Sunday, October 29
 

5:00pm EDT

Women in AppSec Reception
**RSVP is required**

Are you a woman in appsec who would like to connect with other women in the industry? If so, join us on Sunday, October 29th from 5:00pm - 6:30pm for a light reception and networking!

Please RSVP on your eventbrite registration form or by emailing events at events@owasp.com

Information on location within the hotel will be shared to our RSVP list close to the event dates.

Sunday October 29, 2023 5:00pm - 6:30pm EDT
The Dignitary

6:30pm EDT

New Global AppSec Conference Attendee Icebreaker Reception
**For first-time OWASP Global AppSec Conference attendees, attendees who haven't been to an OWASP Global AppSec in a while, project leaders, chapter leaders and the OWASP Board of Directors**

RSVP is required on your initial registration form or by emailing events at events@owasp.com. 

If this is your first OWASP Global AppSec or you have simply not attended for a few years we invite you to join us on Sunday, October 29th from 6:30pm - 8:00pm for appetizers and networking. Come connect with OWASP board members and leaders during this icebreaker event.

Information about where to meet at the hotel will be shared to our RSVP list closer to the event date.

Sunday October 29, 2023 6:30pm - 8:00pm EDT
10th Floor Terrace

7:00pm EDT

Havana Nights Happy Hour Mixer (open to ALL)
Before we all meet at another awesome OWASP Global AppSec Conference, Jit, Semgrep, Oligo, Impart, and Pangea invite you to their Havana Nights Party on Sunday, October 29th, from 7:00 pm - 10:00 pm.

Join them at this fun mixer where you'll have a unique networking opportunity before the event starts.

Event info:
Venue: Cuba Libre
Address: 801 9th St NW suite a, Washington, DC 20001
Time: 7:00pm - 10:00pm | October 29th
Please RSVP to reserve your spot!

Join us for an evening of drinks, light bites, great company, and fun.

Sunday October 29, 2023 7:00pm - 10:00pm EDT
Cuba Libre Restaurant 801 9th St NW suite a, Washington, DC 20001
 
Monday, October 30
 

7:30am EDT

Speaker Ready Room
Monday October 30, 2023 7:30am - 5:00pm EDT
Room: Penn

8:00am EDT

Breakfast
Monday October 30, 2023 8:00am - 9:00am EDT
Room: Liberty Ballroom

8:00am EDT

Exhibitor Hall
Monday October 30, 2023 8:00am - 8:30pm EDT
Room: Liberty Ballroom

9:00am EDT

Global AppSec: Beyond Boundaries
Here we are, attending one of OWASP’s esteemed Global AppSec conferences. Solutions, security technologies, processes, maturity models, etc., are often implicitly assumed to work for everyone, in most if not all situations, i.e., to be “global”. Do we really understand what “global” has come to mean? Who writes code today? Where? Just as important, whose lives depend on the software we are trying to “secure”? Do most coders have access to the tools that we believe are required to “secure the code”? Does the majority of code get written within some type of AppSec programme, formal/casual/ad hoc? Or, and this may be a frightening thought, is most code generated far away from the practices that so many of us have contributed large portions of our lives to build? Join author and longtime AppSec iconoclast Brook S.E. Schoenfield to explore just what “global” could mean for AppSec. We’ll look dispassionately at what we do well, as well as what we might change. Maybe, just maybe, we have to widen our circle of influence, perhaps considerably, given current circumstances and in response to upcoming shifts. Come explore “global AppSec”.

Speakers
Brook S.E. Schoenfield
CTO, Resilient Software Security and True Positives' Chief Software Security Strategist
Books by Brook S.E. Schoenfield include Building In Security At Agile Speed (Auerbach, 2021, co-authored with James Ransome), Secrets Of A Cyber Security Architect (Auerbach, 2019) and Securing Systems: Applied Security Architecture and Threat Models (CRC Press, 2015). He co-authored...



Monday October 30, 2023 9:00am - 10:00am EDT
Room: Independence Ballroom A-E

10:00am EDT

AM Break
Monday October 30, 2023 10:00am - 10:30am EDT
Room: Liberty Ballroom

10:30am EDT

OWASP Mobile Application Security - MASVS and MASTG
The OWASP Mobile Application Security (MAS) flagship project provides a security standard for mobile apps (OWASP MASVS) and a comprehensive testing guide (OWASP MASTG) that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.

Speakers
Carlos Holguera
Mobile Security Research Engineer, NowSecure
Carlos is a mobile security research engineer and one of the two leaders of the OWASP Mobile App Security (MAS) project who has gained many years of hands-on experience in the field of security testing for mobile apps and embedded systems such as automotive control units and IoT devices...

Sven Schleier
Principal Security Consultant, Crayon
Sven is living in Austria and a Principal Security Consultant at Crayon, specialised in Cloud Security. He has extensive experience in offensive security engagements like Penetration Testing and Application Security by supporting and guiding software development projects for Mobile...



Monday October 30, 2023 10:30am - 11:05am EDT
Room: Mint

10:30am EDT

ASVS Testing: You Keep Using Those Words
As the Application Security Verification Standard (ASVS) grows in popularity, companies have an increasing interest in assessing the security of their web applications against the verification requirements outlined in the ASVS. Although the standard itself claims that all the requirements can be verified through penetration testing, source code, system configuration, documentation, and access to application developers, some companies are not willing to accept documentation and attestation by developers as legitimate evidence for verification, as the veracity of their claims is not guaranteed. However, these companies are not aware of the extensive access necessary to truly test against all the standard’s verification requirements, and they are not to blame. In fact, the ASVS does not outline the exact access necessary for testing applications against level two and level three requirements.

This presentation will cover an analysis of the entire 286 verification requirements listed in the standard to identify the exact access necessary to accurately verify each one. While almost all level one requirements can, by definition, be verified by penetration testing, level two and level three requirements require a mix of penetration testing, documentation, and access to infrastructure, such as logging systems, CI/CD pipelines, and server configuration. Not only will this newly outlined detail assist in the generation of test cases, but it will also provide context to the companies that seek testing against the ASVS so that they understand the effort required for that work.

Speakers
Shanni Prutchi
Security Consultant, Bishop Fox
Shanni Prutchi is a security consultant at Bishop Fox focused on threat modeling, architecture security assessments, and application penetration testing and has experience in GRC, incident response, and security education. She graduated from Rowan University in New Jersey with a B.A...



Monday October 30, 2023 10:30am - 11:15am EDT
Room: Archives

10:30am EDT

Fixing Broken Access Control
Broken Access Control is #1 on the OWASP top 10 list for good reason. Every cloud-native application needs some form of access control to secure protected resources. Unfortunately, only a very limited few have the expertise and teams required to build centralized authorization systems that avoid broken access vulnerabilities.

Google, Airbnb, Intuit, Netflix and Carta have successfully built fine-grained access control systems. The common application has not. In fact, an astonishing 94% of applications tested by the OWASP exhibited some form of broken access!

When trying to tackle this, most applications implement role-based access control (RBAC), which allows restricting certain functions to privileged users. But a zero-trust approach to application security requires that we go further. Following the principle of least privilege, modern cloud apps implement fine-grained access controls. With a fine-grained model, access rules can be defined on the application’s resources, often down to individual items.

Two ecosystems have emerged around cloud-native authorization: Policy-as-code and policy-as-data. The first expresses authorization logic as code that is versioned and stored separately from application code, and the latter bases authorization logic on relationships between application resources.

Open Policy Agent (OPA) brings a policy-as-code approach to fine-grained authorization, and is rooted in an attribute-based access control (ABAC) approach. Google’s Zanzibar, the unified authorization system Google uses across its clients, including Gmail, Drive, Cloud, and Calendar, represents the policy-as-data camp. Zanzibar is based on a relationship-based access control (ReBAC) model, and has inspired other systems, such as Airbnb’s Himeji and Carta’s AuthZ, as well as numerous open-source implementations.

In this talk, we’ll explore the principles and patterns of cloud-native authorization, and compare the strengths and weaknesses of OPA and Zanzibar as foundational models for a robust access control system. We will also share a couple open-source projects you can use today to add fine-grained access controls to your applications and APIs.

Speakers
Omri Gazitt
Co-Founder/CEO, Aserto
Omri is the co-founder/CEO of Aserto.com, an authorization startup, and his third entrepreneurial venture. He's spent the majority of his 30-year career working on developer and infrastructure technology, most recently as the CPO of Puppet. Previously he was the VP and GM of HP's...



Monday October 30, 2023 10:30am - 11:15am EDT
Room: Independence Ballroom A-E

10:30am EDT

The evolution of exploiting memory vulnerabilities in Linux
This talk will provide an in-depth exploration of the process of exploiting binary files. It covers the now-outdated techniques used to exploit binaries in the past, the rise of binary hardening, and the cutting-edge exploitation techniques developed to bypass it, and it provides insight into the prevalence of binary hardening in real-world applications. The presentation begins with a brief overview of the ELF structure, laying the foundation for understanding the rest of the talk. It then delves into the various types of binary hardening techniques and provides a detailed explanation of each one. We then present the techniques developed to bypass binary hardening, along with real-world CVEs and PoCs used to attack binaries.

Finally, we will explore how binary hardening is implemented in common platforms and provide statistical data to offer insight into its prevalence in the wild. Attendees will come away with a comprehensive understanding of each type of binary hardening, the importance of implementing them, and the value of combining them to prevent the attacks discussed.

Speakers
Ofri Ouzan
Security Researcher
Ofri Ouzan is an experienced Security Researcher who has been working in the field of cybersecurity for over four years. She specializes in conducting security research for Windows, Linux, cloud platforms, and containerized applications, with a focus on vulnerabilities. In addition...


Monday October 30, 2023 10:30am - 11:15am EDT
Room: Capital-Congress

10:30am EDT

Influencing Without Authority: The Foundations of a Successful Security Department of Yes
In today’s technology and business landscape, security is a critical component of any successful organization. However, driving the goals of a security organization can be challenging, particularly when that organization resides in a separate line of business than the product engineering organization they wish to influence. The speakers will discuss how to leverage several key concepts of “influencing without authority” to successfully partner with non-security stakeholders and drive the strategic objectives of a security organization.

This talk will explore the telltale signs of the security “Department of No,” well-meaning obstructionists who too often impede the larger business through bureaucracy, and how to shift security practices to empowering the organization through measured, contextual security achievements and partnered collaboration with the rest of the business.

This is not a practice relegated to startups with limited concerns nor only achievable by large institutions with a commensurately large security staff. The security “Department of Yes” is tangible and achievable for organizations of all sizes, including heavily regulated programs.

The speakers will outline several key concepts of influencing without authority and provide practical examples of how these concepts can be applied to a security organization to increase their influence and drive the adoption of security best practices. The talk will also delve into common challenges that security organizations may face when trying to influence others, and provide strategies for overcoming these challenges. The audience will gain a deeper understanding of how to build effective relationships, establish credibility, and create coalitions with other stakeholders to amplify their influence and achieve their goals.

Attendees will leave this talk with a set of actionable strategies that they can use to increase their influence within their organizations, drive the adoption of security best practices, and improve the overall security posture of their business. They will gain an appreciation for the importance of influence and learn how to apply these concepts to drive positive change in their organizations.

Speakers
Timothy Lisko
Senior Director of Security Engineering, DigitalOcean
Tim Lisko is the Senior Director of Security Engineering at DigitalOcean. He oversees defensive capabilities, including Product Security, Infrastructure Security, Security Software Engineering, Security Observability and Data Analysis, and Trust and Governance. Leaning into nautical...

Ari Kalfus
Product Security Manager, DigitalOcean
Ari Kalfus is a security leader and developer enabler who has tricked people like Tim into letting him run application security programs. In the past, he has worked as a security engineer and penetration tester. Ari believes security programs must be rooted in a partnership with the...



Monday October 30, 2023 10:30am - 11:15am EDT
Room: Treasury

11:10am EDT

OWASP SAMM
Join us in the morning for an in-depth exploration of the OWASP SAMM project, where we'll shed light on its essence, the benchmark, and our future roadmap of OWASP SAMM.

During this session, attendees will gain valuable insights into:

The integral components of the OWASP SAMM project.
Exciting updates leading towards version 2.1.
Key takeaways from the SAMM User survey and its outcomes.
A comprehensive update on the SAMM benchmark.
A sneak peek into our SAMM roadmap.
By attending this session, you'll be well-equipped with a deeper understanding of SAMM and its continuous evolution.

This talk is for you if you want to learn about the SAMM project and community.
We have another talk on Monday afternoon that will provide an overview of the OWASP SAMM 2.1 framework.
More details on https://owasp2023globalappsecwashin.sched.com/event/1OUlG/bootstrap-your-software-security-with-owasp-samm-21



Speakers
Sebastien Deleersnyder
CTO and Co-Founder, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering...


Monday October 30, 2023 11:10am - 11:45am EDT
Room: Mint

11:15am EDT

How to write a good CfT/CfP Submission
ATTENTION FUTURE SPEAKERS AND TRAINERS! Have you been thinking of becoming a conference trainer or speaker? Join Izar as he walks you through the process of how to write a good submission for Call for Training and Call for Papers! This is a complimentary event for all attendees.

* choosing a subject
* finding out your approach - am I unique, is this an overview?
* choosing your track
* short abstract and lengthy outline - what are reviewers looking for?
* choosing a title
* create a dummy submission, shuffle among participants and review as a group

Monday October 30, 2023 11:15am - 1:15pm EDT
Room: Independence Ballroom H
Track: BONUS TRACK

11:30am EDT

Discovering Shadow Vulnerabilities in Popular Open-Source Projects: A Journey Through Reverse-Fuzzing
In a world full of vulnerabilities, there is an untold story of those libraries that are insecure by design: libraries that, when used in a certain way, allow the application to be compromised. Not all library security issues are treated as vulnerabilities and addressed with a patch or a CVE; at best they are addressed with minor documentation warnings. These vulnerabilities pose a significant risk to organizations because they are nearly impossible to detect. We named them "Shadow Vulnerabilities".

