, code reviews can be difficult to do in situations where there is no ahead-of-time access to the code, which is usually the case with web applications, where 3rd party vendor services are directly embedded into applications from their remote servers.

Using 3rd party code/components is a growing trend observed in the last decade, and will keep growing, as companies work towards cutting the development time of new applications. This is especially true for Web Applications as high-scale modern Web Applications use dozens of different 3rd party services. Any untrusted code can be compromised and put the rest of the Web Application at risk, potentially leaking sensitive data.

Throughout the years, several solutions and best practices have been advocated for creating Web Applications leveraging Web Isolation. The core security model of Browser-based apps sits upon the Same Origin Policy (SOP), a mechanism that aims to prevent different security domains from interfering with each other in malicious ways. But the SOP is limited in what it can do, and imposes several limitations on how the application is designed. It's neither practical nor economically efficient to split every code partition into its own origin. Iframe Sandboxing was a good complement to SOP, but its adoption is still anemic, as most third party scripts require direct access to the DOM and to other scripts in order to function properly. Despite our best efforts to bring effective Web Isolation and privilege separation to the client-side, we are still struggling.

In this talk, we will attempt to tie in the journey of the last 20 years of Web Isolation to the “next 20 years”. We’ll make a pit stop in the present, where we’ll showcase a client-side sandboxing solution that is transparent, does not require any browser modification and can be embedded into any Web Application. We can pontificate on what will be the likely state of Web Isolation for applications deployed in the future. And lastly, we can discuss where the security challenges will likely be located and how we, the security community, need to work together in order to overcome those challenges.

Speakers

Jasvir Nagra

Security Engineer, Dropbox
Jasvir Nagra is widely recognized as a thought leader in software protection. He is co-author of Surreptitious Software, the definitive textbook on software protection, and an early researcher in obfuscation, software watermarking, and fingerprinting. With more than 12 years of experience...

Pedro Fortuna

CTO and Founder, Jscrambler
Once on a trajectory to a full academic career, where he taught security and computer science courses for about 5 years, he ended up falling in love with the fast paced world of entrepreneurship. He started Jscrambler, where he leads all security research and drives the company product...


Friday September 24, 2021 5:00am - 5:30am EDT
On-Line

5:00am EDT

Effective Usage Analysis: The Shortest Path Between a Developer and Accelerated Product Releases
Abstract:
Modern software applications can feature thousands of direct or indirect code dependencies between proprietary and open source software components, many of which have security vulnerabilities.

Vulnerability scanning commonly reports a gigantic number of findings that demand attention by development teams. Our study, based on the review of hundreds of open source projects in Java, .NET, Python, and JavaScript, shows that about 70% of the reported vulnerabilities in real-world applications cannot be referenced from application code, thereby effectively posing no risk. However, many organizations establish the urgency of vulnerability handling based on the vulnerability’s reported severity. In light of the large number of reported vulnerabilities that are not ‘effective,’ security and development personnel often find themselves investing an inordinate amount of time addressing alerts that should have been prioritized in the first place.

Knowledge of a vulnerability’s ‘effectiveness’ is extremely valuable to organizations. It enables organizations to eliminate a substantial portion of reported security risks with 100% accuracy to concentrate on a significantly smaller number of ‘effective’ vulnerabilities. This enables organizations to save precious time, focus their development teams’ attention on real risks, apply remediation efficiently, and expedite product delivery.

This session presents how prioritization based on effective usage analysis enables organizations to confirm which reported vulnerabilities can be exploited, significantly reducing the number of vulnerabilities developers must remediate.

Speakers

Rami Elron

Senior Director of Product Innovation, WhiteSource
Rami Elron is the Senior Director of Product Innovation at WhiteSource, driving application security strategic initiatives and thought leadership. Rami has defined and led the product specification for major staples of WhiteSource's portfolio, including the company's prioritization...


Friday September 24, 2021 5:00am - 5:30am EDT
On-Line

5:30am EDT

Attacking the microservice systems: methods and practical tips
Abstract:
The microservice architecture is being increasingly used for designing and implementing application systems in both cloud-based and on-premise infrastructures for different purposes, from small “startup” business processes to large-scale telecommunications. But microservices bring new security architecture patterns and approaches that completely change the attack surface and may lead to vulnerabilities. This presentation focuses on approaches and practical tips on how to perform a basic security assessment of microservice-based systems to find microservice-specific vulnerabilities. Our research results were extracted during multiple security assessments, collected, structured and contributed to the OWASP community.

Speakers

Alexander Barabanov

Principal Security Architect, Advanced Software Technology Lab, Huawei
Ph.D. in Computer Science, CISSP, CSSLP. Over ten years of working experience in IT security evaluation and application security. Current position is a Principal Security Engineer at Advanced Software Technology Lab, Huawei. Associate Professor at Bauman Moscow State Technical University...


Friday September 24, 2021 5:30am - 5:30am EDT
On-Line

5:30am EDT

OWASP Software Assurance Maturity Model (SAMM) Flagship Project
Speakers

Seba Deleersnyder

Co-founder & CTO, Toreon

Bart De Win

PwC, Director Cyber&Privacy
Bart De Win has over 20 years of experience in software security. He has an extensive background in the field, including his Ph.D. and research work on methods and techniques for software protection. Since 2009, Bart has been responsible for all application security services within...


Friday September 24, 2021 5:30am - 6:00am EDT
On-Line

5:30am EDT

OWASP Application Gateway: What is it and how can you use it to secure your webapp?
Abstract:
The OWASP Application Gateway is a modern HTTP reverse proxy that sits between your web application and the client and handles OAuth2 login and sessions. It is built to scale from small projects to huge enterprise apps. For you, as a developer, OAG removes the hassle of implementing login logic in the backend and frontend so you can focus entirely on your application's logic.

In this talk, we'll go through the security challenges you'll face while building modern software systems and how the OWASP Application Gateway helps you build secure applications. Furthermore, we'll do a technical deep dive into how you can customize and extend the Application Gateway to your needs.

Speakers

Gian-Luca Frei

Security Engineer, Zühlke
Gian-Luca Frei is the initiator and leader of the OWASP Application Gateway project. Besides his open-source contributions, he is a security engineer at Zühlke. He has in-depth experience with systems with the highest security standards, such as e-banking portals and inter-banking...


Friday September 24, 2021 5:30am - 6:00am EDT
On-Line

5:30am EDT

Objects In The Rear View Mirror Are Closer Than They Appear
Abstract:
We are living in the future. Actually, we have been living in the future for some time now. Unfortunately, progress is not equally divided between the different facets of technology. An area that has always suffered a delayed reaction is security, and more specifically security testing. When it comes to innovation and digital transformation, we are charging forward at full speed, but failing to adapt testing practices to evolve with the times and technologies. We are quickly, and often blindly, embracing the bleeding edge of technology, but every tech adoption comes with the overhead of a new set of tests (and their respective vendors of course). We are aggressively shifting left to the point where our testing results are not actionable, and sometimes not even clear. In this talk, we will discuss the ‘opportunities’ future-fueled applications present to adversaries, the challenges security teams encounter with modern architectures, and the vision we should consider when testing and securing these applications to take a more proactive defense approach across the industry.

Speakers

Erez Yalon

VP of Security Research, Checkmarx
Erez Yalon, VP of Security Research, oversees Checkmarx’s research team comprising analysts, pen-testers, secure developers, and bug bounty hunters. He brings vast experience to his position and his efforts empower today’s developers and organizations to deliver more secure software...


Friday September 24, 2021 5:30am - 6:00am EDT
On-Line

6:00am EDT

OWASP Security Knowledge Framework Flagship Project
Speakers

Glenn ten Cate

Chief Information Security Officer, Zerocopter


Friday September 24, 2021 6:00am - 6:30am EDT
On-Line

6:00am EDT

Stop the looters: a method to detect digital skimming attacks
Abstract:
In 2019 British Airways was fined a remarkable £183 million for a data breach that affected more than 380.000 of its customers. Magecart, the hacking group behind the attack, specializes in credit card theft and British Airways have not been their only victim. Ticketmaster, Forbes, Newegg and numerous online webshops have suffered security breaches by digital skimmers.

In the real world, a skimmer is a physical device inserted at payment terminals in order to harvest credit card data. Digital skimming is usually done through JavaScript code injected into a webpage that victims visit to fill in payment or other types of sensitive data.

So how do you detect an attack? Is there an easy method to monitor JavaScript and deter digital skimmers? In this talk I will be presenting exactly this: a method to audit your JavaScript in order to stop digital skimmers from looting your websites.

Speakers

Nikolaos Alexiou

IT Security Specialist, Skandia
Nikolaos (Nikos) Alexiou is an application security specialist based in Stockholm, Sweden. He is a leader of the OWASP Stockholm local chapter and has a software developer background. He holds a master in Information Systems and has published his research work in academic conferences...


Friday September 24, 2021 6:00am - 6:30am EDT
On-Line

6:00am EDT

It's Not Your Developers' Fault
The number of security incidents and data breaches is increasing. It feels like not a week goes by without hearing of another breach or compromise. Are we getting worse at doing security? In this talk I'll provide my opinion on this, from an application security perspective, by taking a look at how software development has changed over the years. As we move towards Cloud Native workloads, staying secure is harder; and it's not always your developers' fault.

Speakers

Edwin Kwan

DevSecOps Advocate
Edwin Kwan is a DevSecOps advocate and strong believer in having a developer focused approach towards embedding security into the software development life cycle. Trained as a software engineer, he transitioned into security 7 years ago and now heads up the application security and...


Friday September 24, 2021 6:00am - 6:30am EDT
On-Line

6:00am EDT

Top 10 Challenges for DevSecOps
Abstract:
DevSecOps is the push for security to fit into the success DevOps has created. Since 2015 we’ve been working with 100s of companies on the integration of DevSecOps into software development processes and have seen the troubles, the successes, and the same patterns coming up again and again. Therefore, in honor of OWASP, we’ve created a Top 10 list of challenges that DevSecOps will need to overcome to truly fulfill its promise and make our lives simpler.

Let’s all repeat to ourselves: “DevSecOps isn’t simple. DevSecOps isn’t hooking in a few APIs into CI/CD. DevSecOps is about giving precise, usable security data, when and where it’s needed.”

Note that in this presentation we very much focus on DevSecOps achieving the same promise as DevOps, i.e. the ability to deliver usable, actionable security within the DevOps or CI/CD pipelines such that the risk to the business is reduced. This means the ‘Sec’ in DevSecOps needs to provide value within the operation and timeframe that DevOps works at. This is a common problem seen in many DevSecOps rollouts.

