Monday, February 13

9:00am GMT

2 Day Training: Adam Shostack's Threat Modeling Intensive
This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start with a guided threat modeling exercise, and we'll then iterate and break down the skills they're learning in more depth. We'll progress through the Four Questions of Threat Modeling: what are we working on, what can go wrong, what are we going to do about it, and did we do a good job? This is capped off with an end-to-end exercise that brings the skills together.

Speakers

Adam Shostack

CEO, Shostack + Associates
Adam Shostack is the world's leading expert on threat modeling. He helped create the CVE and is a member of the Black Hat Review Board.


Monday February 13, 2023 9:00am - 5:00pm GMT
Room: Liffey Meeting Room 1

9:00am GMT

2 Day Training: Building a High-Value AppSec Scanning Programme
You bought the application security tools, you have the findings, but now what? Many organisations find themselves drowning in “possible vulnerabilities”, struggling to streamline their processes and not sure how to measure their progress.

If you are involved in using SAST, DAST or SCA tools in your organisation, these may be familiar feelings to you. In this course you will learn how to address these problems and more (in a vendor-neutral way), with topics including:
* What to expect from these tools?
* Customising and optimising these tools effectively
* Building tool processes which fit your business
* Automating workflows using CI/CD without slowing it down.
* Showing the value and improvements you are making
* Faster and easier triage through smart filtering
* How to focus on fixing what matters and cut down noise
* Techniques for various alternative forms of remediation
* Building similar processes for penetration testing activities.
* Comparison of the different tool types covered.

To bring the course to life and let you apply what you learn, you will work in teams on table-top exercises where you design processes to cover specific scenarios, explain and justify your decisions to simulated stakeholders and practice prioritising your remediation efforts.

For these exercises, you will work based on specially designed process templates (which we will provide) which you can use afterwards to apply these improvements within your own organisation.

Be ready to work in a group, take part in discussions and present your findings and leave the course with clear strategies and ideas on how to get less stress and more value from these tools.

Speakers

Josh Grossman

Chief Technology Officer, Bounce Security
Josh has worked as a consultant in IT/Application Security and Risk for 15 years now, as well as a Software Developer. In that time he has seen the good, the bad and the stuff which is sadly/luckily still covered by an NDA, and has spoken and trained both locally and internationally...


Monday February 13, 2023 9:00am - 5:00pm GMT
Room: Liffey Meeting Room 5

9:00am GMT

2 Day Training: Hacking Modern Web Apps - Master the Future of Attack Vectors
This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.

Long gone are the days when web servers ran Perl scripts and apps were written in Delphi. What is common between Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix? They all use Node.js: JavaScript on the server.

Modern Web apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern web apps, showcasing Node.js but using techniques that will also work against any other web app platform. Ideal for Penetration Testers, Web app Developers as well as everybody interested in JavaScript/Node.js and Modern app stack security.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:
1 hour workshop - https://7asecurity.com/free-workshop-web-apps

All action, no fluff: improve your security analysis workflow and immediately apply these gained skills in your workplace. The course is packed with exercises, extra-mile challenges and a CTF, is self-paced and suitable for all skill levels, and comes with continued education via unlimited email support, lifetime access, step-by-step video recordings and interesting apps to practice on, including all future updates for free.

Speakers

Ashwin Shenoi

Security Trainer, 7A Security
Ashwin Shenoi is a Senior Security Engineer at CRED, with an avid passion for application security. He is highly skilled in application penetration testing and automation. Ashwin is a core member of team bi0s, a top-ranked Capture The Flag (CTF) team, according to CTFTime. In his...


Monday February 13, 2023 9:00am - 5:00pm GMT
Room: Liffey Meeting Room 4

9:00am GMT

2 Day Training: Mobile Security Testing Guide Hands-on
This course teaches you how to analyse Android and iOS apps for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven will share his experience and many small tips and tricks to attack mobile apps that he collected throughout his career and bug hunting adventures.

At the beginning of the first day we start by giving an overview of the Android Platform and its Security Architecture. It is no longer mandatory for students to bring their own Android device; instead, a cloud-based virtualized Android device will be provided for each student using Corellium.

These are some of the topics that will be covered during the course:

● Frida crash course to kick-start with dynamic instrumentation on Android apps
● Intercepting network traffic of apps written in mobile app frameworks such as Google’s Flutter
● Identifying and exploiting a real-world deep-link vulnerability
● Explore the differences and effectiveness of Reverse Engineering Android Apps through patching Smali, Xposed and Dynamic Instrumentation with Frida
● Analyze Local Storage of an Android App
● Using Brida to bypass End2End Encryption in an Android app
● Usage of dynamic Instrumentation with Frida to:
○ bypass Frida detection mechanisms
○ bypass multiple root detection mechanisms

On day 2 we focus on iOS and will begin with an overview of the iOS Platform and Security Architecture (Hardware Security, Code Signing, Sandbox, Secure Boot, Secure Enclave etc.). After explaining what an IPA container is and the iOS file system structure, we start creating an iOS testing environment with Corellium and dive deep into various topics, including:
● Analyzing iOS applications that use non-HTTP traffic including ways of intercepting the traffic
● Frida crash course to kick-start with dynamic instrumentation for iOS apps
● Bypassing SSL Pinning with SSL Kill Switch and Objection
● Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida Gadget
● Testing stateless authentication mechanisms such as JWT in an iOS Application
● Using Frida for Runtime Instrumentation of iOS Apps to bypass:
○ Anti-Jailbreaking mechanisms
○ Frida detection mechanism
○ and other client-side security controls

The course consists of many different labs developed by us and the course is roughly 50% hands-on and 50% lecture.

At the end of each day a small CTF will be played to investigate an app with the newly learned skills and there will be prizes :-)

After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile apps, how to mitigate them and how to execute tests consistently. The course is based on the OWASP Mobile Security Testing Guide (MSTG) and is conducted by one of the authors himself. The OWASP MSTG is a comprehensive and open source guide about mobile security testing for both iOS and Android.

Speakers

Carlos Holguera

Mobile Security Research Engineer, NowSecure
Carlos is a mobile security research engineer and one of the two leaders of the OWASP Mobile App Security (MAS) project. He has gained many years of hands-on experience in the field of security testing for mobile apps and embedded systems such as automotive control units and IoT devices...

Sven Schleier

Principal Security Consultant, Crayon
Sven lives in Austria and is a Principal Security Consultant at Crayon, specialised in Cloud Security. He has extensive experience in offensive security engagements like Penetration Testing and Application Security, supporting and guiding software development projects for Mobile...


Monday February 13, 2023 9:00am - 5:00pm GMT
Room: Liffey Meeting Room 2B

9:00am GMT

2 Day Training: Securing your applications in AWS & Azure
This training provides a thorough introduction to cloud security, covering both AWS and Azure. During the first day, we will go through all you need to know in order to develop and deploy secure applications in AWS. We will present how you can build a secure cloud infrastructure in AWS. You will learn how to use AWS Identity and Access Management in order to manage your users and control access to your resources and data. We will demonstrate how to use AWS-specific tools and features to ensure your application's production data is adequately protected and monitored. By the end of the first day, you should understand how to set up a basic hardened AWS infrastructure capable of deploying a production web application.
During the second day, we will focus on how to build and deploy secure software on the Microsoft Azure cloud platform. You will learn common Azure terminology and the basic components of a secure application architecture in Azure. We will explain how identity and access management work in Azure and how you can leverage Microsoft Identity Platform to manage your users. You will understand how to use Azure-specific features to ensure your application's production data is adequately protected and monitored. By the end of the course, you should understand how to set up a secure infrastructure using Azure, capable of deploying cloud-native web applications and services.

Speakers

Dr. Konstantinos Papapanagiotou

Cyber Security Consultant, Styx Cyber
Dr Kostas (Konstantinos) Papapanagiotou is a cyber security consultant who helps organizations around the world improve their security posture. He has more than 20 years of experience in the field of cyber security, both as a corporate consultant and as a researcher. Over those...


Monday February 13, 2023 9:00am - 5:00pm GMT
Room: Liffey Meeting Room 3a

9:00am GMT

2 Day Training: Web Application Security Essentials
This course provides the knowledge and resources required to evaluate the security of web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures.

The course is aligned with the OWASP Top 10 2021, a world-renowned reference document which describes the most critical web application security flaws.

The topics covered include:

Introduction to Web Application Security
Technologies used in Web Applications
The Security Tester Toolkit
Critical Areas in Web Applications
Broken Access Control
Cryptographic Failures
Injection
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server Side Request Forgery (SSRF)

Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.

Speakers

Nanne Baars

Developer, Xebia
Nanne is a security software developer at Xebia with a focus on Java development and one of the project leads for the OWASP WebGoat project.


Monday February 13, 2023 9:00am - 5:00pm GMT
Room: Liffey Meeting Room 2a

10:30am GMT

AM Break
AM Coffee Break

Monday February 13, 2023 10:30am - 11:00am GMT
Room: Liffey Meeting Room Foyer

12:00pm GMT

Lunch
Monday February 13, 2023 12:00pm - 1:00pm GMT
Room: Liffey Meeting Room Foyer

3:00pm GMT

PM Break
PM Break provided by OWASP

Monday February 13, 2023 3:00pm - 3:30pm GMT
Room: Liffey Meeting Room Foyer

Tuesday, February 14

8:00am GMT

Global Board of Directors Meeting - Closed Meeting
This is a closed meeting for OWASP Global Board of Directors

Tuesday February 14, 2023 8:00am - 6:00pm GMT
Room: Liffey Boardroom 2

9:00am GMT

Global Board of Directors / Closed Meeting
This is a closed board meeting for the OWASP Global Board of Directors

Tuesday February 14, 2023 9:00am - 5:00pm GMT
Room: Liffey Boardroom 2

9:00am GMT

OWASP CRS
This is a complimentary event although a separate ticket is needed.