We discovered a new shadow vulnerable code pattern in a widely used OSS library and wondered who might be vulnerable.

We developed a tool that automatically analyzed more than 100k repositories to determine whether each repository is vulnerable and prioritized them based on their potential to create vast damage. We were able to validate the exploitability of hundreds of high-profile targets such as Apache Cassandra, Prometheus, PyTorch, and many more…

In this presentation, we will review the discovered vulnerabilities, and discuss the challenges of scaling the triage, validating exploitation, and building a reliable infrastructure. We will use Apache Cassandra to demonstrate how we validated the attack vector for each target, sharing the exploitation details of the critical RCE we found, and its implications on a database-as-a-service used by multiple cloud providers.

Both project owners and library owners claimed the responsibility to use it “safely” is on the users themselves. The result is that most users are vulnerable and have no process to fix this or even be aware of it.

We believe it is vital to raise community awareness of shadow vulnerabilities, as we only scratched the surface with one example out of many more that are still out there.

Speakers
Guy Kaplan
Security Researcher, Oligo Security
Guy Kaplan is a Security Researcher in the CTO Office of Oligo Security. His experience in software development and vulnerability research spans more than a decade. In his previous jobs, Guy held various roles in various cyber security startups in which he acquired skills in vulnerability...

Gal Elbaz
Co-Founder and CTO, Oligo Security
Gal is the co-founder and CTO at Oligo Security, where he leverages his decade-long experience in vulnerability research and ethical hacking. Previously, he served as a Senior Security Researcher at CheckPoint, specializing in vulnerability research, exploitation, and fuzzing across...


Monday October 30, 2023 11:30am - 12:15pm EDT
Room: Archives

11:30am EDT

DevSecOps Worst Practices
Quite often when we read best practices we are told ‘what’ to do, but not the ‘why’. When we are told to ensure there are no false positives in the pipeline, the reason seems obvious, but not every part of DevOps is that intuitive, and not all ‘best practices’ make sense on first blush. Let’s explore tried, tested, and failed methods, and then flip them on their head, so we know not only what to do to avoid them, but also why it is important to do so, with these DevSecOps WORST practices.

Speakers
Tanya Janca
CEO and Founder, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning community that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty five years, won countless awards, and has been everywhere from public service to tech...



Monday October 30, 2023 11:30am - 12:15pm EDT
Room: Independence Ballroom A-E

11:30am EDT

Using an Application Performance Monitoring (APM) Environment for Security Insights
An Application Performance Monitoring (APM) environment can be used to gain security insights by collecting and analyzing data on application performance and behavior. By monitoring factors such as user activity, network traffic, and system resources, anomalies or potential security threats can be identified and addressed in real-time. APM tools can also provide visibility into application dependencies and potential attack vectors, enabling proactive security measures to be implemented. Overall, leveraging an APM environment for security insights can improve an organization's ability to detect and respond to security incidents, and ultimately enhance its overall security posture.

Speakers
Rafael Ferreira
Rafael Ferreira has 18 years in the Information Security Industry. He specializes in Penetration Tests, Threat Hunting and Incident Response. Over those years he has led numerous projects about implementation of corporate security and has delivered talks, workshops and courses to...


Monday October 30, 2023 11:30am - 12:15pm EDT
Room: Capital-Congress

11:30am EDT

Moving Forward By Looking Back: Data Collection and Analysis at OWASP
We are eternally searching for answers to the questions "How are we doing?", "How do we compare?", "What should we do next?", "Are we improving?". To help answer these questions and move forward, we can leverage data to learn from the past. We will discuss lessons learned from OWASP Top 10 and OWASP SAMM data collection and analysis, and walk through the new data collection project at OWASP. This project provides a centralized service for the data collection needs of almost any OWASP project, including governance, legal, data collection and processing, and analytics and visualizations. Join us on this merry journey to find the data that can be used in context to improve your organization and the global discipline of information security.

Speakers
Brian Glas
Assistant Professor, Union University
Brian has 22 years of experience in various roles in IT with the majority of that in application development and security. His day job is serving as an Assistant Professor teaching a full load of Computer Science and Cybersecurity classes at Union University. He helped build the FedEx...



Monday October 30, 2023 11:30am - 12:15pm EDT
Room: Treasury

12:15pm EDT

Lunch
Monday October 30, 2023 12:15pm - 1:15pm EDT
Room: Liberty Ballroom

1:15pm EDT

OWASP Coraza WAF
OWASP Coraza is a golang enterprise-grade Web Application Firewall framework that supports Modsecurity's seclang language and is 100% compatible with OWASP Core Ruleset.
Enrich your web application's security with powerful rules that comprehensively enforce good cybersecurity behavior.

Speakers
José Carlos Chávez
Software Engineer, Tetrate


Monday October 30, 2023 1:15pm - 1:50pm EDT
Room: Mint

1:15pm EDT

From Traditional to Intelligent Fuzzing: Embracing AI in Security Testing
Our presentation will focus on innovative ways to perform dynamic application security testing processes specific to fuzzing. Traditionally, fuzzing has been limited to prepopulated DAST tools, penetration testing dumps, or manual creation of crafted payloads. However, with the use of AI, traditional fuzzing strategies can now be supplemented with large language models (LLMs) giving a new level of depth.

Our team has explored the use of LLMs to generate payloads for deep and focused fuzzing in two separate use cases: the first with JavaScript and the second with an Ethereum smart contract. By using an LLM to automatically generate a payload dump, it is conceivable that organizations may reduce delivery time by speeding up the development process, making it a tool for application security practitioners and developers alike. Other advantages may include improved fuzzing quality with realistic and sophisticated test cases, improved coverage with test cases that span a wide range of scenarios and inputs, and, lastly, relatively simple integration into automated testing workflows, allowing for continuous testing of web applications.

While there are benefits to using LLMs for fuzzing testing, there are also limitations that must be considered. Our team will discuss some of these limitations and provide potential workarounds to overcome them. Attendees will leave the presentation with a better understanding of how AI can be used to enhance application security testing and the benefits and limitations of using LLMs for fuzzing.

Speakers
James Beegen
Software Engineer
James is a software engineer with a background in application security. His focus areas and objectives include rapid development of prototypes and POCs, and creation of new solutions and tools with emerging technology.

Jamal Webster
Director within a Strategic Operations group
Jamal is a Marine with 13 years of experience in the information assurance field. At his current company he is a director within a Strategic Operations group supporting various federal lines of business. His objectives include go-to-market support for emerging technology, rapid development...

Cory Murray
Systems Architect and Technologist
Cory Murray is a systems architect and technologist. With experience ranging from DevOps work, cloud security, and backend web development, he now currently builds proof of concepts for varying clients and use cases in both the public and private sectors. Holding degrees in arts concentrations...


Monday October 30, 2023 1:15pm - 2:00pm EDT
Room: Archives

1:15pm EDT

Reflections on Trust in the Software Supply Chain
This talk delves into the current state of software supply chain security and the challenges organizations face in ensuring the security and trustworthiness of their software.

The current efforts to secure the software supply chain, including Supply-chain Levels for Software Artifacts (SLSA), Software Bill of Materials (SBOM), code signing, and the security of the build tool chain, will be critically evaluated. While many of these efforts are key to securing the software supply chain - a demonstration will highlight how some of the current efforts may just be security theater.

The talk concludes with a discussion of binary-source validation as a promising solution to enhancing the security of the software supply chain.

Speakers
Jeremy Long
Principal Security Engineer, ServiceNow
Jeremy Long is a highly accomplished security professional, serving as a Principal Security Engineer at ServiceNow. With a passion for security automation, he empowers developers by streamlining the secure development process and reducing the time it takes to identify potential threats...



Monday October 30, 2023 1:15pm - 2:00pm EDT
Room: Capital-Congress

1:15pm EDT

AppSec Threats Deserve Their Own Incident Response Plan
We've been hearing a lot about software supply chain attacks over the last two years, and with good reason. The cybersecurity ecosystem and industry at large have been inundated with warnings about this attack vector, with high-profile attacks leading to a stark increase in vendor solutions, and government regulations keep trying to catch up. Yet despite the popularity of AppSec-related incidents, our research has shown that most organizations do not have an incident response plan in place specifically for these attacks. Others that do have an IR playbook, often prepare to respond to infra-related attacks such as ransomware, rather than attacks based on application channels. Given the prevalence of these attacks, this presentation will focus on software supply chain incident response. It will include a quick response playbook, trends, and characteristics that make AppSec incident response deserving of its own plan.

Speakers
Omer Yaron
Security Researcher, Snyk
Omer Yaron is a security researcher at Snyk, formerly the Head of Research at Enso Security. Omer has practical experience in securing scale cloud-computing and serverless environments from complex authorization architecture design to monitoring and incident response. Furthermore...



Monday October 30, 2023 1:15pm - 2:00pm EDT
Room: Independence Ballroom A-E

1:15pm EDT

“Shift Left” Isn’t What You Expected
Let’s address the elephant in the room — “Shift left” hasn’t had the impact on our software security as many of us expected it to have. While it has influenced security in an indispensable way, I argue that “shift left” should be viewed as a tactic in a larger management strategy rather than a solution to solve appsec woes. I will review the success and limitations of “shift left” and how we can “restart” the process by applying it a little differently.

Speakers
Clinton Herget
Field CTO, Enso Security
Clinton Herget is Field CTO at Snyk, the leader in Developer Security, where he focuses on crafting and evangelizing our strategic vision for the evolution of DevSecOps. A seasoned technologist, Clinton spent his 20-year career prior to Snyk as a web software developer, DevOps consultant...


Monday October 30, 2023 1:15pm - 2:00pm EDT
Room: Treasury

1:55pm EDT

OWASP pytm
pytm is a Pythonic framework for threat modeling.
Define your system in Python using the elements and properties described in the pytm framework. Based on your definition, pytm can generate a Data Flow Diagram (DFD), a Sequence Diagram and, most important of all, threats to your system.

Monday October 30, 2023 1:55pm - 2:30pm EDT
Room: Mint

2:15pm EDT

Credential Sharing as a Service: the Dark Side of No Code
Why focus on heavily guarded crown jewels when you can dominate an organization through its shadow IT?
Low-Code applications have become a reality in the enterprise, with surveys showing that most enterprise apps are now built outside of IT, with lacking security practices. Unsurprisingly, attackers have figured out ways to leverage these platforms for their gain.

In this talk, we demonstrate a host of attack techniques found in the wild, where enterprise No-Code platforms are leveraged and abused for every step in the cyber killchain. You will learn how attackers perform an account takeover by making the user simply click a link, move laterally and escalate privileges with zero network traffic, leave behind an untraceable backdoor, and automate data exfiltration, to name a few capabilities. All capabilities will be demonstrated with POCs, and their source code will be shared.

Speakers
Michael Bargury
Co-Founder and CTO, Zenity
Michael Bargury is a security researcher passionate about all things related to cloud, SaaS and low-code security, and spends his time finding ways they could go wrong. He is the Co-Founder and CTO of Zenity, where he helps companies secure their low-code/no-code apps. In the past...


Monday October 30, 2023 2:15pm - 3:00pm EDT
Room: Independence Ballroom A-E

2:15pm EDT

Metrics, metrics everywhere - from which ones I should be scared?
The rapidly evolving landscape of application security (AppSec) necessitates effective metrics to gauge the effectiveness of security measures. However, the abundance of available metrics can overwhelm organizations, making it crucial to identify the metrics that truly matter and those that should instill concern. This session will explore the realm of AppSec metrics and guide attendees on distinguishing between valuable indicators and potentially alarming ones. Drawing upon industry best practices and real-world examples, participants will gain insights into selecting metrics that align with their organization's security goals and risk appetite, aiming to raise the AppSec maturity of the organization.

The session will delve into the various categories of AppSec metrics, including vulnerability density, time to remediation, and exploitability. By examining these metrics in depth, participants will learn to discern whether specific metrics reflect healthy security practices or signal potential vulnerabilities that demand immediate attention.

The session will also address the challenges associated with interpreting and contextualizing AppSec metrics. Attendees will gain the understanding, and a review of some of the tools, necessary to effectively communicate security metrics to stakeholders, facilitating informed decision-making and fostering a proactive security culture within their organizations. The goal of this session is to empower attendees to navigate the ocean of AppSec metrics, enabling them to identify metrics that warrant concern, prioritize remediation efforts, and drive continuous improvement in their organization's application security posture.

Speakers

Maria Schwenger

Associate Director Cyber Security : DevSecOps, BotCopy
Maria is an innovative cloud transformation and cybersecurity leader well-known for leading multiple successful implementations of the modern vision of cloud optimization, DevSecOps, and data protection, and for her leadership in executing complex digital transformation programs in...

Srdan Reljic

Srdan Reljic is an accomplished technology executive and a cyber security practitioner with a knack for driving innovation and creating strategic value with extensive hands-on experience in applying cloud native and open source technology to infuse security at every level. His interests...


Monday October 30, 2023 2:15pm - 3:00pm EDT
Room: Archives

2:15pm EDT

Fishing for Security: Reeling in Phishing Attacks Across a Global Organization
Phishing an employee, getting their credentials (bypassing MFA ain't that hard), then using that to gain access to Slack/code/VPN/internal tools and then hunting for leaked credentials to gain access to PII... sound familiar????

As much as cyber security has advanced, the kill chain of a lot of breaches remains quite simple and unchanged. There is a reason for that: protecting a remote workforce against such attacks is not easy. And no, phishing simulations and then blaming the user for clicking the link is not the answer.

In this talk I will discuss our journey to a land not so far away where users are inherently protected from phishing through SSO, biometrics, YubiKeys, device-based auth, and other heuristics, while navigating the supply chain challenges and customs issues we faced as a globally spread-out company. I will spend time talking about what worked, what did not work, some creative solutions we had to come up with, lessons we learned and successes we had in implementing a program where we protect our users and enable them to do what they do best.