Speakers

Gary Robinson

Director, Uleska
Gary has over 20 years of experience in software and cyber security. In the private sector he has held roles including Security Architect in global banking and CEO of Uleska. In the voluntary sector, Gary has run projects, conferences, and Global Board membership of OWASP. Gary...


Friday September 24, 2021 6:00am - 6:30am EDT
On-Line

6:30am EDT

OWASP Web Security Testing Guide Flagship Project
Speakers
Matteo Meucci

Chief Executive Officer, IMQ Minded Security
Matteo Meucci has been working in the field of Application Security since 2001; he founded the OWASP Italian Chapter in 2005. Since 2006 he has been the leader of the OWASP Testing Guide, and of the OWASP Sw Security 5D Framework since 2018. Matteo is one of the founders and CEO of IMQ...


Friday September 24, 2021 6:30am - 7:00am EDT
On-Line

6:30am EDT

OWASP API Security Top 10 - A Beginner's Guide to Mitigation
Abstract:
In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole.

The OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications.

APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch the OWASP API Security project in 2019.

In this session we’ll discuss:
· What risks are associated with each of the OWASP Top 10 for API Security
· Solutions you can implement to mitigate these risks
· Strategies for implementing API security across the entire lifecycle

Speakers
Isabelle Mauny

CTO and Co-Founder, 42Crunch
Isabelle Mauny, Chief Evangelist and co-founder of 42Crunch spent most of her career at IBM, across a variety of technical roles, at the European level. She was part of the IBM WebSphere Strategy board and played a key role in the deployment in Europe of flagship products such as...


Friday September 24, 2021 6:30am - 7:00am EDT
On-Line

6:30am EDT

OWASP Nettacker Project Presentation
Join us for a presentation on the OWASP Nettacker Project
https://owasp.org/www-project-nettacker/

Speakers
Sam Stepanyan

OWASP London Chapter Leader, OWASP London
@securestep9 on Twitter. Sam Stepanyan is an OWASP London Chapter Leader and an Independent Application Security Consultant with over 20 years of experience in IT industry with a background in software engineering and web application development. Sam has worked for various financial...


Friday September 24, 2021 6:30am - 7:00am EDT
On-Line

6:30am EDT

Feedback loop in DevSecOps - mature security process and dev cooperation
Abstract:
Having security testing in the pipeline is getting more and more popular; I would say it is becoming a standard! But what are we doing with the findings? What are we automating, and how are we using the automation?

The presentation will cover security-as-a-code practices to integrate security testing into the CI and CD pipelines, but in addition - I will discuss the part of the testing that cannot be automated, which is penetration testing. How do you connect it with your automation testing, and what is the role of penetration testing in monitoring? I will show how it affects the next round of the process and what the process should look like.
During the presentation I will discuss real use cases from different pipelines and security tools, showing pros and cons, advantages and challenges. The demo will include GitHub Actions and open-source tools like OWASP ZAP, and examples will be provided with pipeline-as-a-code and security-as-a-code. Real-life use cases and examples will come with step-by-step instructions on how the development process should look in a mature state of DevSecOps.

Speakers
Daniel Krasnokucki

Product Security Manager, Equinix
Security freak, pentester, programmer, and day-to-day also a manager of Product Security team @ Equinix. Leader of OWASP Poland with a strong focus on building security controls and improving different areas in a very techy company. Privately likes board games, football (soccer) and...


Friday September 24, 2021 6:30am - 7:00am EDT
On-Line

7:00am EDT

OWASP Security Shepherd Flagship Project
Speakers
Sean Duggan

OWASP Security Shepherd Flagship Project


Friday September 24, 2021 7:00am - 7:30am EDT
On-Line

7:00am EDT

Scaling AppSec through Education
Abstract:
Given that:
- Security teams are outnumbered by developers 100:1
- 50 - 80% more bugs are found in code review than in testing
- More than 70% of CVEs are caused by implementation in code

It must follow that AppSec should be the biggest part of your concern as a security person, and that you either need to seriously invest in more AppSec people to keep up with the developer population or you need to get developers looking for AppSec issues during code review.

So, how does one do that?

Speakers
Grant Ongers

CTO, Secure Delivery
Grant's experience spans Dev - building platforms for regulated industries for more than 10 years. 20+ years in Ops, everything from managing operations in NOCs to mainframe and DBs. He also has over 30 years pushing the limits of (Info)Sec - mostly white-hat. Grant’s community...


Friday September 24, 2021 7:00am - 7:30am EDT
On-Line

7:30am EDT

Break
Friday September 24, 2021 7:30am - 8:00am EDT
On-Line

8:00am EDT

Our Secure Future
How do we build a better future for information security by examining the lessons learned in the recent as well as distant past?

Speakers
Jaya Baloo

Chief Information Security Officer, AVAST
Jaya Baloo is Avast’s Chief Information Security Officer (CISO) and joined Avast in October 2019. Previously, Ms. Baloo held the position of CISO at KPN, the largest telecommunications carrier in the Netherlands, where she established...


Friday September 24, 2021 8:00am - 9:00am EDT
On-Line

9:00am EDT

OWASP OWTF Flagship Project
In this session, Saurabh will talk about the OWASP OWTF project and the latest updates.

Speakers
Saurabh Nandedkar

DevSecOps engineer, Safe Security
I am a DevSecOps engineer and OWASP contributor. I love to automate stuff. I also love to read and write code. So on most days, I am either trying to find bugs in others' code, all the while trying to avoid creating them in mine.


Friday September 24, 2021 9:00am - 9:30am EDT
On-Line

9:00am EDT

Code-Origin Policy: Towards a Formal User Privacy Protection for the Web
Abstract:
Although technical solutions and legislation exist, online user privacy is still an open issue and an unsolved crisis. Indeed, there is no formal assurance mechanism to guarantee that a web application will not violate its users' privacy as stated in the user agreement. In this presentation, we introduce a new method to protect web users' privacy by monitoring JavaScript code based on the source of the code, i.e., its code origin. Our code-origin policy enforcement approach advances the conventional same-origin policy standard and allows users to customize their protection. We demonstrate that our privacy policies can be certified at the development phase and verified at runtime to provide formal assurance of the enforcement.

Speakers
Phu H. Phung

Associate Professor, University of Dayton
Dr. Phu H. Phung is an Associate Professor and the Director of the Intelligent Systems Security Lab in the Department of Computer Science, University of Dayton. He received his Ph.D. in Computer Science in 2011 from Chalmers University of Technology, Sweden. His research interests...


Friday September 24, 2021 9:00am - 9:30am EDT
On-Line

9:00am EDT

React Native Security. Addressing typical mistakes
Abstract:
When developers choose React Native as a platform for their mobile apps, they think about the benefits of one codebase for two platforms, increased development speed and the advantages of TypeScript. But what about application security? Many articles claim that React Native apps are less secure. In my talk, I'll shed light on React Native apps’ security based on my experience, and explain some risks and threats developers should address to prevent typical mistakes.

Speakers
Julia Potapenko

Security Software Engineer, Cossack Labs
Julia is a Security Software Engineer at Cossack Labs, building convenient and affordable data security and encryption solutions. With background experience in mobile application development, she helps customers to choose and implement security controls for their products. Julia is...


Friday September 24, 2021 9:00am - 9:30am EDT
On-Line

9:30am EDT

OWASP Cloud-Native Application Security Top 10 Flagship Project
Speakers
Ron Vider

Co-Founder and Chief Technology Officer, Oxeye
Ron is the CTO of Oxeye, an application security testing platform for cloud native applications. He brings over a decade of experience in application and cloud security, working for Orca Security and the IDF Cyber elite 8200 unit. He specializes in application, container, cluster...


Friday September 24, 2021 9:30am - 10:00am EDT
On-Line

9:30am EDT

Good Bot, Bad Bot: Characterizing Automated Browsing Activity
Abstract:
As the web keeps increasing in size, the number of vulnerable and poorly managed websites increases commensurately. Attackers rely on armies of malicious bots to discover these vulnerable websites, compromise their servers, and exfiltrate sensitive user data. It is, therefore, crucial for the security of the web to understand the population and behavior of malicious bots.

In this presentation, we will report on the design, implementation, and results of Aristeus, a system for deploying large numbers of honeysites, i.e., websites that exist for the sole purpose of attracting and recording bot traffic. Through a seven-month-long experiment with 100 dedicated honeysites, Aristeus recorded 26.4 million requests sent by more than 287K unique IP addresses, with  of them belonging to clearly malicious bots. By analyzing the type of requests and payloads that these bots send, we discover that the average honeysite received more than 76,396 requests each month, with more than 50% of these requests attempting to brute-force credentials, fingerprint the deployed web applications, and exploit large numbers of different vulnerabilities. By comparing the declared identity of these bots with their TLS handshakes and HTTP headers, we uncover that more than 86.2% of bots are claiming to be Mozilla Firefox and Google Chrome, yet are built on simple HTTP libraries and command-line tools.

Outline:
This talk is all about bot traffic on the web. The presentation will be broken up as follows:

- Background: What are web bots? What is the difference between benign and malicious bots? What are malicious bots after? (exploiting vulnerabilities, stealing backups, scraping, etc.)

- Discovering bots on our web applications: How can we differentiate bots from users? How can we differentiate between benign and malicious bots?

- Details about our main experiment: A network of 100 honeysites, running different types of web applications, for the sole purpose of attracting web bot requests. How we built it, how we recorded data. Different techniques for identifying bots (client fingerprinting, payload classification, TLS stack fingerprinting, etc.)

- Results of the experiment: Number of bots, geographical distribution, how many bots are malicious, how many bots are benign, does bot activity increase or decrease over time? Do bots run JavaScript? Do they use command-line tools or are they instrumenting full-fledged browsers? Showing how our system-generated blocklist of IP addresses of malicious bots outperforms very popular OSINT lists.

Overall Learning Objectives for Attendees
- Being able to describe what malicious bots are after
- Knowing multiple techniques for fingerprinting malicious bots
- Understanding the basics of deploying bot-catching infrastructure in their organization, as a new source of blocklisting

Speakers
Nick Nikiforakis

Associate Professor, Stony Brook University
Dr. Nick Nikiforakis (PhD'13) is an Associate Professor in the Department of Computer Science at Stony Brook University. He leads the PragSec Lab, where his students conduct research in cyber security, with a focus on web security, web privacy, DNS security, attack-surface reduction...