The program is still in the making, but please expect a variety of talks about CRS, ModSecurity and Coraza. Here is what we know:
  • Welcoming address
  • Ervin Hegedüs: My work on ... (project title not fixed yet)
  • Where is CRS 4?
  • A round-up of the 2022 Bug Bounty Program and how we handled the reports
  • CRS 4 plugin architecture and an overview of existing plugins
Of course, there will be enough time to meet the team, integrators and fellow users.

After the “official” program we will go out together for dinner, paid for by our sponsors.

If you are interested in presenting, then please get in touch. Slots are likely to be 25min of presentation + Q&A. We are interested in anything CRS-centered, namely technical talks or stories from production.

Attendance is free.

Please note that our summit is co-hosted with the OWASP Global AppSec Europe conference in the same location, Feb 15 and 16. We encourage you to register for the OWASP conference too. A registration for the CRS Community Summit does not give you access to the OWASP AppSec conference.

The CRS Community Summit presents an opportunity to build ties, to get inspiration from the community and to understand what people are doing with CRS. We invite the whole CRS community, developers, integrators and users.
If you have further questions don’t be afraid to contact us.

We are looking very much forward to seeing you all in Dublin.

Cheers,
Christian Folini for the CRS team

Tuesday February 14, 2023 9:00am - 5:00pm GMT
Room: Liffey Hall 1

9:00am GMT

2 Day Training: Adam Shostack's Threat Modeling Intensive
This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start with a guided threat modeling exercise, and we'll then iterate and break down the skills they're learning in more depth. We'll progress through the Four Questions of Threat Modeling: what are we working on, what can go wrong, what are we going to do about it, and did we do a good job? This is capped off with an end-to-end exercise that brings the skills together.

Speakers

Adam Shostack

CEO, Shostack + Associates
Adam Shostack is the world's leading expert on threat modeling. He helped create the CVE and is a member of the Black Hat Review Board.


Tuesday February 14, 2023 9:00am - 5:00pm GMT
Room: Liffey Meeting Room 1

9:00am GMT

2 Day Training: Building a High-Value AppSec Scanning Programme
You bought the application security tools, you have the findings, but now what? Many organisations find themselves drowning in “possible vulnerabilities”, struggling to streamline their processes and not sure how to measure their progress.

If you are involved in using SAST, DAST or SCA tools in your organisation, these may be familiar feelings to you. In this course you will learn how to address these problems and more (in a vendor-neutral way), with topics including:
* What to expect from these tools?
* Customising and optimising these tools effectively
* Building tool processes which fit your business
* Automating workflows using CI/CD without slowing it down.
* Showing the value and improvements you are making
* Faster and easier triage through smart filtering
* How to focus on fixing what matters and cut down noise
* Techniques for various alternative forms of remediation
* Building similar processes for penetration testing activities.
* Comparison of the different tool types covered.

To bring the course to life and let you apply what you learn, you will work in teams on table-top exercises where you design processes to cover specific scenarios, explain and justify your decisions to simulated stakeholders and practice prioritising your remediation efforts.

For these exercises, you will work based on specially designed process templates (which we will provide) which you can use afterwards to apply these improvements within your own organisation.

Be ready to work in a group, take part in discussions and present your findings and leave the course with clear strategies and ideas on how to get less stress and more value from these tools.

Speakers

Josh Grossman

Chief Technology Officer, Bounce Security
Josh has worked as a consultant in IT/Application Security and Risk for 15 years now, as well as a Software Developer. In that time he has seen the good, the bad and the stuff which is sadly/luckily still covered by an NDA, and has spoken and trained both locally and internationally...


Tuesday February 14, 2023 9:00am - 5:00pm GMT
Room: Liffey Meeting Room 5

9:00am GMT

2 Day Training: Hacking Modern Web Apps - Master the Future of Attack Vectors
This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.

Long gone are the days when web servers ran Perl scripts and apps were written in Delphi. What is common between Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix? They all use Node.js: JavaScript on the server.

Modern Web apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern web apps, showcasing Node.js but using techniques that will also work against any other web app platform. Ideal for Penetration Testers, Web app Developers as well as everybody interested in JavaScript/Node.js and Modern app stack security.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:
1 hour workshop - https://7asecurity.com/free-workshop-web-apps

All action, no fluff: improve your security analysis workflow and immediately apply these gained skills in your workplace. The course is packed with exercises, extra-mile challenges and a CTF, is self-paced and suitable for all skill levels, and comes with continued education via unlimited email support, lifetime access, step-by-step video recordings and interesting apps to practice on, including all future updates for free.

Speakers

Ashwin Shenoi

Security Trainer, 7A Security
Ashwin Shenoi is a Senior Security Engineer at CRED, with an avid passion for application security. He is highly skilled in application penetration testing and automation. Ashwin is a core member of team bi0s, a top-ranked Capture The Flag (CTF) team, according to CTFTime. In his...


Tuesday February 14, 2023 9:00am - 5:00pm GMT
Room: Liffey Meeting Room 4

9:00am GMT

2 Day Training: Mobile Security Testing Guide Hands-on
This course teaches you how to analyse Android and iOS apps for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven will share his experience and many small tips and tricks to attack mobile apps that he collected throughout his career and bug hunting adventures.

At the beginning of the first day we start by giving an overview of the Android Platform and its Security Architecture. It is no longer mandatory for students to bring their own Android device; instead, a cloud-based virtualized Android device will be provided for each student using Corellium.

These are some of the topics that will be covered during the course:

● Frida crash course to kick-start with dynamic instrumentation on Android apps
● Intercepting network traffic of apps written in mobile app frameworks such as Google’s Flutter
● Identifying and exploiting a real-world deep-link vulnerability
● Explore the differences and effectiveness of Reverse Engineering Android Apps through patching Smali, Xposed and Dynamic Instrumentation with Frida
● Analyze Local Storage of an Android App
● Using Brida to bypass End2End Encryption in an Android app
● Usage of dynamic Instrumentation with Frida to:
○ bypass Frida detection mechanisms
○ bypass multiple root detection mechanisms

On day 2 we focus on iOS and will begin with an overview of the iOS Platform and Security Architecture (Hardware Security, Code Signing, Sandbox, Secure Boot, Secure Enclave etc.). After explaining what an IPA container is and the iOS file system structure, we start creating an iOS testing environment with Corellium and dive deep into various topics, including:
● Analyzing iOS applications that use non-HTTP traffic including ways of intercepting the traffic
● Frida crash course to kick-start with dynamic instrumentation for iOS apps
● Bypassing SSL Pinning with SSL Kill Switch and Objection
● Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida Gadget
● Testing stateless authentication mechanisms such as JWT in an iOS Application
● Using Frida for Runtime Instrumentation of iOS Apps to bypass:
○ Anti-Jailbreaking mechanisms
○ Frida detection mechanism
○ and other client-side security controls

The course consists of many different labs developed by us and the course is roughly 50% hands-on and 50% lecture.

At the end of each day a small CTF will be played to investigate an app with the newly learned skills and there will be prizes :-)

After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile apps, how to mitigate them and how to execute tests consistently. The course is based on the OWASP Mobile Security Testing Guide (MSTG) and is conducted by one of the authors himself. The OWASP MSTG is a comprehensive and open source guide about mobile security testing for both iOS and Android.

Speakers

Carlos Holguera

Mobile Security Research Engineer, NowSecure
Carlos is a mobile security research engineer and one of the two leaders of the OWASP Mobile App Security (MAS) project. He has gained many years of hands-on experience in the field of security testing for mobile apps and embedded systems such as automotive control units and IoT devices...

Sven Schleier

Principal Security Consultant, Crayon
Sven lives in Austria and is a Principal Security Consultant at Crayon, specialised in Cloud Security. He has extensive experience in offensive security engagements like Penetration Testing and Application Security, supporting and guiding software development projects for Mobile...


Tuesday February 14, 2023 9:00am - 5:00pm GMT
Room: Liffey Meeting Room 2B

9:00am GMT

2 Day Training: Securing your applications in AWS & Azure
This training provides a thorough introduction to cloud security, covering both AWS and Azure. During the first day, we will go through all you need to know in order to develop and deploy secure applications in AWS. We will present how you can build a secure cloud infrastructure in AWS. You will learn how to use AWS Identity and Access Management in order to manage your users and control access to your resources and data. We will demonstrate how to use AWS-specific tools and features to ensure your application's production data is adequately protected and monitored. By the end of the first day, you should understand how to set up a basic hardened AWS infrastructure capable of deploying a production web application.
During the second day, we will focus on how to build and deploy secure software on the Microsoft Azure cloud platform. You will learn common Azure terminology and the basic components of a secure application architecture in Azure. We will explain how identity and access management work in Azure and how you can leverage Microsoft Identity Platform to manage your users. You will understand how to use Azure-specific features to ensure your application's production data is adequately protected and monitored. By the end of the course, you should understand how to set up a secure infrastructure using Azure, capable of deploying cloud-native web applications and services.

Speakers

Dr. Konstantinos Papapanagiotou

Cyber Security Consultant, Styx Cyber
Dr Kostas (Konstantinos) Papapanagiotou is a cyber security consultant who helps organizations around the world improve their security posture. He has more than 20 years of experience in the field of cyber security, both as a corporate consultant and as a researcher. Over those...


Tuesday February 14, 2023 9:00am - 5:00pm GMT
Room: Liffey Meeting Room 3a

9:00am GMT

2 Day Training: Web Application Security Essentials
This course provides the knowledge and resources required to evaluate the security of web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures.

The course is aligned with the OWASP Top 10 2021, a world-renowned reference document which describes the most critical web application security flaws.

The topics covered include:

Introduction to Web Application Security
Technologies used in Web Applications
The Security Tester Toolkit
Critical Areas in Web Applications
Broken Access Control
Cryptographic Failures
Injection
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server Side Request Forgery (SSRF)

Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.

Speakers

Nanne Baars

Developer, Xebia
Nanne is a security software developer at Xebia with a focus on Java development and one of the project leads for the OWASP WebGoat project.