Speakers

Yashvier Kosaraju

CSO, Sendbird
Yash is the CSO at Sendbird where he oversees Security, Compliance & IT. He has worked with Twilio, Box and iSEC Partners in the past. He has been working in security for about a decade. He has worked in a variety of roles ranging from consulting to enterprise product security teams...


Monday October 30, 2023 2:15pm - 3:00pm EDT
Room: Capital-Congress

2:15pm EDT

Bootstrap your Software Security with OWASP SAMM 2.1
This presentation will provide an overview of the OWASP SAMM 2.1 framework.
SAMM stands for Software Assurance Maturity Model.
Our mission is to provide an effective and measurable way for you to analyze and improve your secure development lifecycle. SAMM supports the complete software lifecycle and is technology and process agnostic. We built SAMM to be evolutive and risk-driven in nature, as there is no single recipe that works for all organizations.

In this talk we will explain what SAMM is, and how you use it to bootstrap and improve your secure development journey (will include a demo of the assessment tools).
Plus we will introduce the new self-paced OWASP SAMM training.

This talk is for you if you want to learn about SAMM to use it in your organization.
We have another talk on Monday morning that will cover how the SAMM project is evolving towards SAMM 2.1 and the Benchmark. More details on https://owasp2023globalappsecwashin.sched.com/event/1OUz8/owasp-samm




Speakers

Sebastien Deleersnyder

CTO and Co-Founder, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering...



Monday October 30, 2023 2:15pm - 3:00pm EDT
Room: Treasury

2:35pm EDT

OWASP Top Ten for Kubernetes
When adopting Kubernetes, we introduce new risks to our applications and infrastructure. The OWASP Kubernetes Top 10 is aimed at helping security practitioners, system administrators, and software developers prioritize risks around the Kubernetes ecosystem. The Top Ten is a prioritized list of these risks. In the future we hope for this to be backed by data collected from organizations varying in maturity and complexity.

Speakers

Jimmy Mesta

Co-Founder, KSOC
Jimmy Mesta is the Co-Founder and CTO at KSOC. He is a veteran security engineering leader focusing on building cloud-native security products. Prior to KSOC, Jimmy held senior leadership positions at a number of enterprises including Signal Sciences (acquired by Fastly) where he...


Monday October 30, 2023 2:35pm - 3:10pm EDT
Room: Mint

3:00pm EDT

PM Break
Monday October 30, 2023 3:00pm - 3:30pm EDT
Room: Liberty Ballroom

3:15pm EDT

OWASP Drill
As Security Engineers we are often dealing with a lot of structured and unstructured data in multiple sources and formats. This project is a set of extensions, tools, and sample queries/code based around Apache Drill to act as "The Security Engineer's Data Tool Kit".


Monday October 30, 2023 3:15pm - 3:50pm EDT
Room: Mint

3:30pm EDT

Hacking & Securing Android applications
I'll talk through two separate security vulnerabilities in two Android applications, both disclosed on HackerOne and both leading to stolen auth tokens. I'll then talk about how we could have caught the two vulnerabilities, both from a process point of view (i.e. SAST tools, threat modelling etc.), and discuss how 'safe to run', an open source library, could have caught both.

Speakers

Daniel Llewellyn

Head of Engineering (tech enablement), xDesign
I currently work as a head of engineering at xDesign; in my role I'm responsible for security from the corporate, application and operational sides. Before working at xDesign, I worked at BT Security as a software engineer, working on a number of security specific things. My main area...


Monday October 30, 2023 3:30pm - 4:15pm EDT
Room: Archives

3:30pm EDT

No Code you shall use, malware you shall get
**Speaker will be live presenting remotely due to the current challenges facing Israel at this time.

Our research explores the possibility of spreading malware and launching supply chain attacks through the marketplace functionality of leading Low Code / No Code application development platforms. Low-Code/No-Code (LCNC) platforms are quickly becoming the go-to technology for building enterprise applications. As the usage of these platforms becomes widespread, they all adopt some type of code reuse and code sharing mechanism using a marketplace approach. Whether it’s Forge for Outsystems, AppSource for Microsoft PowerApps or the UiPath Marketplace - all platforms adopted the concept of allowing app developers to get a head start (or completely rely on) by taking content created and publicly shared by other developers. Introducing applications that are based on marketplace components and templates exposes an enterprise to two types of threats: malicious (no) code and vulnerabilities.

The first involves a threat actor that creates a component with intentional, undesired functionality. The component is then placed into the marketplace by the threat actor. When developers introduce the malicious component / application into their LCNC environment, the malicious functionality is executed in the context of enterprise permissions, providing the attacker internal access to data and machines.

The second threat pertains to applications and components that were shared through the marketplace without thorough security review. These components contain security vulnerabilities and, when introduced by developers into the organization's LCNC environment, expose enterprise data to these same vulnerabilities. The two threats are imminent in the LCNC domain as there are very few tools and practices for weeding out security vulnerabilities from no-code applications and even fewer to detect the existence of undesired, malicious functionality.

The session discusses and demonstrates our attempts to introduce vulnerable and malicious components into the marketplace of various LCNC platforms. We will show what worked and what didn't, and also discuss methods that could be used to overcome existing guardrails. We will also discuss methods to promote the use of our malicious or vulnerable components and applications in a way that increases the chances of them being used by unsuspecting developers. This session will include demonstrations of some potential outcomes of malicious and vulnerable LCNC components.

Speakers

Amichai Shulman

CTO and co-founder, Nokod Security
Amichai Shulman is the CTO and co-founder of Nokod Security. He is a cyber security researcher, entrepreneur and investor with more than 30 years of cyber security experience in military, government and commercial environments. He co-founded Imperva in 2002 and served as CTO for the...



Monday October 30, 2023 3:30pm - 4:15pm EDT
Room: Independence Ballroom A-E

3:30pm EDT

Obfuscation Nation: Detecting Malicious Dependencies at Scale with Static Analysis
Incidents of malicious dependencies in open source package managers continue to grow in number every year. However, we are not defenseless. Techniques to identify and neutralize malicious packages are also improving, and we add our own static analysis techniques to the mix.

Static analysis has become more accessible in recent years, making it a great tool for inspecting source code with speed and accuracy. By studying the code in malicious packages, combined with our own experience, we developed Semgrep rules for code patterns that are common to malicious packages and uncommon to normal software. We further used static analysis plus package metadata to identify features which, when examined collectively, signal possible inclusion of malicious code into existing packages.

Finally, we discuss how static analysis can speed up auditing third-party software in highly-controlled environments.

Speakers

Kurt Boberg

Security Research Team, Semgrep
Kurt is a member of the Security Research team at Semgrep, where he currently works on building the next generation of open-source supply chain security tools. Previously he was an AppSec practitioner and team-builder, and in the long, long ago he started his career in what is now...



Monday October 30, 2023 3:30pm - 4:15pm EDT
Room: Capital-Congress

4:30pm EDT

22 Years of Application Security – Where did it get us?
Ask software developers to name the 10 categories of the OWASP Top 10 and how many do you think could do it? How many could even accurately tell you what the OWASP Top 10 is? For application security professionals, the effort to ensure safer, more secure code can often feel like we’re stuck in Groundhog Day. But have we really failed to make progress? In her keynote address, Alyssa Miller will talk about perspectives gained and the true progress we’ve made since OWASP was founded in 2001. She’ll also examine the challenges we’ve yet to conquer. And most importantly, Alyssa will dive into the mistakes we’ve made along the way and how we can put those lessons to use as we attempt to move application security forward. Hop on for this sometimes happy, sometimes sad, sometimes downright comical ride down memory lane and hopeful launch into the future of application security.

Speakers

Alyssa Miller

Chief Information Security Officer, Epiq Global
Alyssa Miller is a life-long hacker, programmer, and security executive. She's always had a passion for computers. She bought her first PC at age 12 and taught herself BASIC programming. Her career began as a software developer and later pivoted to security as a penetration tester...



Monday October 30, 2023 4:30pm - 5:15pm EDT
Room: Independence Ballroom A-E

5:30pm EDT

Addressing Supply Chain Issues for Application Security Specialists: The CREST OVS Business Accreditation Initiative, ASVS, and more!
In an era marked by escalating cyber threats, hiring qualified application security specialists has become imperative for businesses. However, this hiring process is fraught with challenges that often resemble supply chain issues: the integrity and consistency of qualifications, understanding the depth of the specialist's expertise, and ensuring they align with industry-standard best practices.

Join Tom Brennan of CREST Americas as he delves into these pressing challenges. Brennan will illuminate the parallels between supply chain management and hiring application security professionals, highlighting the vulnerabilities and inefficiencies businesses encounter.

Key Takeaways:
  1. An in-depth understanding of the problems faced by organizations when recruiting application security experts.
  2. A comparative analysis of supply chain issues and the hiring process of application security personnel.
  3. An introduction to the CREST OVS Business Accreditation - a groundbreaking initiative designed in collaboration with leading industry stakeholders.
  4. Insights into how the CREST OVS Business Accreditation emphasizes a profound understanding of software security, bridging the knowledge gap and ensuring businesses have access to consistently high-quality professionals.
Attendees will leave with a fresh perspective on the importance of robust and standardized hiring practices, and the invaluable role CREST's new initiative plays in fortifying the future of application security.

Speakers

Ajoy Kumar

Head of App Security, Wells Fargo
Ajoy Kumar is an industry professional with over 20 years of experience in information technology, technology risk, and cyber security. He has a deep understanding of several financial industry regulatory obligations and skills to balance the needs of diverse businesses. He thrives...

Tony UV

Founder, VerSprite
Founder of VerSprite, a risk-focused security consulting firm in Atlanta, Tony works with global Fortune 500 organizations seeking something beyond compliance-driven approaches to security challenges. With nearly 20 years of IT/IS experience across three continents, Tony has...

Tom Brennan

Executive Director, CREST International
Tom Brennan stands out as a distinguished cybersecurity executive and the U.S. division leader at CREST International, renowned for his profound impact on cybersecurity standards and practices. He excels in steering CREST's mission as a foremost accreditation body, ensuring robust...


Monday October 30, 2023 5:30pm - 6:30pm EDT
Room: Mint
  BONUS TRACK

5:30pm EDT

OWASP Jeopardy
Join us for a challenging, active, and exciting game of OWASP Jeopardy hosted by Jerry Hoff (AKA the original Waspy)

Monday October 30, 2023 5:30pm - 6:30pm EDT
Room: Independence Ballroom

6:30pm EDT

Networking Reception (costume optional)
Networking events are an excellent opportunity to connect with others and learn about the latest developments.

Everyone is welcome to join us from 6:30 to 8:30 pm in Liberty Hall (Expo Hall). Bump elbows with speakers, hear about the latest and greatest as you visit our exhibitors, catch up with old friends, and meet new ones!
This year the event will be a costume reception (optional) and prizes will be given away to the best costumes!

Monday October 30, 2023 6:30pm - 8:30pm EDT
Room: Liberty Ballroom

7:30pm EDT

Leaders Meeting
Monday October 30, 2023 7:30pm - 9:30pm EDT
Room: Capital-Congress
 
Tuesday, October 31
 

7:30am EDT

Speaker Ready Room
Tuesday October 31, 2023 7:30am - 5:00pm EDT
Room: Penn

8:00am EDT

Breakfast
Tuesday October 31, 2023 8:00am - 9:00am EDT
Room: Liberty Ballroom

8:00am EDT

Exhibitor Hall
Tuesday October 31, 2023 8:00am - 5:00pm EDT
Room: Liberty Ballroom

9:00am EDT

The Threat Actors We Forgot to Model: Profiling Socially-Motivated Cyber Criminals
This Halloween, delve into the eerie realm of Internet hate forums and discover the chilling, real-life tale of an unassuming man who is mercilessly pursued by a novel breed of cyber aggressor. The innovative research of our Keynote Speaker, grounded in firsthand interactions with these perpetrators, reveals the terrain of the Socially Motivated Threat Actor. These networked adversaries distinctively manipulate both digital infrastructures and human procedures, operating en masse and through specific engagements, to exert influence and inflict damage upon their selected targets. For security professionals, grasping this evolving dimension is essential for reducing uncertainty and crafting an efficient defensive approach in the face of a cyberattack.

Speakers

Jackie Singh

Independent Consultant, Hacking, but Legal
Jackie Singh is an American security consultant whose technology interests began at an early age; she was once an active participant in an established New York City hacker/cyberpunk collective. Jackie began her professional career in the U.S. Army and first deployed to Iraq as a young...



Tuesday October 31, 2023 9:00am - 10:00am EDT
Room: Independence Ballroom A-E

10:00am EDT

AM Break
Tuesday October 31, 2023 10:00am - 10:30am EDT
Room: Liberty Ballroom

10:30am EDT

OWASP Low-Code No-Code Top 10
Low-Code/No-Code development platforms provide a development environment used to create application software through a graphical user interface instead of traditional hand-coded computer programming. Such platforms reduce the amount of traditional hand-coding, enabling accelerated delivery of business applications.
As Low-Code/No-Code platforms proliferate and become widely used by organizations, there is a clear and immediate need to create awareness around security and privacy risks related to applications developed on such platforms.

The primary goal of the "OWASP Low-Code/No-Code Top 10" document is to provide assistance and education for organizations looking to adopt and develop Low-Code/No-Code applications. The guide provides information about what the most prominent security risks are for such applications, the challenges involved, and how to overcome them.

Speakers

Michael Bargury

Co-Founder and CTO, Zenity
Michael Bargury is a security researcher passionate about all things related to cloud, SaaS and low-code security, and spends his time finding ways they could go wrong. He is the Co-Founder and CTO of Zenity, where he helps companies secure their low-code/no-code apps. In the past...


Tuesday October 31, 2023 10:30am - 11:05am EDT
Room: Independence Ballroom A-E

10:30am EDT

Could Passwordless be Worse than Passwords?
The use of passwordless technologies has increased lately, and more companies are providing their support for it; this includes big names such as Microsoft, Apple, and Google. Passwordless is a no-brainer for increasing account security since passwords are one of the most common targets of attacks still in 2023. While Passwordless technologies are inherently more secure than traditional password-based authentication, there seems to be an overall idea of this technology being unhackable, and a perception that account takeover and user impersonation are not even possible when using it.  