Friday September 24, 2021 9:30am - 10:00am EDT
On-Line

9:30am EDT

Preventing an OWASP Top 10 in the world of AI
Abstract:
According to McKinsey & Company, by 2030, companies that fully absorb AI could double their cash flow. As AI continues to be deployed into complex settings (healthcare, transportation and financial services), policy makers have warned against the potential abuse of AI and ML for cybercriminals’ gain. At the same time, the cybersecurity community has highlighted the benefits of using these algorithms to identify and defend against threats by automating the detection of and response to attempted attacks.

To prevent a future where OWASP releases a top 10 for AI threats, we need to broaden the conversation around how AI systems can themselves be secured, not just about how they weaken or augment data and network security. In this session, the speaker will offer the benefits of utilizing this emerging technology while illustrating some of its vulnerabilities. He will demonstrate how a simple AI chatbot, like those used by so many companies today, can be easily manipulated. He will also offer suggestions for protecting the algorithms from being compromised. The conversation will include practical ideas on how an organization should structure its AI program including: Whether to utilize Human In The Loop (HITL) to ensure that a person controls when to start or stop any action performed by an AI system; How best to lock down AI based on data classification policies; and Why it is important to analyze log data in real time to provide AI threat monitoring, event correlation and incident response.

Speakers
Aaron Ansari

VP Cloud Security, Trend Micro
Aaron brings practical knowledge which allows him to deliver tailored solutions for his clients. This knowledge comes from over a decade as a security practitioner in the Financial Services vertical. At BMW Financial Services, Aaron served as the Chief Security Architect. He oversaw...


Friday September 24, 2021 9:30am - 10:00am EDT
On-Line

9:30am EDT

Five philosophies to building better application logs
Abstract:
I would like to introduce you to the five philosophies of building application logs with future breaches in mind. These are by no means the only things to consider, and I could potentially write a book or two about my thoughts. I have dealt with teams who have suffered a compromise and had sensitive data disclosures. In my experience I have almost always used the logs; they can contain so much information, or they can contain equal amounts of noise. I am on a crusade to turn developers into ninja forensic coding logging forces of nature. I would like to deal with breaches in which care has been taken with the logs they produce, and not always mumble to myself, “It would have been nice to have better logs, or any logs for that matter.” It is easy to ask yourself the question as a developer: “Do you take into account that your application will be breached? Do you have enough information to determine what happened?” If you answered “I do not know” or “No”, reach out to me; I would like to set you on the path of building forensic and breach readiness into your application logs.

Speakers
Veronica Schmitt

Assistant Professor, Noroff University
Veronica started her forensic career in 2008. She is the Director of Incident Response within DFIRLABS. Veronica is also an Assistant Professor at Noroff University. Veronica holds a Master in Science at Rhodes University in Information Security with specialisation in the forensic...


Friday September 24, 2021 9:30am - 10:00am EDT
On-Line

10:00am EDT

OWASP ModSecurity Core Rule Set Flagship Project
Speakers
Christian Folini

Security Engineer, Partner, Netnea.com
Christian Folini is a security engineer and open source enthusiast. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is not a big business anymore and so he turned to defending web servers, which he finds equally...


Friday September 24, 2021 10:00am - 10:30am EDT
On-Line

10:00am EDT

Rough Consensus - An OWASP Story
Speakers
Jeff Williams

Co-Founder and CTO, Contrast Security
Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and...


Friday September 24, 2021 10:00am - 10:30am EDT
On-Line

10:00am EDT

Over 20 Years of SQL Injection Attacks in the Wild - Time to Refine and Optimize Web Attack Detection by Using Data Mining Techniques
Abstract:
SQL injection was initially introduced to the wild over 20 years ago, and some of the defensive capabilities, along with the processes for building and maintaining them, have stayed obsolete and manual. In this presentation, I will show how Content Delivery Network (CDN) logs classified as SQL injection attacks can be used to refine and optimize security rules, improve detection of future attacks, and detect emerging attacks targeting new vulnerabilities.
The process used includes elements taken from Natural Language Processing (NLP) to analyze SQL injection payloads, clean and curate them, break them into keywords and find the best relation between them to be able to get new and valuable insights.

Speakers
Or Katz

Researcher, Akamai Technologies
Or Katz is a security veteran with years of experience at industry-leading vendors, and currently serves as principal lead security researcher for Akamai. Katz is a frequent speaker at security conferences and has published numerous articles, blogs and white papers on threat intelligence...


Friday September 24, 2021 10:00am - 10:30am EDT
On-Line

10:00am EDT

Agile Threat Modeling with Open-Source Tools
Abstract:
How can we quickly capture the risk landscape of agile projects to ensure we didn't miss an important thing? Traditionally, this happens in workshops with lots of discussion and model work on the whiteboard. It's just a pity that it often stops then: Instead of a living threat model, a slowly but surely eroding artifact is created, while the agile project evolves at a faster pace.

In order to counteract this process of decay, something has to be done continuously, something like "Threat-Model-as-Code" in the DevSecOps sense. The open-source tool Threagile implements the ideas behind this approach: Agile developer-friendly threat modeling right from within the IDE. Models editable in developer IDEs and diffable in Git, which automatically derive risks including graphical diagram and report generation with recommended mitigation actions.

The open-source Threagile toolkit runs either as a command line tool or as a full-fledged server with a REST API: given information about your data assets, technical assets, communication links, and trust boundaries as input in a simple-to-maintain YAML file, it executes a set of over 40 built-in risk rules (and optionally your custom risk rules) against the processed model. The resulting artifacts are diagrams, JSON, Excel, and PDF reports about the identified risks, their rating, and the mitigation steps, as well as the risk tracking state.

Agile development teams can easily integrate threat modeling into their process by maintaining a simple YAML input file about their architecture, and the open-source Threagile toolkit handles the risk evaluation.

Speakers
Christian Schneider

Freelancer, Christian Schneider
Christian has pursued a successful career as a freelance Java software developer since 1997 and expanded it in 2005 to include the focus on IT security. His major areas of work are penetration testing, security architecture consulting, and threat modeling. As a trainer, Christian...


Friday September 24, 2021 10:00am - 10:30am EDT
On-Line

10:30am EDT

OWASP Top 10 Flagship Project "Intro of Top 10"
Speakers
Andrew van der Stock

Executive Director, OWASP Foundation
Andrew is a seasoned web application security specialist and enterprise security architect. He is the Executive Director at OWASP, taking the Foundation through organizational change and taking our mission to the next level. Andrew has worked in the IT industry for over 25 years...


Friday September 24, 2021 10:30am - 11:00am EDT
On-Line

10:30am EDT

What Shall We Do With a Vendor SBOM?
The development and adoption of a Software Bill of Materials (SBOM) got a welcome boost from the White House’s Executive Order. Teams who have been working on this for years are addressing generation, standards, use cases, and more. Once they’re ready for consumption, though, what should an organization plan to do with them? Somebody set us up the SBOM, now what?

Speakers
Wendy Nather

Head of Advisory CISOs, Cisco
Wendy Nather leads the Advisory CISO team at Cisco. She was previously the Research Director at the Retail ISAC, and Research Director of the Information Security Practice at 451 Research. Wendy led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation...


Friday September 24, 2021 10:30am - 11:00am EDT
On-Line

10:30am EDT

OWASP ESAPI – A Retrospective: The Good, the Bad, & the Ugly
Abstract:
This talk will explore the lessons that I have learned in more than 20 years of developing, using, and reviewing FOSS-based security libraries. It will cover the well-known XYZ library from both an open source development process and a technical architectural perspective.

Speakers
Kevin Wall

Sr. Application Security Engineer, Guaranteed Rate
I have been involved in application security for almost the past 20+ years, but I still consider myself a developer first and an AppSec engineer second. During most of those past 20 years, I have specialized in applied cryptography and web AppSec. Before transitioning to AppSec, I...


Friday September 24, 2021 10:30am - 11:00am EDT
On-Line

10:30am EDT

Your code might be secure, but what about your pipeline? Challenges of securing build/deployment environment.
Abstract:
Traditionally, Change Management is a very well-defined process. You can find hundreds of articles on the Internet explaining how each change should be properly requested, developed, tested and approved before being moved to the production environment.

Obviously, each of these steps requires documentation and formal approval (sign-off) from the appropriate person. This process gave security engineers several chances to ensure that changes do not introduce any new vulnerabilities and that the infrastructure to which the application is deployed is hardened and patched.

Security around the Change Management process gets a little bit more complicated for agile software development and DevOps methodologies, where tens of small changes are introduced every day. Each of these small changes is automatically tested from various perspectives and, if everything goes as expected, it gets deployed to the environment of your choice without human intervention.

Without any manual review in place, change management and security controls rely heavily on the fact that:

- humans cannot access sensitive environments in an uncontrolled manner
- application and infrastructure code is independently reviewed to avoid unauthorized changes and detect flaws
- pre-approved and verified artifacts are used while building applications to decrease the risk of insecure dependencies or malicious artifacts
- automated tests are performed by the pipeline to detect defects or security issues

It goes without saying that the ability to circumvent any of the above-mentioned controls may introduce unauthorized changes and security issues to the application.

This presentation will describe an often ignored area of application security: the security of the development environment. The presenter will share some common misconfigurations of the build/deployment environment which can have a significant negative impact on source code integrity and, as an ultimate result, on the security of the application itself.

Speakers
Marcin Szydłowski

InfoSec Manager, PMI
Cyber Security enthusiast familiar with application security from both offensive and defensive perspective. As currently responsible for secure implementation of information systems in a global company, Marcin is able to share his experiences on secure system development in an environment...


Friday September 24, 2021 10:30am - 11:00am EDT
On-Line

11:00am EDT

Break
Friday September 24, 2021 11:00am - 11:30am EDT
On-Line

11:30am EDT

AppSec: from Outsiders to Allies
AppSec’s roots began with late 90’s vulnerability research and the ultimate technology outsiders, hackers. Microsoft didn’t even want to touch application security until customers threatened to stop buying over the monthly worms of the early 2000s. Then the threat space changed and attacks weren’t just done for fun, but done by criminal gangs and nation states. Critical bugs were monetized in the millions of dollars and led to national level security events. In 2021 there is a realization that the security of the software the government purchases has a lot to do with how secure the government is. Now almost every development team needs some AppSec and they want it tightly embedded in their development process. This talk will discuss how we got here and how we need to work as allies with the software development team.

Speakers
Chris Wysopal

Chief Technology Officer, Veracode
Chris Wysopal, Veracode's CTO and co-founder, is responsible for the company's software security analysis capabilities. One of the original vulnerability researchers and a member of L0pht Heavy Industries, he has testified on Capitol Hill in the US on the subjects of government computer...