Tuesday February 14, 2023 9:00am - 5:00pm GMT
Room: Liffey Meeting Room 2a

10:30am GMT

AM Break
AM Coffee Break

Tuesday February 14, 2023 10:30am - 11:00am GMT
Room: Liffey Meeting Room Foyer

12:00pm GMT

Lunch
Tuesday February 14, 2023 12:00pm - 1:00pm GMT
Room: Liffey Meeting Room Foyer

3:00pm GMT

PM Break
PM Break provided by OWASP

Tuesday February 14, 2023 3:00pm - 3:30pm GMT
Room: Liffey Meeting Room Foyer

5:00pm GMT

Happy Hour Mixer at OWASP Dublin Hosted By Jit & Semgrep

If you are in town, we invite you to the Dublin Happy Hour on Tuesday, February 14th from 5:00 pm - 8:00 pm, sponsored by Jit and Semgrep.


OWASP's Simon Bennetts will be there, along with keynote speakers and OWASP board members, and you'll have a unique networking opportunity before the event gets started.

Tuesday February 14, 2023 5:00pm - 8:00pm GMT
Foley's Bar, 1 Merrion Row, Dublin 2, Ireland

Wednesday, February 15

8:00am GMT

Exhibitor Hall
Wednesday February 15, 2023 8:00am - 7:30pm GMT
Room: Liffey B

9:00am GMT

A Taste of Privacy Threat Modeling

Join us for a delicious journey into the world of privacy engineering! As data protection legislation becomes increasingly prevalent, it's more important than ever to understand how to keep your software systems safe from privacy threats. In this talk, we'll explore what privacy is all about, why it matters, and how threat modeling can help you introduce it early on in the software development lifecycle. We'll tackle some common misconceptions about privacy and threat modeling along the way. And we'll talk about ice cream. Yum!

Speakers

Kim Wuyts

Kim Wuyts is a senior privacy researcher at the imec-DistriNet research group at KU Leuven (Belgium). She has more than 15 years of experience in security and privacy engineering. Kim is one of the driving forces behind the development and extension of LINDDUN, a privacy threat modeling...


Wednesday February 15, 2023 9:00am - 10:00am GMT
Room: The Liffey A

9:00am GMT

Member Lounge
Wednesday February 15, 2023 9:00am - 5:30pm GMT
Dublin Convention Center

10:00am GMT

AM Coffee Break with Exhibitors
Wednesday February 15, 2023 10:00am - 10:30am GMT
Room: Liffey B

10:30am GMT

GitHub Actions: Vulnerabilities, Attacks, and Counter-measures
More organizations are applying a DevOps methodology to optimize software development. One of the main tools used in this process is a continuous integration (CI) tool that automates code changes from multiple developers working on the same project. In 2019, GitHub released its own CI tool called GitHub Actions. According to GitHub, GitHub Actions help you automate tasks within your software development life cycle, and it has been gaining a lot of adoption from developers. This talk plans to demonstrate how GitHub Actions work and show security measures to protect your Actions from misuse by attackers. First, we'll do a deep dive into the Runners, the servers provided by GitHub to run your Actions, and the risks of using them. Then, we'll show how attackers can leverage these runners to mine cryptocurrencies, pivot into other targets, and more. Lastly, we'll demonstrate how to maliciously distribute backdoors into different repositories via the GitHub Actions Marketplace. This presentation results from detailed research published earlier this year on the topic, in which the author investigated abuse-case scenarios such as how attackers were leveraging this free service to mine cryptocurrencies on their own behalf and on behalf of other users, among other attack vectors. We'll also demonstrate how to run interactive commands on the Runner servers via a reverse shell, which is technically not allowed via traditional means. Ultimately, we'll show the problem of third-party dependencies via the GitHub Actions Marketplace by demonstrating how easy it is to create a fake GitHub Action that, if used unwittingly by other projects, can make their runners act as bots to target other victims and even be used in supply-chain attacks by tampering with the result of the pipeline.

Speakers
Magno Logan

Information Security Specialist, GoHacking
Magno Logan works as an Information Security Specialist for Trend Micro. He specializes in Cloud, Container and Application Security Research, Threat Modelling and Red Teaming. He has been tapped as a resource speaker for numerous security conferences around the globe. He is also...



Wednesday February 15, 2023 10:30am - 11:30am GMT
Room: Liffey Hall 1

10:30am GMT

Far from green fields - introducing Threat modelling to established teams
'Far from green fields - introducing Threat modelling to established teams' takes a look at the unique challenges of introducing Threat Modelling to well-established software teams. Microsoft introduced threat modelling as part of the Trustworthy Computing initiative back in the early 2000s. This was in response to issues they were facing maintaining the trust of their user base in the light of several high-profile security issues. Nobody would categorise Microsoft as a startup in 2002, and nobody at Microsoft was suggesting that they stop moving forward with planned features and advancements while they adjusted their practices. Why is it that so much of the material available to support you as you roll out threat modelling describes it in the context of greenfield projects? Most of us need to know how to successfully introduce this highly effective shift-left security practice to real teams; teams that are running at pace on the treadmill of change, spinning the plates of customer commitments and feature enhancements. In this talk, I will share the experiences of a 3-year journey I have been on to introduce threat modelling to my colleagues across a range of product offerings. We made some mistakes, we learned some lessons the books could not have taught us, but ultimately we succeeded, and in succeeding we learned that introducing threat modelling is only the beginning. Originally conceived in a pre-COVID world, this talk has been updated to include a look at the challenges and some surprising advantages of threat modelling on remote teams.

Speakers
Sarah-Jane Madden

Chief Information Security Officer - Sensing Technology Group, Fortive
Sarah-Jane is the Chief Information Security Officer of Sensing Technology Group - part of Fortive. She has over 20 years software experience from the most formal environments to 'let's fix it in production' type teams. She has been a longtime advocate of deliberate application security...


Wednesday February 15, 2023 10:30am - 11:30am GMT
Room: The Liffey A

10:30am GMT

JavaScript Realms - The Blank Spot In Web Application Runtime Security
Due to the rise of dependency-based development, the JavaScript ecosystem (and the browser JavaScript ecosystem in particular) is far more vulnerable to the rising major problem we know as “supply chain attacks”.

Therefore, many different supply chain security solutions were introduced to the industry as well, focusing on different ends of it, ranging from build time to runtime protection. However, runtime browser based protections usually lack a major component in their solutions, one that mostly leaves such solutions completely vulnerable, almost as if they were never there.

Realms (aka iframes in the browser) is an ancient and legitimate concept that goes through a horrific spinoff in the context of bypassing browser based supply chain security attempts. And the worst part is that carrying out attacks is so easy with realms, but defending realms is so complicated.

It's time to dive into this important yet ignored layer in securing against unwanted code execution - it's time to talk about the JavaScript realms blank spot and its offensive/defensive security aspects. In this talk we'll understand what realms are, why they are so easily abused to bypass protections, why they are such an important and unregarded layer to secure, and we'll also introduce SnowJS - the most advanced open source software for securing JavaScript realms.

Speakers
Gal Weizman

Senior JS Security Engineer, MetaMask
Gal is an experienced security researcher in the browser javascript field with proven published work including critical vulnerabilities disclosures, global talks and innovative security tools and write-ups. https://weizman.github.io/page-about/...



Wednesday February 15, 2023 10:30am - 11:30am GMT
Room: Liffey Meeting Room 1

10:30am GMT

Narrow – SCA Reachability Analysis without the Effort
“Reachability analysis” in software composition analysis (SCA) is a recent advancement that helps developers and security teams understand which vulnerable dependencies are reachable by the first-party code, thereby reducing noise. However, most existing approaches require manual intervention (e.g., documenting “target functions”, creating rulesets, etc.). In this talk, we present a scalable approach to reachability analysis demonstrated by a new open-source tool named “Narrow”. Narrow combines patch analysis with static program analysis to automatically indicate whether vulnerabilities in third-party software components are truly relevant to your (Python) codebase. The best part: no need to create rules for every new vulnerability. Later in the talk we’ll discuss our experience implementing and rolling this out at a large enterprise. It wasn’t easy. There were technical, process, and human perception issues to deal with. Still, by the end we were able to remove a substantial amount of uncertainty from our risk management program and believe you can too.

Speakers
Josiah Bruner

Senior Security Engineer, Jellyfish
Josiah is a senior security engineer at Jellyfish where he focuses on security engineering. His interests lie in topics such as secure supply chain security, threat modeling, and program analysis. Prior to Jellyfish, Josiah did product security for Duo Security and automotive product...


Wednesday February 15, 2023 10:30am - 11:30am GMT
Room: Liffey Hall 2

10:30am GMT

OWASP Coraza: The way to WAF in 2023
We are fighting a 2023 problem by using early 2000s technology. The web has evolved. Some people even talk about web 3.0, bringing blockchain technology into our daily internet navigation. Therefore, the threats have evolved, SQL injection isn’t as common as it used to be, and attackers are now looking for more complex vulnerabilities that could provide faster and bigger profits. New technologies also come with new architecture and deployment requirements, so the final question becomes, how can we protect our applications without risking false positives or decreasing performance? OWASP Coraza’s goal is to solve these questions by providing a modern approach to Open-Source WAF using Golang. Coraza provides a modular, fast, developer-friendly, and efficient set of WAF capabilities that can be easily integrated into any program, it also provides connectors for Web Servers, API Gateways, HTTP frameworks, and more. Coraza is 100% compatible with OWASP Core Ruleset and extends ModSecurity capabilities to the 2020s internet.

This is the first public talk of OWASP Coraza WAF. We are currently a lab project in OWASP, soon Flagship. Coraza is also used by many Fortune 500 companies around the world, including companies in the top 10 of the ranking.