This talk will cover real-world risks and vulnerabilities of passwordless solutions for Web applications and how a faulty implementation can lead to a more significant security breach than when using passwords alone. We will see how as a consequence of an attacker managing to compromise the passwordless authentication, users will not have that tiny piece of protection preventing other people from accessing their details: ironically, a password.

This talk will also cover the best practices for developers looking to integrate a passwordless mechanism (WebAuthn) into their Web application. Recommendations will be included for pentesters, enterprises, and end-users, too.

Speakers

Aldo Salas

Application Security Lead, HYPR
With more than 15 years of experience, Aldo has had the opportunity to work on all stages of Application Security, from penetration testing to program management and everything in between. He is currently on a quest to get rid of passwords by leading the Application Security program...


Tuesday October 31, 2023 10:30am - 11:15am EDT
Room: Archives

10:30am EDT

Ignoring the hype: how to design your cloud architecture regardless of your cloud of choice
DevOps and security teams want to ensure that security and observability are embedded at every critical juncture of their cloud environment and in their software development lifecycle (SDLC), including post-deployment. Countless best practice guides for cloud environments make it difficult to choose which one to use as a baseline, but many building blocks remain true in all of these. In this webinar, we’ll cover what those building blocks are and how you can apply them to your environment, regardless of your cloud provider by:

  • Exploring why each cloud’s best practices are mostly the same
  • Providing actionable takeaways that you can implement right now
  • Demonstrating how to architect your cloud to meet your goals

Speakers

Nathan Case

CISO, Corsha
Nathan Case is a successful executive and builder, pushing for change in security and the culture surrounding it. Leading strategic initiatives and the creation of new technologies in the healthcare, information technology and cloud industries, focusing on security. A passion for...


Tuesday October 31, 2023 10:30am - 11:15am EDT
Room: Capital-Congress

10:30am EDT

How to avoid potholes when scaling your Application Security program
Have you ever wondered what it is like to build an Application Security program at a very large organization? Or an organization that had experienced hyper-growth and the security team’s growth was not at the same pace as Engineering? What about an organization that had acquired a lot of different companies with vastly different tech stacks?

This talk will go through where you need to focus your energy to build a scaled Application Security program and how to avoid pitfalls along the way. It will deep dive into topics such as:
• The different levels of maturities for Application Security programs
• How to hire the right individuals for a scaled program
• How to best leverage your tools to bring out their full value
• And how to build a democratized vulnerability management program, so that Engineering is responsible for vulnerabilities

Speakers

Jeevan Singh

Director of Product Security, Twilio
Jeevan Singh is the Director of Product Security at Twilio, where he is embedding security into all aspects of the software development process. Jeevan enjoys building security culture within organizations and educating staff on security best practices. Jeevan is responsible for a...



Tuesday October 31, 2023 10:30am - 11:15am EDT
Room: Treasury

10:30am EDT

Mastering the Recipe: Scaling Threat Modeling in Large Organizations
Threat modeling, much like the art of cooking, demands a delicate balance of skills, processes, and tools. In this engaging talk, we delve into the intricacies of scaling threat modeling practices within large organizations, drawing parallels to the culinary world.

Just as anyone can whip up a meal, threat modeling is a skill that everyone can grasp. However, not everyone achieves the status of a star chef in this domain. Scaling threat modeling presents its own set of challenges, akin to orchestrating a grand feast in a hospital's bustling kitchen or catering to a banquet of epic proportions.

In a hospital environment, compliance with dietary requirements holds paramount importance, mirroring the significance of security and compliance in the threat modeling landscape. Similarly, in the culinary realm, restaurants must adhere to stringent food safety regulations. Standardization plays a pivotal role in both domains, where we draw parallels between crafting a menu and adhering to standard reference architectures.

Join us for a stimulating discussion on how to master the recipe for scaling threat modeling practices, as we explore the commonalities and best practices that bridge the worlds of security and culinary expertise.

Speakers

Sebastien Deleersnyder

CTO and Co-Founder, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering...


Tuesday October 31, 2023 10:30am - 11:15am EDT
Room: Mint

11:30am EDT

Refactoring Mobile App Security
In this talk we will present the new iteration of the OWASP MASTG v2, including brand new MAS profiles (previously known as “levels”), news about automation and “compliance as code”, and a walkthrough of some of the new “atomic tests”.


Since 2016, when the OWASP MASVS and MASTG became part of the OWASP universe, many contributions have been made by hundreds of people, making it the de facto "industry standard for mobile app security". Acknowledging the changes in the industry, the first major refactoring of MASVS was done between 2021 and early 2023 to bring it to v2 and address the limitations identified during real-world pentest engagements. To complement this, we have started refactoring the MASTG test cases to align them with the new controls and to make them more automation-friendly.

Want to secure your mobile apps? See you there!


Speakers

Carlos Holguera

Mobile Security Research Engineer, NowSecure
Carlos is a mobile security research engineer and one of the two leaders of the OWASP Mobile App Security (MAS) project who has gained many years of hands-on experience in the field of security testing for mobile apps and embedded systems such as automotive control units and IoT devices...

Sven Schleier

Principal Security Consultant, Crayon
Sven is living in Austria and a Principal Security Consultant at Crayon, specialised in Cloud Security. He has extensive experience in offensive security engagements like Penetration Testing and Application Security by supporting and guiding software development projects for Mobile...



Tuesday October 31, 2023 11:30am - 12:15pm EDT
Room: Archives

11:30am EDT

Using WebAssembly to run, extend, and secure your application!
WebAssembly (WASM) has come a long way since its first release in 2017. As a technology stack running inside the web browser, it even allows products like Adobe Photoshop to run in that context, and with Blazor WebAssembly, for example, .NET runs inside of the browser as well. Now, WASM is expanding beyond the browser to run in a server-based context. With the introduction of the WebAssembly System Interface (WASI), the technology leverages a standardized API that allows it to run on any system that supports it, for example to support cloud-based workloads.
Had WASM and WASI been around in 2009, Docker would not have existed, according to one of its founders, Solomon Hykes. WASM has a strong security posture given how it works with a linear memory space and how it supports a sandbox-based environment called "nano-process", which uses a capability-based security model. Users can even take any language that targets WASM and, with the help of WASI, run it on a Trusted Execution Environment (TEE) to add an additional layer of security.

In this session we'll start out by going through some of the basic security features of WASM and then move to running and extending an application with WASM. After that we'll focus on the security features, run on a TEE, and use the sandbox and the capability-based security model to limit what the application is allowed to do in both resources and compute.

Speakers

Niels Tanis

Sr. Principal Security Researcher, Veracode
Niels Tanis has a background in .NET development, pentesting and security consultancy. He is a Microsoft MVP and has been involved in breaking, defending and building secure applications. He joined Veracode in 2015 and right now he works as a security researcher on a variant of...



Tuesday October 31, 2023 11:30am - 12:15pm EDT
Room: Independence Ballroom A-E

11:30am EDT

Policy-as-Code: Across the Stack
In today's world of rapidly evolving technology and the increasing complexity of software systems, ensuring the security and compliance of applications across the stack has become paramount. This talk will provide an in-depth exploration of Policy-as-Code (PaC) and how it can be employed to implement decoupled security practices across the stack. PaC serves as a unified framework that enables organizations to define, manage, and enforce policies in a consistent, transparent, and automated manner. This approach facilitates better security, compliance, and risk management, while also reducing the need for manual intervention.

The talk will focus on the use of open-source Policy-as-Code frameworks to do policy composition, management and enforcement across the stack.

Speakers

Abhay Bhargav

Founder, AppSecEngineer
Abhay Bhargav is the founder at AppSecEngineer, a revolutionary training platform committed to solving the Security Skills Shortage. He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world's first hands-on training program on DevSecOps...


Tuesday October 31, 2023 11:30am - 12:15pm EDT
Room: Capital-Congress

11:30am EDT

Level Up Your Security Champions (and Your Program)
Security Champions are a mainstay of current application security programs. A number of great documents and presentations are available to help you get a program started. Datadog security engineers had used those resources to build and maintain programs at a number of organizations – and they had unfortunately seen many of the same problems arise in those different situations. For example, Security Champions may not have the authority needed to prioritize security tasks, they may vary widely in their security knowledge, they may lose interest, they may have different security goals, and management may not see the value that they provide.

In 2022, Datadog sought to address these shortcomings in building a next-generation Security Champions program. This session will outline the program, with a particular focus on its distinguishing aspects: clear definition of multiple roles within the program (champion, proponent, observer, mentor), inclusion of mentorship for champions, regular program feedback and improvement, and generation of meaningful metrics to illustrate the program’s value to leadership. Attendees will be provided with information and tools that can be readily applied to level up all, or a portion, of the program at their own organizations.

Speakers
Chuck Willis

Security Engineering Manager, Datadog
Chuck Willis is an industry-recognized leader in cyber security, with over twenty years of experience in software security, application security, product security, penetration testing, secure development programs, and computer investigations. His past experiences include study of...



Tuesday October 31, 2023 11:30am - 12:15pm EDT
Room: Treasury

12:15pm EDT

Lunch
Tuesday October 31, 2023 12:15pm - 1:15pm EDT
Room: Liberty Ballroom

1:15pm EDT

OWASP DefectDojo
An open source vulnerability management tool that streamlines the testing process by offering templating, report generation, metrics, and baseline self-service tools.
DefectDojo is an Application Security Program tool written in Python / Django. DefectDojo was created in 2013 and open-sourced on March 13th, 2015. The project was started to make optimizing vulnerability tracking less painful. The top goal of DefectDojo is to reduce the amount of time security professionals spend logging vulnerabilities. DefectDojo accomplishes this by offering a templating system for vulnerabilities, imports for common vulnerability scanners, report generation, and metrics.

Speakers
Matt Tesauro

CTO and Founder, DefectDojo Inc
Matt Tesauro is a DevSecOps and AppSec guru who specializes in creating security programs, leveraging automation to maximize team velocity and training emerging and senior security professionals. When not writing automation code in Go, Matt is pushing for DevSecOps everywhere via...


Tuesday October 31, 2023 1:15pm - 1:50pm EDT
Room: Mint

1:15pm EDT

AI Red Teaming LLM: Past, Present, and Future
Explore the world of AI Red Teaming Large Language Models (LLMs) - their origins, current challenges, and future possibilities. Since 2014, AI Red Teaming has been used to identify security risks in AI, mostly in computer vision. With advancements in ChatGPT and other LLMs, risks such as prompt leakage, prompt injection, jailbreaks, poisoning, and logic manipulation attacks remain. As LLMs become more common in business applications, it is crucial to have AI Red Teaming skills, which require expertise in computer hacking, AI, social engineering, psychology, neuroscience, mathematics, and logic.

Speakers
Adarsh Nair

Global Head - Information Security, UST
Adarsh Nair serves as the Global Head - Information Security at UST. He is an information security strategist, author, keynote speaker and is a recognized Fellow of Information Privacy (FIP) of the International Association of Privacy Professionals (IAPP). He has been recognized for his...

Mohit Joshi

Co-Founder & CDO, AppSentinels.ai

Casey Ellis

Founder, Chairman and CTO, Bugcrowd
Casey Ellis, Founder, Chairman and CTO of Bugcrowd: Casey is a 20-year infosec veteran, servicing clients as a pen tester, security and risk consultant, solutions architect, and most recently as a career entrepreneur. Casey pioneered the Crowdsourced Security as a Service model, launching...

Tom Brennan

Executive Director, CREST International
Tom Brennan stands out as a distinguished cybersecurity executive and the U.S. division leader at CREST International, renowned for his profound impact on cybersecurity standards and practices. He excels in steering CREST's mission as a foremost accreditation body, ensuring robust...


Tuesday October 31, 2023 1:15pm - 2:00pm EDT
Room: Archives

1:15pm EDT

From SBOMs to F-Bombs: Vulnerability Analysis, SCA Tools, and False Positives & Negatives
Managing vulnerabilities in third-party software has become an important application security activity. Vulnerabilities like Log4Shell and various supply chain attacks such as SolarWinds or CodeCov, and numerous others, have given many of us haunting nightmares, resulting in us sleeping with one eye open. Fortunately, Software Composition Analysis (SCA) tools coupled with Software Bill of Materials (SBOMs) have done so much to relieve that anxiety. Or not. This talk explores the vulnerability management process through the eyes of a FOSS security library provider and examines what we can do as AppSec engineers and developers to make the whole process a bit less painful.

Speakers
Kevin Wall

Senior Application Security Engineer, Verisign
I have been involved in application security for almost the past 20+ years, but I still consider myself a developer first and an AppSec engineer second. During most of those past 20 years, I have specialized in applied cryptography and web AppSec. Before transitioning to AppSec...



Tuesday October 31, 2023 1:15pm - 2:00pm EDT
Room: Independence Ballroom A-E

1:15pm EDT

OSC&R - Open Software Supply Chain Attack Reference
Over the past decade, the software development lifecycle has evolved dramatically with the wide adoption of DevOps culture, cloud-first strategy, the surge of SaaS business applications, and the ever-growing use of open source code. This laid the ground for the currently emerging attack vector: the software supply chain. The attackers' goals have not changed; they are still attempting to steal data and infect machines. The attacker tactics may utilize common attack techniques such as exploiting vulnerabilities and misconfigurations. However, the technology, people, and culture of the software supply chain ecosystem have unique characteristics that require a distinct understanding and approach. The Open Software Supply Chain Attack Reference (OSC&R) is a new security framework that aims to address these issues and provide a common language for the software supply chain. In this talk, we will provide an in-depth exploration of the OSC&R model through real-world examples, including analyzing past attacks, assessing supply chain security posture, conducting tabletop exercises, and addressing incident response and crisis management. By the end of this presentation, attendees will have the knowledge and skills necessary to evaluate their DevSecOps programs and a good idea of how they can improve their overall software supply chain security posture.