Friday September 24, 2021 11:30am - 12:30pm EDT
On-Line

12:30pm EDT

OWASP CSRFGuard Flagship Project
Speakers
Azzeddine Ramrami

Senior Security Architect, IBM Security

Albert-Tóth István

DevSec Education Head, ProjectDiscovery.io
István is a developer advocate with a main focus on application security. He comes from an enterprise software development background, but to follow his passion he transitioned to the open-source world. István is the creator and maintainer of the 4.x version of the CSRFGuard project...


Friday September 24, 2021 12:30pm - 1:00pm EDT
On-Line

12:30pm EDT

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security
Speakers
Dan Cornell

VP of Product Strategy, Coalfire
A globally recognized software security expert, Dan Cornell has over 20 years of experience architecting, developing and securing software systems. As Vice President of Product Strategy at Coalfire, Dan works with customers and industry partners to help drive the direction of their...


Friday September 24, 2021 12:30pm - 1:00pm EDT
On-Line

12:30pm EDT

The future of Dev[Sec]Ops transformation
Speakers
Larry Maccherone

DevSecOps Transformation, Contrast Security
Larry is a thought leader on DevSecOps. At Comcast, he launched and scaled the DevSecOps Transformation program over five years, and is now at Contrast helping organizations empower development teams to take ownership of security. Larry was a founding Director at Carnegie Mellon's...


Friday September 24, 2021 12:30pm - 1:00pm EDT
On-Line

12:30pm EDT

Common NGINX Misconfigurations That Leave Your Web Server Open To Attack
Abstract:
NGINX is the web server powering one-third of all websites in the world. Detectify's Security Research team analyzed almost 50,000 unique NGINX configuration files downloaded from GitHub with Google BigQuery and discovered common misconfigurations that, if left unchecked, leave your web site vulnerable to attack. This training will walk through the most common issues, including demos and remediation tips for securing your web servers.

Speakers
Spencer Pearlman

Security Research at Detectify, Detectify
Spencer Pearlman is a Security Researcher with Detectify. His past experience includes Security Analyst work with NBCUniversal, iOS engineering for an AR startup based in LA and he likes Bitcoin... like probably too much. The Detectify Security Research team is led by Tom "TomNomNom...


Friday September 24, 2021 12:30pm - 1:00pm EDT
On-Line

1:00pm EDT

OWASP Application Security Verification Standard (ASVS) Flagship Project
Speakers
Andrew van der Stock

Executive Director, OWASP Foundation
Andrew is a seasoned web application security specialist and enterprise security architect. He is the Executive Director at OWASP, taking the Foundation through organizational change and taking our mission to the next level. Andrew has worked in the IT industry for over 25 years...

Jim Manico

CEO and Application Security Architect, Manicode Security


Friday September 24, 2021 1:00pm - 1:30pm EDT
On-Line

1:00pm EDT

Everything You Always Wanted to Know About Fingerprinting Browser Extensions, But Were Afraid to Ask
Abstract:
More and more users are finding out about browser fingerprinting and how trackers can use it to supplement or altogether replace cookie-based tracking. In this talk, we will explore the landscape of a specific kind of browser fingerprinting, namely browser-extension fingerprinting. Since users explicitly choose which extensions to install, the discovery of a user's extensions can reveal sensitive socioeconomic properties about that user, such as their level of income, their political leanings, their technical expertise, and even their religion. Moreover, since different users install different sets of browser extensions, the set of extensions of a given user can be straightforwardly turned into that user's fingerprint. We will go over the different techniques that are available for fingerprinting browser extensions (including web-accessible resources, DOM modifications, stylesheet hijacking) and what modern browsers are doing in order to protect their users against fingerprinting.

Speakers
Nick Nikiforakis

Associate Professor, Stony Brook University
Dr. Nick Nikiforakis (PhD'13) is an Associate Professor in the Department of Computer Science at Stony Brook University. He leads the PragSec Lab, where his students conduct research in cyber security, with a focus on web security, web privacy, DNS security, attack-surface reduction...


Friday September 24, 2021 1:00pm - 1:30pm EDT
On-Line

1:00pm EDT

AppSec Timeline: Wins, Failures, Promises, and Predictions
Abstract:
On its 20th anniversary, the AppSec marketspace can boast an impressive, multi-billion-dollar size. Yet after 20 years, other security markets, such as Network Security, are much larger. On one hand, DevSecOps signifies a broad adoption of AppSec. Yet on the other hand, the stubborn statistics show that the percentage of critical vulnerabilities in our applications is pretty much the same as 20 years ago. AppSec history has been anything but a triumph. Are we on the path to triumph now? What trends give us clues to the future of AppSec? In this presentation, we will review wins and failures of AppSec over the last 20 years, analyze their causes and consequences, inspect promises, and set up predictions for the years to come.

Speakers
Joseph Feiman

Chief Strategy Officer, NTT Application Security
Joseph Feiman is widely credited with co-founding and shaping the AppSec marketspace. He gave names to the major AppSec technologies, such as SAST, DAST, IAST, SCA, and RASP. As Gartner Fellow and lead AppSec analyst, he founded the AppSec Testing Magic Quadrant, ranked vendors, evolved...


Friday September 24, 2021 1:00pm - 1:30pm EDT
On-Line

1:00pm EDT

Unlocking Mobile App Security Secrets
Abstract:
Mobile game cheats have become widely accessible. Whether in the form of walking through walls in games like Among Us, bypassing payments or installing paid apps for free, cheats are now common practice.

In this presentation, we explore the underlying techniques used to hack and cheat popular games and discuss how the techniques apply across all industries.

We highlight the top three most common areas of compromise, identify several countermeasures for each area, and include concrete tips for implementing them successfully in your iOS or Android app.

The key takeaway? The same key principles we use to counter game cheats and hacks can be used to protect all types of mobile applications – from healthcare, to e-commerce, to banking and beyond!

Speakers
Jan Seredynski

Mobile Application Security Engineer, Guardsquare
Jan Seredynski is a mobile security researcher and pentester with more than five years of experience in mobile app development. He has advised the top UK banks on secure architecture and anti-tampering techniques. Having reverse engineered and analyzed over 1,300 apps, he has given...


Friday September 24, 2021 1:00pm - 1:30pm EDT
On-Line

1:30pm EDT

OWASP DefectDojo Flagship Project
Speakers
Matt Tesauro

Engineer, NoName Security
Matt Tesauro is a DevSecOps and AppSec guru with specialization in creating security programs, leveraging automation to maximize team velocity and training emerging and senior professionals. When not writing automation code in Go, Matt is pushing for DevSecOps everywhere via his involvement...

Aaron Weaver

Director of Cloud Security, Financial Services


Friday September 24, 2021 1:30pm - 2:00pm EDT
On-Line

1:30pm EDT

How To Review Code For Vulnerabilities
Abstract:
Performing a source code review is one of the best ways to find security issues in an application. But how do you do it?

First, what are the main concepts that you should be familiar with before diving into code review? And where do you even start reviewing code? What strategies are there to identify different types of vulnerabilities? Are there any ways to automate the process?

In this talk, I will go through the basics of how to review an application’s source code to find vulnerabilities and introduce some strategies to review your application. You will also get the chance to practice reviewing a few pieces of code yourself. By the end of this presentation, you should be able to start identifying vulnerabilities in your applications!

Speakers
Vickie Li

Developer Evangelist, ShiftLeft Inc
Vickie Li is the resident developer evangelist at ShiftLeft. She is an experienced web developer with an avid interest in security research. She can be found on https://vickieli.dev, where she blogs about security news, techniques, and her latest bug bounty findings. She also hosts...


Friday September 24, 2021 1:30pm - 2:00pm EDT
On-Line

1:30pm EDT

Looking at 4 years of web honeypot attacks: tactics, techniques and trends
Abstract:
We’ve collected over 9 million events from hundreds of web honeypots around the world for the past 52 months. This session will present the results of our analysis of that data to help answer the question: what attacks should I expect?
Using this honeypot data, we’ve been able to identify specific CVEs being targeted in large global attack campaigns. From this, we have clues about attacker tactics: which platforms and technologies receive attention time after time, and which fade from use. This kind of data is vital in building a data-driven defense.
Attendees will also learn what kinds of attacks are commonplace on the Internet, so the ones targeting them uniquely will stand out. We will explain techniques to investigate and classify web attack log traffic at scale.
To quote Deming: In God we trust. Everyone else, bring data. We’re bringing the data.

Speakers
Malcolm Heath

Senior Threat Researcher, F5, Inc.
Malcolm Heath is a Senior Threat Researcher with F5 Labs. His career has included incident response, program management, penetration testing, code auditing, vulnerability research, and exploit development at companies both very large and very small. Prior to joining F5 Labs, he was...

Raymond Pompon

Director F5 Labs, F5 Networks
Raymond Pompon is currently the Director of F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber‐crime investigations. He has been directly involved in several major intrusion cases including the FBI undercover...


Friday September 24, 2021 1:30pm - 2:00pm EDT
On-Line

1:30pm EDT

Common Application Security Mistakes that Enable Automated Attacks
Abstract:
Our customers are constantly battling automated attacks against their applications. Retail fraud, romance scams, account takeover and many other problems can arise from simple security mistakes. In this talk I take a look at billions of transactions and break down the mistakes that allowed automated attacks to flourish, and how we stopped them.

Speakers
Jason Kent

Hacker In Residence, Cequence Security
For over the last 20 years, Jason has been ethically peering into client behavior, wireless networks, web applications, APIs and cloud systems, helping organizations secure their assets and intellectual property from unauthorized access. As a consultant he's taken hundreds...


Friday September 24, 2021 1:30pm - 2:00pm EDT
On-Line

2:00pm EDT

OWASP Cheat Sheet Series Flagship Project
Speakers
Jim Manico

CEO and Application Security Architect, Manicode Security


Friday September 24, 2021 2:00pm - 2:30pm EDT
On-Line

2:00pm EDT

Fight Club | Grow your OWASP Chapter
So you want to organize like-minded people to focus on open-source software. You’re looking for tips, tricks and suggestions. Join this session to learn from two decades of experience. During the session, we will discuss various chapters around the world and what has made them succeed or fail.

Speakers
Sam Stepanyan

OWASP London Chapter Leader, OWASP London
Sam Stepanyan (@securestep9 on Twitter) is an OWASP London Chapter Leader and an Independent Application Security Consultant with over 20 years of experience in the IT industry with a background in software engineering and web application development. Sam has worked for various financial...