Topics:
  • WAF in the early 2000s
    • 1990s World Wide Web
    • AppShield WAF
    • Reverse/Transparent Proxy
    • ModSecurity
    • Rich Content Applications (Ajax)
    • OWASP TOP 10
    • Core Ruleset
    • Blocking Models
  • Web 2.0
    • New web Frameworks
    • Websockets: Transmitted data is not standard. How can we protect it?
    • GraphQL: New language, new vulnerabilities
  • Next Generation WAFs
    • Libmodsecurity: From Apache to everything (mostly Nginx)
    • New architecture
    • Connectors
  • WAF deployment
    • TCP Dump: We can read decrypted traffic, but we cannot terminate a session
    • eBPF: We can read encrypted traffic, but we cannot terminate a session
    • Open Tracing: We can read traffic, but we cannot terminate a session
    • GRPC and OPA: Can be evaluated inline to terminate a session
    • Edge Termination: Request session termination from another endpoint
  • 2023 Challenges
    • We are not only looking for SQL Injection
    • Escalate and terminate without latency
    • Rule-less protection
    • 0 False Positives
    • Compliance or protection?
    • Compete against CDN WAF
    • Block the user, not the IP
  • OWASP Coraza
    • Introduction to Coraza
    • High-Level Architecture
    • Deployment Options
    • Extended Web/API capabilities
    • Extensibility
    • Roadmap
    • Conclusions

Coraza Links:
https://www.coraza.io/
https://github.com/corazawaf/coraza
https://owasp.org/www-project-coraza-web-application-firewall/


Speakers
Felipe Zipitria

Senior Engineer II, Security, Life360
Felipe has over 15 years of experience in the information security field. He regularly trains professionals from different backgrounds in application security, cloud security, and information security. He is a lecturer on Computer Security Foundations for graduates and Application...

Juan Pablo Tosso

Security Research Engineer, Traceable AI
I'm a cybersecurity researcher from Chile, currently working at traceable.ai. I enjoy writing open-source code, hiking, biking, spending time with my children, traveling, writing, and reading. I used to be a white hat hacker, but now I turned to the blue side. I’m the founder and project leader of the OWASP Coraza WAF project...


Wednesday February 15, 2023 10:30am - 11:30am GMT
Room: Liffey Meeting Room 2

11:30am GMT

[T]OTPs are not as secure as you might believe
You likely receive OTPs (one-time passwords) all the time, usually in the form of an SMS with a 4 to 8 digit code in it. Pretty common when you sign in (or register) to Uber, your bank (usually as a second factor), WhatsApp, etc. The most adopted OTP size is 6 digits, and we just accept that it's hard to guess; after all, it's a 1 in a million chance, and it's valid just for a few minutes, and leave it there. A few paranoid folks might wonder what happens if you get a new OTP after the first one expires; they may assume it's another 1 in a million chance, and continue with their life. The truth is that when you calculate the actual chance of guessing an OTP one after the other, the odds are NOT 1 in a million. You will be surprised how the probabilities of guessing spiral once you start thinking of brute forcing OTPs one after the other, and when you consider parallelising the brute force among different users, the surprise is even bigger.

Speakers
Santiago Kantorowicz

Principal Security Engineer, Twilio
Santiago is a Principal Security Engineer at Twilio, with 14 years of experience in cybersecurity. He worked for 6 years securing and designing OTP and TOTP products, such as Authy and Twilio Verify. He is currently dedicated to securing Twilio Voice and Video products along with...



Wednesday February 15, 2023 11:30am - 12:30pm GMT
Room: Liffey Hall 1

11:30am GMT

Attacking and protecting Artificial Intelligence
Is AI our doom or our savior? How can AI systems attack? How can they be attacked? How do we build security and privacy into them? In this session we will go through what makes AI systems so special by discussing several actual AI disasters and by reviewing the key principles behind the European AI act and the new US AI Bill of rights. The material presented is based on 30 years of experience with AI software engineering and extensive research that served as input for the new ISO/IEC 5338 standard on AI lifecycle and the upcoming AI security OWASP project.

Speakers
Rob Van der Veer

AI Application Security, Software Improvement Group
Since 1992, Rob van der Veer has pioneered AI businesses, as AI engineer and CEO. At the Software Improvement Group, Rob established the security & privacy and AI practices. He is author and co-author of various security and AI standards including the new ISO/IEC 5338 standard on...



Wednesday February 15, 2023 11:30am - 12:30pm GMT
Room: The Liffey A

11:30am GMT

Don't let bug bounty kill your appsec posture
Bug bounty is a wonderful thing, and over the last few years it has completely overturned the industry focus, where more and more organizations direct money and resources to operating thriving programs. But there is another side to bug bounty - the side that can side-track your entire appsec strategy. As bug bounty becomes more and more popular, more and more researchers focus on scale and wide-spread issues that can be discovered by automation, rather than spending their time on deeper technical research of a particular target. Your team might easily get bombarded with low impact (valid) issues such as subdomain takeovers and XSS on random domains, and less and less focused on higher risk issues that require deep technical understanding. While this can be sometimes subverted by carefully aligning your scope and educating your researchers, you might end up spending more time on refining your program than on actually solving issues. As an enthusiastic bug bounty researcher myself, I truly believe in bug bounty. As an appsec manager, I understand bug bounty will never be enough to replace penetration testing. In this talk I’ll cover some of the pitfalls we fell into within our own program, and how you need to calibrate your expectations from bug bounty - and perhaps recalibrate your appsec strategy.

Speakers
Zohar Shachar

Head of Application Security, Wix
After years focusing on offensive penetration tests and leading red team simulations, in the last ~2.5 years I'm leading the application security team in Wix. You can check out some of my past research here - www.ehpus.com...


Wednesday February 15, 2023 11:30am - 12:30pm GMT
Room: Liffey Meeting Room 1

11:30am GMT

Ten DevSecOps Culture Failures
Rolling out DevOps + Security has its series of pitfalls. In this talk, we'll explore real-world challenges, sprinkling in a bit of humor on behalf of the Internet, and work out the solutions to how to avoid these pain points using security culture. You'll experience what can go wrong, to expose how to do things right. We'll cover a sampling of the failures: name and brand, the infinity graph, security as a special team, vendor-defined DevOps, and a lack of collaboration. You'll receive actionable best practices for changing your DevOps security culture.

Speakers
Chris Romeo

CEO, Devici
Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling...



Wednesday February 15, 2023 11:30am - 12:30pm GMT
Room: Liffey Hall 2

11:30am GMT

Squeezing the last drop out of OWASP Juice Shop
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications! In this session we will go far beyond the basics of hacking the application! You will learn about the new Coding Challenges, all available tutorial options for newcomers, CTF mode for some added competition, the built-in cheat detection, integration and metrics, and the possibilities of custom theming!

Speakers
Bjoern Kimminich

Product Group Lead Application Ecosystem, Kuehne + Nagel
Bjoern Kimminich works as Product Group Lead Application Ecosystem at Kuehne + Nagel, responsible – among other things – for the Application Security program in the corporate IT. He is an OWASP Lifetime Member, the project leader of the OWASP Juice Shop, and a co-chapter leader...


Wednesday February 15, 2023 11:30am - 12:30pm GMT
Room: Liffey Meeting Room 2

12:30pm GMT

Lunch with Exhibitors
Wednesday February 15, 2023 12:30pm - 2:00pm GMT
Room: Liffey B

2:00pm GMT

Why winning the war in cybersecurity means winning more of the everyday battles
As complexity grows in how we defend our business, or proactively innovate technology, how we think about cybersecurity collaboratively also has to change. How well we adapt continues to influence our security strategies, our creativity, and our culture, in our companies and in our industry. It seems starting with ourselves is a natural place to begin. Join this conversation on what the evolution of the security practitioner, and leader, will look like in the future to keep up with the pace of this ever-growing industry.

Speakers
Jessica Robinson

Executive Officer, PurePoint International
Jessica Robinson is the Executive Officer of PurePoint International helping CEOs and C-level leaders bridge the gap among data security, cyber risk and privacy and is currently the vCISO for Women In Cybersecurity. PurePoint International provides cybersecurity consulting, advisory...


Wednesday February 15, 2023 2:00pm - 3:00pm GMT
Room: The Liffey A

3:00pm GMT

PM Break with Exhibitors
Wednesday February 15, 2023 3:00pm - 3:30pm GMT
Room: Liffey B

3:30pm GMT

Credential Sharing as a Service: the Dark Side of No Code
Why focus on heavily guarded crown jewels when you can dominate an organization through its shadow IT? Low-Code applications have become a reality in the enterprise, with surveys showing that most enterprise apps are now built outside of IT, with lacking security practices. Unsurprisingly, attackers have figured out ways to leverage these platforms for their gain. In this talk, we demonstrate a host of attack techniques found in the wild, where enterprise No-Code platforms are leveraged and abused for every step in the cyber killchain. You will learn how attackers perform an account takeover by making the user simply click a link, move laterally and escalate privileges with zero network traffic, leave behind an untraceable backdoor, and automate data exfiltration, to name a few capabilities. All capabilities will be demonstrated with POCs, and their source code will be shared. Next, we will drop two isolation-breaking vulnerabilities that allow for privilege escalation and cross-tenant access. We will explain how these vulnerabilities were discovered and assess their pre-discovery impact. Finally, we will introduce an open-source recon tool that identifies opportunities for lateral movement and privilege escalation through low-code platforms.

Speakers
Michael Bargury

Co-Founder and CTO, Zenity
Michael Bargury is a security researcher passionate about all things related to cloud, SaaS and low-code security, and spends his time finding ways they could go wrong. He is the Co-Founder and CTO of Zenity, where he helps companies secure their low-code/no-code apps. In the past...