Speakers
Eyal Paz

VP of Research, OX Security
Eyal Paz is the VP of Research at OX Security, a software supply chain security startup. His work includes hands-on security research toward a holistic DevSecOps solution. Before joining OX Security, Eyal spent eleven years at Check Point working on security research for product innovation...

Ronen Atias

Security Researcher, OX Security
Ronen Atias is a seasoned security professional working as a security researcher at OX Security, a leader in software supply chain security. Before joining OX Security, Ronen spent 15 years as a security researcher in various cyber security companies: Finjan (Trustwave), Incapsula, Cato...



Tuesday October 31, 2023 1:15pm - 2:00pm EDT
Room: Capital-Congress

1:15pm EDT

OpenCRE.org - Universal translator for security
In security, it is important to understand the whole chain: from regulation to business risk, to requirement, to code example, to vulnerability, to test method, to tool configurations. However, so far there hasn’t been a solid way to interconnect standards, documentation, and tooling. Standards writers often work in isolation, and tooling authors rightly focus on quality results instead of comprehensive information about those results. The open source initiative OpenCRE.org connects all these sources of information: it links topics across multiple standards, including the Top 10, ASVS, Pro-active Controls, Testing Guide, Cheat Sheets, SAMM, SSDF, ISO27001, CSA CCMv3, CWE, CAPEC, PCI-DSS, NIST 800-53 and 63b. It further links code samples and offensive tooling configurations or rules. That way it serves as a universal translator, connecting every role involved: executive, compliance officer, procurement, architect, developer, and tester. This talk takes you through how OpenCRE.org works, how we have brought all these standards together, how we used AI in a revolutionary way, and how you can benefit in your work as a manager, builder, breaker, buyer, or standard maker! The intended audience for this talk is anyone involved with Application Security and looking for an easy-to-use guide mapping standards to regulations to code and configurations.

Speakers
Spyros Gasteratos

Security Engineer, OWASP
Spyros is an OWASP volunteer and professionally is currently helping Fintechs with AppSec. He maintains several Open Source projects including Dracon, opencre.org and others. Also, he usually doesn’t speak about himself in the third person...

Rob van der Veer

Principal consultant, Software Improvement Group
Rob van der Veer has a 30-year background in building secure software and running software businesses. AI, cyber security and privacy have been constant themes in his career, from hacking into the British RAF in 1986, to building AI solutions for national security. At the Software...



Tuesday October 31, 2023 1:15pm - 2:00pm EDT
Room: Treasury

1:55pm EDT

OWASP Developer Guide
This guide is one of the original documents from OWASP and so has a long history. The DevGuide repository has many of the previous versions going back to the original version 1.0 from 2002. Note that the original DevGuide repository has been deprecated in favour of this one.
The source code for the latest draft developer guide can be found under the 'draft' directory. The source is in markdown and is used to create the developer guide HTML (PDF and ePub are not in place yet). The content is subject to large scale changes with no notice, as it is being actively worked on for the next release of the Developer Guide.

Speakers
Shruti Kulkarni

Cyber Security Architect, 6point6

Andra Lezza

Application Security Analyst, Checkout.com


Tuesday October 31, 2023 1:55pm - 2:30pm EDT
Room: Mint

2:15pm EDT

Automated Security Testing with OWASP Nettacker
The OWASP Nettacker project (a portmanteau of "Network Attacker") is a relatively new yet powerful "swiss-army-knife" automated penetration testing framework, fully written in Python. Nettacker recently gained a lot of interest from the European and Asian penetration testing communities and was even included in a specialist Linux distribution for penetration testers and security researchers. Nettacker is able to run various scans using a variety of methods and generate scan reports for applications and networks, covering services, bugs, vulnerabilities, misconfigurations, default credentials and many other features, for example the ability to chain different scan methods. This talk will feature a live demo and several practical usage examples of how organisations can benefit from this OWASP project for automated security testing.

Speakers
Sam Stepanyan

Independent Application Security Consultant and Security Architect, OWASP London
Sam Stepanyan is an OWASP London Chapter Leader and an Independent Application Security Consultant and Security Architect with over 20 years of experience in the IT industry with a background in software engineering and web application development. Sam has worked for various financial...



Tuesday October 31, 2023 2:15pm - 3:00pm EDT
Room: Archives

2:15pm EDT

Cutting to the chase: Security Design and Guidance at scale
In 2021, OWASP added A04:2021 – Insecure Design as a new category focusing on risks related to design and architectural flaws, with a call for more use of threat modeling, secure design patterns, and reference architectures.

In a cloud-native, agile environment with hundreds of services operating at scale for products, security needs to be proactive, comprehensive, context- and data-driven, with a focus on risk reduction.
Security in such fast-paced, engineering-heavy organizations needs a shared ownership model. In order to do so, application security truly needs to be decentralized by design.

How does a lean team of security engineers achieve this with an emphasis on trust and partnership?
In this talk, I’ll cover my learnings as a software security engineer working on security design and guidance at scale. The talk will mainly focus on:
1. The three pillars of application security success:
- Building self-service for security design reviews
- The cost-to-value proposition of different security activities throughout the SDLC
2. Partnership with developers and product teams
- We will go over our security champions program journey and look at some success stories and roadblocks
3. Developer experience patterns and anti-patterns

I'll be sharing plenty of examples covering learnings on what works and what does not work, both from reflections on successes and failures, for anyone building security at scale.

Speakers
Nielet D'mello

Software Security Engineer, Datadog
Nielet D'mello is a software security engineer at Datadog where she focuses on security design and guidance. She works closely with developers, product and engineering teams to design, build and ship secure products/services. Her work includes research and implementation of tooling...


Tuesday October 31, 2023 2:15pm - 3:00pm EDT
Room: Independence Ballroom A-E

2:15pm EDT

Zero Trust Threat Modeling
Zero trust is all the rage, and it has vast implications for application security and threat modeling. Zero trust threat modeling means the death of the trust boundary. Zero trust security models assume attackers are in the environment, and data sources and flows can no longer hide. This uncovers threats never dreamed of in classic threat modeling. We'll begin by laying a foundation of zero trust against the lens of application security. What does Zero Trust architecture mean as it reaches the top of the technology stack? Zero-trust architecture brings us back to when it was all about objects and subjects. The essence of zero trust is only allowing certain subjects to access particular objects. From there, we'll apply the concept of zero trust to threat modeling by understanding what changes with threat modeling in a zero-trust world and by considering a threat model of the zero-trust architecture. We'll explore using new design principles in a zero-trust threat model, introduce a mnemonic to help apply the major threats impacting zero trust to threat modeling, and expose a new taxonomy of threats specific to the zero-trust application. So long live the threat model, but say goodbye to the trust boundary.

Speakers
Chris Romeo

CEO, Devici
Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling...



Tuesday October 31, 2023 2:15pm - 3:00pm EDT
Room: Capital-Congress

2:15pm EDT

The Problems with SBOMs — And How to Fix Them
Starting with the U.S. government’s 2021 cybersecurity executive order — which, in part, requires federal government agencies to obtain an SBOM (software bill of materials) with each product they purchase — a growing number of organizations have prioritized SBOMs as a software supply chain security initiative.

At their best, SBOMs are comprehensive, accurate inventories of an organization’s software components, including up-to-date and actionable security intelligence. They’re also machine-readable and able to be ingested and analyzed at scale, which can go a long way toward helping consumers understand and control software supply chain risks.

But for all of their promise, SBOMs have several issues that currently prevent many organizations from using them in supply chain security initiatives at scale. These include data accuracy concerns related to the lack of standardized component metadata, inconsistent distribution, and limited adoption of VEX (Vulnerability Exploitability eXchange), which, in theory, helps SBOM consumers understand whether they are actually impacted by a specific vulnerability.

In this presentation, we’ll provide a detailed breakdown of the root causes of these problems. We’ll also highlight several tools and strategies that can help your team more effectively integrate SBOM insights into risk management programs. We think you’ll come away with an improved understanding of the modern SBOM landscape along with specific solutions you can use to elevate your organization’s SBOM program.

Speakers
Cortez Frazier Jr

Product Lead, FOSSA
Cortez Frazier Jr. is the product lead for FOSSA’s SaaS and on-premises enterprise applications. FOSSA is a developer tool (in the software composition analysis category) for managing open source license compliance and security vulnerabilities. Before joining FOSSA, Cortez served...


Tuesday October 31, 2023 2:15pm - 3:00pm EDT
Room: Treasury

2:35pm EDT

OWASP Top 25 Parameters
For basic research: the top 25 vulnerable parameters, ranked by frequency of use with reference to various articles, bug bounty reports and write-ups. These parameters can be used for automation tools or manual recon.

Although the prevalence percentages of these parameters cannot be proven precisely, they were prepared by a community which I founded, and myself.

OWASP Project Page: https://owasp.org/www-project-top-25-parameters/
GitHub Repo: https://github.com/lutfumertceylan/top25-parameter

The OWASP Top 25 Parameters project aims to research the frequency of parameters of today's most popular web-based vulnerability types that are at the highest risk of harboring vulnerabilities.

The pattern data in this project, where these top 25 parameters are listed, was determined by a semi-manual, semi-automated analysis. While listing these parameters, hundreds of important cyber security articles, write-ups, blog posts and vulnerability reports written since about 2007 were examined; a priority was defined according to their false positive rates and they were included in the list.


Speakers
Lütfü Mert Ceylan

Security Researcher
Lütfü Mert Ceylan is a 19-year-old Security Researcher who specializes in the Web Application area of Cybersecurity. He is an OWASP Project Leader, owner of the OWASP Top 25 Parameters project, and also an OWASP Poland Chapter Board Member...




Tuesday October 31, 2023 2:35pm - 3:10pm EDT
Room: Mint

3:00pm EDT

PM Break
Tuesday October 31, 2023 3:00pm - 3:30pm EDT
Room: Liberty Ballroom

3:15pm EDT

OWASP State of AppSec Survey Project
In 2022 and 2023, a team of volunteers collected data through the OWASP New Zealand Chapter's "State of Application Security in New Zealand" industry survey. Each year, we published a white paper outlining the survey results. Building on these initial experiences, we've launched the OWASP State of AppSec Survey Project.

The project's goals are to improve on our initial efforts and to make the resulting materials (e.g., questions, report templates) and our learnings available to other organizations around the world, so they can easily repeat the process locally. The primary audience for the project's deliverables is local OWASP chapters.

In this presentation, we'll review our experiences and lessons learned from the two New Zealand surveys, then showcase the resources we've created to help your chapter build on that experience to create and administer your own State of AppSec in [YEAR] survey.

Speakers
Dr. John DiLeo

Solution Architect, IriusRisk
Dr. John DiLeo is the Auckland-area leader of the OWASP New Zealand Chapter and, for his day job, is a lead Solution Architect at IriusRisk, covering the Asia/Pacific region. Before joining IriusRisk, John led the Application Security Services team at Datacom, providing support and...



Tuesday October 31, 2023 3:15pm - 3:50pm EDT
Room: Mint

3:30pm EDT

Everything-as-Code: Pushing the boundaries of SAST
Static Application Security Testing (SAST) is the well-known practice of analyzing a program's source code using automated techniques to detect potential security problems. Such tools implement two distinctive styles of algorithms. The first one is structural. This is like advanced pattern matching and is also common in code-quality oriented tools. The second one is dataflow analysis, also known as taint analysis. In this case, the SAST tool tries to find paths between entry points of potential attacks, such as web request parameters, and program locations where such an attack could manifest itself, such as non-escaped SQL statements.

While this is a tried-and-true approach for many important cases, such as Java and C# web applications, it’s no longer enough as we’re entering the “everything as code” era. As infrastructure becomes code (CloudFormation, Terraform, Bicep, etc.), contracts become code (Solidity, Vyper), circuits become code (VHDL, Verilog), etc., all these things could potentially be analyzed using SAST technology. SAST users are seeing this potential and are demanding that SAST providers extend their offerings in this direction. However, doing so is not a straightforward extension of standard SAST functionality into new languages and libraries. Threat models are quite different. As it turns out, the differences are so fundamental that the common notion of “taint analysis” isn’t particularly useful here. We’ll have a closer look at two cases to examine this in more detail.

The first one is Bicep. This is Microsoft’s language for Infrastructure-as-Code in the Azure cloud. The main (but far from only) risk here is misconfiguration of infrastructure from a security perspective. Since it’s a rich language including functions, templates, parameters, etc., simple structural analysis will not suffice. Taint analysis isn’t very useful here. The core SAST algorithm required is constant propagation. It’s also an interesting case because Bicep is a declarative language whereas dataflow analysis algorithms generally assume an imperative language. Finally, there’s the aspect of Bicep/ARM interoperability that should be considered.

The second case is Solidity. This is the most popular language to implement smart contracts on the Ethereum blockchain. While its syntax is Java-like, its semantics and threat model are radically different. Some of the things that a SAST tool should do for Solidity are different from other cases, but easy to implement (such as compiler version checks). But some other things pose a challenge: the analysis of some Solidity vulnerabilities hinges on a notion of “being influenced by” which has different propagation rules than “taint” in the classical case. Attending this session will give you a refresher of existing SAST technology as well as an awareness of its limitations, an introduction to Bicep and Solidity security, and some things to look for in SAST solutions over the coming years.

Speakers
Frans van Buul

Senior Product Manager, Fortify SAST
Based out of the Netherlands, Frans van Buul is senior product manager for Fortify SAST at OpenText. As such, he leads the further development of the SAST product by a global team of developers and researchers. While it’s not officially part of his job description, Frans loves to...



Tuesday October 31, 2023 3:30pm - 4:15pm EDT
Room: Archives

3:30pm EDT

Better Protect Sensitive Data in the Cloud with Client-Side Application Layer Encryption
Cloud providers have made significant progress in securing their infrastructure and data centers. However, application owners are still responsible for securing their own data. In this talk, we will discuss the benefits of using client-side application layer encryption to bring your own encryption and protect sensitive data in the cloud. We will explain how to use this technique to provide encryption controls and key management, which can reduce the risk of data breaches and ensure that your data is protected when stored within a cloud-hosted environment. We will also share practical tips for implementing client-side application layer encryption, and how to address the challenges that come with this approach.