Tom Brennan

Managing Partner, ProactiveRISK
Tom Brennan is the CIO of a 90-year-old law firm, a partner in a cybersecurity solutions company, and leads the U.S. arm of CREST International. In this role, he works with government and commercial organizations to optimize the value of CREST as a cybersecurity accreditation body...


Friday September 24, 2021 2:00pm - 2:30pm EDT
On-Line

2:00pm EDT

Bot or human? Detecting malicious bots with machine learning in 2021
Abstract:
Detecting malicious bots has become an extremely complex task. Bot developers deliberately design their software to bypass bot detection systems. They attack from perfect browsers and mobile apps, leveraging exactly the same browsers as humans or headless browsers like Headless Chrome. They know how to forge attributes that are commonly used for bot detection: they manipulate HTTP headers, their values and their order, and change their browser fingerprints. Bad bots are also distributed in extremely elaborate ways. Many use residential IPs with excellent reputations, and they make very few requests per IP — sometimes only one. Finally, the best bots perfectly mimic human behavior. For example, they can imitate realistic mouse movements and keystrokes, using generative adversarial networks.

So what does it take to efficiently distinguish advanced bots from real humans?

This talk will reveal the inner workings of a modern bot detection engine. We will see which signals are collected, and how they are enriched. We will discuss why it is mandatory to analyze both server-side and client-side signals. We will explore the challenges of authenticating good bots, and how to detect frameworks such as Puppeteer extra stealth, Playwright, Selenium and Headless Chrome. Finally, we will take a deep dive into machine learning approaches for bad bot detection, with a demonstration of how the respective strengths of supervised and unsupervised machine learning can be combined for maximum predictive accuracy.

Outline:
1. Intro: What does a bad bot look like in 2021?
1.1. Bots use perfect browsers and apps
1.2. Bots attack from clean IP addresses
1.3. Bots run on real devices
1.4. Bots behave like humans

2. Overview of current bot detection techniques
2.1. Signals: why you need both server-side and client-side signals
2.2. IP reputation: how to extract valuable data from the humble IP address
2.3. So you say you’re Google? Authenticating good bots
2.4. Signature-based detection for simple bots
2.5. Detecting advanced bots with machine learning

3. Deep dive: Machine learning approaches for bot attack detection
3.1. Detecting proxies, forged headers, URL browsing, and more with supervised ML
3.2. Detecting Captcha farms with semi-supervised ML
3.3. Outlier detection with unsupervised ML
3.4. Detection techniques for single-request attacks

4. Feedback loops: managing false positives and preserving the human user experience

Speakers
Benjamin Fabre

CTO, DataDome
Benjamin is the CTO of DataDome, co-founded with Fabien Grenier in 2015. A serial entrepreneur, he has specialized, over the past 15 years, in scalable web infrastructures, AI-powered data stream processing and SaaS technologies. TrendyBuzz, his previous company, was acquired in 2014...

Antoine V

Head of Research, DataDome
Antoine Vastel is Head of Research at DataDome, overseeing the Threat Research team. In this role, he focuses on improving DataDome's real-time bot detection engine through different approaches, such as behavioral detection, HTTP/browser fingerprinting, (Residential) proxies/Infected...


Friday September 24, 2021 2:00pm - 2:30pm EDT
On-Line

2:00pm EDT

Kubernetes Security: Attacking and Defending K8s Clusters
Abstract:
This presentation talks about different attack scenarios leveraging Kubernetes clusters. We'll dig deeper into a real-world attack scenario using real-world applications to demonstrate different ways attackers and malicious users can exploit your cluster and the applications running on it. But first, we’ll give an overview of Kubernetes and its architecture, covering the main components of the Control Plane and the Worker Nodes. Then, we'll use the K8s Threat Matrix and the MITRE ATT&CK for Containers published this year to discuss the Tactics, Techniques and Procedures of the Recon, Exploitation and Post-Exploitation phases. After that, we'll provide some best practices for securing your cluster based on the scenarios and the CIS Benchmarks for Kubernetes. We'll show how to use Role-based access control (RBAC) for access control, how to enable audit logs for security and troubleshooting, and we'll set up some network policies to restrict communication between pods and prevent lateral movement by attackers.

Speakers
Magno Logan

Information Security Specialist, Trend Micro
Magno Logan works as an Information Security Specialist for Trend Micro. He specializes in Cloud, Container, and Application Security Research, Threat Modelling, and Red Teaming. In addition, he has been tapped as a resource speaker for numerous security conferences around the globe...


Friday September 24, 2021 2:00pm - 2:30pm EDT
On-Line

2:30pm EDT

OWASP Amass Flagship Project
Speakers
Jeff Foley

Senior Security Engineering Officer
Jeff is the Project Leader for Amass, an OWASP Foundation flagship project that performs in-depth attack surface mapping and asset discovery. He is also an Adjunct Lecturer teaching Penetration Testing and Cloud Security at the State University of New York Polytechnic Institute. Previously...


Friday September 24, 2021 2:30pm - 3:00pm EDT
On-Line

2:30pm EDT

Automate Security, Don't Tell Your Boss
This talk shares the lessons learned from multiple security automation efforts and the key elements needed to be successful. Success across multiple dimensions is covered, including increasing team throughput and engaging and supporting external teams. The idea is to give those attending a leg up on starting a security automation program and allow them to skip some painful lessons. Instead, they can focus on getting the key pieces in place and reaping the rewards of security automation quickly. Several real-world examples (and metrics) will be provided to demonstrate why you want to start a security automation journey right away.

Speakers
Matt Tesauro

Engineer, NoName Security
Matt Tesauro is a DevSecOps and AppSec guru with specialization in creating security programs, leveraging automation to maximize team velocity and training emerging and senior professionals. When not writing automation code in Go, Matt is pushing for DevSecOps everywhere via his involvement...


Friday September 24, 2021 2:30pm - 3:00pm EDT
On-Line

2:30pm EDT

The future is simple - introducing the CRE
Abstract:
This presentation marks the official go-live of the Common Requirement Enumeration initiative, as an interactive linking platform across standards and guidelines.
Software is becoming more important for us every day, and at the same time software security is complex and not getting any easier. This is our calling as appsec professionals. To deal with this, we have built great tools and helpful standards and guidelines. But because there is no single silver bullet, we now face the big challenge of combining all these separate solutions into an integrated approach – to make it easier for the experts, but above all: to bring application security within reach of a larger group of people. This is essential because the shortage of application security superheroes is not expected to go away. Therefore, the key to a secure future is to make appsec more accessible. More simple.
Unfortunately, making things simple is not easy. Within OWASP, an initiative to drive integration was started in 2020, with the Integration Standards project. Its goal is to link and align key standards (OWASP and others), by providing a unified framework to attain more consistency, completeness, overview and clarity.
One of the results has been the AppSec Wayfinder: an interactive map of the key OWASP projects.
Another, more substantial effort is the Common Requirement Enumeration (CRE): a semantic web that links standards at the level of topics, within OWASP and beyond (NIST, PCI-DSS, ISO/IEC, MITRE, CIS, etc.). The CRE ties all standards and guidelines together and allows people to jump from source to source to learn more on a specific subject. For example, the CRE links an ASVS check to the corresponding Testing Guide section, with the right Cheat Sheet, Proactive Control and Top 10 entry.
This meta-mapping is self-maintaining, so when standards refer to other standards using the CRE, those links will automatically stay up to date. The important side-effects of this integration are increased consensus, more clarity and a mutual understanding of what application security is for developers, ops, testers, security teams, management, procurement and other stakeholders, across domains. No more silos. The future is simple.
This presentation officially launches the CRE, discusses the extensive research that has been done on the landscape of appsec standards and describes how alignment is created through the unified CRE framework - positioning OWASP as a driver of community-based global consensus.

Speakers
Rob van der Veer

Principal consultant, Software Improvement Group
Rob van der Veer has a 25-year background in building secure software and running software businesses. Cyber security and privacy have been constant themes in his career, from hacking into the British RAF in 1986, to building AI solutions for national security. Rob is the principal...

Spyros Gasteratos

AppSec Tech Lead Manager, Thought Machine
Spyros has been helping developers ship secure code for 10 years. He has been an OWASP volunteer since 2012 and he is currently the Product Security lead in the fintech company Thought Machine. He contributes to several Open Source projects including the security automation framework...


Friday September 24, 2021 2:30pm - 3:00pm EDT
On-Line

2:30pm EDT

Automated Finding Correlation: where do SAST, DAST and IAST overlap?
Abstract:
Did you ever wonder what the overlap is between different scanning technologies? Why should you use several different technologies, and is there a single technology to rule them all?
Well, we did wonder about this exact topic and decided to once and for all find an answer.
We knew that the information included in an IAST finding can be used to uniquely identify issues reported by DAST and SAST. We have built an automated correlation service that goes over vulnerabilities reported by the three technologies and automatically matches findings.
In this session, you will learn about our findings. Did we find a significant overlap? Which issue types are more commonly detected by one technology than the others? And is there one technology to rule them all?
You will also learn about the value such correlation brings, whether you are a developer or a security expert, and how using more technologies can actually reduce your work and shorten the time to remediation.

Speakers
Ran Klein

Product Manager, HCL Technologies
Ran started his professional journey in the IDF Unit 8200. Since then, he has had the opportunity to act as a developer, product manager, and entrepreneur in the cyber and analytics domains. Today Ran is leading AppScan's IAST technology both as a stand-alone AST solution and as a...

Eitan Worcel

Head of Product, AppScan, HCL
Eitan has nearly 15 years of experience in Application Security, both as a developer and as a product manager in HCL AppScan's product suite. He has worked with a wide range of customers, assisting them in their quests to build secure web applications. Eitan now leads HCL AppScan’s...


Friday September 24, 2021 2:30pm - 3:00pm EDT
On-Line

3:00pm EDT

Break
Friday September 24, 2021 3:00pm - 3:30pm EDT
On-Line

3:30pm EDT

20:20 - The History and Future of OWASP
20 years ago I was moderating the webappsec mailing list on SecurityFocus and had just started a new job running application security at Charles Schwab, when the CIO came running down the hall demanding to speak to the new guy. He wanted to know why we were in the Wall Street Journal and what I was going to do about it. I felt like I had been framed. After fending off ambulance chasers and wading through marketing “bull shiitake” from vendors, I realized there was a gap that needed to be filled. OWASP was born. No real plan, no real goal, armed with just a belief that the world needed better information, I sent out a call to action for like-minded people to get involved. The rest, as they say, is history. Looking back, it’s been an amazing success story of a community that has had a significant positive impact on the world during a time when development technology and the threat landscape have changed beyond recognition. What was critical to OWASP’s success and how should it evolve over the next 20 years? We will take a walk down memory lane, stargaze into the future and leave with an updated call to action for the next twenty years.