Wednesday February 15, 2023 3:30pm - 4:30pm GMT
Room: Liffey Hall 1

3:30pm GMT

Trusting Software - Runtime Protection Is the Third Alternative
For 20 years, OWASP has been recommending two approaches to achieving trustworthy software: people and perimeters. The people approach attempts to coerce your developers into making perfect software with requirements, vulnerability testing, threat modeling, security architecture, training, etc. The perimeter approach attempts to monitor network traffic and perfectly detect and block attempts to exploit vulnerabilities. Unfortunately, and despite Herculean effort by smart and dedicated people, these approaches simply aren't working. But there is a third approach: consider how ASLR and DEP changed the curve on kernel exploits in the mid-2000s. Imagine we could automatically inject exactly the right defenses into your code, in exactly the right places, without having to change anything about the way you develop, build, test, or deploy your applications. In this talk, you’ll learn how easy it is to eliminate entire classes of vulnerability, like those in the OWASP Top Ten, by automatically infusing simple, lightweight trust boundaries into apps/APIs. This "runtime protection" is available for a huge range of languages and platforms, and is widely used in large companies to secure apps/APIs at massive scale with almost no performance impact. Forrester reports 65% of companies are adopting runtime protection and 17% of companies are planning to adopt. Attendees will learn how runtime protection works, how you can deploy at scale, and about accuracy and performance. But more importantly, we'll explore real-world runtime protection use cases that will benefit your entire appsec program, your development teams, and even your security culture.

Speakers
Jeff Williams

Founder and CTO, Contrast Security
Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by EY. Jeff is...



Wednesday February 15, 2023 3:30pm - 4:30pm GMT
Room: The Liffey A

3:30pm GMT

Preventing subdomain takeover with OWASP Domain Protect
At OVO Energy we have a complex hybrid cloud environment, with multiple autonomous development teams who manage their own cloud accounts. Last year we started a private Bug Bounty program. The security researchers found a significant number of issues, over half of which were subdomain takeovers. To protect against malicious attackers and slow down ever-increasing reward payments, we developed and open-sourced a new tool to prevent subdomain takeovers: OWASP Domain Protect.

OWASP Domain Protect uses serverless functions to automate scans of our DNS environments in AWS, GCP and Cloudflare, test for vulnerabilities, and create Slack and email alerts. This substantially reduced the number of subdomain takeover issues reported through our Bug Bounty program.

However new subdomain vulnerabilities can arise at any time, and we noticed that some Bug Bounty researchers were quickly taking over the organisation's subdomains after new vulnerabilities arose, before they were even detected by Domain Protect, let alone fixed. To combat this, we increased our scan frequency and introduced automated takeover of resources in our central security account, to stop anyone else from doing so.

In this presentation, I’ll review the basics of domain takeover, talk about the Bug Bounty program findings, describe the system architecture of OWASP Domain Protect, and give a live demonstration of vulnerable domain detection followed by automated takeover.

Speakers
Paul Schwarzenberger

Cloud Security Architect and Engineer, Celidor
Paul Schwarzenberger is a cloud security architect and engineer, leading security engagements and cloud migration projects for customers across sectors including financial services and Government. He has in-depth enterprise experience and certifications across all three major cloud...



Wednesday February 15, 2023 3:30pm - 4:30pm GMT
Room: Liffey Meeting Room 1

3:30pm GMT

Do more with less screen-time, a modern Application Security Toolchain.
Automated security testing has brought security teams an abundance of signal about codebases and infrastructure without much manual effort. However, we now spend a lot of time triaging false positives and managing findings. This doesn’t scale and results in us hiring more security experts as vulnerability pushers.
Because of that, many teams struggle to achieve time-saving features like per-team configuration, conditional tool execution and automated reporting to different sinks based on code ownership.

In this talk, we bring you a new free and open source Application Security Toolchain Framework with integrations for several scanners both under the OWASP umbrella and not.

This allows security teams to schedule tool execution against both code and infrastructure, aggregate the results from many different tools, enrich them using several processors and finally consume them with a multitude of visualization platforms. All in a safe, performant and platform-agnostic way.

Speakers
Spyros Gasteratos

security engineer, owasp
Spyros is an OWASP volunteer and professionally is currently helping Fintechs with AppSec. He maintains several Open Source projects including Dracon, opencre.org and others. Also, he usually doesn’t speak about himself in the third person...


Wednesday February 15, 2023 3:30pm - 4:30pm GMT
Room: Liffey Hall 2

3:30pm GMT

Bootstrap and increase your software assurance with OWASP SAMM v2.1
Are you looking for an effective and measurable way to analyze and improve your organization's software security posture? Look no further! During this talk, Seba and Bart, the co-leaders of the OWASP SAMM project, will introduce you to OWASP SAMM v2.1 - the premier maturity model for software assurance. They will provide a thorough overview of how to use SAMM in your organization and highlight the new features of the recently released v2.1. In addition, they will share the results of our 2022 SAMM survey and provide an update on the revamped SAMM benchmark initiative. Don't miss this opportunity to learn from the experts and take your organization's software security to the next level!

Speakers
Sebastien Deleersnyder

CEO, Toreon
Sebastien (Seba) Deleersnyder is co-founder and CTO of Toreon. He started the Belgian OWASP chapter and was an OWASP Foundation Board member. With a development background and years of security experience, he has trained countless developers to create more secure software. Co-leading...

Bart De Win

Director of Cyber and Privacy Unit, PwC
Bart De Win has been serving as the director of the Cyber&Privacy unit at PwC since 2011. In this role, he oversees all software security services and leads a team of highly skilled security specialists. He has a wealth of experience in application testing, secure software development...



Wednesday February 15, 2023 3:30pm - 4:30pm GMT
Room: Liffey Meeting Room 2

4:30pm GMT

Server Side Prototype Pollution
Detecting server side prototype pollution legitimately is quite difficult because it involves changing the state of Object prototypes on the server and that can almost certainly cause DoS. I've created multiple techniques that allow you to detect SSPP without bringing the server to its knees and without needing the source code.

I'll talk about how you can detect server side prototype pollution and the pros and cons of each technique, and show you how to detect the type of JavaScript engine being used on some sites, all black-box with specially crafted requests. Finally, I'll share an open source Burp extension that will help you detect SSPP using Burp Suite and wrap up with defensive measures you can take, takeaways, and leave 5 minutes for questions.



Speakers
Gareth Heyes

Researcher and Co-Author, PortSwigger
PortSwigger researcher Gareth Heyes is probably best known for his work escaping JavaScript sandboxes, and creating super-elegant XSS vectors. When he's not co-authoring books (like the recent title, Web Application Obfuscation), Gareth is a father to two wonderful girls and husband...



Wednesday February 15, 2023 4:30pm - 5:30pm GMT
Room: Liffey Hall 1

4:30pm GMT

Passwordless future: Using WebAuthn and Passkeys in practice
With the WebAuthn specification, a promising option for passwordless authentication in web browsers was published in March 2019. Until last year, adoption in websites and applications only grew slowly. In 2022, both Google and Apple introduced the integration of passkeys in their identity systems, giving hope for further progress. This session will explain the basics of WebAuthn and passkeys and evaluate the state of adoption on both the client and server side. It will then focus on the practical realization when developing a web application: How do you build passwordless authentication yourself? Which features make it easier or more difficult to use in web applications? What are the impressions from practical use? In the end, the talk will also shed light on future developments in the WebAuthn environment. During the session, attendees will understand the principles of WebAuthn. They will get to know the possibilities and use cases of passkeys. They will also learn how to integrate these features in new or existing applications.

Speakers
Clemens Hübner

Software Security Engineer, inovex GmbH
For more than ten years, Clemens Hübner has been working at the interface between software and security. After roles as a software developer and in penetration testing, he joined inovex in 2018 as a software security engineer. Today, he supports development projects at the conception...



Wednesday February 15, 2023 4:30pm - 5:30pm GMT
Room: The Liffey A

4:30pm GMT

Philosophizing security​ in a "mobile-first" world
The speaker examines in detail the core problems of the Mobile App Security subject by applying philosophical methods to avoid technical biases. Among these problems, the speaker distinguishes the following topics:
  • The engineering bias (streetlight effect) causing engineers to propose solutions for security problems that are "comfortable to solve or they have the technology to apply."
  • The ambivalence of the perception of security by engineers and users. Users welcome individual safety feelings and can be irritated by security measures. I.e., the Security and Freedom dilemma defines individual user safety perception.
  • The complexity of managing Social Contracts in the Apps world for users. Related to Privacy, Personal Data Processing, Surveillance, ...
  • The challenge of making the security level of the App verifiable by users. How to make the security visual and clear for users.
  • Problems of engaging users in the security journey without boring and annoying them.
  • How to approach the collective defense concept to share the attack vectors' data and use the exploits to improve the defense.

Speakers
Sergiy Yakymchuk

CEO, Talsec
CEO of Talsec. We have created freeRASP (see GitHub). It is an in-App security SDK to protect Apps and APIs.



Wednesday February 15, 2023 4:30pm - 5:30pm GMT
Room: Liffey Meeting Room 1

4:30pm GMT

Empowering the Guardians of Your Code Kingdom
When it comes to repo protection and security - we often have the tradeoff between two extremes, general rules that cause a lot of friction and result in reduced velocity or GitOps policy tools that provide little coverage for the code itself.

In the context of the age-old mono vs. multi-repo debate, it is actually much harder to secure the mono repo (due to its size and complexity) - and all too often developers will choose velocity over security. A good way to maintain good security hygiene for large mono-repos is by adopting the hierarchical repo model, which enables the enforcement of policy and access control for specific code folders - meaning DevOps can be sure no one has overly privileged access to IaC, and developers will have the ability to ensure greater quality and security than just some simple git checks.

In this talk we'll demo with a working code example how to build custom policies and rules using a combination of static analysis tools and Open Policy Agent (OPA), git actions and native git tools to enforce security policies on the code itself without compromising developer velocity.

Speakers
Gabriel Manor

DevRel Engineering Director, Permit.io
Gabriel is a senior full-stack developer who blends his passion for technical leadership, security, authorization, and devtools into his current role as the Head of Growth and DevRel at Permit.io. As a developer, Gabriel derives the most enjoyment from learning new technologies, designing...