Speakers
Wias Issa

Ubiq Security
Wias Issa has twenty years of experience in the cybersecurity industry with a concentration in threat response countermeasures. This provides him with a deep understanding of how the threat landscape has evolved from (mostly) benign attacks to those that directly impact national security...


Tuesday October 31, 2023 3:30pm - 4:15pm EDT
Room: Independence Ballroom A-E

3:30pm EDT

Scaling Content Security Policy: Enterprise Compliance and Third Party Resource Management
With the rise of supply chain attacks, it is critical for web applications to keep track of their web resources (JavaScript, CSS, Ajax calls). However, managing and monitoring these resources at scale is more difficult than it appears. In this talk, we will address how to make web applications more secure by using Content Security Policy (CSP) and web resource monitoring at scale.

We will provide content on supply chain attacks and their impact on web applications, and explain how CSP can provide valuable insight and security to your applications. We will share our experience of scaling our CSP program to hundreds of applications using automation, and discuss how we generate quality insights for our development teams to take the right action.

In addition, we will discuss how we manage the wild JavaScript inventory and monitoring challenges that organizations face today. With PCI requirements changing, it is more important than ever for organizations to keep track of their payment pages and the JavaScript on them. We will cover the practical solutions we have put in place to tackle this problem and manage the PCI requirements.

By the end of this talk, attendees will have a better understanding of the challenges of managing and scaling frontend supply chain security solutions, as well as practical solutions to implement CSP and monitor web resources at scale.

Speakers
Jon Kulisz

Info Sec Engineer, eBay
With a broad information security foundation in areas including proxies, DLP, CASB, and email security, Jon has spent the better part of the last decade focusing on application security from the perspectives of both perimeter defenses like WAF and bot mitigation as well as client security...

Piyush Pattanayak

Application Security Architect, eBay
Piyush is an experienced application security architect who has been with eBay for the past decade. He holds a pivotal role in designing the CSP solution. With a deep passion for resolving security challenges, Piyush has contributed to numerous projects encompassing bot detection...



Tuesday October 31, 2023 3:30pm - 4:15pm EDT
Room: Capital-Congress

3:30pm EDT

The State of Secure DevOps - Security enables Velocity
As technology teams continue to accelerate and evolve, so do the quantity and sophistication of security threats. It's easy to emphasize the importance of security and suggest that teams need to prioritize it, but doing so becomes an extensive change management exercise. How can we rise to the challenge without slowing our software delivery velocity?

Our own lived experience combined with a multi-year research program led by the DevOps Research and Assessment (DORA) team can be used to help you and your team move beyond implementation of specific tools to a people-centric approach to organizational transformation.

This talk will dive into some findings of the DORA research and recommendations including:

• How to measure software delivery and operations performance.
• A secure software development lifecycle is both essential and drives organizational performance.
• The essential elements necessary to transform a product security program.
• Healthier, collaborative cultures have a head start on implementing a mature security program.

Learn how top performers that met or exceeded their reliability targets were twice as likely to have security integrated into their software development process.

Spoiler alert! The best security teams focus on collaboration and getting better at getting better. You can do this, too!

Speakers
Michele Chubirka

Cloud Security Advocate, Google
Michele Chubirka, AKA Mrs. Y., is a recovering Unix and network engineer currently working as a cloud security advocate for Google. Formerly the creator and official nerd stalker of the Healthy Paranoia Security Podcast, she has also been a freelance writer for various B2B publications...

Nathen Harvey

Developer Relations Engineer, Google
Nathen Harvey, Developer Relations Engineer at Google, has built a career on helping teams realize their potential while aligning technology to business outcomes. Nathen has had the privilege of working with some of the best teams and open source communities, helping them apply the...



Tuesday October 31, 2023 3:30pm - 4:15pm EDT
Room: Treasury

4:25pm EDT

Unsafe at Any Speed
We humans have a long history of doing some really dumb things, including things that kill people, for a long time before correcting ourselves and changing course. And changing course is not easy – it often takes a combination of advocacy, regulation, consumer demand, and good old perseverance to pivot society’s path. In the closing keynote, Lisa will explain what Corvairs and Pintos have in common with cross-site scripting and SQL injection. Where is Ralph Nader when you need him?

Speakers
Lisa Plaggemier

Executive Director, National Cybersecurity Alliance
Lisa Plaggemier is Executive Director at the National Cybersecurity Alliance. She is a recognized thought leader in security awareness and education with a proven track record of engaging and empowering people to protect themselves, their families, and their organizations. Lisa has...


Tuesday October 31, 2023 4:25pm - 5:15pm EDT
Room: Independence Ballroom A-E
  Keynote

5:15pm EDT

Closing Ceremony and Raffle
Attendance is mandatory to receive raffle prizes

Tuesday October 31, 2023 5:15pm - 5:30pm EDT
Room: Independence Ballroom A-E
  Keynote
 
Wednesday, November 1
 

8:00am EDT

Breakfast
Wednesday November 1, 2023 8:00am - 9:00am EDT
Room: Liberty Ballroom

9:00am EDT

1-Day Training:Application Security Testing: Verifying the Right Things Were Done Right

**NOTE:A SEPARATE TICKET PURCHASE IS NEEDED TO ATTEND OWASP TRAINING COURSES. Please visit: https://www.eventbrite.com/e/owasp-global-appsec-washington-dc-2023-tickets-519195877847

Software Security Testing is a key component of any organization’s software assurance program. The importance of these practices is reflected by their presence throughout OWASP's Software Assurance Maturity Model (SAMM), where they're represented by two of the model's 15 core Practices (Requirement-driven Testing and Security Testing), and factor into numerous activities in the remaining Practices.


This class covers recommended Application Security Testing (AST) practices, along with supporting AST tools and ways to better leverage penetration testing, to verify and validate an application’s security features:

  • Verify – How do we confirm our application’s security features were built right?
  • Validate – How do we confirm we built the right security features, to secure the application's functionality?
Topic coverage will include establishing your overall AST strategy and aligning it with the OWASP ASVS; defining and implementing security test cases; utilizing AST tools; and using third-party penetration tests effectively within your testing strategy.


Speakers

Dr. John DiLeo

Solution Architect, IriusRisk
Dr. John DiLeo is the Auckland-area leader of the OWASP New Zealand Chapter and, for his day job, is a lead Solution Architect at IriusRisk, covering the Asia/Pacific region. Before joining IriusRisk, John led the Application Security Services team at Datacom, providing support and... Read More →


Wednesday November 1, 2023 9:00am - 5:00pm EDT
Room: Union Station

9:00am EDT

SAMM User Day
**NOTE - A SEPARATE TICKET PURCHASE IS NEEDED TO ATTEND THIS COURSE. Please visit https://www.eventbrite.com/e/owasp-global-appsec-washington-dc-2023-tickets-519195877847

OWASP SAMM User Day is back! Join us to share our practical experiences and lessons learned when using SAMM to improve secure development practices. The goal is to really involve SAMM users, sharing experiences and learnings gained from their exposure to OWASP SAMM.

For more details and the latest agenda check out:
https://owaspsamm.org/user-day/

Speakers

Sebastien Deleersnyder

CTO and Co-Founder, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering... Read More →


Wednesday November 1, 2023 9:00am - 5:00pm EDT
Room: Dupont

9:00am EDT

2 Day Training: Adam Shostack's Threat Modeling Intensive

**NOTE: A SEPARATE TICKET PURCHASE IS NEEDED TO ATTEND OWASP TRAINING COURSES. Please visit: https://www.eventbrite.com/e/owasp-global-appsec-washington-dc-2023-tickets-519195877847

This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start with a guided threat modeling exercise, and we'll then iterate and break down the skills they're learning in more depth. We'll progress through the Four Questions of Threat Modeling: what are we working on, what can go wrong, what are we going to do about it, and did we do a good job. This is capped off with an end-to-end exercise that brings the skills together.

Speakers

Adam Shostack

Shostack + Associates
Adam Shostack is a leading expert in threat modeling, and the author of "Threats: What Every Engineer Should Learn from Star Wars" and "Threat Modeling: Designing for Security".


Wednesday November 1, 2023 9:00am - 5:00pm EDT
Room: LeDroit

9:00am EDT

2 Day Training: Advanced Whiteboard Hacking – aka Hands-on Threat Modeling

**NOTE: A SEPARATE TICKET PURCHASE IS NEEDED TO ATTEND OWASP TRAINING COURSES. Please visit: https://www.eventbrite.com/e/owasp-global-appsec-washington-dc-2023-tickets-519195877847

This threat modeling training is based on real-life, hands-on practical threat modeling, and has been delivered every year at OWASP since 2016 and at Black Hat USA since 2017. Our latest Black Hat training score was 4.7/5 with great feedback!

You will get insight into our practical industry experience, helping you to become a Threat Modeling Expert. We included an exercise on MITRE ATT&CK, and we focus on embedding threat modeling in Agile and DevOps practices.

We levelled up the threat modeling war game released at Black Hat 2023. Engaged in CTF-style challenges, your team will battle for control over an offshore wind turbine park.

The level of this training is Intermediate/Advanced. Participants who are new to threat modeling are required to follow our self-paced Threat Modeling Introduction training (which is about 2 hours and is included in this training). As highly skilled professionals with years of experience under our belts, we're intimately familiar with the gap between academic knowledge of threat modeling and real-world practice. To minimize that gap, we have developed practical use cases, based on real-world projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling:

  • Diagram techniques applied on a travel booking service 
  • Threat model a cloud-based update service for an IoT kiosk
  • Create an attack tree against a nuclear research facility
  • Create a SOC Risk Based Alerting system with MITRE ATT&CK
  • Mitigate threats in a payment service built with microservices and S3 buckets
  • Apply data protection by design and default on a loyalty app
  • Apply the OWASP Threat Modeling Playbook on agile development
  • Threat modeling the CI/CD pipeline
  • Battle for control over "Zwarte Wind", an offshore wind turbine park
After each hands-on exercise, the results are discussed, and students receive a documented solution.

All participants get a copy of “Threat Modeling: A Practical Guide for Development Teams”, by Izar Tarandach and Matt Coles, as well as our Threat Modeling Playbook to improve your threat modeling practice, and one-year access to our online threat modeling learning platform.


As part of this training, you will be asked to create and submit your own threat model, on which you will get individual feedback. One month after the training we organize an online review session with all the participants.


Speakers

Sebastien Deleersnyder

CTO and Co-Founder, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering... Read More →


Wednesday November 1, 2023 9:00am - 5:00pm EDT
Room: Farragut North

9:00am EDT

2 Day Training: AppSec Automation Masterclass (AVAILABLE IN PERSON OR VIRTUALLY)

**NOTE: A SEPARATE TICKET PURCHASE IS NEEDED TO ATTEND OWASP TRAINING COURSES. Please visit: https://www.eventbrite.com/e/owasp-global-appsec-washington-dc-2023-tickets-519195877847

***This course is available in person or virtually. Please visit the link above to register for either option.

This training takes a comprehensive, focused and practical approach at implementing DevSecOps Practices with a focus on Application Security Automation. The training is a glued-to-your-keyboard hands-on journey with labs that are backed by practical examples of DevSecOps and AppSec Automation.

The Training starts with a view of DevSecOps and AppSec Automation, specifically in terms of embedding security activities in multiple stages of the Software Development Lifecycle. Subsequently, the training delves into specific Application Security Automation approaches for SAST, SCA and Supply-Chain Security, DAST and Integration of these tools into CI/CD tools and Automation Pipelines.

In this edition, we’re completely rebuilding our existing DevSecOps content to reflect the very bleeding edge of Application Security Automation and DevSecOps approaches. These include, but are not limited to:

  • Hands-on SAST for Apps and Infrastructure-as-Code, with a focus on Semgrep and CodeQL. Develop Custom SAST rules like a bawse!
  • Supply-Chain Security Automation: SBOMs, Source Composition Analysis and Security Engineering techniques. This segment will additionally have several approaches to building secure base images for containers
  • Supply-Chain Assurance and Provenance for artifacts. Supply-Chain Security attacks are largely caused by lack of assurance and poor provenance of software supply-chain artifacts. We’ll be diving into the SLSA (Supply-Chain Levels for Software Artifacts) Standard and how automation can help achieve levels of compliance. In addition we’ll be diving into Cosign from Project sigstore. This can be used to generate keyed/keyless signatures for container images and other build artifacts including packages and SBOMs. 
  • Secrets Management - This segment of the class will dive into Secrets Management and Encryption tools like HashiCorp Vault. This will have examples of advanced implementations for Encryption, Key Management and Dynamic Secrets.
  • DAST Automation with OWASP ZAP and Nuclei. We’ll be exploring API-based scanning with OWASP ZAP and Test Automation Frameworks. In addition, we’ll explore using and building custom DAST automation with Nuclei. This will not only aid in integrating DAST into Automation Pipelines, but also be used for Security Regressions for more complex vulnerabilities.
  • Policy-as-Code with Open Policy Agent (OPA). OPA is a powerful framework that can be used to create and enforce policies across a variety of deployment environments, from performing Access Control and Input Validation in API Gateways to deploying and enforcing security policies in Container Registries and Operating Systems. You’ll learn OPA’s domain-specific language, Rego, in order to understand policy-as-code frameworks.
  • Integrating Security Automation with CI/CD tooling. Here we’ll be exploring integrating Security Automation with CI/CD tools including GitHub Actions, GitLab and Jenkins. In addition, we’ll be leveraging Data Flow Automation tools like Robot Framework, Gaia and Prefect to provide alternatives to typical CI/CD tools for AppSec Automation.

Each section of the training will contain a challenge section that will enable the trainees and the trainers to identify levels of student learning.

Participants get 2 months of access to our online lab environment for DevSecOps training.