Speakers
Mark Curphey

Co-Founder and CTO, Open Raven
Mark is the founder of OWASP, founder and CEO of SourceClear (acquired by Veracode in 2018) and now the co-founder of Open Raven (https://www.openraven.com), a data security company. He is a British ex-pat currently living in San Francisco and usually found riding a bicycle.


Friday September 24, 2021 3:30pm - 4:30pm EDT
On-Line

4:30pm EDT

OWASP Dependency Track Flagship Project
Speakers
Steve Springett

Senior Manager - Product Security, ServiceNow
Steve educates teams on the strategy and specifics of developing secure software. He practices security at every stage of the development lifecycle by leading sessions on threat modeling, secure architecture and design, static/dynamic/component analysis, offensive research, and defensive...


Friday September 24, 2021 4:30pm - 5:00pm EDT
On-Line

4:30pm EDT

Security Chaos Engineering - Turning the Tide in the War on Uncertainty in Cyber Security
Hope isn’t a strategy. Likewise, perfection isn’t a plan. The systems we are responsible for are failing as a normal function of how they operate, whether we like it or not, whether we see it or not. Security chaos engineering is about increasing confidence that our security mechanisms are effective at performing under the conditions for which we designed them. Through continuous security experimentation, we become better prepared as an organization and reduce the likelihood of being caught off guard by unforeseen disruptions. Security Chaos Engineering serves as a foundation for developing a learning culture around how organizations build, operate, instrument, and secure their systems. The goal of these experiments is to move security in practice from subjective assessment to objective measurement. Chaos experiments allow security teams to reduce the “unknown unknowns” and replace “known unknowns” with information that can drive improvements to security posture. During this session Aaron Rinehart, the O’Reilly author and pioneer behind Security Chaos Engineering, will share how you can implement Security Chaos Engineering as a practice at your organization to proactively discover system weaknesses before a malicious adversary can take advantage of them. In this session Aaron will introduce a new concept known as Security Chaos Engineering and share some best practices and experiences in applying the emerging discipline to create highly secure, performant, and resilient distributed systems.

Speakers
Aaron Rinehart

CTO & Co-Founder, Verica.io
Aaron has been expanding the possibilities of chaos engineering in its application to other safety-critical portions of the IT domain, notably cybersecurity. He began pioneering the application of security in chaos engineering during his tenure as the Chief Security Architect at the...


Friday September 24, 2021 4:30pm - 5:00pm EDT
On-Line

4:30pm EDT

Decoded: Leverage Cybersecurity as a Business Enabler
Speakers
Nicole Dove

Business Information Security Officer, WarnerMedia
Nicole Dove is a cybersecurity leader, speaker, university lecturer & host of the Urban Girl Corporate World podcast. As Business Information Security Officer at WarnerMedia, she collaborates with executives to manage the cybersecurity strategies of CNN Digital, Turner Sports, Bleacher...


Friday September 24, 2021 4:30pm - 5:00pm EDT
On-Line

4:30pm EDT

Creating an IoT-connected Mobile App Compliance Program Leveraging OWASP MASVS
Abstract:
The OWASP MASVS specification is the ultimate guide for mobile app security. In late 2020, Google, NowSecure, Amazon and other IoT device manufacturers, as part of the ioXt Alliance, partnered to create a mobile app protection profile specifically for security certification of mobile apps connected to IoT devices. From the start, the team of security veterans, who were well versed in the OWASP MASVS, sought to build upon the OWASP community's work - with a specific focus on the unique needs of IoT-connected mobile apps. The outcome of this fast work launched in April 2021 with numerous IoT manufacturers already certified. Join this session, led by Brooke Davis of the Google Android Security Team and Brian Reed, Chief Mobility Officer at NowSecure, to learn the inside story of the journey of creating this unique certification program and how to create your own security testing program for mobile apps connected to things.

Speakers
Brian Reed

Chief Mobility Officer, NowSecure
As Chief Mobility Officer, Brian Reed leads the mobile DevSecOps charge at NowSecure, helping orgs deliver secure mobile apps faster. He brings decades of experience in mobile, apps, security, dev, operations and standards, helping Fortune 2000 global customers and mobile DevSecOps...


Friday September 24, 2021 4:30pm - 5:00pm EDT
On-Line

5:00pm EDT

OWASP Top 10 Flagship Project "The making of the OWASP Top 10 and beyond"
Ever wonder how the bread is made? We'll take you back into the kitchen so you can see how the Top 10 2021 was made. We'll walk through the process, which decisions were made and why, covering data collection, the survey, data analysis, categorization, drafts, reviews, and the released product. This talk is not about what's in the Top 10; check out the earlier talk for that discussion. This talk is about what went into making the Top 10 2021.


Speakers
Brian Glas

Assistant Professor Of Computer Science, Union University
Brian has over 20 years of experience in various roles in IT and over a decade and a half of that in application development and security. His day job is serving as an Assistant Professor teaching a full load of Computer Science and Cybersecurity classes at Union University. He helped...


Friday September 24, 2021 5:00pm - 5:30pm EDT
On-Line

5:00pm EDT

Achieving Security by Shifting Left in Agile
We owe it to ourselves to ingrain application security in the software development life cycle (SDLC) to prevent breaches and loss of lives. Agile software development is prevalent in our industry. The backbone of the agile practice is a backlog of stories grouped as an epic, which is subsequently implemented as a set of features and stories. A holistic approach to building a secure web application is to include security-related personas (actors) and develop stories (use cases) with respect to these personas. A typical set of security personas includes a hacker, a security engineer representing the functional security requirements, industry compliance such as PCI, local and federal Government standards, as well as any international mandates like GDPR. Once identified, these stories are prioritized in order of threat using the STRIDE method. They are then developed like any other stories (functional and UX) and validated at different stages using standard practices such as code review, static and dynamic code analysis and penetration testing. By enabling this approach, we are truly shifting security left in software development and raising the level of confidence.
Using a web application under development, this paper will illustrate how to create application security stories related to the personas, develop acceptance criteria, establish test cases, identify different types of testing at various stages in the SDLC, and create and execute a test plan. It will also discuss the processes and the tools to achieve a high-confidence secure application. The audience will learn:
1. How to create a set of stories for security-related personas
2. How to build acceptance criteria, security controls, test cases including negative testing, and a test plan
3. How to use tools at different stages of the life cycle and how to use the results from these tools to make testing even more efficient
4. How to create an overall more secure web application

Speakers
Bhushan B Gupta

Principal Consultant, Gupta Consulting LLC.
Bhushan Gupta, Principal consultant at Gupta Consulting LLC, is passionate about development methods and tools that yield more secure web applications, especially in the agile software development environment. He has a keen interest in understanding and applying fundamental...


Friday September 24, 2021 5:00pm - 5:30pm EDT
On-Line

5:00pm EDT

Developers Struggle with Application Security (and How to Make It Better)
Abstract:
We’ve all heard the buzz around pushing application security into the hands of developers, but if you’re like most companies, it has been hard to actually make this a reality. You aren’t alone - putting the culture, processes, and tooling into place to make this happen is tough. Join StackHawk CSO Scott Gerlach as he shares his triumphs and failures while building DevSecOps practices and tools at companies such as GoDaddy, SendGrid, and Twilio. Dig into specific reasons why developers struggle with AppSec and what you can do to make it work better. Whether you’re a seasoned DevSecOps pro or just starting out, this will be an entertaining (and judgement-free!) talk you won’t want to miss!


Speakers
Scott Gerlach

Co-Founder and Chief Security Officer, StackHawk
Scott Gerlach is Co-founder and Chief Security Officer at StackHawk, a Denver-based startup focused on empowering engineers to easily identify and remediate security bugs. Scott brings over two decades of security and engineering experience to his current role, having served as CSO...


Friday September 24, 2021 5:00pm - 5:30pm EDT
On-Line

5:30pm EDT

OWASP Dependency-Check Flagship Project
Speakers
Jeremy Long

Principal Engineer
Jeremy Long is a principal engineer at a large financial institution. He specializes in securing the SDLC via secure development training, software testing, tooling for early identification in build pipelines, etc. He has a deep understanding of static analysis and software composition...


Friday September 24, 2021 5:30pm - 6:00pm EDT
On-Line

5:30pm EDT

These are the Vulns You are Looking For: AppSec Champions & Jedi Mind Tricks
Abstract:
AppSec champions program exist in virtually every organization that builds a ton of software and is security paranoid.   These programs use informal influence and the art of persuasion to get software developers to write more secure applications.  Many programs originate from the bottom up and lack strong organizational mandates – that’s where the Jedi Mind tricks come in.  

AppSec champions may be widely implemented, but in general there is a lack of data on what organizations are actually doing in the field. The results of a nine-month research survey attempt change that, with first-ever data of common denominators of leading-edge AppSec champions programs published. The structured research project involved 26 of the most innovative AppSec programs. Many, if not most, were operating in isolation with no benchmarking data or widely understood best practices.

This session will identify the common denominators that we observed in the survey respondents including emerging best practices around identification and recruiting of champions, how security organizations trained champions, and how they communicated with champions in the field. Finally, return on investment responses are included to provide insight into how organization are measuring success around their programs.

This data provides certain recommendations about how security leaders should further build these programs to get upstream of the “vulnerability production engine” that creates additional attack surface. An emphasis will be placed on how attendees can take the survey results and use them for further justification for their own programs.

We’re not remotely close to solving the secure development problem. AppSec champions help win the hearts and minds of developers, who are ultimately the ones who solve this issue. The hope is that, armed with AppSec champions numbers and best practices, attendees will be better equipped to help their development colleagues via AppSec champions programs.

Speakers

John Dickson

VP, Coalfire
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group... Read More →


Friday September 24, 2021 5:30pm - 6:00pm EDT
On-Line

6:00pm EDT

OWASP CycloneDX Flagship Project
Speakers

Steve Springett

Senior Manager - Product Security, ServiceNow
Steve educates teams on the strategy and specifics of developing secure software. He practices security at every stage of the development lifecycle by leading sessions on threat modeling, secure architecture and design, static/dynamic/component analysis, offensive research, and defensive... Read More →

Patrick Dwyer

OWASP CycloneDX SBOM Project Lead
Patrick is the software development lead for a Government organisation in Australia. He also works on the OWASP CycloneDX SBOM Standard Core Working Group.