Wednesday February 15, 2023 4:30pm - 5:30pm GMT
Room: Liffey Hall 2

4:30pm GMT

Improving supply chain security with OWASP Dependency Track
With the need to deliver software faster to clients, it is typical not to "reinvent the wheel" and instead rely on open source/3rd party components. With increased adoption of open source/3rd party components, the complexity and inherited risk of the software supply chain is rising. It is crucial to have a complete and accurate inventory of open source/3rd party component usage and the risk associated with it. "Our software supply chain security is our responsibility." In order to achieve a complete inventory, a Bill of Materials (BOM) is a fundamental building block. OWASP Dependency Track consumes the BOM and helps to continuously monitor the risk associated with these components. In this talk, we will explain and demonstrate OWASP Dependency Track and how it can be a foundational platform to add to your arsenal of tools to improve software supply chain security.

Speakers
Vinod Anandan

SVP of Application Security
Vinod is an SVP of Application Security, leading a team of DevSecOps engineers and architects to develop tools and services which will help to improve security and the developers' experience. Vinod spends most of his time helping open source projects and standards.

Meha Bhargava

DevSecOps Engineer, Citi
I am a software developer from India with more than 8 years of experience. Have been to different places around the world for work and currently living in London as I work for Citi. My open source contribution journey started with Dependency Track. Enjoy working with new technologies...

Niklas Jan Duster

Cloud Native Engineer, ControlPlane
Niklas is a Cloud Native Engineer @ ControlPlane, and is passionate about AppSec, DevSecOps, and Open Source. He co-leads the OWASP Dependency-Track project and is a contributor to the OWASP CycloneDX Bill of Materials standard, for which he maintains the official Go tooling.


Wednesday February 15, 2023 4:30pm - 5:30pm GMT
Room: Liffey Meeting Room 2

5:30pm GMT

Networking Reception
Wednesday February 15, 2023 5:30pm - 7:30pm GMT
Room: Liffey B

7:30pm GMT

Leaders Meeting and Public Board Meeting
Wednesday February 15, 2023 7:30pm - 10:00pm GMT
Room: Liffey Meeting Room 2
 
Thursday, February 16
 

8:00am GMT

Exhibitor Hall
Thursday February 16, 2023 8:00am - 5:00pm GMT
Room: Liffey B

9:00am GMT

Shifting Security Everywhere
As an AppSec pro, you may feel that marketing has ruined the meaning of ‘shift left’. It was supposed to mean ‘starting security as early as possible in the SDLC’, but was transformed into “buy our product, put it in your CI/CD, then your apps will be secure”. But we can't just throw a bunch of tools into a CI/CD pipeline and call it a day. With this in mind, let’s focus on comprehensive programs, developer buy-in, and making security work for the entire business, by shifting security everywhere.

Speakers
Tanya Janca

CEO and Founder, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning community that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty five years, won countless awards, and has been everywhere from public service to tech...



Thursday February 16, 2023 9:00am - 10:00am GMT
Room: The Liffey A

9:00am GMT

Member Lounge
Thursday February 16, 2023 9:00am - 5:00pm GMT
Dublin Convention Center

10:00am GMT

AM Coffee Break with Exhibitors
Thursday February 16, 2023 10:00am - 10:30am GMT
Room: Liffey B

10:30am GMT

compRCEssed : Compressed File Manipulation
In my research, besides the use of a new technique, compressed file (hpi, deb, jar etc.) manipulation, in the field of remote code execution, this includes implementing it on popular web apps and publishing this 0day at the time of presentation.

In most web applications, uploading harmful files is prevented by the precautions taken in the file upload section. One of these protection methods is file hash, extension, header, type etc. control mechanisms. However, in this presentation, you will see how we can add a file to the system from which we can run code remotely with compressed file manipulation, how we can become an authorized user in the system, and how to increase the privileges of the seized application user on popular applications. You will be able to see both a new method and a 0Day in the presentation.

Speakers
Mehmet Önder Key

Vulnerability researcher and penetration tester, Turkish Aerospace Industries (TAI)
Mehmet Önder Key is a vulnerability researcher and penetration tester and currently works at Turkish Aerospace Industries (TAI) in Türkiye. While working in the red team, he also works in the blue team and uses the information he acquired in his work to develop bypass methods. His purpose...


Thursday February 16, 2023 10:30am - 11:30am GMT
Room: Liffey Hall 1

10:30am GMT

Removing Secrets to Make Your Mobile Apps More MASVS-Secure
Secrets and credentials are hardcoded in mobile app packages, saved in persistent storage, exposed in API calls, and mistakenly left in project repos. Mobile has become the easiest place for hackers to steal what they need to abuse your APIs and backend services. It might seem odd that removing secrets from your apps improves your platform security, but not only is it safer, it lets your operations team centrally manage your credentials and security policies on the fly. In this session, you'll learn how to combine mobile app attestation techniques with cloud-based credential services and channel hardening to ensure secrets are never at rest inside your apps. These techniques are fully compatible with your existing API protocols and integrate easily into your app's networking stack. We'll demonstrate and then blunt common static analysis, rooting, instrumentation framework, and man-in-the-middle attacks, showing how this approach meets many of the defense-in-depth and resiliency (L2+R) levels of the MASVS mobile app security verification standard.

Speakers
Skip Hovsmith

Principal Engineer and VP Americas, CriticalBlue
Skip Hovsmith is a Principal Engineer and VP Americas for CriticalBlue, working on securing API usage between mobile apps and backend services. Previously, Skip consulted with CriticalBlue customers on accelerating mobile and embedded software running on multicore and custom coprocessor...


Thursday February 16, 2023 10:30am - 11:30am GMT
Room: The Liffey A

10:30am GMT

What We've Learned from Scanning 10K+ Kubernetes Clusters
The number of misconfigurations, unpatched vulnerabilities, and overly-privileged users in Kubernetes systems is ASTOUNDING. We learned this from analyzing the telemetry data from the open source tool Kubescape, which has scanned more than 10K unique Kubernetes clusters, and we have learned a great deal about the state of Kubernetes risk, compliance, and security vulnerabilities.

In this talk we'll shed light on the most common misconfigurations across Kubernetes deployments (managed and self-managed) according to multiple frameworks (such as the NSA-CISA, MITRE ATT&CK®, and the OWASP Kubernetes Top 10), alongside known software vulnerabilities, and RBAC (role-based-access-control) violations at early stages of the CI/CD pipeline. We will demonstrate how you can instantly calculate your own risk score, and you'll walk away able to discover and manage your own risks, over time, through constantly changing security trends.

We'll also provide interesting insights on why and where Kubernetes deployments most commonly fail and statistics on which controls fail most, as well as the weak spots and gotchas to pay attention to. Stick around though, as we'll wrap up with some simple measures you can take immediately to work towards eliminating these risks and improving your overall cloud native security posture.

Speakers
Ben Hirschberg

ARMO
Ben is a veteran cybersecurity and DevOps professional, as well as a computer science lecturer. Today, he is the co-founder at ARMO, with a vision of making end-to-end Kubernetes security simple for everyone, and a core maintainer of the open source Kubescape project. He teaches advanced...


Thursday February 16, 2023 10:30am - 11:30am GMT
Room: Liffey Meeting Room 1

10:30am GMT

Developer Driven Security in high-growth environments
I will present a case study of a scalable and autonomous AppSec program that makes it possible to manage the risk and review security for each code change in an organization that grows its Engineering group 50% YoY. I will talk about establishing principles and metrics to measure the success of that program, managing and motivating security champions, and scalable threat modeling methodologies and tools. I will show you how each engineer and security champion can model the threats by themselves, effectively and while preserving good quality. On top of that, I will explain how structured Threat Modeling as Code and deliverables from all security review phases can be used for AppSec innovations.

Speakers
Jakub Kaluzny

Principal Product Security Engineer, Snowflake
I lead AppSec initiatives at Snowflake with innovative and scalable ideas. Author of multiple threat modeling workshops and Instant Threat Modeling - a 5-min video series on the topic. Speaker at OWASP AppSec EU, Blackhat Asia and HackInTheBox.



Thursday February 16, 2023 10:30am - 11:30am GMT
Room: Liffey Hall 2

10:30am GMT

Testability Patterns for Web Applications - a new OWASP project
Motivated by our promising research results (see anonymized attached document), also presented at OWASP AppSec last year, and by their successful initial evaluation in industrial settings, we have just started a new OWASP project to make our Testability Patterns for Web Applications consumable to and improvable by the entire community. In this presentation, we will present the goals of our OWASP project and the importance of the testability dimension for the security and privacy of Web Applications. We will showcase our approach in the context of Static Application Security Testing (SAST). First, we will present with concrete examples what testability patterns for SAST are and how they impede the ability of state-of-the-art SAST tools to analyze web application code. Second, we will present our open source framework to operate these patterns. The framework allows for evaluating SAST tools against the testability patterns so as to know which patterns are problematic for which tool. The framework also allows the discovery of patterns within web application source code so as to make developers aware of which code areas will be problematic for SAST. Third, we will introduce the three main target audience groups: web developers, SAST tool developers, and central security teams. For each of these groups, we will clarify which added value these SAST patterns provide and how that group can join our project community and contribute to creating and maturing testability patterns. Last, but not least, we will expose the plan for our OWASP project.

Speakers
Dr. Luca Compagna

Senior Scientist / Research Architect, SAP Security Research
Dr. Luca Compagna is part of the Security Research team at SAP, where he is contributing to the research strategy and to the software security analysis area in particular. He received his Ph.D. in Computer Science jointly from the U. of Genova and U. of Edinburgh, working on security...



Thursday February 16, 2023 10:30am - 11:30am GMT
Room: Liffey Meeting Room 2

11:30am GMT

Down the Rabbit Hole: A journey towards a weakness in Chrome & a new hacking technique
Two websites which were found to be vulnerable to CRLF injection caused Google Chrome to behave differently. This triggered an exciting research journey ending in finding weaknesses in reverse proxies, Chrome and other browsers, as well as a new hacking technique named Frontend server hijacking, or Frontjacking in short. Frontjacking combines CRLF injection, poorly configured servers and shared hosting, and enables attackers to execute any reflected XSS and phishing related payloads while bypassing any defensive mechanisms including CSP (Content Security Policy), HttpOnly cookie attributes, WAFs (Web Application Firewalls), CORS (Cross Origin Resource Sharing) and HTTPS certificate validation.