Speakers

Abhay Bhargav

Founder, AppSecEngineer
Abhay Bhargav is the founder at AppSecEngineer, a revolutionary training platform committed to solving the Security Skills Shortage. He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world’s first hands-on training program on DevSecOps... Read More →


Wednesday November 1, 2023 9:00am - 5:00pm EDT
Room: Shaw

9:00am EDT

2-Day Training: Mobile Application Security Testing Guide (MASTG) - Hands-On (AVAILABLE IN PERSON OR VIRTUALLY)

**NOTE: A SEPARATE TICKET PURCHASE IS NEEDED TO ATTEND OWASP TRAINING COURSES. Please visit: https://www.eventbrite.com/e/owasp-global-appsec-washington-dc-2023-tickets-519195877847

***This course is available in person or virtually. Please visit the link above to register for either option.

This 2-day hands-on training teaches you how to analyze Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering by relying on the OWASP Mobile Application Security Testing Guide (MASTG). The OWASP MASTG is a comprehensive and open source guide about mobile security testing for both iOS and Android and offers a methodology and very detailed, technical test cases for penetration testers to ensure completeness and the latest attack techniques against mobile apps.


At the beginning of the first day we start by giving an overview of the Android Platform and its Security Architecture. It is no longer mandatory for students to bring their own Android device; instead, a cloud-based virtualized Android device will be provided for each student using Corellium. Topics include:

- Frida crash course to kick-start with dynamic instrumentation on Android apps

- Intercepting network traffic of apps written in mobile app frameworks such as Google’s Flutter

- Identifying and exploiting a real-world Deep-link vulnerability

- Explore the differences and effectiveness of Reverse Engineering Android Apps through patching Smali, Xposed and Dynamic Instrumentation with Frida

- Analyze Local Storage of an Android App

- Usage of dynamic Instrumentation with Frida to:

  - bypass Frida detection mechanisms

  - bypass multiple root detection mechanisms


On day 2 we are focusing on iOS and will begin with an overview of the iOS Platform and Security Architecture. After explaining what an IPA container is and the iOS file system structure, we start creating an iOS testing environment with Corellium and deep dive into various topics, including:


- Analyzing iOS applications that use non-HTTP traffic including ways of intercepting the traffic

- Frida crash course to kick-start with dynamic instrumentation for iOS apps

- Bypassing SSL Pinning with SSL Kill Switch and Objection (Frida)

- Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida Gadget

- Using Frida for Runtime Instrumentation of iOS Apps to bypass:

  - Anti-Jailbreaking mechanisms

  - Frida detection mechanisms

  - and other client-side security controls


At the end of each day a CTF will be played to investigate two apps with the newly learned skills and you can win a prize!


Whether you are a beginner interested in learning mobile app testing from scratch or an experienced professional who would like to enhance their existing skills to perform more advanced attack techniques, or for fun, this training will help you accomplish your goals.

The course consists of many different labs developed by the trainer and the course is roughly 65% hands-on and 35% lecture.


After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile apps, how to propose the right mitigation techniques to developers and how to execute tests consistently.


Speakers

Sven Schleier

Principal Security Consultant, Crayon
Sven is living in Austria and a Principal Security Consultant at Crayon, specialised in Cloud Security. He has extensive experience in offensive security engagements like Penetration Testing and Application Security by supporting and guiding software development projects for Mobile... Read More →


Wednesday November 1, 2023 9:00am - 5:00pm EDT
Room: Capitol Hill

9:00am EDT

3 Day Training - Web Application Security Essentials
**NOTE: A SEPARATE TICKET PURCHASE IS NEEDED TO ATTEND OWASP TRAINING COURSES. Please visit: https://www.eventbrite.com/e/owasp-global-appsec-washington-dc-2023-tickets-519195877847

This course provides the knowledge and resources required to evaluate the security of web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures.

The course is aligned with the OWASP Top 10 2021, a world-renowned reference document which describes the most critical web application security flaws.

The topics covered include:

  • Introduction to Web Application Security 
  • Technologies used in Web Applications
  • The Security Tester Toolkit 
  • Critical Areas in Web Applications
  • Broken Access Control 
  • Cryptographic Failures
  • Injection 
  • Insecure Design
  • Security Misconfiguration 
  • Vulnerable and Outdated Components
  • Identification and Authentication Failures 
  • Software and Data Integrity Failures
  • Security Logging and Monitoring Failures 
  • Server Side Request Forgery (SSRF)  
Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.
Speakers

Fabio Cerullo

Certified Instructor, Cycubix
Fabio delivered this training to thousands of developers and security professionals. He also regularly delivers training to technical audiences on various topics such as application security, cloud security, and information security. Here is a reference from one attendee of his courses... Read More →


Wednesday November 1, 2023 9:00am - 5:00pm EDT
Room: Mount Vernon

9:00am EDT

3 Day Training: Hacking Modern Web & Desktop apps: Master the Future of Attack Vectors (AVAILABLE IN PERSON OR VIRTUALLY)

**NOTE: A SEPARATE TICKET PURCHASE IS NEEDED TO ATTEND OWASP TRAINING COURSES. Please visit: https://www.eventbrite.com/e/owasp-global-appsec-washington-dc-2023-tickets-519195877847

***This course is available in person or virtually. Please visit the link above to register for either option.

This course is the culmination of years of experience gained via practical penetration testing of Modern Web and Desktop applications as well as countless hours spent doing research. We have structured this course around the OWASP Security Testing Guide; it covers the OWASP Top Ten and specific attack vectors against Modern Web and Desktop apps. This course provides participants with actionable skills that can be applied immediately from day 1.

Please note our courses are 100% hands-on. We do not lecture students with boring bullet points and theories; instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. Training then continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.

Each day starts with a brief introduction to the Modern platform (i.e. Node.js, Electron) for that day and then continues with a look at static analysis, moves on to dynamic checks, and finishes off with a CTF session to test the skills gained.

Get a FREE taste for this training, including access to video recording, slides and
vulnerable apps to play with:
1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps
1 hour workshop - https://7asecurity.com/free-workshop-web-apps

Day 1: Focused specifically on Hacking Modern Web Apps: We start with understanding
Modern Web Apps and then deep dive into static and dynamic analysis of the
applications at hand. This day is packed with hands-on exercises and CTF-style
challenges.

Day 2: Dedicated to Advanced Modern Web App Attacks: We cover advanced attacks
specifically targeting Modern Web Apps, such as dumping memory, prototype pollution,
deserialization attacks, OAuth, JWT flaws and more. The day is full of hands-on
exercises and ends with CTF-style open challenges for additional practice.

Day 3: Focused on Hacking JavaScript Desktop Apps: We start with understanding
JavaScript Desktop apps and various security considerations. We then focus on static
and dynamic analysis of the applications at hand. The day is filled with hands-on
exercises ending with a CTF for more practical fun.

Teaser Video: https://www.youtube.com/watch?v=Qckegc2gbfo


Speakers

Abraham Aranguren

Managing Director, 7ASecurity
After 15 years in itsec and 22 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Co-Author of the Mobile, Web and Desktop (Electron) app 7ASecurity courses. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. Former senior... Read More →

Ashwin Shenoi

Security Trainer, 7A Security
Ashwin Shenoi is a Senior Security Engineer at CRED, with an avid passion for application security. He is highly skilled in application penetration testing and automation. Ashwin is a core member of team bi0s, a top-ranked Capture The Flag (CTF) team, according to CTFTime. In his... Read More →


Wednesday November 1, 2023 9:00am - 5:00pm EDT
Room: Judiciary

10:00am EDT

AM Break
Wednesday November 1, 2023 10:00am - 10:30am EDT
Marriott Marquis

12:30pm EDT

Lunch
Wednesday November 1, 2023 12:30pm - 1:30pm EDT
Marriott Marquis

3:00pm EDT

PM Break
Wednesday November 1, 2023 3:00pm - 3:30pm EDT
Marriott Marquis
 
Thursday, November 2
 

8:00am EDT

Breakfast
Thursday November 2, 2023 8:00am - 9:00am EDT
Marriott Marquis

9:00am EDT

1 Day Training: Container and Kubernetes Security 101 Training
The increasing adoption of containers and orchestration systems like Kubernetes has led to an exponential surge in the need for effective security solutions. In this training, we aim to provide a foundational understanding of the principles and best practices for securing containers and Kubernetes clusters.

Beginning with an introduction to containers and Kubernetes, we will explore the underlying technology and core concepts to develop an understanding of how they work. We will delve into the nuances of container security, discussing container isolation, potential vulnerabilities, and the best practices for maintaining security.

Our exploration of Kubernetes security will be thorough, taking into account Kubernetes' components, API, and control plane security, as well as pod security and network policies. We will also examine Kubernetes' built-in Role-Based Access Control (RBAC) to manage access permissions.

A significant portion of our training will focus on securing the container lifecycle, covering areas like secure image development, vulnerability scanning, secure deployments, runtime security, and secure disposal of containers.

We will then move into practical applications, discussing real-world strategies for securing Kubernetes environments, clusters, and secrets. Our focus will be on using Kubernetes security tools like kube-bench and kube-hunter.

In the advanced section, we will delve into topics like Admission Controllers, Security Contexts, and security in managed Kubernetes services, among others. We will discuss service meshes and their role in ensuring secure communication within the cluster.

Finally, we will cover incident response and forensics in a Kubernetes and container environment. This will involve detecting attacks, responding to security incidents, and the unique challenges posed by forensics in these environments.

By the end of this training, participants should have a comprehensive understanding of the essential principles and practices for securing containers and Kubernetes, as well as practical skills and knowledge to apply these principles in real-world settings.



Speakers

Thursday November 2, 2023 9:00am - 5:00pm EDT
Room: Chinatown

9:00am EDT

2 Day Training: Adam Shostack's Threat Modeling Intensive
**NOTE: A SEPARATE TICKET PURCHASE IS NEEDED TO ATTEND OWASP TRAINING COURSES. Please visit: https://www.eventbrite.com/e/owasp-global-appsec-washington-dc-2023-tickets-519195877847

This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start with a guided threat modeling exercise, and we'll then iterate and break down the skills they're learning in more depth. We'll progress through the Four Questions of Threat Modeling: what are we working on, what can go wrong, what are we going to do about it, and did we do a good job. This is capped off with an end-to-end exercise that brings the skills together.


Speakers

Adam Shostack

Shostack + Associates
Adam Shostack is a leading expert in threat modeling, and the author of "Threats: What Every Engineer Should Learn from Star Wars" and "Threat Modeling: Designing for Security".


Thursday November 2, 2023 9:00am - 5:00pm EDT
Room: LeDroit

9:00am EDT

2 Day Training: Advanced Whiteboard Hacking – aka Hands-on Threat Modeling

**NOTE: A SEPARATE TICKET PURCHASE IS NEEDED TO ATTEND OWASP TRAINING COURSES. Please visit: https://www.eventbrite.com/e/owasp-global-appsec-washington-dc-2023-tickets-519195877847

***This course is available in person or virtually. Please visit the link above to register for either option.

This threat modeling training is based on real-life, hands-on practical threat modeling, and has been delivered every year at OWASP since 2016 and at Black Hat USA since 2017. Our latest Black Hat training score was 4.7/5 with great feedback!

You will get insight into our practical industry experience, helping you to become a Threat Modeling Expert. We included an exercise on MITRE ATT&CK, and we focus on embedding threat modeling in Agile and DevOps practices.

We levelled up the threat modeling war game released at Black Hat 2023. Engaged in CTF-style challenges, your team will battle for control over an offshore wind turbine park.

The level of this training is Intermediate/Advanced. Participants who are new to threat modeling are required to follow our self-paced Threat Modeling Introduction training (which is about 2 hours and is included in this training). As highly skilled professionals with years of experience under our belts, we're intimately familiar with the gap between academic knowledge of threat modeling and real-world practice. To minimize that gap, we have developed practical use cases, based on real-world projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling:

  • Diagram techniques applied on a travel booking service 
  • Threat model a cloud-based update service for an IoT kiosk
  • Create an attack tree against a nuclear research facility
  • Create a SOC Risk Based Alerting system with MITRE ATT&CK
  • Mitigate threats in a payment service built with microservices and S3 buckets
  • Apply data protection by design and default on a loyalty app
  • Apply the OWASP Threat Modeling Playbook on agile development
  • Threat modeling the CI/CD pipeline
  • Battle for control over "Zwarte Wind", an offshore wind turbine park
After each hands-on exercise, the results are discussed, and students receive a documented solution.

All participants get a copy of “Threat Modeling: A Practical Guide for Development Teams”, by Izar Tarandach and Matt Coles, as well as our Threat Modeling Playbook to improve your threat modeling practice, and one-year access to our online threat modeling learning platform.

As part of this training, you will be asked to create and submit your own threat model, on which you will get individual feedback. One month after the training we organize an online review session with all the participants.


Speakers

Sebastien Deleersnyder

CTO and Co-Founder, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering... Read More →


Thursday November 2, 2023 9:00am - 5:00pm EDT
Room: Farragut North

9:00am EDT

2 Day Training: AppSec Automation Masterclass (AVAILABLE IN PERSON OR VIRTUALLY)

**NOTE: A SEPARATE TICKET PURCHASE IS NEEDED TO ATTEND OWASP TRAINING COURSES. Please visit: https://www.eventbrite.com/e/owasp-global-appsec-washington-dc-2023-tickets-519195877847

***This course is available in person or virtually. Please visit the link above to register for either option.

This training takes a comprehensive, focused and practical approach at implementing DevSecOps Practices with a focus on Application Security Automation. The training is a glued-to-your-keyboard hands-on journey with labs that are backed by practical examples of DevSecOps and AppSec Automation.

The Training starts with a view of DevSecOps and AppSec Automation, specifically in terms of embedding security activities in multiple stages of the Software Development Lifecycle. Subsequently, the training delves into specific Application Security Automation approaches for SAST, SCA and Supply-Chain Security, DAST and Integration of these tools into CI/CD tools and Automation Pipelines.