Friday September 24, 2021 6:00pm - 6:30pm EDT
On-Line

6:00pm EDT

Running a local Chapter
Abstract:
In this non-technical talk, we'll discuss the behind-the-scenes life of a chapter President: Getting speakers, volunteers, sponsors, running meetups, venues, coordination with the OWASP foundations, allocating funds, attracting an engaged audience all while increasing revenue and having fun.

Speakers

Serge Borso

CEO, SpyderSec
When it comes to web application security and penetration testing, Serge is among the best possible instructors to learn from due to his experience, accomplishments, and, quite frankly, his personality. Duplicate badges to walk right through security and access a "secure" facility... Read More →


Friday September 24, 2021 6:00pm - 6:30pm EDT
On-Line

6:30pm EDT

All your Ether belong to us (a.k.a Hacking Ethereum-based DApps)
Abstract:
Blockchain technology is extremely fascinating. It has captured our imaginations because of its huge potential to revolutionize industries such as logistics, food safety, music, insurance, banking, and even voting systems; however, its adoption is still very scarce. The reason is simple: blockchains are complex for end users to use.

During recent years, decentralized applications (DApps) have been emerging as candidates to change the rules of the game, mainly because of their ease of use and capability to leverage the full power of blockchains. The big question is... are DApps really secure?

This presentation will show how Ethereum-based DApps work, the technology behind them and some of their most common vulnerabilities. The ultimate goal will be to understand how these applications are attacked and, especially, what to do to be protected.

Speakers

Luis Quispe Gonzales

Lead Offensive Security Engineer, Halborn
Luis Quispe Gonzales is Lead Offensive Security Engineer at Halborn, a blockchain-specialized cybersecurity company. He has more than 11 years of professional experience in cybersecurity consulting, with clients belonging to banking, finance, energy, and mass consumption sectors... Read More →


Friday September 24, 2021 6:30pm - 7:00pm EDT
On-Line

7:00pm EDT

Break
Friday September 24, 2021 7:00pm - 7:30pm EDT
On-Line

7:30pm EDT

Who Deserves Cybersecurity? Expanding Our Circle of Care
Speakers

Eva Galperin

Director of Cybersecurity, EFF
Eva Galperin is EFF's Director of Cybersecurity. Prior to 2007, when she came to work for EFF, Eva worked in security and IT in Silicon Valley and earned degrees in Political Science and International Relations from SFSU. Her work is primarily focused on providing privacy and security... Read More →


Friday September 24, 2021 7:30pm - 8:30pm EDT
On-Line

8:30pm EDT

Live Q&A Session

Speakers

Troy Hunt

Information Security Author & Instructor, Pluralsight
Troy Hunt is an Australian security researcher and founder of the data breach notification service, Have I Been Pwned. Troy has a background in software development specialising in information security and is a regular conference speaker and trainer. He regularly appears in the media... Read More →


Friday September 24, 2021 8:30pm - 9:00pm EDT
On-Line

8:30pm EDT

Security As Code - The New Model Of Achieving Security At Scale
Speakers

Dr. Chenxi Wang

Founder and General Partner, Rain Capital
Dr. Chenxi Wang is the Founder and General Partner of Rain Capital, a Silicon Valley-based venture fund focused on Enterprise Software and Cybersecurity investments. A well-known operator, technologist, and thought leader in the Cybersecurity industry, Dr. Wang is a member of the... Read More →


Friday September 24, 2021 8:30pm - 9:00pm EDT
On-Line

8:30pm EDT

Using binary search algorithms for blind SQL injection
Abstract:
When you started programming, did you ever wonder, "When will I use this in real life?" I remember my first programming courses, where they gave me exercises using techniques that I personally never thought I could apply to real life, much less to the world of pentesting. Then, while running some white-box tests, I found a manual blind SQL injection, but it was very slow, very tedious and, as you can imagine, very noisy. So I decided to apply this algorithm to my script, finding that all that knowledge was not in vain and that I could apply it in my day-to-day work. This is the story.

Speakers

Juan Pablo Quiñe Paz

Manager, Security Architect, BCP
Strategist specialized in Cybersecurity and Innovation, with more than 20 years of experience in the field, working for public and private companies, and providing various services for companies in areas such as Banking, Telecommunications, Energy and Health in several countries of... Read More →


Friday September 24, 2021 8:30pm - 9:00pm EDT
On-Line

9:00pm EDT

DevSecOps in 2031: How robots and humans will secure apps together
The year is 2031, how has software development and security evolved in the last decade? Are there any developers or security folks left? Have robots taken our jobs? Join this light-hearted talk and find out.

We will join Security Engineer Sam, who is responsible for securing a cutting-edge application for an upcoming fintech company in the year 2021. The app has just completed a major release and Sam is sharing her progress and learnings with her peers at a local OWASP meetup. After a night of celebration she wakes up and finds her future self jumping out of a time machine in her bedroom closet. Time-space paradoxes aside, the future of the world is at stake because hackers are threatening to hack the planet. There is a small task force that has been working for a decade on finding a way to finally solve secure software development, and they have done it! There is no time to waste: you are joining your future self to go to the year 2031 and learn what they have learned, to bring that knowledge back to the present and avoid the dark future from ever happening.

Speakers

Stefan Streichsbier

CTO, GuardRails
Stefan began his career in Security in 2003 and has since performed hard-core security testing across hundreds of corporate networks and business-critical applications. With the rise of Agile and DevOps Stefan has been focused on secure application development for web and mobile applications... Read More →


Friday September 24, 2021 9:00pm - 9:30pm EDT
On-Line

9:00pm EDT

Redefining Threat Modeling: Security team goes on vacation
Speakers

Jeevan Singh

Security Engineering Manager, Segment
Jeevan Singh is a Security Engineering Manager for Segment, where he is embedding security into all aspects of the software development process. Jeevan enjoys building a security culture within organizations and educating staff on security best practices. Jeevan is responsible for... Read More →


Friday September 24, 2021 9:00pm - 9:30pm EDT
On-Line

9:00pm EDT

Hack Your APIs in 15 Minutes or Less
Abstract:
This talk will discuss one of many methods that are used in the wild to target Shadow APIs and export large volumes of data with a few clicks of a button (or a few lines of Python code :). Attendees will learn about a very basic yet not-so-obvious problem in securing data, and how hackers are using creative methods to steal large volumes of data.

Speakers

Himanshu Dwivedi

Co-Founder and Chief Executive Officer, Data Theorem, Inc
Himanshu Dwivedi is the CEO of Data Theorem, Inc., an application security company focusing on API Security (RESTful & GraphQL), mobile apps (iOS & Android), Cloud Apps (Serverless), and Single Page WebApps (SPAs). Himanshu has been an avid start-up entrepreneur since 1999, where he... Read More →


Friday September 24, 2021 9:00pm - 9:30pm EDT
On-Line

9:30pm EDT

Back to Basics: Looking for subtle bugs in beginner programming constructs
In this talk, Cole will cover how some more subtle programming mistakes can end up becoming security issues. Authentication bypasses, injection, and more can simply stem from misunderstanding basic programming concepts like comparisons, conditionals, loops, and more.

Cole hopes that people will come away from this talk with a more thorough eye towards the basics, and how applying a critical security lens to the architecture of your code can help you find bugs.

Speakers

Cole Cornford

Senior SecOps Engineer, Lendi
Cole is a Senior SecOps engineer at Lendi, an Australian SaaS FinTech and also a security consultant for Telstra. Cole brings enthusiasm and engagement to his Application Security talks, always trying to make sometimes dry topics seem fun! Regularly appearing as a speaker at various... Read More →


Friday September 24, 2021 9:30pm - 10:00pm EDT
On-Line

9:30pm EDT

Security Metrics: Protecting Our Digital Assets of the Future
Abstract:
Caroline Wong, Chief Strategy Officer at Cobalt, holds deep-rooted expertise in information security. She began her security career about 15 years ago, leading security teams at eBay and Zynga. Since then, she has run a global product management team at Symantec, and has been a management consultant at an application security company called Cigital, which was later acquired by Synopsys.

In this talk, Caroline will discuss the different roles that people, processes, and technology play when it comes to securing the world’s digital assets of the future. In particular - Caroline will discuss security metrics, and the importance of establishing a framework to measure whether or not your organization’s cybersecurity program is accomplishing goals and maintaining compliance over time.

This past year has seen more vulnerabilities than ever before, bringing new and urgent challenges for security leaders to adapt to on a daily basis. Covid precipitated a virtually overnight shift to remote working, catching many organizations by surprise. In fact - the U.N. reported that cybercrime increased by 600% during the pandemic. Due to this rapidly changing environment, organizations’ security metrics must evolve quickly, yet sustainably, to meet the needs of evolving vulnerabilities and technology. Throughout Caroline’s talk, she will outline the evolution of security metrics, as well as how organizations can set a framework for successful monitoring in today’s cybersecurity world. Major points will include:

- Why effective security metrics focus less on the numbers and more on the overall stories and messages behind a program’s performance.
- Why every organization has to determine a budget when discussing how to invest in areas, such as data security, for the long run. For example, if you put a dollar toward an information security program - that means you’re not putting that same dollar into engineering, marketing, sales, or other areas that might be more clearly understood by an executive.
- Why security metrics provide quantifiable and qualitative insight into a security program’s performance, and can be an extremely valuable asset for security teams asking for additional investment and resources.

Security metrics, and how they can be implemented within an organization, is a topic that has fascinated Caroline since early on in her career, leading to ample research and exploration. In fact, Caroline wrote a book with McGraw Hill in 2011 entitled “Security Metrics: A Beginner’s Guide,” and plans to produce a new OWASP course about security metrics over the next few months.

Speakers

Caroline Wong

Chief Strategy Officer, Cobalt
Caroline Wong is the Chief Strategy Officer at Cobalt. As CSO, Caroline leads the Security, Community, and People teams at Cobalt. She brings a proven background in communications, cybersecurity, and experience delivering global programs to the role. Caroline’s close and practical... Read More →


Friday September 24, 2021 9:30pm - 10:00pm EDT
On-Line

10:00pm EDT

Purple Teaming with OWASP PurpleTeam
Abstract:
What is OWASP PurpleTeam?

PurpleTeam is a security regression testing CLI and SaaS targeting Web applications and APIs.
The CLI is specifically targeted at sitting within your build pipelines but can also be run manually.
The SaaS that does the security testing of your applications and/or APIs can be deployed anywhere.

Kim will briefly discuss the three-year journey that has brought PurpleTeam from a proof of concept (PoC) to where it is now.

An overview of the NodeJS micro-services with a pluggable tester architecture will be provided.