Speakers
Gil Cohen

Head of Appsec & SDLC, CYE
Gil is a highly experienced information security architect, consultant, researcher and penetration tester with more than 16 years of experience. Previously a senior consultant and team leader, mentor for colleagues, head of penetration testing and training and the CTO of Comsec Group...

Omri Inbar

Cyber Security Expert and Researcher, CYE Security
Omri brings 8+ years of experience to his role as a senior Cyber security expert and researcher at CYE security. Being a former software developer, he now focuses his time and expertise towards application security research. In his free time, he likes to investigate whatever he can...



Thursday February 16, 2023 11:30am - 12:30pm GMT
Room: Liffey Hall 1

11:30am GMT

Reduce your permissions management time while effectively protecting your users, it's possible! (Project Feedback)
In 2019, users of Ameli, the French welfare website, could read other users' messages and attachments containing confidential information by trivially changing a parameter in the URL. Unfortunately, this flaw is much more common than we think, and access control has been listed as the number one flaw by OWASP.

Historically, developers manage permissions directly in code and the product team is not always well aware of the conditions which leads to flaws in access control. It is also one of the most complex vulnerabilities to manage and it is easy for a developer to forget a condition in their API and open up access to sensitive data to anyone.

On a fund management site using django-admin, we needed very fine-grained management of vertical (permission levels) and horizontal (compartmentalisation between users) permissions with a need for some administrators to manage their own teams independently.

We were able to implement an extremely easy-to-use and manageable system using both Django's internal permissions management and a SaaS: Okta.

During this talk, I will cover the following topics:

- Vertical and Horizontal Permissions using a django-admin example
- Adding a SaaS for login and permissions
- The pros and cons of Okta

At the end of this talk, you will know the best practices for implementing and using permissions, with a django-admin example. You will also understand the pros and cons of using a SaaS to outsource permissions management and simplify it for your administrators.

Speakers
Marine du Mesnil

Head of Security Tribe, Theodo
Tech Lead and Head of Security Tribe @ Theodo, Marine du Mesnil is particularly interested in computer security and is involved in the Theodo Security Guild to help developers create compliant products by training them and helping them fix flaws in their projects. She follows the OWASP...


Thursday February 16, 2023 11:30am - 12:30pm GMT
Room: The Liffey A

11:30am GMT

Hacking and Defending APIs - Red and Blue make Purple
APIs are a foundational technology in today’s app-driven world and increasingly becoming the main target for attackers. How do you protect yourself? This talk will walk you through the techniques attackers use against APIs like broken object level authorization (BOLA) by following a typical API pen testing methodology. For each phase and attack, the tables are turned by covering how the attack looks from the defender's point of view including proactive ways to catch attacks early. You’ll understand how attackers find and exploit vulnerabilities and gain insight into why many traditional AppSec approaches fall short for APIs. The goal is to provide a complete overview of API vulnerabilities from both attack and defense perspectives so you can ramp up your testing and protection of all the new APIs in your AppSec life.

Speakers
Matt Tesauro

Engineer, NoName Security
Matt Tesauro is a DevSecOps and AppSec guru with specialization in creating security programs, leveraging automation to maximize team velocity and training emerging and senior professionals. When not writing automation code in Go, Matt is pushing for DevSecOps everywhere via his involvement...



Thursday February 16, 2023 11:30am - 12:30pm GMT
Room: Liffey Meeting Room 1

11:30am GMT

How to have visibility and security OF a CICD pipeline
In this talk I will be presenting how an organization can approach the visibility and thus the security OF a CICD pipeline, along with some common attack areas like access controls, credentials hygiene, misconfiguration etc. and their possible solutions.

Also, I will introduce two new open source projects:
First, CICDGuard - a graph-based CICD pipeline visualizer and security analyzer, which:
1. Represents the entire CICD pipeline in graph form, providing intuitive visibility and solving the awareness problem
2. Identifies common security flaws across supported technologies and provides industry best practices and guidelines for identified flaws
3. Technologies supported as of now:
- GitHub
- GitHub Action
- Jenkins
- Spinnaker

Second, ActionGOAT - a deliberately damn vulnerable GitHub Action for learning purposes

Speakers
Pramod Rana

Manager - Application Security, Netskope
Pramod Rana is the author of the following open source projects:
1) Omniscient - LetsMapYourNetwork: a graph-based asset management framework
2) vPrioritizer - Art of Risk Prioritization: a risk prioritization framework
3) sec-depend-aider - Dependabot pull request monitoring automation platform...


Thursday February 16, 2023 11:30am - 12:30pm GMT
Room: Liffey Hall 2

11:30am GMT

OWASP SERVERLESS TOP 10
When adopting serverless technology, we eliminate the need to develop a server to manage our application, and by doing so, we also pass some of the security threats to the infrastructure provider. However, serverless functions, even without provisioning or managing servers, still execute code. If this code is written in an insecure manner, it can still be vulnerable to traditional application-level attacks. The OWASP Serverless Top 10 project recently launched. In this talk, I will examine how the original Top 10 stacks up for serverless apps. In particular, we’ll examine the differences in attack vectors, security weaknesses, and the business impact of successful attacks on applications in the serverless world, and, most importantly, how to prevent them. As we will see, attack vectors and prevention techniques are completely different from the traditional application world.

Speakers
Tal Melamed

Sr Director, Cloud Native Security Research, Contrast Security
With over 15 years’ experience in security research and engineering, Tal, Sr. Director at Contrast Security, possesses an unprecedented understanding of the Application and Serverless Security landscape. Recently, Tal co-founded CloudEssence, a cloud-native security company...


Thursday February 16, 2023 11:30am - 12:30pm GMT
Room: Liffey Meeting Room 2

12:30pm GMT

Lunch with Exhibitors
Thursday February 16, 2023 12:30pm - 2:00pm GMT
Liffey B

2:00pm GMT

AI-Assisted Coding: The Future of Software Development; between Challenges and Benefits
The use of AI in software development is on the rise, and for a good reason. AI-assisted coding has the potential to revolutionize the way we write code, making the process faster, more efficient, and more accurate, and especially more secure.

In this keynote, we will discuss the current state of AI-assisted coding and its potential future impact on the software development industry and cybersecurity.
We will explore the different ways AI can support code writing, such as code completion, error detection, and automated testing.

However, the use of AI in software development also comes with a set of challenges, including intellectual property ownership, legal issues, and privacy concerns.

This keynote will provide a comprehensive understanding of how AI can be used in software development, its potential impact on the industry, as well as the challenges and opportunities that come with it. It will also equip attendees with the knowledge and tools to understand the legal and ethical issues surrounding AI-assisted coding.

Speakers
Dr. Magda Chelly

Managing Director, Chief Information Security Officer, Responsible Cyber Pte. Ltd.
Dr. Magda Lilia Chelly is a world-renowned leader in the field of cybersecurity, having been honored as one of the top 20 most influential personalities in the industry in both 2017 and 2021 by ISFEC Global. As an accomplished author, she has written three books that provide in-depth...


Thursday February 16, 2023 2:00pm - 3:00pm GMT
Room: The Liffey A

3:00pm GMT

PM Break with Exhibitors
Thursday February 16, 2023 3:00pm - 3:30pm GMT
Room: Liffey B

3:30pm GMT

OpenSSL Deep Dive - The Good, The Bad and The Not-So-Ugly
On October 25, OpenSSL notified users that it had found two new vulnerabilities in OpenSSL 3.0.0 through 3.0.6. One of these was apparently “critical” – the same level as the notorious 2014 Heartbleed flaw. That captured everyone’s attention because Heartbleed affected many high-profile organizations, could compromise encrypted information of all kinds, and actually showed up in the wild. It was bad. But by November 1, when OpenSSL released its version 3.0.7 fix, it more clearly understood the two new vulnerabilities and downgraded them to “high” severity. Since AppSec researchers are in the business of scanning servers, applications and APIs for vulnerabilities, we can add value by illuminating why this was done, with a focus on how attackers might try to exploit these flaws – and why they probably can’t.

Speakers
Dan Murphy

Dan Murphy has 20+ years of experience in the security space, specializing in web security, distributed systems, and software architecture. As a distinguished architect at Invicti, his focus is on ensuring that Invicti products across the entire organization work together to provide...

Frank Catucci

CTO and Head of Security Research, Invicti
Frank Catucci is a global application security technical leader with over 20 years of experience, designing scalable application security specific architecture, partnering with cross-functional engineering and product teams. Frank is a past OWASP Chapter President and contributor...



Thursday February 16, 2023 3:30pm - 4:30pm GMT
Room: Liffey Hall 1

3:30pm GMT

Get On With The Program: Threat Modeling In and For Your Organization
You've read, heard, sensed and worried about Threat Modeling for a while now. Apparently, all the cool kids are doing it and there's a strong movement for everyone to do it. But what does that mean for your organization? What are the dials you can read and the levers you can push to build a Threat Modeling program that actually works for your environment? In this session we will look at what are the indicators in your organization that may help shape your Threat Modeling program, what this program may look like, and what data you'll be collecting in order to measure and improve its impact and efficacy. Do you do it yourself? Do you bring external help? Is it your Security Team or your developers who lead it? Security Champions? All teams do the same, or...? We will ask and answer these questions and more. You will leave with ideas of your next steps, equipped with ways to go and succeed, and to fail fast if necessary.

Speakers
Izar Tarandach

Sr. Staff Engineer
Long-time security practitioner, currently a Sr. Staff Engineer, previously Principal Security Engineer at Squarespace, where he also acted as (Interim) Head Of Security. With experience ranging from Bridgewater Associates to DellEMC via RSA, Autodesk, startup founder, investor and...