In this edition, we’re completely rebuilding our existing DevSecOps content to reflect the very bleeding edge of Application Security Automation and DevSecOps approaches. These include, but are not limited to:

  • Hands-on SAST for Apps and Infrastructure-as-Code, with a focus on Semgrep and CodeQL. Develop Custom SAST rules like a bawse!
  • Supply-Chain Security Automation: SBOMs, Source Composition Analysis and Security Engineering techniques. This segment will additionally have several approaches to building secure base images for containers
  • Supply-Chain Assurance and Provenance for artifacts. Supply-Chain Security attacks are largely caused by lack of assurance and poor provenance of software supply-chain artifacts. We’ll be diving into the SLSA (Supply-Chain Levels for Software Artifacts) Standard and how automation can help achieve levels of compliance. In addition we’ll be diving into Cosign from Project sigstore. This can be used to generate keyed/keyless signatures for container images and other build artifacts including packages and SBOMs. 
  • Secrets Management - This segment of the class will dive into Secrets Management and Encryption tools like HashiCorp Vault. This will have examples of advanced implementations for Encryption, Key Management and Dynamic Secrets.
  • DAST Automation with OWASP ZAP and Nuclei. We’ll be exploring API-based scanning with OWASP ZAP and Test Automation Frameworks. In addition, we’ll explore using and building custom DAST automation with Nuclei. This will not only aid in integrating DAST into Automation Pipelines, but also be used for Security Regressions for more complex vulnerabilities.
  • Policy-as-Code with Open Policy Agent (OPA). OPA is a powerful framework that can be used to create and enforce policies across a variety of deployment environments, from performing Access Control and Input Validation in API Gateways to deploying and enforcing security policies in Container Registries and Operating Systems. You’ll learn OPA’s domain-specific language, Rego, in order to understand policy-as-code frameworks.
  • Integrating Security Automation with CI/CD tooling. Here we’ll be exploring integrating Security Automation with CI/CD tools including GitHub Actions, GitLab and Jenkins. In addition, we’ll be leveraging Data Flow Automation tools like Robot Framework, Gaia and Prefect to provide alternatives to typical CI/CD tools for AppSec Automation.

Each section of the training will contain a challenge section that will enable the trainees and the trainers to identify levels of student learning.

Participants get 2 months of access to our online lab environment for DevSecOps training.


Speakers

Abhay Bhargav

Founder, AppSecEngineer
Abhay Bhargav is the founder at AppSecEngineer, a revolutionary training platform committed to solving the Security Skills Shortage. He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world’s first hands-on training program on DevSecOps... Read More →


Thursday November 2, 2023 9:00am - 5:00pm EDT
Room: Shaw

9:00am EDT

2-Day Training: Mobile Application Security Testing Guide (MASTG) - Hands-On (AVAILABLE IN PERSON OR VIRTUALLY)

**NOTE: A SEPARATE TICKET PURCHASE IS NEEDED TO ATTEND OWASP TRAINING COURSES. Please visit: https://www.eventbrite.com/e/owasp-global-appsec-washington-dc-2023-tickets-519195877847

***This course is available in person or virtually. Please visit the link above to register for either option.

This 2-day hands-on training teaches you how to analyse Android and iOS apps for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering, relying on the OWASP Mobile Application Security Testing Guide (MASTG). The OWASP MASTG is a comprehensive, open-source guide to mobile security testing for both iOS and Android; it offers a methodology and very detailed technical test cases for penetration testers, to ensure completeness and coverage of the latest attack techniques against mobile apps.

At the beginning of the first day we start by giving an overview of the Android platform and its security architecture. It is no longer mandatory for students to bring their own Android device; instead, a cloud-based virtualized Android device will be provided for each student using Corellium. Topics include:

- Frida crash course to kick-start with dynamic instrumentation on Android apps

- Intercepting network traffic of apps written in mobile app frameworks such as Google’s Flutter

- Identifying and exploiting a real-world deep-link vulnerability

- Exploring the differences and effectiveness of reverse engineering Android apps through patching Smali, Xposed and dynamic instrumentation with Frida

- Analyzing local storage of an Android app

- Using dynamic instrumentation with Frida to:

  - bypass Frida detection mechanisms

  - bypass multiple root detection mechanisms

On day 2 we focus on iOS and begin with an overview of the iOS platform and security architecture. After explaining what an IPA container is and how the iOS file system is structured, we create an iOS testing environment with Corellium and deep dive into various topics, including:

- Analyzing iOS applications that use non-HTTP traffic including ways of intercepting the traffic

- Frida crash course to kick-start with dynamic instrumentation for iOS apps

- Bypassing SSL Pinning with SSL Kill Switch and Objection (Frida)

- Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida Gadget

- Using Frida for runtime instrumentation of iOS apps to bypass:

  - anti-jailbreaking mechanisms

  - Frida detection mechanisms

  - other client-side security controls

At the end of each day a CTF will be played to investigate two apps with the newly learned skills, and you can win a prize!

Whether you are a beginner interested in learning mobile app testing from scratch, an experienced professional who would like to enhance their existing skills to perform more advanced attack techniques, or someone doing it for fun, this training will help you accomplish your goals.

The course consists of many different labs developed by the trainer and is roughly 65% hands-on and 35% lecture.

After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile apps, how to propose the right mitigation techniques to developers and how to execute tests consistently.


Speakers
Sven Schleier

Principal Security Consultant, Crayon
Sven lives in Austria and is a Principal Security Consultant at Crayon, specialised in Cloud Security. He has extensive experience in offensive security engagements like Penetration Testing and Application Security by supporting and guiding software development projects for Mobile...


Thursday November 2, 2023 9:00am - 5:00pm EDT
Room: Capitol Hill

9:00am EDT

3-Day Training - Web Application Security Essentials

**NOTE: A SEPARATE TICKET PURCHASE IS NEEDED TO ATTEND OWASP TRAINING COURSES. Please visit: https://www.eventbrite.com/e/owasp-global-appsec-washington-dc-2023-tickets-519195877847


This course provides the knowledge and resources required to evaluate the security of web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures.

The course is aligned with the OWASP Top 10 2021, a world-renowned reference document which describes the most critical web application security flaws.

The topics covered include:

  • Introduction to Web Application Security 
  • Technologies used in Web Applications 
  • The Security Tester Toolkit 
  • Critical Areas in Web Applications 
  • Broken Access Control 
  • Cryptographic Failures 
  • Injection 
  • Insecure Design 
  • Security Misconfiguration 
  • Vulnerable and Outdated Components 
  • Identification and Authentication Failures 
  • Software and Data Integrity Failures 
  • Security Logging and Monitoring Failures 
  • Server Side Request Forgery (SSRF)  
Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.




Speakers
Fabio Cerullo

Certified Instructor, Cycubix
Fabio has delivered this training to thousands of developers and security professionals. He also regularly delivers training to technical audiences on various topics such as application security, cloud security, and information security. Here is a reference from one attendee of his courses...


Thursday November 2, 2023 9:00am - 5:00pm EDT
Room: Mount Vernon

9:00am EDT

3-Day Training: Hacking Modern Web & Desktop Apps: Master the Future of Attack Vectors (AVAILABLE IN PERSON OR VIRTUALLY)

**NOTE: A SEPARATE TICKET PURCHASE IS NEEDED TO ATTEND OWASP TRAINING COURSES. Please visit: https://www.eventbrite.com/e/owasp-global-appsec-washington-dc-2023-tickets-519195877847

***This course is available in person or virtually. Please visit the link above to register for either option.

This course is the culmination of years of experience gained via practical penetration testing of modern web and desktop applications as well as countless hours spent doing research. We have structured this course around the OWASP Security Testing Guide; it covers the OWASP Top Ten and specific attack vectors against modern web and desktop apps. This course provides participants with actionable skills that can be applied immediately from day 1.

Please note our courses are 100% hands-on: we do not lecture students with boring bullet points and theories; instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. Training then continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.

Each day starts with a brief introduction to the modern platform (i.e. Node.js, Electron) for that day, then continues with a look at static analysis, moves on to dynamic checks, and finishes off with a CTF session to test the skills gained.

Get a FREE taste of this training, including access to video recordings, slides and vulnerable apps to play with:
1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps
1 hour workshop - https://7asecurity.com/free-workshop-web-apps

Day 1: Focused specifically on Hacking Modern Web Apps: We start with understanding modern web apps and then deep dive into static and dynamic analysis of the applications at hand. This day is packed with hands-on exercises and CTF-style challenges.

Day 2: Dedicated to Advanced Modern Web App Attacks: We cover advanced attacks specifically targeting modern web apps, such as dumping memory, prototype pollution, deserialization attacks, OAuth and JWT flaws, and more. The day is full of hands-on exercises and ends with CTF-style open challenges for additional practice.

Day 3: Focused on Hacking JavaScript Desktop Apps: We start with understanding JavaScript desktop apps and various security considerations. We then focus on static and dynamic analysis of the applications at hand. The day is filled with hands-on exercises, ending with a CTF for more practical fun.

Teaser Video: https://www.youtube.com/watch?v=Qckegc2gbfo


Speakers
Abraham Aranguren

Managing Director, 7ASecurity
After 15 years in itsec and 22 in IT, Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Co-author of the Mobile, Web and Desktop (Electron) app 7ASecurity courses. Security Trainer at Black Hat USA, HITB, OWASP Global AppSec and many other events. Former senior...

Ashwin Shenoi

Security Trainer, 7A Security
Ashwin Shenoi is a Senior Security Engineer at CRED, with an avid passion for application security. He is highly skilled in application penetration testing and automation. Ashwin is a core member of team bi0s, a top-ranked Capture The Flag (CTF) team, according to CTFTime. In his...


Thursday November 2, 2023 9:00am - 5:00pm EDT
Room: Judiciary

10:00am EDT

AM Break
Thursday November 2, 2023 10:00am - 10:30am EDT
Marriott Marquis

12:30pm EDT

Lunch
Thursday November 2, 2023 12:30pm - 1:30pm EDT
Marriott Marquis

3:00pm EDT

PM Break
Thursday November 2, 2023 3:00pm - 3:30pm EDT
Marriott Marquis
 
Friday, November 3
 

8:00am EDT

Breakfast
Friday November 3, 2023 8:00am - 9:00am EDT
Marriott Marquis

9:00am EDT

3-Day Training - Web Application Security Essentials

**NOTE: A SEPARATE TICKET PURCHASE IS NEEDED TO ATTEND OWASP TRAINING COURSES. Please visit: https://www.eventbrite.com/e/owasp-global-appsec-washington-dc-2023-tickets-519195877847

This course provides the knowledge and resources required to evaluate the security of web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures.

The course is aligned with the OWASP Top 10 2021, a world-renowned reference document which describes the most critical web application security flaws.

The topics covered include:

  • Introduction to Web Application Security 
  • Technologies used in Web Applications 
  • The Security Tester Toolkit 
  • Critical Areas in Web Applications 
  • Broken Access Control 
  • Cryptographic Failures 
  • Injection 
  • Insecure Design 
  • Security Misconfiguration 
  • Vulnerable and Outdated Components 
  • Identification and Authentication Failures 
  • Software and Data Integrity Failures 
  • Security Logging and Monitoring Failures 
  • Server Side Request Forgery (SSRF)  
Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.




Speakers
Fabio Cerullo

Certified Instructor, Cycubix
Fabio has delivered this training to thousands of developers and security professionals. He also regularly delivers training to technical audiences on various topics such as application security, cloud security, and information security. Here is a reference from one attendee of his courses...


Friday November 3, 2023 9:00am - 5:00pm EDT
Room: Mount Vernon

9:00am EDT

3-Day Training: Hacking Modern Web & Desktop Apps: Master the Future of Attack Vectors (AVAILABLE IN PERSON OR VIRTUALLY)

**NOTE: A SEPARATE TICKET PURCHASE IS NEEDED TO ATTEND OWASP TRAINING COURSES. Please visit: https://www.eventbrite.com/e/owasp-global-appsec-washington-dc-2023-tickets-519195877847

***This course is available in person or virtually. Please visit the link above to register for either option.

This course is the culmination of years of experience gained via practical penetration testing of modern web and desktop applications as well as countless hours spent doing research. We have structured this course around the OWASP Security Testing Guide; it covers the OWASP Top Ten and specific attack vectors against modern web and desktop apps. This course provides participants with actionable skills that can be applied immediately from day 1.

Please note our courses are 100% hands-on: we do not lecture students with boring bullet points and theories; instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. Training then continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.

Each day starts with a brief introduction to the modern platform (i.e. Node.js, Electron) for that day, then continues with a look at static analysis, moves on to dynamic checks, and finishes off with a CTF session to test the skills gained.

Get a FREE taste of this training, including access to video recordings, slides and vulnerable apps to play with:
1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps
1 hour workshop - https://7asecurity.com/free-workshop-web-apps

Day 1: Focused specifically on Hacking Modern Web Apps: We start with understanding modern web apps and then deep dive into static and dynamic analysis of the applications at hand. This day is packed with hands-on exercises and CTF-style challenges.

Day 2: Dedicated to Advanced Modern Web App Attacks: We cover advanced attacks specifically targeting modern web apps, such as dumping memory, prototype pollution, deserialization attacks, OAuth and JWT flaws, and more. The day is full of hands-on exercises and ends with CTF-style open challenges for additional practice.

Day 3: Focused on Hacking JavaScript Desktop Apps: We start with understanding JavaScript desktop apps and various security considerations. We then focus on static and dynamic analysis of the applications at hand. The day is filled with hands-on exercises, ending with a CTF for more practical fun.

Teaser Video: https://www.youtube.com/watch?v=Qckegc2gbfo


Friday November 3, 2023 9:00am - 5:00pm EDT
Room: Judiciary

10:00am EDT

AM Break
Friday November 3, 2023 10:00am - 10:30am EDT
Marriott Marquis

12:30pm EDT

Lunch
Friday November 3, 2023 12:30pm - 1:30pm EDT
Marriott Marquis

3:00pm EDT

PM Break
Friday November 3, 2023 3:00pm - 3:30pm EDT
Marriott Marquis
 