Why would I want it in my build pipelines?

In this section, Kim will discuss the problem that PurpleTeam solves, along with the cost savings of finding and fixing your application security defects early (as you're introducing them) as opposed to late (weeks or months later with external penetration testing) or not at all.

OK, I want it, how do we/I set it up?

Kim will walk you through all of the components and how to get them set up and configured.

Great, but what do the workflows look like?

Let's walk through the different ways PurpleTeam can be run and utilised, such as:

* Running purpleteam standalone (with UI)
* Running purpleteam from within your pipelines as a spawned sub process (headless: without UI)
* Running all of the PurpleTeam components, including debugging each and every one of them if and when the need arises

Speakers

Kim Carter

Purple Teaming with OWASP purpleteam
Technologist / Engineer, Information Security Professional, Entrepreneur and the founder of BinaryMist Ltd (https://binarymist.io/) and purpleteam-labs (https://purpleteam-labs.com). OWASP NZ Chapter Leader for Chch. Certified Scrum Master. Facilitator, mentor and motivator of cross... Read More →


Friday September 24, 2021 10:00pm - 10:30pm EDT
On-Line

10:00pm EDT

An Attackers View on APAC's 2021 Three Major Breaches
In this short presentation, Ric is going to cover the top three major breaches reported via Have I Been Pwned in the APAC region in 2021. The aim of this short presentation is to offer a summary of the publicly known information, where possible quickly cover how the attacks occurred, and provide some tips on how to prevent these types of attacks.

Speakers

Ric Campo

Chapter Leader, OWASP
Ric is a Senior Security Consultant; his focus is on offensive security and vulnerability management. Ric is an experienced penetration tester and blue teamer. Ric's experience includes the Defence, Aviation, Financial and Medical sectors. He leads the OWASP Sydney Chapter and helps... Read More →


Friday September 24, 2021 10:00pm - 10:30pm EDT
On-Line

10:30pm EDT

Birds & Buttons - Cyber Risk Success Criteria for Board & Executives
This session is a crash course for CISOs and cyber risk leaders. How do you give a cyber talk for non-cyber executives and the board? In this segment, Shamane Tan, author of ‘Cyber Risk Leaders: Global C-Suite Insights’, will walk through key extracts from her years of research and more than a thousand coffee meetings with CxOs from across the globe. Find out where Birds & Buttons fit in, as Shamane highlights key cyber risk success criteria for boards and executives.

Speakers

Shamane Tan

Chief Growth Officer, Privasec
As one of the most established women in the fields of technology and cybersecurity, Shamane Tan is the Chief Growth Officer at Privasec, leading the security outreach strategy with the C-Suite and executives. Recognised by IFSEC as one of the global top 20 cybersecurity influencers... Read More →


Friday September 24, 2021 10:30pm - 11:00pm EDT
On-Line

10:30pm EDT

Costly mistakes in serverless computing
Abstract:
Serverless computing has revolutionized cloud computing. It makes deploying code faster, cheaper, and more compact. Yet, with this convenience, we might be prone to making mistakes that weaken our cybersecurity posture. This presentation will highlight some costly mistakes to avoid when building our serverless applications.

Speakers

Miguel Calles

Principal Solutions and Security Engineer, VeriToll LLC
Miguel A. Calles is the author of the "Serverless Security" book and a Cybersecurity engineer who works on cloud computing projects. He has worked on multiple serverless projects as a developer and security engineer, contributed to open-source serverless projects, and worked on large... Read More →


Friday September 24, 2021 10:30pm - 11:00pm EDT
On-Line

11:00pm EDT

AWS (mis)configuration from an attacker’s-eye view
Kavisha is a Security Analyst by profession. She is a cloud security and machine learning enthusiast who dabbles in application and API security and is passionate about helping customers secure their IT assets. She spends time finding vulnerabilities and doing research on the same. She has been recognized by the Government of India for helping them secure their websites. She has also been listed among the top security researchers of the nation in a recent newsletter of NCIIPC RVDP.

She believes in giving back to the community and frequently finds audiences to talk to. She is also a cybersecurity speaker and loves to share her views on various infosec threads. She has spoken at various security events around the world, including Defcon Cloud Village, OWASP Bay Area, OWASP Sofia, Null Bangalore, BSides Noida, Infosec Girl, and so on.

Speakers

Kavisha Sheth

Security Analyst, Appsecco
Kavisha is a Security Analyst by profession. She is a cloud security and machine learning enthusiast who dabbles in application and API security and is passionate about helping customers secure their IT assets. She spends time finding vulnerabilities and doing research for... Read More →


Friday September 24, 2021 11:00pm - 11:30pm EDT
On-Line

11:30pm EDT

vAPI : Vulnerable Adversely Programmed Interface (OWASP API Top 10)
Abstract:
We have seen developers move from a traditional two-tier application architecture to a three-tier architecture, which involves an API talking to front-end and back-end services. The API used or developed might ease the development process, but a lot of vulnerabilities can come up if it is not developed or configured properly. vAPI is a Vulnerable Interface in a lab-like environment that mimics the scenarios from the OWASP API Top 10 and helps the user understand and exploit the vulnerabilities according to the OWASP API Top 10 2019. It might be useful for Developers as well as Penetration Testers to understand the types of vulnerabilities in APIs. The lab is divided into 10 exercises that sequentially demonstrate the vulnerabilities and give a flag if exploited successfully.

Speakers

Tushar Kulkarni

Security Developer, Holm Security
Tushar Kulkarni works at Holm Security where, as a part of the team, he works towards ensuring customers' Vulnerability Management and Assessment. He also leads and manages OWASP's Nagpur chapter, which holds AppSec meets every now and then. He has given talks and trainings at various... Read More →


Friday September 24, 2021 11:30pm - Saturday September 25, 2021 12:00am EDT
On-Line
 
Saturday, September 25
 

12:00am EDT

Post-DevOps, what should we shift-left?
Abstract:
The traditional V-shaped quality assurance of waterfall has been replaced by DevOps and CI/CD. It is clear that fast improvement cycles have contributed to making the code much easier to maintain and higher quality.
But why is it that AppSec is still vulnerable to attacks and has yet to mature? Do automated mechanisms contribute to robustness against change?
In this talk, I will show what we have learned through our experience of organizing Hardening Project in Japan. I will cover the critical points related to each stage of DevOps to take DevOps to the next stage - they are about risk profile, architecture design of threat response, and operational matter. I hope it will show some challenges that AppSec faces in its further evolution.

Speakers

Riotaro OKADA

lead, OWASP Japan
Born in Kobe, Japan, Mr. Okada, the executive researcher of Asterisk Research, has 20+ years of experience in software development and security. He is an experienced CISO advisor, PSIRT practitioner, and author who can implement information security programs. His field of work contributes... Read More →


Saturday September 25, 2021 12:00am - 12:30am EDT
On-Line

12:30am EDT

Software Security Engineering (Learnings from the past to fix the future)
Abstract:
Over the last 20 years, exponential growth in technology and technological advancement has led to a significant increase in the attack surface of applications and software. If these applications become part of an organisation's internal or external facing infrastructure, they inherently increase the organisation's overall attack surface.
Interestingly, a vast majority of the security bugs the industry has been dealing with these days have been around for at least two decades.

Suppose you are responsible for ensuring application security for your organisation, or are a vital member of the software engineering team, and are dealing with known security issues affecting these applications year after year. In that case, there are a few critical questions to ask yourself.

Is it challenging to entirely eradicate known application security bugs, both in a single application and across all the applications in your organisation? Does your product team observe that security bugs identified and mitigated in a particular application/software release continue to resurface in future releases? Have you made a move to DevSecOps, or are you considering migrating away from Waterfall and Agile, with the hope that it would take care of all the security bugs in your applications/software?

If the answer to either or all of the above questions is "Yes", then this talk is for you.

This talk will have no fancy demos; instead, this talk will cover some of the crucial aspects of software security engineering and strategy that most organisations have overlooked or ignored.
The key to ensuring maximum possible security resilience in an application/software against known and unknown threats is hidden in past events. Therefore, there will be past examples covered during the talk to learn from and retrospect to fix future security problems in an application/software.

It is quite possible to eliminate known security bugs entirely across all the applications in an organisation and prevent them from reoccurring. While achieving 100% resilience against zero-day threats for your software is less likely, it is quite possible to achieve at least 99.99% security resilience in an application/software to defend against variants of known security bugs.

This talk will provide some food for thought on how to steer software security engineering in an organisation to achieve such results. Among all the solutions I'd cover, none of those will lead to DevSecOps. You'll find out why during the talk.

Speakers

Debasis Mohanty

Head Of Technical Services, SEQA
Debasis has over 20 years of insightful experience in Offensive and Defensive security. He got into security as early as 1998 when there were limited online resources, and one had to self-learn and rely more on textbooks, MSDN resources (Windows), or man pages (Linux/Unix) than on... Read More →


Saturday September 25, 2021 12:30am - 1:00am EDT
On-Line

1:00am EDT

Security begins with secure development environments
We have been witnessing an ever-growing amount of supply chain security incidents in the wild. And now, those incidents are starting to extend to the place where developers spend most of their time: their integrated development environment, and specifically the Visual Studio Code IDE.

Recently, Snyk has discovered and disclosed vulnerabilities that pose a real and imminent threat to developers who use these extensions. The potential compromise is so severe that remote code execution on a developer’s machine is possible by simply tricking the developer into clicking a link.

Speakers

Vandana Verma

Security Relations Leader, Snyk / OWASP Global Board of Directors/ OWASP Bangalore Chapter Leader

Steve Coochin

Senior Developer Advocate, Snyk
Senior Dev Advocate @Snyksec, @Barayamal3 advisor. Prev @IBMDeveloper @telstradev @XeroAPI @PayPalDev. Dev/CTO/Maker/Geek/Speaker/MC/Hackathoner.


Saturday September 25, 2021 1:00am - 1:30am EDT
On-Line

1:30am EDT

Building Diversity into AppSec
Speakers

Vandana Verma

Security Relations Leader, Snyk / OWASP Global Board of Directors/ OWASP Bangalore Chapter Leader


Saturday September 25, 2021 1:30am - 2:30am EDT
On-Line

2:30am EDT

Closing Remarks
Please join us at our 20th Anniversary closing remarks.

Thank you for joining and for your support!

Speakers

Vandana Verma

Security Relations Leader, Snyk / OWASP Global Board of Directors/ OWASP Bangalore Chapter Leader


Saturday September 25, 2021 2:30am - 3:00am EDT
On-Line