Thursday February 16, 2023 3:30pm - 4:30pm GMT
Room: The Liffey A

3:30pm GMT

Log story short: Chopping through forests of data
I work at a large SaaS enterprise. We have dedicated SOC, application & infrastructure security teams and a thriving bug bounty program. We invest millions of dollars in cutting edge security tools & SDLC processes. Sounds like we should be covered for the basics, right? Still, one day I started looking for signs of vulnerabilities in server error logs, and to my horror found some 'SQL syntax' errors. This opened up Pandora's box. 'You have an error in your SQL syntax' - in the context of security everyone knows what this error means. Surprisingly, AppSec teams probably don't actively search for such exceptions in server error logs. Error and exception logs can often contain indications of application vulnerabilities, and with the right methodology you can identify many vulnerabilities that are already present in your production environment. In this talk I will present our journey through the dark forest of server error logs, which resulted in detection of many vulnerabilities of all sorts and creating a reliable application security monitoring pipeline.

Speakers
Moti Harmats

Application Security Team Leader, Wix
I love to understand how things are made, and then break them! I am an experienced application security architect with a decade of experience in offensive security, bug bounty & application security design at high-scale environments. I like to think outside the box and apply scientific...



Thursday February 16, 2023 3:30pm - 4:30pm GMT
Room: Liffey Meeting Room 1

3:30pm GMT

When is a vulnerability not a vulnerability? Overcoming the inundation of noisy security alerts
The growth in security threats has overwhelmed organizations. All too frequently, security teams are forced to prioritize compliance-related checkboxes, as opposed to work that makes a real dent in their organization’s security. Since few teams can afford to simply expand their teams to keep up — they must take a new approach to evaluating and prioritizing threats. This talk presents a counterintuitive approach to strengthening security: one that ignores over 90% of security vulnerability alerts. Using specific examples, it illustrates how organizations can ignore alerts with high confidence, and how this enables a marked shift in security workflows and behavior, thus significantly improving security posture.

Speakers
Adam Berman

Head of Semgrep Supply Chain, Semgrep
Adam Berman is Head of Semgrep Supply Chain. In this role, he focuses on developing new products to help security teams work hand-in-hand with developers and scale their security programs. Previous to Semgrep, Adam led the engineering team for Meraki Insight at Cisco Meraki. Adam...


Thursday February 16, 2023 3:30pm - 4:30pm GMT
Room: Liffey Hall 2

3:30pm GMT

Automated Security Testing with OWASP Nettacker
The OWASP Nettacker project (a portmanteau of "Network Attacker") is a relatively new yet awesome and powerful 'swiss-army-knife' automated penetration testing framework fully written in Python. Nettacker recently gained a lot of interest from the European and Asian penetration testing communities and was even included in the specialist Linux distribution for penetration testers and security researchers. Nettacker is able to run various scans using a variety of methods and generate scan reports for applications and networks, including services, bugs, vulnerabilities, misconfigurations, default credentials and many other cool features - for example the ability to chain different scan methods. This talk will feature a live demo and several practical usage examples of how organisations can benefit from this OWASP project for automated security testing.

Speakers
Sam Stepanyan

Independent Application Security Consultant and Security Architect, OWASP London
Sam Stepanyan is an OWASP London Chapter Leader and an Independent Application Security Consultant and Security Architect with over 20 years of experience in the IT industry with a background in software engineering and web application development. Sam has worked for various financial...



Thursday February 16, 2023 3:30pm - 4:30pm GMT
Room: Liffey Meeting Room 2

4:30pm GMT

Constructing a Precise Dynamic Control-flow Graph for EVM based Smart Contracts
Blockchain Technology is trending in recent years. However, financial losses and impacts are increasing rapidly. By reviewing and investigating past incidents, it's obvious that "Security" is mostly neglected or underestimated for projects in the DeFi and NFT fields. Though we have several auditing companies nowadays, it's still important for the industry to have ways of generating precise dynamic CFGs, which are the fundamental component of static analysis. Due to the nature of the limitation of the EVM's available computing resource (gas), we're able to do a full simulation in the EVM and get all possible paths to construct a CFG and refine it iteratively. In this talk, I'll demonstrate how we can leverage a fully functional, working EVM implementation to construct a precise CFG, and use it to do reverse engineering upon EVM-based smart contracts step by step.

Speakers
Syue Siang Su

Senior Cyber Security Researcher, CyCraft Technology
Boik Su currently focuses on cloud security, AD security, web security, and threat hunting as a senior cyber security researcher at CyCraft Technology. He takes an active role in the cyber security community and has lectured at multiple cyber security conferences across the globe...


Thursday February 16, 2023 4:30pm - 5:30pm GMT
Room: Liffey Hall 1

4:30pm GMT

Not your parents’ cryptography – non-traditional encryption problems and solutions
Encrypted data is essentially random... All you can do is store it or decrypt it... right? These statements are largely true for traditional encryption schemes, and unfortunately those schemes preclude the use of encryption in certain situations. Sometimes sensitive data needs to be protected, but also searchable, indexable, deterministic, and/or in a specific format. This presentation will discuss these and other non-traditional use cases for encrypting data at rest, along with technologies and techniques to satisfy your security requirements.

Speakers
Chuck Willis

Security Engineering Manager, Datadog
Chuck Willis is an industry-recognized leader in cyber security, with over twenty years of experience in software security, application security, product security, penetration testing, secure development programs, and computer investigations. His past experiences include study of...


Thursday February 16, 2023 4:30pm - 5:30pm GMT
Room: The Liffey A

4:30pm GMT

Let’s Cook: Contextual Vulnerabilities are the Ingredients and OWASP Top 10 Mapping the Seasoning
When you’re hungry it’s hard to focus, and some even get hangry (a portmanteau of hunger + anger). This session will feed the brain with a methodology for analyzing vulnerabilities given their context. When there is too much data, our brains strain to find patterns, organization, and categorization. Context, frequency mapping, and using data to tell a larger story via trend analysis help us separate signal from noise and turn it into something meaningful and actionable.

This talk seeks to share a methodology for categorization of vulnerabilities gathered from open source data and bug bounty data from 2022. The methodology focuses on how to categorize those vulnerabilities, and then once categorized how to connect meaningful context for defenders and builders.

All of the vulnerabilities that will be covered in this talk are related to application security and each will be mapped to the most recent OWASP Top Ten list (2021). The vulnerabilities will be grouped into 2 case studies. The first case study will focus on vulnerabilities found in the Google Project Zero report and other Open Source Intelligence (OSINT) sources that relate to Application Security. The second case study will focus on disaggregated and anonymous data that the presenter has access to related to a bug bounty program. All the vulnerabilities shared from this data will connect with Application Security and they will all be mapped to OWASP Top Ten. Then a cumulative trend and frequency analysis will be discussed.

To provide additional context, when data is available and known, it will be shared whether the vulnerability was also being actively exploited in the wild, whether there is a published proof-of-concept (PoC), and whether there is a mitigation plan. Be prepared for data visualization and story-based data telling. At the end of the talk, the speaker will share resources for research and further development of skills around OSINT, threat intelligence, and vulnerability management.

The content of this talk could be used by DevOps teams to further understand the context behind vulnerabilities that affect the platforms they are building, as well as by vulnerability management teams, threat modelers, cyber threat intelligence teams, and incident responders.

Speakers

Meghan Jacquot

Security Engineer, Inspectiv
Meghan Jacquot is a Security Engineer with Inspectiv and focuses on vulnerabilities and attack surface management. She is particularly interested in cloud security, threat intelligence, investigating vulnerabilities, and the ethical use of data. Meghan shares her research via conferences...

Thursday February 16, 2023 4:30pm - 5:30pm GMT
Room: Liffey Meeting Room 1

4:30pm GMT

The Power of DevSecOps in Web3 and Blockchain
Web3 and blockchain are the next set of buzzwords and initiatives plaguing application security professionals, but fear not! All of your cloud and AppSec skills can help you become a Web3 blockchain security guru. Blockchain is an incredibly diverse space with a new eye towards security as a priority in software development. This security-first mindset and the support of the blockchain community, coupled with the open source nature of decentralized software, make it a very real candidate for seeing DevSecOps practices blossom. This talk will cover real-world examples and techniques used in blockchain that make it fertile ground for growing your DevSecOps skills, practices, and client base.

Speakers

Ken Toler

Director - Application and Blockchain Security
Ken is an application and cloud security consultant who is passionate about work that brings security and product engineers (developers) together, and has dedicated a podcast to finding some weight in the buzzword of DevSecOps at www.r2dso.com. A tinkerer at heart, Ken breaks, builds, and puts things back together for a living. When he's not digging into code and cloud he enjoys heading out to karaoke, but these days that's a pastime he can only hope comes back. Ken is always open to conversations about cloud, application...


Thursday February 16, 2023 4:30pm - 5:30pm GMT
Room: Liffey Hall 2

4:30pm GMT

“Mobile Wanderlust”! Our journey to Version 2.0!
There are numerous ways of developing mobile apps today, but how do you ensure that your app is properly secured? What are the threats you should be concerned about, and what can you do to avoid being an easy target? If you don't want to miss anything, leveraging a standard is essential. Google understands this very well and since April 2022 acknowledges developers who have had their apps independently validated against the OWASP MASVS. In this talk we'll introduce you to the OWASP MASVS (Mobile Application Security Verification Standard), which works together with the OWASP MASTG (Mobile App Security Testing Guide) to help you understand the attack surface of mobile apps, how they are exploited and how to protect them, as well as the transition to version 2.0. Both resources are crafted and curated by a team of numerous experts and community contributors. Want to secure your mobile apps? See you there!

Speakers

Sven Schleier

Principal Security Consultant, Crayon
Sven lives in Austria and is a Principal Security Consultant at Crayon, specialising in cloud security. He has extensive experience in offensive security engagements such as penetration testing and application security, supporting and guiding software development projects for mobile...


Thursday February 16, 2023 4:30pm - 5:30pm GMT
Room: Liffey Meeting Room 2

5:30pm GMT

Closing Ceremony
Join us in the Keynote room for closing ceremonies and for the raffle prize giveaways!

Thursday February 16, 2023 5:30pm - 6:00pm GMT
Room: The Liffey A