Global AppSec 2020: Virtual

Monday, October 19


3 Day Training: Hacking Modern Web & Desktop apps: Master the Future of Attack Vectors
This course is the culmination of years of experience gained through practical penetration testing of Modern Web and Desktop applications, as well as countless hours spent doing research. We have structured this course around the OWASP Security Testing Guide; it covers the OWASP Top Ten and specific attack vectors against Modern Web and Desktop apps. This course provides participants with actionable skills that can be applied immediately from day 1.

Please note our courses are 100% hands-on: we do not lecture students with boring bullet points and theories; instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. Training then continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.

Each day starts with a brief introduction to the Modern platform for that day (i.e. Node.js, Electron), continues with a look at static analysis, moves on to dynamic checks, and finishes with a CTF session to test the skills gained.

Day 1: Focused specifically on Hacking Modern Web Apps: We start with understanding Modern Web Apps and then deep dive into static and dynamic analysis of the applications at hand. This day is packed with hands-on exercises and CTF-style challenges.

Day 2: Focused on Hacking Modern Desktop Apps: We start with understanding Modern Desktop apps and various security considerations. We then focus on static and dynamic analysis of the applications at hand. The day is filled with hands-on exercises ending with a CTF for more practical fun.

Day 3: Dedicated to Advanced Modern Web & Desktop App Attacks: We cover advanced attacks specifically targeting Modern Web & Desktop Apps, such as dumping memory, prototype pollution, deserialization attacks, OAuth, JWT flaws and more. The day is full of hands-on exercises and ends with CTF-style open challenges for additional practice.

Training Outline
Course Objectives
This course will take any student and make sure that:
- The general level of proficiency is much higher than when they came
- The skills acquired can be immediately applied to modern Web and Desktop app security assessments
- Skills can be sharpened via continued education in our training portal for free
- The student is equipped to defeat common Web and Desktop app assessment challenges
- Everybody will learn a lot in this training.
- Advanced students will come out with enhanced skills and more efficient workflows
- The skills gained are highly practical and applicable to real-world assessments
Attendees will be provided with
- Lifetime access to training portal, with all course materials
- Unlimited access to future updates and step-by-step video recordings
- Unlimited email support, if you need help while you practice at home later
- Interesting vulnerable apps to practice
- Digital copies of all training material
- Custom-Built Lab VMs
- Purpose-Built Vulnerable Test Apps
- Source code for test apps
- A USB pendrive
- A T-shirt
Topics Included
1. Review of Common Flaws in Source Code and at Runtime
2. Desktop App Modification of Behavior Through Code/Configuration Changes
3. Web & Desktop - Interception of Network Communication and MitM-proxy techniques to find security flaws in these platforms
4. Platform-specific attack vectors against Modern Web apps & mitigation
5. Platform-specific attack vectors against Modern Desktop apps & mitigation
6. CTF Challenges for Attendees to Test Their Skills

Why should you take this course?
This is more than a physical attendance course: You get the physical course but also lifetime access to a training portal with step-by-step video recordings, slides and lab exercises, including all future updates for free.

Students can take the course at their own pace, and training portal access ensures that topics can be reviewed online on an ad-hoc basis after the course, as required by the student.

This training has been built from real issues seen in real applications, not fabricated vulnerabilities that you will never see in practice.

The goal is to start from the basics and ensure that each student comes out of the training with a significantly higher level of proficiency in the artistry of pentesting.

Students will be taught ways to identify the attack surface of Modern Web and Desktop apps, exploit interesting vulnerabilities, and fix them. The course walks students through the process of performing security audits of Modern apps. The training also covers effective identification, exploitation and mitigation of common vulnerability patterns against these platforms.

As the course has been written and carefully created by professional penetration testers with many years of experience, many practical tips will be shared on leveraging automation to make penetration testing more efficient as soon as the student goes back to their workplace.
Top three takeaways
- Learn how to find Modern Web and Desktop App vulnerabilities due to common misconfigurations and typical mistakes in framework setups

- Identify and exploit Modern Web and Desktop App security vulnerabilities as efficiently as possible

- Improve your Modern Application Security Testing process leveraging a number of open source tools, as well as lots of tips and tricks shared by the instructors after years of Modern Web and Desktop App penetration testing.
Upon completion of this training, attendees will know
Completing this training ensures attendees will be competent and able to:
- Review and tamper with network communications to exploit security vulnerabilities
- Bypass certificate and public key pinning protections on Desktop apps
- Bypass inadequate Modern Web and Desktop App defences
- Analyze Modern Web and Desktop Apps from a blackbox perspective
- Review Modern Web and Desktop App source code to identify security flaws
- Perform Modern Web and Desktop App security reviews

Course Content (ToC)
Day 1: Hacking Modern Web apps by Example

Part 0 - Modern Web App Security Crash Course
- The state of Modern Web App Security
- Modern Web App architecture
- Introduction to Modern Web App apps
- Modern Web App apps and the filesystem
- JavaScript prototypes
- Recommended lab setup tips

Part 1 - Static Analysis, Modern Web App frameworks and Tools
- Modern Web App frameworks and their components
- Finding vulnerabilities in Modern Web App dependencies
- Common misconfigurations / flaws in Modern Web App applications and frameworks
- Tools and techniques to find security flaws in Modern Web App apps

Part 2 - Finding and fixing Modern Web App vulnerabilities
- Identification of the attack surface of Modern Web App apps and general information
- Identification of common vulnerability patterns in Modern Web App apps:
+ Access control flaws
+ NoSQL Injection, MongoDB attacks
+ SQL Injection
+ Crypto
- Monitoring data: Logs, Insecure file storage, etc.

Part 3 - Test Your Skills
- CTF time

Day 2: Hacking Modern Desktop apps by Example

Part 0 - Modern Desktop App Security Crash Course
- The state of Modern Desktop App Security
- Modern app security architecture and its components
- Modern Desktop apps and the filesystem
- Recommended lab setup tips

Part 1 - Static Analysis and Tools
- Tools and techniques to reverse and review Modern apps
- Finding vulnerabilities in Modern app dependencies
- Identification of the attack surface of Modern apps & information

Abraham Aranguren

CEO, 7ASecurity
After 13 years in IT security and 20 in IT, Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Former senior penetration tester / team lead at Cure53 (cure53.de) and Version 1...

Monday October 19, 2020 9:00am - Wednesday October 21, 2020 5:00pm


Seth & Ken's Excellent Adventures (in Secure Code Review)
Have you been tasked with reviewing too much code in too little of time? What about new frameworks or languages you are unfamiliar with? This course addresses these common challenges in modern secure code review. Sharpen your code review techniques by gleaning from our adventures in code review and the lessons we’ve learned along the way.

Overview
What to Expect
The Circle-K Framework
Tools/Lab Setup
OWASP Top 10
Code Review Methodology
Introduction to Methodology
General Code Review Principles
Application Overview & Risk Assessment
Behavior Profile
Technology Stack
Application Archeology
Note Taking
Application Overview & Risk Assessment Exercise
Information Gathering
Info Gathering Activities
Generic Web App Mapping
Application Flow
Mapping Exercise
Authorization Functions
How are users identified?
Identify its purpose
What could go wrong?
Authorization Functions Exercise
Authorization Review
Authorization Review Vulnerabilities
Broken Access Control
Sensitive Data Exposure
Mass Assignment
Business Logic Flaws
Authorization Review Checklist
Authorization Exercise
Authentication Review
Authentication Review Vulnerabilities
Broken Authentication
User Enumeration
Session Management
Authentication Bypass
Brute-Force Attacks
Authentication Review Checklist
Authentication Exercise
Auditing Review
Auditing Review Vulnerabilities
Sensitive Data Exposure
Logging Vulnerabilities
Auditing Review Checklist
Auditing Review Exercise
Injection Review
Injection Review Vulnerabilities
SQL Injection
Cross-Site Scripting (XSS)
XML External Entities (XXE)
Server-Side Request Forgery (SSRF)
Injection Review Checklist
Injection Review Exercise
Cryptographic Analysis
Cryptographic Analysis Review
Cryptographic Analysis Vulnerabilities
Encoding vs. Encryption
Stored Secrets
Cryptographic Analysis Checklist
Cryptographic Analysis Exercise
Configuration Review
Configuration Review
Configuration Review Vulnerabilities
Framework gotchas
Configuration files
Dependency Analysis
Configuration Review Checklist
Reporting and Retesting
Technical Hands-On Review
Django Vulnerable Task Manager
Lab Review of Open Source Applications
Students divide in groups
Review an OSS application

Seth Law

President and Principal Security Consultant, Redpoint Security, Inc.
Seth Law is the President and Principal Consultant at Redpoint Security, Inc. (rdpt.io). During the last 15 years, Seth has worked within multiple security disciplines, including application development, cloud architecture, and network protection, both as a manager and individual...

Monday October 19, 2020 9:00am - Wednesday October 21, 2020 5:00pm
Tuesday, October 20


Advanced Web App Security Essentials
Application Security is constantly evolving. Engineering teams use new technologies, frameworks and tools to make apps more responsive, easy-to-use and functional. At the same time attackers are constantly looking to infiltrate and find new security weaknesses in modern applications.

This program is a defense-focused training that delves deep into advanced topics of Application Security. The training expounds attacks and defenses against modern full-stack applications, right from client-side vulnerabilities to advanced server-side vulnerabilities and defenses.

* The training is replete with hands-on exercises where participants can engage with vulnerable applications and more secure variants to identify the real impact of these vulnerabilities on their applications.
* The training contains code snippets and implementation examples from various platforms, programming languages and frameworks, thereby delivering a rich experience of application security to the participants.

Application Security - Revisiting the Basics
Application Security - OWASP Top 10, Proactive Controls
Common Vulnerabilities and Exploits
Introducing the OWASP Application Security Verification Standard (ASVS)
Application Security Nuances and Challenges for Micro-Services

Advanced Injection
SQL Injection Deep-dive
Hands-on: Exploring Blind SQL Injection, Causes, Attack Patterns and Remediation
Hands-on: Time-Based SQL Injection, Causes, Attack Patterns and Remediation
Hands-on: Out-of-band/Second Order SQL Injection, Causes, Attack Patterns and Remediation
Object-Relation Mappers (ORM) Deep-Dive with SQLAlchemy and Sequelize
Common Flaws and Misconfigurations in ORMs
NoSQL Injection Deep-dive
Hands-on: Common types of NoSQL Injection => MongoDB, DynamoDB/ElasticSearch
Hands-on: Advanced NoSQL Injection attack patterns:
Dynamic Scripting
Injections leveraging the JavaScript engine
Protection against NoSQL Injection
Hands-on: Common Query Mistakes and secure alternatives => MongoDB, aws-sdk for DynamoDB
Hands-on: Use of ODM (Object-Document Mapping) Libraries to interact with NoSQL Databases
Hands-on: Handling loosely scoped queries (scan) queries and preventing Database enumeration

Server-Side Template Injection
Hands-on: Server-Side Template Injection to root => Attack exercise with Jinja2 and Marko Templates
Common errors with Server-side Template Injection
Hands-on: Protecting against Server-side Template Injection:
Format String Errors and Template Injection
Common Template Misconfigurations and their Secure Variants
More Secure Templating through Low-Logic Template Systems
Template utility functions - tojson, etc.

Client-Side Vulnerabilities and Protections
Cross-Site Scripting (XSS) Refresher and Hands-on Exercises:
Persistent XSS
Reflected XSS
Client-Side Vulnerabilities Deep-dive
Hands-on: Client-Side Template Injection with AngularJS
Hands-on: Client-Side Template Injection/Script Injection Flaws with ReactJS and VueJS
JSON Hijacking
Hands-on: Websocket Hijacking with DOM-based XSS
XSS Protections - Deep-Dive
Contextual Escaping and its many challenges
Hands-on: Output Encoding/Escaping across Contexts
DOMPurify and Bleach
ReactJS, AngularJS, VueJS Controls for Output Escaping
Use of Secure templating Frameworks for escaping
Common Mistakes with Encoding (slot scope, trustAsHtml) => ReactJS, VueJS and Angular
Hands-on: Secure Coding in Reactive JavaScript Frameworks
Component Prop Validation with React and Vue
Strict Contextual Escaping with AngularJS
Hands-on: Designing Content Security Policy Implementations for your applications
Other Browser Security Directives (Hands-on):
SubResource Integrity
Validating Origins and Origin Whitelisting => Introduction to CORS

Authentication & Access Control
Authentication Basics - Quick overview
Password Reset based flaws
Session Flaws => Hijacking, Fixation, Validation and Attributes
Request Authentication Flaws with Cross-Site Request Forgery (CSRF)
Credential Stuffing and Prevention:
Credential Stuffing Attacks and their impact on your application
Implementing Credential Stuffing checks for your application with the PwnedPasswords API

Authorization Deep-dive
Hands-on: OAuth2
Implement your own OAuth2 Authorization and Resource Server
Simulating Redirect flaws with OAuth
Improper Secrets Management with OAuth2 Applications
OAuth2 Security Protections
Hands-on: JSON Web Token Implementations
Algorithm Confusion Attacks with vulnerable JWT libraries
HMAC Bruteforce Attacks with JWT
JWK and JKU Based Flaws for PKI-based JWT Implementations
Claim Validation based on Non-Unique Claim values
JWT Best Practices based on fixes for above security vulnerabilities
Other Authorization Attacks
Insecure Direct Object Reference = Mass Assignment Variant
Hands-on: IDOR/Mass Assignment Flaws due to deserialization
Hands-on: IDOR/Mass Assignment with GraphQL
Hands-on: Permissions and Privilege Management Patterns:
Role Based Permissions
Access-Control Lists
User-Per Object Permissions

XML External Entities and Insecure Deserialization
Real-world applications for XXE Attacks
XXE Detailed Explanation and Deep-Dive
Specific issues with XML Parsers and weak implementations
Hands-on: XXE with Remote Code Execution and SSRF
Hands-on - XXE Protections:
Parser Security Configuration parameters
Logging XML Exceptions
Preventing Network Exfil with Parser Configuration
Serialization Flaws in the Real World – Case Studies and Detailed Explanations
Examples of Serialization flaws against different platforms
yaml.load() deserialization flaws in Node and Python
Java Deserialization flaws
Hands-on: Protection Against Deserialization:
Look-Ahead Deserialization Protection with Java
Safe Mode Libraries for Deserialization
Deserialization Execution in low-privileged environments (Docker Containers)
Signature for Deserialization Prevention

Input Validation
The Unfortunate Reality of Generic Input Validation Recommendations
Reducing Attack Surface with String interface reduction
Alternatives to Openly scoped strings
Validating Strategies (Hands-on):
Validating Early
Client-Side Validation
Request Validation
Business Logic Validation
Data Validation
Validation Code:
Input Validation Libraries
Building your own input validation library
Whitelist Validation
Whitelist Validation Libraries and Frameworks
Serialization Validation
Validating Serialized Objects - JSON, etc.
Schema Validation

Security Misconfiguration - Cloud Focus
Common Misconfiguration
Hands-on: Security Misconfiguration in the cloud
Object Storage
Virtual Private Network
IAM Roles and Privileges
Hands-on: Identifying Security Misconfigurations in the Cloud

Secrets Management
Deep-Dive - Cryptography:
Symmetric and Asymmetric Ciphers
Block and Stream Ciphers
Modes of Encryption - Best Practices
Key Management Essentials
Secrets Management Essentials
Secrets Management Concept
Tour of Hashicorp Vault and Amazon KMS
Dynamic Secrets
One-way hashing
Hashing Concept Overview
Hashing Best Practices
Hashing vs. “Key Stretching” Algorithms - Engineering Choices and Trade-offs

Logging and Log Management - Best Practices
Logging Overview - Security Need
Enterprise Logging and Log Management Practices
Failures in Logging and Log Ma

Abhay Bhargav

Founder, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of "Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering...

Tuesday October 20, 2020 9:00am - Wednesday October 21, 2020 5:00pm


Kubernetes MasterClass
Kubernetes has emerged as the leading container orchestration and management platform for on-prem and cloud environments. However, Kubernetes is a multi-headed beast with several minute and nuanced security configuration parameters. In addition, attackers take advantage of insecurely configured and designed Kubernetes deployments to perform deep incursions into the organization’s assets.

This training is a hard-core hands-on view of Kubernetes Security from an Attack and Defense perspective. The course takes the participants through a journey where they start by setting up a Kubernetes cluster (simulating an on-prem Kubernetes deployment), attack the cluster, and then learn, through multiple deep-dive examples and cookbooks, how they can effectively secure Kubernetes clusters.

The course is aimed at providing a view of attacking, auditing and defending Kubernetes clusters on-prem or on the cloud.

Kubernetes is the world’s leading Container Management and Orchestration Platform. However, Kubernetes is often deployed without understanding some of its security features, limitations, available tools or security-oriented design. This has caused many an organization to run extremely critical infrastructure very insecurely on Kubernetes. In addition, organizations incorrectly assume that Kubernetes in cloud-native environments and managed cloud environments is automatically secure, which is also far from the truth. While certain configuration parameters are abstracted away from the operators, Kubernetes clusters can still be subject to a plethora of misconfigurations and application security lapses.

This MasterClass is meant to prepare practitioners and operators alike, on the depths of Kubernetes Security. We start off with participants setting up and running their own Kubernetes clusters on a simulated “on-prem” environment. This ensures that they understand the intrinsic aspects of the cluster and underlying technology without blindly depending on managed cloud providers to secure them.

Subsequently, the class takes a firm turn toward the “Red Team” by delving deep into Kubernetes attacks. The participants use a variety of known exploits, vulnerable apps and container escape techniques to attack and escalate privileges on Kubernetes clusters, including some of the latest DNS spoofing attack possibilities against Kubernetes. This segment is meant to train participants on “security through insecurity”. By understanding techniques from the attacker’s playbook, participants gain a deep understanding not only of the cluster, but of some of the ways these misconfigurations can impact the cluster’s security.

The training then takes a “Blue Team” turn where we dive deep into Kubernetes defenses. Here we explore, in depth, a variety of areas, tools and strategies to define a more secure Kubernetes cluster. The participants, through hands-on, cookbook-style sessions, learn how they can audit and secure Kubernetes clusters. In addition, they are exposed to a smorgasbord of useful OSS tools to help them assess, audit and defend against attackers looking to leverage vulnerable Kubernetes clusters. This segment focuses on, but is not limited to:
* Kubernetes Security Maturity Model
* Authentication, Authorization and Admission Control
* Secrets Management for Kubernetes deployments
* Vulnerability Assessment for Kubernetes Deployments
* Runtime Container Protections for Kubernetes Security
* Introduction to Service Mesh Security concepts, with Istio
* Introduction to Security Policy Management with Kubernetes with Open Policy Agent
* Kubernetes Logging API and Monitoring Practices
* CI/CD Pipelines for Kubernetes with Security

At the end of the training, we (trainers) are of the opinion that participants will walk away with a comprehensive and practical view of Kubernetes security. We believe that they will be equipped to address these and many other security concerns with Kubernetes within their own organizations, with a great deal of assurance.

The labs are advanced, per-student environments on the cloud that students can access throughout the length of the training. In addition, we will give students a useful repository of OSS Kubernetes Security Tools and 30-day access to our online platform to learn more about Container Security, AppSec and Kubernetes Security concepts.

Course Syllabus/Outline:
Day 1
Introduction to Kubernetes
* Role of Kubernetes in Container Orchestration
* Kubernetes Architecture Deep-Dive
* Understanding multiple components in a Kubernetes Cluster
* Hands-On: Setting up a Kubernetes Cluster from scratch
* Hands-On: Deep-Dive into Objects on Kubernetes
* Exploring the Kubernetes Landscape
* Deploying Services and Applications on Kubernetes Clusters
* Hands-on: Deploying a multi-stack application on Kubernetes Cluster
* Hands-on: Leveraging Helm to simplify complex deployments
Kubernetes - Red Team
* Kubernetes Threat Model and its counterpoint in Security Practices
* Understanding the Threats posed by:
* Vulnerable Cluster Configuration
* Vulnerable components in the cluster
* Malicious Application/Service deployed on the Cluster
* Kubernetes Trust boundaries & Attack Trees
* Case study of Real-World Cluster Attacks
* Analysis of Common Attack Vectors and patterns
* Attacking Kubernetes Clusters
* Privilege Escalation on Kubernetes Deployments
* Hands-on: Leveraging Cluster-Roles to Escalate Privileges on Kubernetes Clusters
* Hands-on: Attacking Helm Deployments to perform Privilege Escalation on Kubernetes Clusters
* Hands-on: Bypassing PodSecurityPolicies to gain persistence on Kubernetes Clusters
* Attacking Kubernetes Cluster components
* Hands-on: Attacking the cluster through exposed Kubelets
* Hands-on: Enumerating resources from vulnerable etcd deployments
* Hands-on: Spoofing DNS to perform a MITM attack on Kubernetes Clusters
* Hands-on: Analysing and Exploiting Kubernetes API server Vulnerability CVE-2018-1002105
Day 2
Kubernetes - Blue Team
* Kubernetes Authentication, Authorization and Admission Control
* Hands-on: Authentication
* Certificate Based Authentication Setup
* Webhook Authentication and Authorization with OAuth and OIDC
* Hands-on: Authorization
* Role Based Access Control (RBAC) Deployment for Kubernetes
* Impersonate RBAC contexts in Kubernetes to reduce attack surface
* Authorization Testing with Kubernetes can-i
* Hands-on: (Security) Admission Controllers
* LimitRanger and ResourceQuota
* PodSecurityPolicy - with AppArmor and Seccomp
* DenyEscalatingExec
* Kubernetes Secrets
* Hands-on:
* Leveraging Hashicorp Vault for Kubernetes Secrets Management
* Leveraging Hashicorp Vault for Certificate Management and Authorization
* Leveraging Sealed Secrets for Kubernetes Cluster
* Leveraging Kamus for Kubernetes Cluster-level secrets
* Monitoring Kubernetes Clusters
* Hands-on:
* Kubernetes API Events Deep-dive and Logging Strategies
* OSQuery Monitoring for Nodes on Kubernetes Clusters
* Detecting Malicious events with EFK (ElasticSearch, Fluentd, Kibana) and Falco
* Open Policy Agent (OPA) on Kubernetes Clusters
* Understanding the need and use-cases of OPA
* Hands-on: Leveraging OPA to validate Ingress on Kubernetes
* Container Runtimes and Impact on Kubernetes Security
* Hands-on: Docker Container Security Engineering Practices
* Reducing Attack-Surface with DockerSlim
* Building minimal containers with Distroless containers
* Hands-on: Kata Containers and MicroVMs as Kube runtimes
* Hands-on: Container Vulnerability Assessment Techniques
* Scanning Containers using Clair,

Nithin Jois

Senior Security Solutions Engineer, we45
Nithin Jois is a Solutions Engineer at we45 - a focused Application Security company. He has helped build ‘Orchestron’ - a leading Application Vulnerability Correlation and Orchestration Framework. He is experienced in orchestrating containerized deployments securely to Production...

Tuesday October 20, 2020 9:00am - Wednesday October 21, 2020 5:00pm


Offensive Cloud Security Training
While security awareness and collective experience regarding the Cloud have been steadily improving, one common difficulty is applying theoretical knowledge to real-life scenarios. This training’s goal is to help attendees bridge this gap by understanding how conventional technologies integrate with Cloud solutions. The training is scenario-based and focuses on applied exercises.

Attendees will experience first-hand how security vectors that exist in such ecosystems present opportunities for abuse. Throughout the training, we will also cover detection and mitigation of the attacks covered in the course.

Below is a summary of the training's modules:

* Introduction to the Multi-Cloud
  * Overview of AWS, Azure & GCP
  * Differences, similarities and important characteristics of Cloud Providers
* Overview of security in the Cloud
  * Identity and Access Management (IAM), Metadata Services and Credentials
  * Networking and firewalls
  * Fingerprinting cloud-hosted resources
  * Typical application vulnerabilities and how they translate to the Cloud
  * Review of the Cloud hacker's arsenal
* Scenarios (non-exhaustive)
  * Leveraging CI/CD systems to gain a foothold into Cloud environments
    * Attendees will gain a foothold into a CI/CD deployment, and leverage this initial compromise to access additional environments.
  * Lateral movement and privilege escalation
    * A number of scenarios will have attendees move laterally to gain access to additional sensitive resources, not accessible through the initial compromise.
  * Azure Applications – implementation and weaknesses
    * This scenario will introduce attendees to Azure's implementation of programmatic identities, and highlight how design choices present an opportunity for abuse.
  * Pivoting around Hybrid Clouds
    * Many organizations maintain hybrid cloud environments, which contain a mix of on-premises, private cloud and third party, public cloud services. Throughout the training, attendees will pivot between these environments.
  * Compromising Cloud-Synced Active Directory Deployments
    * Corporate environments that contain Cloud components will oftentimes synchronize Active Directory with Azure Active Directory (AAD). The training will cover a number of implementations and compromise vectors for AD/AAD.
  * Tying it all together
    * The training will end with a CTF-type exercise, which will have attendees leverage the skills acquired throughout the course to compromise a realistic Cloud environment.

The scenarios are based on NCC Group's research, incident response experience and on the knowledge acquired through countless cloud assessments carried out every year.

Xavier Garceau-Aranda

Senior Security Consultant, NCC Group
Xavier is a senior security consultant at NCC Group, with experience in both academia and the private sector. He has worked as a developer, security researcher and consultant. Xavier currently spends most of his time focusing on application and cloud security, as well as driving...

Tuesday October 20, 2020 9:00am - Wednesday October 21, 2020 5:00pm
Wednesday, October 21


Android secure development crash course
Our Android workshop aims to provide an insight into every aspect of secure mobile application development. In order to cover everything a developer needs to commit and publish secure code through the Play Store, the agenda is built from the ground up and has been designed to provide practical exercises throughout the entire training, with a heavy focus on how Android as a development platform offers security features to developers. We'll use several demo apps and also work with our vulnerable Kotlin app (Vulnabank).

After a short introduction, we take a look at the overall Google/Android philosophy, the OS security features and their implications on the daily life of a developer. We take a look at typical issues in Android applications with some now-infamous bugs and exploits from the past, how problematic challenges can be tackled and how typical pitfalls can be avoided.

We'll provide a solid overview of how mobile applications on Android can be viewed from a hacker's perspective. Besides introducing the audience to concepts and ideas, the participants are also provided with examples and demo applications covering common hacking tools, the exploitation of security pitfalls, and design and implementation mistakes. Attendees will leave the course with:

* An understanding of the Android OS philosophy and how it is translated into actual architectural decisions
* A view of how the API is designed and how the OS security services should and should not be used
* A solid understanding of typical misconceptions regarding application design and implementation
* Field stories about how others failed in the past and how those failures could have been avoided
* Stronger knowledge of what security services the OS provides to developers and how they can be integrated into application projects
* Better cryptography hygiene, which every developer should know

The course has been tested and used successfully with a number of mobile heavy developer companies.

The instructor will provide access to a portal with labs and the course syllabus.

Kickoff [15']
- Welcome speech, expectation management

Intro [25']
- 'Into the middle of things' demo: "Bugs and flaws in your app help bad guys"
- Security mechanisms in Android

Application Design [35']
- Common design patterns
- Architecture of an Android app
- Secure API design
- Designing a reasonable communication flow
- Hands-on: the manifest.xml

Secure data storage [45']
- Storage locations, which one to use?
- Different formats (sqlite, xml, prefs file etc.) and security implications
- Threats to stored data (backups, data leak etc.)
- Logging
- Hands-on: Exploiting weak data storage methods

Network security [45']
- Designing and implementing a secure communication flow
- Hands-on: TLS/SSL cert pinning implementation and bypass

Inter-process communication [45']
- Securing activities
- Securing content providers
- Securing broadcast listeners
- Hands-on: typical IPC issues

Secure crypto implementation [25']
- Libraries
- Hands-on: extraction of hard coded crypto material

Tampering detection [30']
- Rooting, implications of running on a rooted device
- Hands-on: dynamic hooking exercise
- Hands-on: bypassing root detection in several ways

Zsombor Kovacs

Wednesday October 21, 2020 9:00am - 5:00pm


Secure your SDLC using OWASP SAMM - ASAP!
Building security into the software development and management functions of a company can be a daunting task. There are many variables in the equation: company structure, different stakeholders, technology stacks, tools and processes, and competing priorities. Implementing software assurance can have a significant, positive impact on the organization. Yet, trying to achieve this without a good framework is likely to produce only marginal and unsustainable improvements. The OWASP Software Assurance Maturity Model provides a structural and measurable framework to overcome this challenge. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organization.

This one-day training - delivered as a mix of presentation, discussion, and interactive workshop - is intended for CSOs, directors, security architects, security analysts, and other application security professionals with responsibility for improving your organization's security posture. You will leave with an in-depth understanding of OWASP SAMM, as well as pragmatic steps and tools for increased agility and compliance. Protect the confidentiality, integrity and availability of your data by implementing an application security assurance program in your organization - ASAP!

The training is structured in four parts:

In part one, we'll review the history of software assurance, application security, and the secure development lifecycle; an overview of the OWASP SAMM model; and similarities and differences with other maturity models. The five Business Functions - Governance, Design, Implementation, Verification, and Operations - are reviewed, and the constituent practices (e.g., education, metrics, testing) will be discussed. We'll review various usage scenarios of the model, and discuss how OWASP SAMM can help you in your journey.

In part two, we'll look at existing tools available to support your program, as well as additional resources available to make your program a success.

Part three will be an interactive session, performing an actual OWASP SAMM evaluation of a hypothetical organization or one that you have worked for. Using freely available tools, we will go through an evaluation of the SAMM functions, practices and activities, and discuss the results as a group. In the same effort, we will identify the most important challenges facing your organization, define a target maturity level as a goal, and generate a prioritized roadmap that will give all participants a solid understanding of the organization’s maturity in software assurance.

The final part of the training will be dedicated to best practices, lessons learned, and specific questions or challenges that you are facing about secure development in your organization. In this group discussion, experiences will be shared among participants to address these questions.


Part One: SDLC Overview and OWASP SAMM Introduction
The Application Security Challenge
Software Development Life Cycle (SDLC) Overview
OWASP SAMM - Vision, History, Structure
OWASP SAMM As an Assessment Tool

Part Two: OWASP SAMM Tools
SAMM Assessment Toolkit
SAMM Web Application Toolkit
SAMM Benchmark Project
Leveraging OWASP Projects and Tools

Part Three: Applying OWASP SAMM
Establishing Assessment Scope
Assessing Governance
Assessing Design
Assessing Implementation
Assessing Verification
Assessing Operations
Setting Maturity Targets & Improvement Activities

Part Four: OWASP SAMM Best Practices
Choosing the Right Starting Points
Metrics and Management
Achieving Security by Design
Critical Success Factors


John Ellingsworth

Security Principal, JohnEllingsworth.com
John Ellingsworth is a security principal at an S&P 500 company where he helps software development teams build and deliver secure enterprise solutions. John is on the core team for the OWASP Software Assurance Maturity Model (SAMM) Project, and a co-author of OWASP SAMM 2.0. He is...

Wednesday October 21, 2020 9:00am - 5:00pm


Threat Modeling: Getting from None to Done
This session offers participants an interactive introduction to Threat Modeling, based on the instructor's learning and experience over the past several years. A primary focus of this course is the introduction of threat modelling activities into your organisation's software development processes, to improve the overall quality and security of the applications we build.

As a recent "convert" to the application security world, your instructor has developed his "expertise" in threat modelling by gathering information from a variety of sources. He's combined those learnings with his own experience to create a practical threat modeling approach he has successfully applied within his organisation.

In addition to addressing key questions around the "Five Ws," the presentation will cover the "Four Questions" approach to developing a model, and include several interactive exercises to provide direct experience. A brief review of available modeling tools will also be included, as well as a discussion of the opportunities and challenges for introducing Threat Modeling into your SDLC.

Course Objectives - In this course, attendees can expect to:
* Gain a better understanding of the motivations for, and benefits of, threat modeling
* Learn the process for building a threat model, using the "four questions" approach
* Learn how to introduce threat modeling into existing organizations, and development projects working with "legacy" applications
* Learn about available tools for creating and managing threat models
* Learn about integrating threat modeling into the software development lifecycle

Topic Outline:
* Introduction - Overview, and Initial Modeling Exercise
* The Five Ws of Threat Modeling
* Our Modeling Approach - Shostack's Four Questions
* Identifying the Scope
** Case Study, Introduction and Part I
* Identifying Threats
** Case Study, Part II
* Risk Management Overview
* Identifying Mitigations
** Case Study, Part III
* Verification and Validation
* Getting Started - Incremental Threat Modeling
* Tools for Creating Threat Models
* Integration with the SDLC
** Phase-based approaches ("waterfall")
** Sprint-based approaches ("agile") - "Continuous" Threat Modeling


John DiLeo

Application Security Architect, Air New Zealand
Dr. John DiLeo is the Auckland-area leader of the OWASP New Zealand Chapter, and works as an Application Security Architect, with responsibility for managing enterprise software assurance programs, with emphasis on governance, secure development practices, and security training...

Wednesday October 21, 2020 9:00am - 5:00pm


Your Application Security Program
Bring your Application Security Program from zero to hero with this day-long intensive planning course. We will learn planning, launching, running, scaling, measuring and improving your AppSec Program. We will cover tooling, where to start, how to measure, setting up SLAs, creating a security champions program, developer education, and more. The course will include written exercises and handouts; you will be expected to complete the exercises and bring them back to your office for implementation.

Title: Your Application Security Program

Length: 1 Day

1) What is AppSec, What is DevSecOps, Why do they matter?
A tiny bit of history, quite a few definitions.

2) The Goals of any AppSec Program
We will set our own goals later today

3) Types of AppSec Activities - What do they actually mean, how do you do them, and which ones do you *need* to do

4) Types of AppSec Tooling, what they do, when you may or may not need them, approximate costs for budgeting purposes

5) Recruiting your team, training your team, keeping your team

6) Scaling your team: Security Champions, Coaching, Delegation & Automation

7) Developer Education and advocacy

8) Setting Standards and Policies (with take home examples to start you off)

9) Incident Response and Post Mortem - The importance of tracking your numbers

10) Metrics and Improvement - Strategies and future justifications for budget

11) Setting Goals, for your work place
Includes justification for budgets, tooling and resourcing
Setting SLAs

12) Advanced AppSec Activities - Time-Permitting

Conclusion & Summary



Tanya Janca

Tanya Janca, also known as ‘SheHacksPurple’, is the founder of We Hack Purple, a tech startup specializing in online and virtual security training for IT professionals. Tanya has been coding since she was a teen, has worked in IT for over twenty years, has won numerous awards...

Wednesday October 21, 2020 9:00am - 5:00pm
Thursday, October 22


Advanced REST APIs exploitation
Application security threats are evolving. Traditional vulnerabilities such as SQL injection, CSRF & XSS are less prevalent thanks to modern technologies and security education. Attackers leverage the predictable and oversharing nature of REST APIs to exploit new types of vulnerabilities that are focused on business logic abuse and authorization. Come learn from the leader of the "OWASP Top 10 for APIs" about:
- The required mindset, as a pentester, to exploit APIs, and why it is different from traditional pentests.
- The holy grail of API vulnerabilities: lack of authorization. How to exploit function-level and object-level authorization, including advanced tricks to bypass WAFs and API gateways.
- How to leverage the predictable nature of REST APIs to perform a better pentest and find admin endpoints, hidden versions, hidden features & more.


Inon Shkedy


Thursday October 22, 2020 9:00am - 10:00am


Chinese Surveillance and CloudPets
This talk offers an entertaining balance between outrageous vulnerabilities, politics, privacy and surveillance. It will not leave any attendee indifferent, and eyebrows may raise beyond what you thought possible before. Come and have fun :)

We cover a summary of 4 different security audits with an interesting background:

First CloudPets, their epic track record, what we found and what happened afterwards.

Next, 2 mobile apps by Chinese Police: “BXAQ” and “IJOP”, both related to surveillance of ethnic minorities, but in different ways. Stay tuned.

Finally, a Chinese Government app: “Study the Great Nation”, related to a point-based reward system that depends on how much you know about China, its history and leaders. The more you know, the more points and the more benefits :)


Abraham Aranguren

CEO, 7ASecurity
After 13 years in itsec and 20 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Former senior penetration tester / team lead at Cure53 (cure53.de) and Version 1...

Thursday October 22, 2020 9:00am - 10:00am


Cloud-Native Apps: Multi-Tenant SaaS Attack Surfaces Exposed!
Take a deep-dive into threat modeling a cloud-native multi-tenant SaaS application. We uncover and show the attack surface of a common AWS "quickstart" architecture deployment pattern. Our goal is to understand how Cloud-native applications work holistically and to dive deep into topics such as: container orchestration, microservices, advanced authentication, secrets management, and data processing risks. We then apply attack methodologies from the Open Source community and attack libraries from Mitre (e.g., ATT&CK, CAPEC), and also from the Common Architectural Weaknesses and Exposures (CAWE) taxonomy. We show how to disrupt the service mesh and take over a microservice and command it at our will.


Richard Tychansky

Technical Program Manager, NA
Mr. Tychansky, CISSP-ISSEP, CSSLP is a Security Architect with over 15 years of experience in cryptographic systems and software security engineering. He has worked in higher education conducting applied cryptographic research, defense systems engineering, biometric software development...

Thursday October 22, 2020 9:00am - 10:00am


Containers: Attack and Defense
In this talk we are presenting a compendium of various offensive and defensive techniques on containers and their ecosystem. From threat modeling of Kubernetes to breaking out of containers, we will provide answers to a whole bunch of things you wished to know and things you wished you didn't.

This talk has 2 sides to it:
- Presenting it from a point of offensive security on how to break, exploit and bend containers to your will.
- Defending against the attacks. Understanding the threat model and how to mitigate and proactively defend and secure against them.

This talk is for you regardless of whether you are a pentester/red-teamer working on pivoting your way through a dockerized environment or whether you are trying to defend against said attackers.


Rohit Pitke

Rohit works with LinkedIn's InfoSec team and focuses on application and infrastructure security.

Emmanuel Law

Emmanuel Law is currently a Staff Security Engineer working at LinkedIn. When not spending his time solving security issues at scale for some of the largest organizations on the planet, he can be found researching offensive security techniques. He has presented his work at various...

Thursday October 22, 2020 9:00am - 10:00am


Going Deep with Adversarial ML Attacks
Machine and Deep Learning algorithms have shown to be susceptible to perturbation attacks where slight modifications to input can totally change the output of machine learning models. This problem has been found in virtually all modern machine learning models from image recognition to NLP. Imagine every machine learning application having a parameter tampering vulnerability by default. Join this talk for a detailed explanation of the attack techniques and current defenses.


Abraham Kang

Senior Director Software, Samsung Research America
Abraham Kang is fascinated with the nuanced details associated with machine learning algorithms, programming languages and their associated APIs. Kang has a B.S. from Cornell University and JD from Lincoln Law School of San Jose. He has worked for various companies helping to drive...

Thursday October 22, 2020 9:00am - 10:00am


Graph Smashing: A Structured GraphQL Security Testing Methodology
GraphQL is a hot area right now, with plenty of quality information online about its security, but each disparate source is limited in scope to individual attacks and controls.

In this talk, I'll take you on a tour of how GraphQL APIs can be abused, and present an overall testing approach that stitches these bits into a structured methodology. This isn't just about introspection queries and types of DoS attacks. We will cover the reconnaissance phase, various classes of attack, and specific tools to carry them out. Along the way, we'll note specific quirks in a few popular GraphQL implementations, and wrap up with a brief look at security controls to protect your APIs.

Participants will leave with a conceptual understanding of the GraphQL attack surface, and practical steps to identify gaps in GraphQL APIs. This talk will primarily benefit breakers, but builders and defenders should also find the content useful. Prior knowledge of GraphQL is helpful, but not strictly required.


Jack Sullivan

One Medical
Jack is an application security engineer with a background in software development. His focus is on security testing, tool development, and helping developers build more secure systems.

Thursday October 22, 2020 9:00am - 10:00am


How the latest MASVS & MSTG Specs Make the Best Mobile Pen Testing Cocktails
The mobile security world celebrated with a big drink at the birth of the MASVS and MSTG in January 2018. Since then, the OWASP Mobile Security Project has advanced the state of mobile app security testing dramatically. As supporters and contributors to the Mobile Security Project at OWASP, we have pen tested thousands of mobile apps over the years and continue to evolve our best practices training resources. As contributors to FRIDA and RADARE, we love our mobile reversing tools! Oh and we love a great cocktail!

Whether you are new to mobile pen testing or a veteran looking for the latest tools and tactics, join this session to learn the latest updates to the MASVS/MSTG specs and a shaker full of practical tips for mobile appsec testing to take home. On the rocks or straight up, this is guaranteed to be a refreshing session.


Brian Reed

Mobile AppSec Guy, NowSecure Mobile
As Chief Mobility Officer, Brian Reed leads the mobile appsec and DevSecOps charge at NowSecure helping orgs deliver secure mobile apps faster. He brings decades of experience in mobile, apps, security, dev and operations helping Fortune 2000 global customers and mobile DevSecOps...

Thursday October 22, 2020 9:00am - 10:00am


Learn to exploit TOCTOU race-condition vulnerabilities with OWASP TimeGap Theory
OWASP TimeGap Theory is an auto-scoring capture-the-flag game. Unlike other CTFs, TimeGap Theory focuses only on TOCTOU vulnerabilities. There are seven unique challenges and all of them can be solved by using browser dev tools. This means there is no need to fiddle with a proxy setup. Setting up the TimeGap Theory lab is also very easy. You can either issue a docker command or just do a one-click install on Heroku to get the lab running.

TimeGap Theory is free and open-source. This means all this amazing stuff is going to cost you exactly ZERO money. On top of that, you get books, videos, and even a support channel on Slack in case you get stuck on the TOCTOU journey.


Abhi Balakrishnan

Abhi M Balakrishnan is an application security consultant from SecurityCompass, San Francisco. Abhi is here to introduce his new project - OWASP TimeGap Theory. In the past, he has been the project leader for OWASP Mantra, OWASP Bricks, Alert Labs, Bricktown, web-app security testing...

Thursday October 22, 2020 9:00am - 10:00am


OWASP IoTGoat: Project Overview and Roadmap
OWASP's IoTGoat Project is a deliberately insecure firmware based on OpenWrt, intended to serve as a platform for testing commonly found vulnerabilities in IoT devices. It is intended to educate software developers as well as security professionals about identifying commonly found vulnerabilities in IoT devices, and subsequently mitigate these vulnerabilities. The firmware contains deliberately injected vulnerabilities such as hardcoded credentials, insecure network services, buffer overflows, web vulnerabilities, and others based on the 2018 OWASP IoT Top 10. The firmware also contains “easter eggs” from project contributors.

This presentation will provide an overview of the project and details about its design and development. We will provide high-level technical details about IoTGoat and highlight vulnerabilities included in the firmware. Going further into the presentation, we will also provide a hands-on walkthrough on how software developers, security professionals, and educators can get started with using IoTGoat. Our presentation will also include a demonstration of exploiting a vulnerability challenge in IoTGoat. We will also talk about how IoTGoat can be used in a classroom environment by educators to help students learn about and identify commonly occurring vulnerabilities in IoT firmware.

Finally, the presentation will conclude with a discussion about the future roadmap of the project and opportunities to contribute to the project.


Abhinav Mohanty

I am a final year Ph.D. candidate at UNC Charlotte, working as a Research Assistant with my advisor Dr. Meera Sridhar (Ph.D. Computer Science), in the Information Security Lab at UNC Charlotte. My research focuses on leveraging Language-based Security (LBS) techniques to design robust...

Thursday October 22, 2020 9:00am - 10:00am


With how many apps are running in the cloud, hacking these instances becomes easier with a simple vulnerability due to an unsanitized user input. In this talk, we’ll discuss a number of different methods that helped us exfil data from different applications using Server-Side Request Forgery (SSRF). Using these methods, we were able to hack some of the major transportation, hospitality, and social media companies and make $50,000 in rewards in 3 months.


Ben Sadeghipou

Ben is the Head of Hacker Operations at HackerOne by day, and a streamer and hacker by night. He has helped identify and exploit over 600 security vulnerabilities across 100s of web and mobile applications for companies such as Yahoo, Airbnb, Snapchat, The US Department of Defense...

Thursday October 22, 2020 9:00am - 10:00am


Practical Mobile App Attacks By Example
If you are the kind of person who enjoys talks with practical information that you can immediately apply when you go back to work, this talk is for you. This talk is all action, no fluff :)

This talk is a comprehensive review of interesting security flaws that we have discovered over the years in many Android and iOS mobile apps: An entirely practical walkthrough that covers anonymized juicy findings from reports that we could not make public, interesting vulnerabilities in open source apps with strong security requirements such as password vaults and privacy browsers, security issues in government-mandated apps with considerable media coverage such as Smart Sheriff, apps that report human right abuse where a security flaw could get somebody killed in the real world, and more.

The talk offers a thorough review of interesting security anti-patterns and how they could be abused; this is very valuable information for those intending to defend or find vulnerabilities in mobile apps.

This talk is for those who are intending to broaden their knowledge of mobile security with actionable information derived from real-world penetration testing of mobile apps.

Please come caffeinated, the audience will be challenged to spot vulnerabilities at any moment and there may be giveaways to the winners :)


Abraham Aranguren

CEO, 7ASecurity
After 13 years in itsec and 20 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Former senior penetration tester / team lead at Cure53 (cure53.de) and Version 1...

Thursday October 22, 2020 9:00am - 10:00am


Practical Modern Web & Desktop App Attacks By Example
If you are the kind of person who enjoys talks with practical information that you can immediately apply when you go back to work, this talk is for you. This talk is all action, no fluff :)

Long gone are the days when web servers were run by Perl scripts and desktop apps were written in Delphi. What is common between Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix? They all use Node.js: JavaScript on the server. What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron: JavaScript on the client.

This talk is a comprehensive review of interesting security flaws that we have discovered over the years in many Node.js and Electron apps: An entirely practical walkthrough that covers anonymized juicy findings from reports that we could not make public, interesting vulnerabilities in open source apps with strong security requirements such as secure vaults, privacy apps, messengers, and more.

The talk offers a thorough review of interesting security anti-patterns and how they could be abused; this is very valuable information for those intending to defend or find vulnerabilities in Node.js and Electron apps.

This talk is for those who are intending to broaden their knowledge of JavaScript security with actionable information derived from real-world penetration testing of Node.js and Electron apps.

Please come caffeinated, the audience will be challenged to spot vulnerabilities at any moment and there may be giveaways to the winners :)


Abraham Aranguren

CEO, 7ASecurity
After 13 years in itsec and 20 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Former senior penetration tester / team lead at Cure53 (cure53.de) and Version 1...

Thursday October 22, 2020 9:00am - 10:00am


Pwning WhatsApp - The Dark Side Of Web-based Messaging Apps
WhatsApp is one of the most used instant messaging apps in the world. Therefore, we’d expect attackers all over the world to try and hack it, but also we’d expect WhatsApp to responsibly maintain their app in such a way that those attackers will mostly fail. And yet, flaws are being found in WhatsApp every few months, some of them are rather big and put us, the users, at great risk.
Why is securing WhatsApp such a hard task? Why are instant messaging apps under such great attacks? How safe can we really feel using our favorite messaging apps?
And how are native web-based apps such as Electron such great contributors to putting us, the users, at risk when misused?
This talk will go step by step through the research, which led to finding one of the most critical security flaws found in WhatsApp in the past few years which allowed reading files from the victim’s OS filesystem. Attendees will learn the answer to these questions, the security issues that products such as WhatsApp have to cope with, and what messaging apps vendors should learn from these answers in order to ship safer products.


Gal Weizman

Trained to be an offensive web security expert in the Israeli Intelligence Unit, Gal has studied the field of web security in depth. After his military service, he continued his training by working for companies that specialize in related fields such as ad recovery and bot detection...

Thursday October 22, 2020 9:00am - 10:00am


Understanding the Threats and Attacks on Data Science Applications and Models
Data Science applications are one of the biggest security blind spots in most enterprises. In many cases, there is little to no interaction between the security and data science teams. In addition, because data science applications make decisions in aggregate, security vulnerabilities in your data science applications inherently affect many users. Come to this talk if you want a better understanding of the security risks in your data science applications.


Abraham Kang

Senior Director Software, Samsung Research America
Abraham Kang is fascinated with the nuanced details associated with machine learning algorithms, programming languages and their associated APIs. Kang has a B.S. from Cornell University and JD from Lincoln Law School of San Jose. He has worked for various companies helping to drive...

Thursday October 22, 2020 9:00am - 10:00am


Yes, you too can break crypto: Exploiting common crypto mistakes
Cryptography is tricky. Sure, everybody knows not to roll their own crypto, but is that enough? Are the standard algorithms, libraries, and utilities always used the right way? This is of course a rhetorical question! Humans keep making mistakes that other humans can exploit, and Murphy’s law continues to prove true: “If there is a wrong way to do something, then someone will do it.”

In this talk, not only will we discuss what can go wrong, but also how attackers could take advantage of that. Insufficient entropy? Static initialization vector? Key reuse in stream cipher? Lack of ciphertext integrity? We’ve heard these terms and may be familiar with them in theory, but let’s see actual examples of these and other crypto mistakes and corresponding exploits, and understand how they could lead to real life problems.

Are you not on a red team and not interested in exploitation? Then this talk is for you too! Come and learn how to avoid common crypto mistakes in your code!


Alexei Kojenov

Lead Product Security Engineer, Salesforce
Alexei began his career as a software developer. A decade later, he realized that breaking code was way more fun than writing code, and decided to switch direction. He is now a full-time application security professional, with several years of assisting various development teams in...

Thursday October 22, 2020 9:00am - 10:00am


Enabling Message Level Protection at Uber
A common trope in the security industry is “encrypt all the things”. But how is this actually accomplished in an environment with thousands of geographically distributed engineers, thousands of highly diverse microservices, hybrid cloud environments, and thousands of daily builds? As a large technology company, Uber faces these challenges as well as the unique responsibilities of a heavy operational/non-tech workforce with a low tolerance for technical friction. To solve this challenge, we explored message-level encryption to enable protection for billions of messages, including platform-specific implementations in datastore, logging, and RPC clients.

The strategy of applying message-level encryption has some significant benefits:

* Gives additional security regardless of transport security via an added layer of confidentiality; for example, messages with encrypted PII could even be sent over plain HTTP.
* Prevents unwanted internal access to data by default (e.g., users who perform data analysis).
* Mitigates risk for companies with cloud services.
* Provides flexibility and scalability via platform-specific implementations in datastore, logging, and RPC clients.

Debosmit (Debo) Ray

Software Engineer, Uber Technologies, Inc.
Debosmit Ray (Debo) is an engineer on Uber's Product Security team. His most recent work includes extending Uber's data stores to have encryption support, integrating security primitives into various components of Uber's SDLC, infrastructure security and anomaly detection. He received...

Jovon Itwaru

Security Engineer, Uber

Thursday October 22, 2020 9:00am - 10:00am


Eradicating Vulnerability Classes by Shelving SAST and Embracing Secure Defaults and Invariants
We’re in the middle of a significant shift in how security teams operate and prioritize their limited budget and person-time.

Historically, as an industry, we've focused on building tools to identify vulnerabilities. While we've built impressive tools, these approaches have failed to address the challenges of modern engineering teams.

Specifically, these tools often are too slow, require a prohibitive amount of security engineer time and domain expertise to tune, overwhelm users with false positives, and most importantly, do not ultimately raise a company's security bar.

But there’s another way.

Rather than investing in finding more bugs, some modern security teams are instead focusing on providing developers with frameworks and services with secure defaults (“guard rails”) so that developers can build features quickly and securely. When done correctly, combining secure defaults and lightweight checks that enforce invariants (properties that must always hold), organizations can solve *classes* of vulnerabilities by construction, preventing bug whack-a-mole.

In this talk, we’ll present a practical step-by-step methodology for:

* Choosing what to focus your AppSec resources on
* How to combine secure defaults + lightweight invariant enforcement to eradicate entire vulnerability classes
* How to integrate continuous code scanning into your CI/CD processes in a way that’s fast, high signal, and low friction for developers
* How to use an open source, lightweight security linting tool to find bugs and anti-patterns specific to your company
* How to build collaborative partnerships with open source maintainers to help embed secure defaults and reduce potential gotchas for the frameworks and libraries they support

We’ll also be releasing a set of open source checks created during our research that found a number of CVEs in popular open source repositories on GitHub, so that others can reproduce and extend our work.
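As an illustration of the "lightweight invariant enforcement" idea in the abstract above, here is an added example (not the tool the talk releases, and not r2c's code) of a single invariant check written against Python's standard-library ast module. The invariant it enforces is an assumption chosen for the illustration: subprocess is never invoked with shell=True, and os.system, eval and exec are never called. The SAMPLE source it scans is constructed.

```python
"""A lightweight invariant check over Python source, using only the standard
library's ast module.

Added example, not the tool the talk releases. The invariant enforced is an
assumption chosen for illustration: "subprocess is never invoked with
shell=True, and os.system/eval/exec are never called". Paired with a helper
that builds argv lists (the secure default), a check like this removes shell
command injection as a class instead of triaging instances of it.
"""
import ast
from dataclasses import dataclass
from typing import List

BANNED_CALLS = {"os.system", "eval", "exec"}
SHELL_FUNCS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
               "subprocess.check_call", "subprocess.check_output"}


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


def _dotted_name(node: ast.AST) -> str:
    """'subprocess.run' for an attribute chain, 'eval' for a bare name,
    '' for anything the check cannot resolve (e.g. a call on a call result)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def check_source(source: str, filename: str = "<memory>") -> List[Finding]:
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in BANNED_CALLS:
            findings.append(Finding(node.lineno, "banned-call", name))
        elif name in SHELL_FUNCS:
            for kw in node.keywords:
                # Conservative: anything other than a literal False is flagged,
                # so shell=True and shell=some_flag both fail the invariant.
                literal_false = isinstance(kw.value, ast.Constant) and kw.value.value is False
                if kw.arg == "shell" and not literal_false:
                    findings.append(Finding(node.lineno, "shell-true", name))
    findings.sort(key=lambda f: f.line)
    return findings


# Constructed sample input for the check.
SAMPLE = """\
import os, subprocess

def bad(user):
    os.system("ls " + user)
    subprocess.run("grep " + user, shell=True)

def good(user):
    subprocess.run(["grep", "--", user], shell=False)
    subprocess.check_output(["id"])
"""

if __name__ == "__main__":
    for f in check_source(SAMPLE):
        print(f"{f.line}: {f.rule} ({f.detail})")
```

Run as a pre-commit hook or CI step, a check like this fails the build in milliseconds with no tuning, because it asks a yes/no question about a property rather than searching for exploitable instances. It does not resolve aliases (`from subprocess import run`) or calls through variables, which is the usual trade-off of a lightweight check: keep it narrow and pair it with the secure-default helper it is guarding.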

Clint Gibler

Clint Gibler (@clintgibler) is the Head of Security Research for r2c, a small startup working on giving security tools directly to developers. Previously, Clint was a Research Director at NCC Group, a global security consulting firm, where he helped companies implement security automation...

Isaac Evans

Isaac Evans is the leader of r2c, a small startup working on giving security tools directly to developers. Previously, he conducted research into binary exploitation bypasses for techniques like control-flow integrity and novel hardware defenses on new architectures like RISC-V as...

Thursday October 22, 2020 9:00am - 10:00am


OAuth 2.0 and OpenID Connect for Single Page Applications
Ever since the introduction of OAuth 2.0, the framework has been in continuous evolution. The initial specification addressed a strong need for delegation. However, since then, various addendums focus on the needs of modern applications. Today, many of the original OAuth 2.0 flows are deprecated, and the best practices for Single Page Applications are in constant evolution.

In this talk, we will investigate these recent changes. We look at the use of Proof Key for Code Exchange (PKCE) with the authorization code flow in the browser. We also investigate how Single Page Applications handle tokens, and why localStorage is not as evil as you may think. We look at refresh tokens in the browser, and what you need to do to make them work. You will walk away with a solid overview of recent evolutions in OAuth 2.0, and where to use them in your applications.
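To make the PKCE binding concrete, here is an added example (not code from the talk or from any OAuth library) of the two halves that matter for a browser client: the verifier and S256 challenge the SPA creates, and the check the authorization server performs when the code is redeemed. Redirects, client registration and token format are assumed away, and AuthorizationServer is an in-memory stand-in whose names are assumptions for the illustration.

```python
"""Authorization code flow with PKCE (RFC 7636): the SPA side and the check
the authorization server must perform.

Added example, not code from the talk or from any OAuth library. It isolates
the PKCE binding only; HTTP redirects, client registration and the token
format are assumed away, and AuthorizationServer is an in-memory stand-in.
"""
import base64
import hashlib
import secrets
from typing import Optional


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """code_verifier: 43..128 unreserved characters; 32 random bytes give 43."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Stores the challenge with each issued code; redeems a code only once
    and only to a caller who can present the matching verifier."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str = "S256") -> str:
        # 'plain' sends the verifier itself as the challenge; refuse it.
        if code_challenge_method != "S256":
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, code: str, client_id: str, redirect_uri: str,
              code_verifier: str) -> Optional[dict]:
        entry = self._codes.pop(code, None)  # single use, even on failure
        if entry is None:
            return None
        cid, uri, challenge = entry
        if cid != client_id or uri != redirect_uri:
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        # A stolen code is useless without the verifier that hashes to the
        # challenge bound at authorization time.
        if not secrets.compare_digest(make_challenge(code_verifier), challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(32)),
                "token_type": "Bearer"}


if __name__ == "__main__":
    # The SPA keeps the verifier in memory for the round trip and sends only
    # the challenge with the authorization request.
    verifier = make_verifier()
    server = AuthorizationServer()
    code = server.authorize("spa", "https://app.example/cb", make_challenge(verifier))
    print(server.token(code, "spa", "https://app.example/cb", verifier))
```

The point of the binding is that an authorization code captured from the redirect (a leaked log, a malicious extension, a referrer) cannot be exchanged for a token without the verifier, which never leaves the SPA until the token request. Rejecting the plain method and consuming the code on first use, even on a failed attempt, close the remaining shortcuts.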

Philippe De Ryck

Founder, Pragmatic Web Security
Philippe De Ryck helps developers protect companies through better web security. As the founder of Pragmatic Web Security, he travels the world to train developers on web security and security engineering. His Ph.D. in web security from KU Leuven lies at the basis of his exceptional...

Thursday October 22, 2020 9:00am - 10:00am


OAuth 2.0 Threat Models via P.A.S.T.A
PASTA's risk-centric threat modeling methodology will be applied to highlight threat modeling vignettes for the OAuth 2.0 protocol. These vignettes will depict the authorization protocol along with its overall design, historical flaws, and current weaknesses that can undermine a broader application threat model. The talk will go beyond the protocol's use and current implementation to highlight use cases, abuse cases from an attack library, weakness lists, threat lists, and more, all of which are core to stages within the Process for Attack Simulation & Threat Analysis.

In order to best depict these threat modeling vignettes, we will begin by dissecting the OAuth2.0 protocol to its own unique threat model. From there, we'll demonstrate how issues around the protocol itself and its implementation could spell viable risks for API teams and we'll cover 2-3 case studies across multiple sectors employing the use of the authorization protocol. We'll examine the secrecy of token values, how they and other shared secrets are exchanged and how poor implementation scenarios and other environmental factors could compound overall application weakness. The talk is geared towards API developers, security architects, and security champions who may be leading application threat modeling efforts for their organization.

Tony UcedaVelez

CEO/ Owner, VerSprite
Tony UV is CEO at VerSprite, an Atlanta based security services firm assisting global MNCs on various areas of cyber security, secure software development, threat modeling, application security, governance, and risk management. Tony has worked and led teams in the areas of application...

Thursday October 22, 2020 9:00am - 10:00am


Open Source, Cross Platform Threat Modelling with OWASP Threat Dragon
OWASP Threat Dragon is an open source, cross-platform tool for STRIDE based threat modelling. It is an OWASP labs project. Although it has some things in common with other tools, it also has some fundamental differences in approach that are aimed to make it more developer-friendly than other tools. This session will showcase the tool, talk about how it's built under-the-hood, what it can do today and what the future vision for the tool is.

Mike Goodwin

Mike is the VP of Product Security and Architecture and Technical Fellow at Sage Software - a FTSE100 company providing accounting, payroll and HR software to businesses in 23 countries worldwide. After short careers as an academic and then as a nuclear engineer, Mike settled into...

Thursday October 22, 2020 9:00am - 10:00am


Secure React Native Apps Against API Abuse
Planning on introducing a React Native app into your product mix? Expect new attacks on your app and API infrastructure. Follow the battle between RideFast and RideRaider using and abusing a ride hailing app. Learn to build a solid security base in React Native, which requires consideration of both the React JavaScript framework and the underlying native platform modules. We'll evolve application security by patching common app and API weaknesses exploited by RideRaider. You'll see best-practice approaches for strengthening API keys, OAuth2, man-in-the-middle and TLS defenses, and app code, data, and run-time protections. Examples use open-source packages, and full source code is provided.

Skip Hovsmith

CXO, CriticalBlue
Skip Hovsmith is a Principal Engineer and VP Americas for CriticalBlue, working on securing API usage between mobile apps and backend services. Previously, Skip consulted with CriticalBlue customers on accelerating mobile and embedded software running on multicore and custom coprocessor...

Thursday October 22, 2020 9:00am - 10:00am


Tales from the Trenches: Open Source Security at Scale
Today’s applications rely heavily on open source software. But several security vulnerabilities are identified in open source components pretty much on a daily basis. Some of those could result in catastrophic breaches if your applications are not patched on time. Is your organization prepared? How quickly can your organization respond? Do you know your current risk exposure? Can you patch/upgrade your entire application fleet on time? Come hear the tales from the trenches of a successful rollout and deployment of open source security scanning and remediation at scale.

Never go in it alone! Applying “Systems Thinking” principles and building a cross-functional partnership are the keys to success – where the security team provides the scanning and enforcement “stick” while your framework and infrastructure teams provide the “carrots”, via ease of upgrade automation.

How do you influence developers to fix security issues at scale? What level of friction is healthy and won't cause developer mutiny? How do you empower your developers to make the right security decisions? Come hear about an AppSec team’s journey to build a sustainable program to fix open source security issues in thousands of applications.

Learn what worked, what proved challenging and what didn’t. Walk away with actionable guidance to help organizations scale up scanning and enforcement while at the same time convincing developers (by providing valuable security insights) to treat security as a first-class citizen. We’ll also present and discuss the tool we’ve open sourced to help automate remediation at scale.

Laksh Raghavan

Head of AppSec & Innovation, PayPal Inc.
Laksh Raghavan is the Head of Security Products Development at PayPal Inc. He is currently responsible for managing the Secure Product Lifecycle Program for all PayPal applications including the web and mobile apps supporting PayPal's more than 325 million active accounts. Laksh has...

Thursday October 22, 2020 9:00am - 10:00am


Why Developers Struggle with AppSec
We’ve all heard the buzz around pushing application security into the hands of developers, but if you’re like most companies, it has been hard to actually make this a reality. You aren’t alone - putting the culture, processes, and tooling into place to make this happen is tough. Join StackHawk CSO Scott Gerlach as he shares his triumphs and failures while building DevSecOps practices and tools at companies such as GoDaddy, SendGrid, and Twilio. Dig into specific reasons why developers struggle with AppSec and what you can do to make it work better. Whether you’re a seasoned DevSecOps pro or just starting out, this will be an entertaining (and judgement-free!) talk you won’t want to miss!

Scott Gerlach

Scott Gerlach is Co-founder and Chief Security Officer at StackHawk, a Denver-based startup focused on empowering engineers to easily identify and remediate security bugs. Scott brings over two decades of security and engineering experience to his current role, having served as CSO...

Thursday October 22, 2020 9:00am - 10:00am


Don’t Worry, Be API: Addressing AppSec’s Newest Challenge
Today’s software-driven world is built on APIs, which are increasingly becoming the heartbeat of every modern mobile, B2B, IoT, and web application. APIs enable developers to write the data-driven and flexible applications that all end-users and organizations require and desire. However, while APIs have clear and obvious benefits, they’re also creating a rapidly-growing attack surface that isn’t widely understood and is sometimes completely overlooked by developers and architects. With recent reports suggesting that by 2022, API abuses will be the most responsible vector for data breaches within enterprise web applications, securing them is a top challenge and must be a top

In this talk, I'll highlight the security risks presented by the naive use of APIs, and why an increased level of awareness is required to mitigate the risks. We'll dive into the top 10 API security risks presented in the OWASP API Top 10 list and provide example attack scenarios for each. Finally, I will share what we can expect to see when it comes to API implementation and exploitation moving forward. From API-specific issues like broken object-level authorization and excessive data exposure to more familiar issues like injection and insufficient logging and monitoring, the list rounds up the most critical API threats while also providing example attack scenarios and protection recommendations.

Erez Yalon

Director of Security Research, Checkmarx
Erez Yalon heads the Security Research team at Checkmarx, a provider of software security solutions for DevOps. With vast defender and attacker experience, and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez is also a Co-Founder...

Thursday October 22, 2020 9:00am - 10:00am


Election Security: The post-pandemic acceleration of secure web-based voting
Securing the 2020 United States General Election is a critical challenge facing both federal and local governments. Elections in the United States are highly decentralized, with the federal government giving wide authority to states on how they administer elections. As the world has become more connected and records are digitized, bad actors worldwide have increased their attempts to interfere with elections in the United States. In September 2017, the United States Department of Homeland Security informed 21 states they were targeted by Russian-backed hackers during the 2016 General Election. Not much has changed since then; our election systems are still vulnerable to compromise. Under normal circumstances this would be of great concern; however, where voting may be conducted via web or mobile applications, an attack on these apps could be catastrophic.
COVID-19 trends in the United States indicate that the traditional voting method for many Americans — congregating at a local precinct (schools, town halls, or similar) — may be nonviable. Significant modifications will be required to ensure all registered voters are given a reasonable opportunity to cast a ballot. One potential solution involves internet voting via web-based applications. However, this approach is not well-tested and controversial. How are these systems being set up? Are some states better suited to implement such a solution? How should security controls be enacted? How would contested votes be handled? The questions are substantial.
We are proposing a timely panel discussion with a group of technology experts who can address election security broadly, as well as address individual components of the voting technologies to determine whether web-based voting is an appropriate solution. We will also present potential solutions to common election interference methods such as protecting voter registration systems, phishing attacks on campaigns, and social media weaponization. Audience interaction will be a key factor at the end of the panel discussion, and we will allot time for their participation.

Bryson Bort

Founder and CEO, SCYTHE
Bryson is the Founder of SCYTHE, a start-up building a next generation attack emulation platform, and GRIMM, a cybersecurity consultancy, and Co-Founder of the ICS Village, a non-profit advancing awareness of industrial control system security. He is a Senior Fellow for Cybersecurity...

Anita D'Amico

CEO, Code Dx, Inc.
Anita D’Amico, PhD. is CEO of Code Dx, Inc., which provides application security orchestration and correlation solutions that automate AppSec workflows. Prior to taking on the role of CEO, Anita was the Director of Secure Decisions, a cybersecurity R&D organization that developed...

Thursday October 22, 2020 9:00am - 10:00am


Expose Yourself Without Insecurity: Cloud Patterns for Breaches
Cloud providers continue to increase in usage for the next generation of internet services. Dynamic and ephemeral exposures are being created on an unprecedented level and your old generation of internet scanners can’t find them. Let us show you how they can be found and what it means for the future of unwanted internet exposures.

Right now, at the click of a button, can you answer the question “What in my cloud environments is internet-facing?”. For most security teams the answer to this question would be a sigh and then “No.” We know that complexity is the enemy of security. We also know a comprehensive asset inventory is step one to any capable security program. How can we monitor for unnecessary exposures without knowing what’s on the internet?

In this presentation we will look at the most pragmatic ways to continuously analyze your cloud environments and operationalize that information to identify vulnerabilities.

Through examination of exposure patterns and analysis of passive DNS data, we explore real-world examples of global cloud breaches waiting to happen. There are thousands of vulnerable systems running commonly used services (e.g. Elasticsearch), and more running the up-and-coming services you may not even know your organization is using yet.

Main Takeaways:
* Most security orgs are maintaining their inventory the old way (i.e. IP ranges) which doesn’t cut it in a dynamic cloud world
* IPv4 scanners can’t find virtual host services that are ephemeral or require specific paths in the request to function properly
* Global exposures are only going to increase unless we look at the solution differently and understand the patterns for these breaches waiting to happen

Rob Ragan

Partner, Bishop Fox
Rob Ragan is a Principal Researcher with 15+ years experience in penetration testing, red teaming, and offensive security. These days he's mostly interested in innovative techniques to map out the domains, subdomains, exposed services, and vulnerabilities of large and complex...

Thursday October 22, 2020 9:00am - 10:00am


How to select between SAST, DAST, IAST, RASP, and AST
Security teams are inundated by the marketing literature around SAST, DAST, IAST, and RASP tools, and it is difficult to know when to use which. Come to this talk to better understand the advantages and disadvantages of each of these methods, and to learn an overall process for choosing between these tools.

Abraham Kang

Senior Director Software, Samsung Research America
Abraham Kang is fascinated with the nuanced details associated with machine learning algorithms, programming languages and their associated APIs. Kang has a B.S. from Cornell University and JD from Lincoln Law School of San Jose. He has worked for various companies helping to drive...

Thursday October 22, 2020 9:00am - 10:00am


Insider Threat Detection & Automation by Behaviour Analytics
This talk is about the behavioral analysis of threats within organizations, and how to automatically log and detect them. It highlights how user behavior analysis helps detect service account misuse, compromised systems and devices, data exfiltration, and both zero-day and known threats.

As Covid-19 continues to spread across geographies, it has necessitated home working for many millions of employees, leading to a rise in infrastructure compromises through remote logins. This has severe consequences for organizational security posture, and it provides an opportunity to roll out zero-trust frameworks at scale. A further challenge is that most threats are caused by users inside the company. According to surveys, 60% of organizations experience insider cyber-attacks, and these are incredibly difficult to detect; 85% of organizations find it difficult to determine the actual damage caused. The insider has legitimate access to the organization's information and assets, so it is extremely difficult to differentiate normal activity from potentially malicious activity.

This hands-on session covers what user behavior analytics is, why it is important to use this data based on certain patterns, and how it helps organizations identify risks from the data. It also covers how data science and security intersect, and how technology can analyze user behavior across large datasets to identify the insider threats listed below.

A user's or insider's behavior is linked to the organization's culture and to their reaction to situations in the workplace. According to current statistics the most pressing issues come from insiders: careless users are responsible for the increase in insider threats that lead to huge damage for organizations. Careless users may steal or leak data unintentionally, raising concerns about information security, data leakage, modification, and accidental sharing:
● Clicking on malicious Covid-19 graphs or links offering free tests and medicine
● Large data uploads or downloads
● Performing unauthorized system access
● Taking others' credentials or elevating existing access
● Deleting or editing critical data
● Connecting to critical organizational data sources over unsecured Wi-Fi
● Connecting from a borrowed machine that has no antivirus installed

The problem of detecting insider threats or system compromise can be addressed with classic machine learning (ML) techniques. We can train a model to calculate probabilities and then apply it to new activity to estimate how legitimate that activity is.

We will describe the methodologies, how raw data is transformed, and how we load data into datasets.

The talk walks through hands-on, real-time use cases using two machine learning algorithms, Linear Regression and Random Forest, and shows how insider threat use cases can be detected with behavioral analytics. The focus is on detecting suspicious behavior and sending alerts to the appropriate people; remediating the suspicious behavior is out of scope. We may not cover every insider threat use case, but the two speakers will present the two most commonly detected use cases in detail, along with the datasets.

Hima Vejella

Architect, OpenText Technologies Pvt Ltd
Hima Bindu Veerarmachaneni – Co-Founder for WiCSP Women in Cyber Security and Privacy. She won hackathons organized by NASSCOM & HYSEA. Author, Speaker, Toastmaster, Security Evangelist with 17+ years of experience in the IT industry. She is currently working as Sr. Engineering...

Thursday October 22, 2020 9:00am - 10:00am


Magecart 2020: The New Face of XSS
Digital skimming and Magecart attacks continue to be lucrative for cybercriminals and expensive for web application owners. Attacks have evolved from simple XSS to complex skimming toolkits, fake checkout pages and compromised iframe scripts. PerimeterX has recently uncovered a novel technique for bypassing hosted-fields iframe protection, which enables Magecart attackers to skim credit card data while still allowing the payment transaction to succeed. This stealthy attack technique gives no indication of compromise to the user or the website admin, enabling the skimming to persist on checkout pages for a long time; users don’t suspect any malicious activity since the transaction succeeds as expected. In this session, we explore the anatomy of an attack that targets websites using the popular payment provider Braintree, a subsidiary of PayPal.

Ameet Naik

Ameet Naik is a cybersecurity evangelist at PerimeterX with more than twenty years of experience in information security and data networks. Having held senior solutions engineering roles at Netskope, Juniper Networks and Cisco Systems, Ameet has advised multiple global service providers...

Thursday October 22, 2020 9:00am - 10:00am


Measure and Improve Software Supply Chain Assurance with OWASP SCVS
Third-party and open source software is the ultimate supply chain. It's diverse, it's complicated, and current methods of consuming it are inherently flawed. Organizations that consume and build software using third-party components often unknowingly make assumptions about build processes leaving them vulnerable and open to exploitation. Are you one of them?

For years, the focus on third-party components has revolved around known vulnerabilities, license compliance, and keeping components up to date. While these are important, they represent a fraction of the risk in a software supply chain. This session will shift the narrative from reactionary games of Whac-A-Mole to focus on providing lightweight guidance for organizations to start thinking in terms of supply chains.

Attendees will be introduced to the OWASP Software Component Verification Standard (SCVS), a community-driven effort to establish a framework for identifying activities, controls, and best practices which can help in identifying and reducing risk in a software supply chain. SCVS consists of over 80 controls spread over 6 domains. SCVS is designed to be implemented incrementally, and to allow organizations to phase in controls at different levels over time.

Attendees will be armed with information necessary to start assessing their own organization's software supply chain, and will be provided guidance on which organizational roles may be necessary to partner with to get cross-functional support for moving forward.

Steve Springett

Senior Security Architect, ServiceNow
Steve educates teams on the strategy and specifics of developing secure software. He practices security at every stage of the development lifecycle by leading sessions on threat modeling, secure architecture and design, static/dynamic/component analysis, offensive research, and defensive...

Thursday October 22, 2020 9:00am - 10:00am


Modeling and Building Event-Driven Automation for your SIEM
In this session, come learn how to effectively model and put to work your deluge of data from scans, to event-based user data, and syslogs from your ever-increasing inventory of deployed assets.

As security practitioners, we are constantly adapting to a shifting environment of threats. If we cannot quickly and efficiently respond to new, novel attacks, teams and organizations will suffer. The use of SIEMs (Security Information and Event Management) is not new to the industry; however, just like us, its application and use must evolve.

Aggregating alerts purely for the sake of alerting is sufficient in some ways, but to reduce the time from detection to action we need to build in automation that lets our security tooling not just alert but also respond autonomously. Gain an in-depth understanding of how to build data models, ETL your data, and create triggers that direct automation. Building an event orchestrator from trends within your SIEM is doable; learn how.

Aaron Brown

When Aaron was a full-stack engineer, he spent the time he was not deep in product code partnering with the security team: taking part in hackathons, incorporating security training into his everyday coding practice, and otherwise acting as the security lead for his teams. Then one...

Thursday October 22, 2020 9:00am - 10:00am


Overwhelmed by Vulnerability Triage? Hear a Blend of Finest Best Practices
Having worked with Static Application Security Testing (SAST) solutions for years, we’ve seen how these solutions are fully capable of detecting and identifying large numbers of suspected security vulnerabilities in the software we’ve scanned. SAST solutions are great at detecting vulnerabilities in source code, before the code is compiled and running. At the same time, however, the sheer number of test results can be somewhat terrifying given the work required to triage the significant number of coding errors detected. Remediating coding errors that could lead to exploitation takes a lot of time and effort.

We often ask ourselves, “What if there's a critical vulnerability that was triaged incorrectly? What if that vulnerability could lead to an attacker compromising the application? What if we, as application security (AppSec) analysts, missed something due to a time/resource constraint?” Questions like these are always top of mind for anyone performing a SAST results analysis. There is no shortage of things that can go wrong when trying to triage the large number of results.


Jorge Bastos

Jorge Bastos is an information security aficionado from the north of Portugal. He holds a master's degree in Telecommunications and Informatics Engineering and is currently working as an application security analyst at Checkmarx. Free time is split between exploring new technologies...

Eduardo Silva

Eduardo is a security enthusiast with a degree in telecommunications and informatics, currently working as an Application Security Analyst at Checkmarx. Analyzing source code for vulnerabilities and reviewing SAST results is part of his daily routine, as well as always trying to learn...

Thursday October 22, 2020 9:00am - 10:00am


Purple Team Strategies for Application Security
Purple Team testing, or the active collaboration of offensive and defensive staff during penetration tests, can help organizations address their most immediate security threats, increase the accuracy of testing, and create a feedback loop where both teams contribute to the success of the other. Typical Dynamic Application Security Testing (DAST) does not lend itself well to Purple Team practices. This talk covers the basics of conventional Purple Team exercises, the ways that application testing environments and tools often differ from penetration testing, and how application defenders and breakers can adapt to those differences to enable each other in an integrated fashion.

For defenders, learn how your insights into the overall environment and risks, knowledge of security controls, and the state of and output from applications being tested can lead to better, faster, and more actionable application security tests. For breakers, learn how to help defenders better recognize threats in logs and alerting systems and increase their ability to spot, stop, and mitigate real-world attacks. Both sides can benefit from fewer missed opportunities to work together to increase the security of their organization while reducing the friction that the often adversarial nature of security testing creates.

Joe Schottman

Security Analyst focused on R&D, Truist (not speaking on behalf of them)
Joe Schottman is an application security focused security professional with experience ranging from web application development to purple team engagements. He has spoken at regional and national conferences on threat hunting, web shells, purple teams, and more.

Thursday October 22, 2020 9:00am - 10:00am


Real Time Vulnerability Alerting by Using Principles from the United States Tsunami Warning Center
Vulnerabilities and attacks are like tsunamis caused by earthquakes that hit without warning, causing high damage and leave us scrambling. Although one cannot predict earthquakes, there are two Tsunami warning systems operated by NOAA in United States which produce reliable results in the nick of time. Based on the same core concepts and principles we have built an open source Vulnerability Warning Center that alerts on highly seismic vulnerabilities before they hit your organization shore.

In this session we will demonstrate how a real time vulnerability alerting system can be built in the AWS cloud using public data. With more than 2000 unique vulnerabilities disclosed every month, CSOs and security practitioners have an impossible task of cutting through the noise and prioritizing the most critical issues for remediation. Doing this daily is excruciating, and weekly is too slow. Wouldn't it be nice if there were an automated system that alerted on the most gruesome high-profile vulnerabilities in real time to produce actionable insights?

Rather than collecting data from honeypots and sensors, we took a different approach and harnessed public data on attacks, exploits, data leaks, vulnerabilities, blogs, Twitter and numerous other data points to create simple alerts and graphs that warn on actionable insights in real time. Even in this initial phase the system has shown remarkable results, which we will demonstrate to the audience. In the live demo we will ask the audience to pick a day, week or month and demonstrate the system's capability to identify the most pressing security vulnerabilities during that timeframe.

We will examine the design and implementation details to show how the system can eliminate noise and rank the most relevant real-time vulnerability information. We believe that we have just scratched the surface; in the future, we plan to add NLP with AI and ML to process even more public data from different regions, languages and sources, which will increase the coverage, accuracy and range of industries currently covered by the system. To conclude, we will demonstrate that a system based on public data can accurately and in real time curate, identify and prioritize high priority vulnerabilities to provide actionable insights.

Amol Sarwate

Head of Security Research, CloudPassage
Amol Sarwate heads CloudPassage's worldwide security research lab, responsible for cloud security scrutiny, vulnerability and compliance, as well as endpoint analysis. He has devoted his career to protecting, securing and educating the community from security threats. Sarwate has presented...

Thursday October 22, 2020 9:00am - 10:00am


Real world static analysis for real humans
Static Analysis is often seen as two extremes of a spectrum. At one end are the classic stories of 100% managed, black-boxed solutions. These solutions are historically high-noise, low-signal, turnkey systems that end up causing more hassle for developers than good. At the opposite end, some large tech companies have been able to hire fleets of PhDs to build the perfect solution for their highly specific environment. While impressive feats, these often leave very little actionable takeaway for the rest of the community.

This talk is for medium-sized companies that can’t or won’t invest the time and effort in a custom tool and would rather use an off-the-shelf solution, but still need integration with their modern pipelines and their agile and DevOps SDLCs. We factor in the highly diverse environment we work in, with no centralized testing or code pipeline, plenty of languages and platforms, no ability to modify developers’ repositories, and a total repository count over one thousand.

In this presentation, we’ll show you how we took an off-the-shelf SAST product, took it apart, and put it back together in a cloud-friendly, automated, scalable, and high-signal way. We’ll detail what you should look for in an off-the-shelf tool for maximum customization, which parts of the product you should consider keeping and which ones you should rewrite, and we’ll show our specific implementation. We’ll present how we deal with an extremely complex environment and how you can build your own platform with a couple of dedicated engineers and lots of ingenuity.

Nick Gonella

Nick is a Security Engineer, specifically focused on offensive security. He currently works primarily in web security, both as an internal pentester and building tools to automate vulnerability discovery. Before this, he worked as a security researcher and part-time lecturer of systems...

Adrian Bravo

Adrian Bravo (@adrianbravon) has more than ten years of experience in the security industry working in areas such as application security, penetration testing, and red teaming. He currently works as Principal Product Security Engineer for Workday Inc. where his focus is on application...

Thursday October 22, 2020 9:00am - 10:00am


Social Media Botnet Detection with Linkage Analysis and Machine Learning
Attackers heavily rely on botnets to distribute spam content on social media to gain profit from user traffic. They operate numerous bot accounts to launch a spam campaign in order to perform malware/porn distribution, promote online gambling or publish misinformation.
The presentation will introduce the concept of “case linkage analysis” from crime investigation and how to adapt it for spam botnet detection. The methodology helps correlate independent spam bots in the wild, identify campaigns and transfer insights into machine learning models to build automated detection systems.
The talk will illustrate an innovative approach to building unsupervised/semi-supervised machine learning models with behavior analysis and detecting spam bots with graph learning algorithms. It achieves large scale detection power with low false positive rates.
The session will also go through several bot detection pipelines currently in production and demonstrate their efficacy.

Rundong Liu

Rundong Liu is a seasoned security professional with years of experience designing large scale risk prevention systems. His main research interest focuses on using big data and AI to fight against cyber attacks. Rundong now works in the Trust and Safety team at Pinterest, leading the...

Thursday October 22, 2020 9:00am - 10:00am


Weakest in the herd: EoL softwares and a journey to secure it
Ancient architecture like the Great Wall of China was built to protect the territories of Chinese states. Does this work with computer hardware and software? No. These technologies have a very short lifecycle and are often replaced as and when newer technology stops supporting older versions of software. Vendors stop offering security patches, upgrades and support for this ancient End of Life software, and eventually this unsupported software becomes the weakest link in cybersecurity.

EoL software is a growing concern among many organizations nowadays, and the risks associated with it are numerous and varied. Attackers often seek unguarded pathways into software which is EoL or nearing End of Life and will no longer be supported by the vendor for patches and upgrades. Such software is difficult to patch in the future and its maintenance is painful, with steeply rising operating costs. There is no protective wall that can secure this EoL software, and it eventually becomes the easiest target for attackers. As a result, it is more prone to APTs (Advanced Persistent Threats), malware and other security threats.

In this session, we will talk about EoL software as “the weakest link”, giving a brief overview of how this software is becoming a growing concern among organizations. Finally, we will share guidelines an organization can follow to deal with EoL software.

Anuprita S Patankar

J2 Global
Anuprita Patankar is currently working as an Application Security Engineer at J2 Global, currently focused on deploying new tools and techniques within J2 Global's environment to barricade application security-related flaws and also serving as a Director of Security Awareness for...

Aastha Sahni

Flatiron School
Aastha is currently working as the Lead CyberSecurity Instructor at Flatiron School. Since the time she started her master’s program in Information Security, she has been connecting the dots and moving ahead. Aastha has worked in the IAM, Vulnerability Management and SIEM domains with...

Thursday October 22, 2020 9:00am - 10:00am


Application logging in the era of GDPR
Applications log their activities for a variety of purposes. Among other things, log data are invaluable for security in identifying incidents, monitoring policy violations, facilitating diagnosis, providing evidence for forensics, establishing audit trails, and so on. Because of this importance, OWASP has a security logging project that provides APIs for logging security-related events. The OWASP logging cheat sheet serves as guidance on building application logging mechanisms, especially security logging. Developers and operations personnel adopt these tools and others in their daily work, enhancing the security posture of their products and services.

On the one hand, various businesses can have different sets of security requirements based on the risks faced by and trust levels required of their products or services. More relevant and practical security guidance is often needed for developers or operations. On the other hand, the European Union’s General Data Protection Regulation (GDPR) has become the law safeguarding the privacy of individual EU citizens. This affects all products and services sold or operated in the EU. Developers often raise questions regarding what data can or cannot be logged to maintain GDPR compliance. Although there are many materials and trainings on GDPR, few provide guidance on application logging.

In this talk, we describe how we address the above issues and share good practices and lessons learned. We discuss security and privacy topics regarding application logging, protection of log data, and the impact of GDPR on logs. The audience will take away recommendations and tips on these subjects.

Karen Lu

Dr. Karen Lu is a principal security architect at Thales. She has over 15 years of experience in security, risk assessment, identity and access management, and privacy protection. Karen holds 28 patents with many pending, and has 50+ publications over several research fields. She...

Thursday October 22, 2020 9:00am - 10:00am


AppSec is dead. Long live DevSecOps!
In the ancient times of software creation, we had AppSec, and we had developers.

Generally, AppSec was aware of security problems, their impact, and code-level fixes. However, these remedies would rarely work in the custom tech stack of the company. Developers cranked out software features in a fast, functional and reliable way, but also released their code for security review as late as possible. Why? To shorten the AppSec feedback window, ensuring their out-of-context security recommendations would bounce back well after the release window and not halt proceedings. A little dysfunctional, to say the least.

Fast-forward to today, and our demand for software is greater than ever before, as is the risk of data breaches from common vulnerabilities. This fractured process cannot work, and the DevSecOps movement is here to change the game. DevSecOps creates an environment of shared responsibility for security, where developers become responsible for effective deployment, and the lines between AppSec and development teams are increasingly blurred and more collaborative.

The days of a hands-off security approach for developers are over, and with the right training and tools, they can take advantage of this process, upskill their security awareness and stand out among their peers.

The speaker will demonstrate the changes the industry has faced in the journey from Waterfall to DevSecOps, as well as reveal how you, the developer, can become a powerful piece of the DevSecOps pipeline, without compromising the work you love most, all while upskilling and becoming an even more sought-after engineer in the process.

Matias Madou

CTO, Secure Code Warrior
Matias is the CTO and co-founder of Secure Code Warrior. Matias holds a Ph.D. in computer engineering from Ghent University, where he studied application security through program obfuscation, working primarily on static analysis solutions. With his Ph.D., he moved to the U.S. to join...

Thursday October 22, 2020 9:00am - 10:00am


Detecting session hijacking using rotating refresh tokens in web applications
Session hijacking can be used to gain unauthorised access to an already authenticated user account. This means that it is an effective way to bypass login protections such as 2FA.

Traditionally, developers use IP address or device fingerprinting pattern matching to detect session theft. However, these are unreliable, as they often lead to false negatives or positives, resulting in suboptimal security and user experience.

Rotating (or one-time use) refresh tokens can be used to detect session theft in a far more robust way. This is also recommended by the IETF in RFC 6819. Using this technique along with the traditional techniques results in a very secure session management solution.

Rishabh Poddar

I am the co-founder and CTO of SuperTokens, a Y Combinator backed company. We offer a solution for user authentication, specifically for managing user sessions. SuperTokens is used by 100s of developers and companies globally to secure their users’ accounts. Before SuperTokens...

Thursday October 22, 2020 9:00am - 10:00am


Does “diversity” really have an impact on software and security teams?
Software development and security are typically performed by teams of people. In recent years organizations have been asserting the importance of adding diversity to these teams. But does adding diversity really make a difference in the quality and productivity of teams, such as software and security teams? And what constitutes diversity?

This session is different from other ones you’ve probably attended on diversity: It extends the discussion of diversity beyond demographics such as race or gender identity; there are other types of diversity that are equally at play in software and security teams, such as cognitive, personality, neural and value diversity. This session does not offer personal experiences and anecdotes about diversity. Rather, the material presented is grounded completely in the results of scientific studies on the impact of diversity on team performance.

The results may surprise you. There is no universal, positive impact of adding all types of diversity to software and security teams. The data show a far more complex and nuanced impact of diversity on team performance. This presentation will cover how factors such as gender, race, age, cognitive, knowledge and values diversity have positive, negative or no impact on team performance. It will also address the social dynamics that happen when you pull together a diverse team, and how that may affect their performance. And this talk will cover the impact of psychological safety on how well software and security teams perform.

Anita D'Amico

CEO, Code Dx, Inc.
Anita D’Amico, PhD, is CEO of Code Dx, Inc., which provides application security orchestration and correlation solutions that automate AppSec workflows. Prior to taking on the role of CEO, Anita was the Director of Secure Decisions, a cybersecurity R&D organization that developed...

Thursday October 22, 2020 9:00am - 10:00am


Falling Water Vulnerability disclosure for Medical Devices
The design of life saving software plays a vital role in the Medical Manufacturing industry. The way in which medical devices are being revolutionised is staggering and breathtaking, but it hasn’t necessarily resulted in a corresponding revolution in how these devices are built. With the advancement and evolution of research into chronic illness, newer, more advanced methods are found to treat these chronic illnesses more effectively. Medical technologies can be defined as products, services or solutions which are used to improve and prolong life. Statistics from 2019 showed that more than 500,000 medical technologies, such as implantable devices, patient monitors and robotic surgery aids, are available to hospitals and patients. The medical device industry is poised for a steady increase in growth, with a global forecasted annual sales growth of over 5% a year, estimated to reach 800 Billion US dollars by 2023. This results in an increase in demand on developers to build better (and safer) technologies. Hacking or breaking of medical devices has increased over the last few years, with the biggest issue now being the response time to a disclosed vulnerability. The divide between Medical Manufacturers and Researchers has slowly started to close, but the disconnect between Researcher expectations and Medical Manufacturers’ processes still exists. This talk uses a hypothetical disclosed vulnerability and walks it through the software development life-cycle in a pipeline for a medical device, showing how the disclosure of a vulnerability fits within that context. The talk also touches on the regulatory statutes which dictate the design process. The main aim of the talk is to push the conversation about how medical device vulnerability disclosure works from a developer's perspective.

Veronica Schmitt

Veronica Schmitt’s forensic career began in 2008. She is considered a leading authority in the field of digital forensics and incident response by her peers, both in South Africa and internationally. As a Lead Forensic Analyst within DFIRLABS, she is responsible for digital forensics...

Thursday October 22, 2020 9:00am - 10:00am


Mobile DevSecOps: 5 Tips from Building Mobile Apps Used by Millions
With 12 million mobile app developers and 4.5 million apps in the Apple AppStore™ and Google Play™ Store, it’s no surprise that 68% of ALL digital time is spent in mobile apps vs. the web. Join us for some amazing stories from working with the biggest mobile brands and many top global mobile app developers and security teams. Then we'll roll out the 5 key mobile AppSec and mobile DevSecOps best practices we've learned from them. Don’t miss this chance to get the inside scoop on securing and testing the mobile apps that you use every day.

This could be presented as Security Essentials or Security Governance; it can be tuned to fit if preferred.

Brian Reed

Mobile AppSec Guy, NowSecure Mobile
As Chief Mobility Officer, Brian Reed leads the mobile appsec and DevSecOps charge at NowSecure helping orgs deliver secure mobile apps faster. He brings decades of experience in mobile, apps, security, dev and operations helping Fortune 2000 global customers and mobile DevSecOps...

Thursday October 22, 2020 9:00am - 10:00am


OSINT to Compromise
One of the most important aspects of a penetration test is reconnaissance. Oftentimes we diminish this step and move straight into the scanning and the attack phase. By spending more time in the discovery phase, we can do a complete analysis.
There are reconnaissance techniques that target networks, some techniques target people, and other techniques that target websites. The problem is that sometimes we treat the output of this data as different areas when we should be considering it holistically.
This presentation will focus on using multiple OSINT tools and techniques to learn about the target and on how the data can work together in a coordinated effort to learn more about the attack surface.
Starting with the network, we will get a footprint of the site and then use open source tools to build a better picture and discover access points into the target site. Then, scraping the site for more information, we will gain a good attack vector.
The next step is to feed that information into an attack tool that can lead to compromise.

Frank Vianzon

Denver OWASP
Frank has been in I.T. since the early 90's, focusing the last 15 years on security. He has worked in a variety of roles, from individual contributor to Director. His career spans from Blue Teams to Red Teams, including Penetration Testing, Incident Response, Threat Intelligence...

Thursday October 22, 2020 9:00am - 10:00am


Secure application design with high data privacy requirements
Applications handling sensitive data tend to focus on protecting access to the data and later confront the details of increasing regulatory requirements, new use patterns, and the security challenges we all face. Applications built (or refactored) with isolation and protection designed in will prove more resilient as they age and regulatory restrictions increase. The design patterns and guiding principles behind this talk have been primarily applied to large volumes of data subject to HIPAA, but are equally applicable to GDPR, CCPA and other regulations. The intention is to not only meet all of those requirements, but to be well positioned for what comes next, and to meet the test of time in managing data that might be stored for many years.
We’ll quickly cover what those regulations actually require you to do, and why those requirements are often misinterpreted, and sometimes difficult to meet during and after an incident leading to a potential disclosure.
We’ll look at design goals for managing sensitive user data lifecycles, covering storage, cryptography, logging, and anonymizing data for less restrictive use.
Use cases and patterns in the real world often challenge well-intended security designs; in order to avoid compromising data safety, we’ll look at some techniques for storage and encryption that have been successfully applied to large data sets over long periods of time.
The specific challenges of incident handling, potential breach determination, and end users’ rights, such as the right to be forgotten, present operational challenges to consider in designing tools and logging events.
Finally, we’ll discuss the external expectations one will face, from providing detailed information to third parties to undergoing audits, and the supporting practices that should be in place to complement a solid design.

James Bohem

Security Architect, Leviathan Security Group
James is the Healthcare Practice Lead for Risk and Advisory Services at Leviathan Security Group, where he assists clients with information security strategy to align business needs with regulatory and industry compliance requirements. Previously James has served as the security officer...

Thursday October 22, 2020 9:00am - 10:00am


Start me up, safe! – AppSec for startup and small companies
A startup company came up with a fantastic idea and now it is time to execute it. How could a startup company benefit from the vast application security resources available? What practices could be implemented to obtain some quick and valuable wins? How could they be integrated into DevOps and Agile practices? This presentation sheds some light on those questions and presents a practical perspective on various resources such as documentation, procedures, people and tooling, from code to deploy!

Ismael Goncalves

Ismael Goncalves has been working in the cyber security industry for over 13 years. During his career he has played various roles at different companies and verticals related to information and cyber security, such as developer and team leader for security related products, security...

Thursday October 22, 2020 9:00am - 10:00am


Systems Thinking: How not to fail at AppSec!
Many AppSec programs struggle and/or fail to deliver the outcomes they planned for - this is very evident in the number of vulnerabilities identified over time, endless patch cycles, number of security breaches, etc. It sometimes feels like we are fighting a losing battle. In short, we are living through a global crisis that is unfolding in slow motion.

Systems Thinking principles are used to solve some of the biggest problems that humanity faces - from pandemics to climate change. With mathematical rigor, we can easily prove that improving the performance of the parts of a system taken separately will NOT necessarily improve the performance of the whole. In most cases, doing so actually deteriorates the performance of the whole. And yet, many organizations try to improve the security of their applications without any serious consideration about how profoundly it impacts quality, usability, release velocity and productivity of their developers.

Also, many AppSec practitioners gripe about not having enough budget/funding to buy the BEST security products on the market. This is a non-issue that can be easily disproven: take the best car engine on the market, say from a Ferrari, and try to fit it in your own car. You can't even bolt it in, and the car will become inoperable. Most of the emphasis during security product selection and rollout is about the part (the security product) and its capabilities/features. Yes, we definitely need to evaluate the parts, but we must think and obsess deeply about their interactions too. With this approach you can solve many complex security challenges even if you don't have the budget to buy the best security product(s) on the market.

This talk will introduce Systems Thinking principles and concepts to the audience followed by a deep dive into real-world examples and case studies that explain how to apply them. Brace yourself for some myths to be broken and walk away with actionable guidance on what changes you need to institute in your own AppSec programs to measurably improve the outcomes.

Laksh Raghavan

Head of AppSec & Innovation, PayPal Inc.
Laksh Raghavan is the Head of Security Products Development at PayPal Inc. He is currently responsible for managing the Secure Product Lifecycle Program for all PayPal applications including the web and mobile apps supporting PayPal's more than 325 million active accounts. Laksh has...

Thursday October 22, 2020 9:00am - 10:00am


WAFs! WAFs! We don't need no Stinkin' WAFs! - Extending WAFs at the Application Layer
The application security community has embraced Web Application Firewalls (WAFs) as a fundamental control to help secure applications. As WAFs are external to the applications they are protecting, they do not provide a granular security control for applications; rather, they block a broad range of threats for the many applications fronted by the WAF. Once a request passes through a WAF, it is considered partially secure, which could provide a false sense of protection, as developers might consider the WAF to be a security barrier that cannot be bypassed.

This presentation discusses common issues that arise when implementing WAFs to protect legacy applications. That is, security gaps are created when WAFs are configured in a manner that avoids breaking the application. Common configuration changes which open gaps include:
1. Disabling WAF rules
2. Whitelisting parameters/headers/cookies & URIs
3. Adding custom rules to bypass WAF rules

In modern application development, security is addressed from requirement to delivery, however when working with legacy applications this is rarely the case.

In an effort to standardize the protection of the security gaps in WAFs, this presentation proposes using a not-so-new form of control with a modern approach: the “Sanitation Web Application Filter” (SanWAF). The SanWAF is a generic web app filter that is tasked with providing an application layer of protection addressing the security gaps in WAFs.

SanWAFs are intended to be part of the application, providing cookie/header/parameter & URI validation that ensures proper datatype and data length, plus custom mechanisms to sanitize application inputs before they are processed by application code. Unlike WAFs, SanWAFs are configured per application, providing a fine-grained security control that developers can rely on.

Bernardo Sanchez

Bernardo Sanchez is the Senior Application Security and Performance Architect for PointClickCare, the world’s largest cloud-based EHR platform in the LTPAC (long-term post-acute care) Industry. He is responsible for Application Security in the engineering department and has achieved...

Thursday October 22, 2020 9:00am - 10:00am


A Dancefloor that is Literally Just Banana Peels – AppSec Awareness Program Pitfalls
Application security education (a.k.a. secure coding education) is an integral part of any application security program. Without a continuous and engaging AppSec awareness program, it’s challenging to squeeze Sec between Dev and Ops (DevSecOps), or add one more S to SDLC (SSDLC). Providing developers some training as OpenSAMM suggests seems to be the easiest security practice; however, there are many ways to get stuck and miss the goals of the program. This talk covers the major pitfalls organizations face as they implement a security awareness program and provides a way to avoid these pitfalls altogether.

Eugene Rojavski

Application Security Researcher, Checkmarx
A passionate appsec specialist who loves to poke things until they explode. 9 years in infosec and appsec constantly pursuing a goal to unravel the mystery of security. I enjoy coaching others on how to create "securer things". Currently, I take part in building the AppSec awareness...

Thursday October 22, 2020 9:00am - 10:00am


A Warrior's Journey: Building a Global AppSec Program
"Adapt what is useful, reject what is useless, and add what is specifically your own." - Bruce Lee
This talk covers critical foundations for building a scalable Application Security Program. Drawing on warrior-tested strategies and assurance frameworks such as OWASP SAMM and BSIMM, this session gives actionable guidance on building and advancing a global application security program. Whether you are starting a fledgling security journey or managing a mature SDLC, these foundational elements are core for achieving continuous security at scale. The presenter is Senior Director of Product Security for an enterprise software provider, delivering hundreds of software products and cloud services to global Fortune 2000 enterprises and government agency customers.

Brian Levine

CISO, Axway Software
As Senior Director of Product and Cloud Security, Brian leads a global AppSec organization delivering security training, tools, processes and DevSecOps practices to a diverse engineering organization. With a career spanning two decades as a technology provider to security-conscious...

Thursday October 22, 2020 9:00am - 10:00am


Breaches Are Everywhere; What's a Good Security Leader to Do?
Breaches are on the news seemingly weekly, as organizations struggle to secure their data. Phishing attacks are proliferating and compromising our workforce seemingly at will. Ransomware has taken several victims and payment demands are escalating. All organizations seem to have become prime targets.

In this talk, I will share strategies to combat the rise of cybercrime, and how to make your networks more secure. I will discuss administrative, technical, and physical security controls. Have you built a sustainable and dynamic Information Security Program? Have you shared this with upper management and gotten their buy-in and support?

Have you initiated a balanced Security Awareness Program? Are you regularly running scans of both your network and your applications? Are you monitoring your network to detect unusual activity? What about when that dreaded intrusion into your network occurs? Do you know what to do? Are you testing and evaluating your security controls on a regular basis? How often do you test your Disaster Recovery Plan and your Incident Response Plan? Do you have the right people on your IR team?

We are entrusted with highly sensitive data. We must utilize best practices and ensure we have a comprehensive Cyber Security Program. Come learn if you are doing this and ensure that you indeed are properly protecting your confidential information. Don't allow your organization to become the next victim of a breach.

Richard Greenberg

Global Board of Directors, OWASP
Richard Greenberg, CISSP, is a well-known Cyber Security Leader and Evangelist, CISO, Advisor, and speaker. Richard brings over 30 years of management experience and has been a strategic and thought leader in IT and Information Security. His Project Management, Security Management...

Thursday October 22, 2020 9:00am - 10:00am


Creating a Security Policy Framework - That works
Creating, distributing, reviewing, and collaborating on corporate security policies and standards can seem like a necessary evil. However, it can be made interesting and effective by creating a model that is scalable, leverages crowdsourced experts, and automates the review process. Come learn from Adobe’s security team how to build an effective security policy and governance framework that will stand the test of time.

Isaac Painter

While working on a bachelor’s degree in accounting from Utah Valley University, Isaac was introduced to the world of security through a college job. This led to an interest in the ever-changing world of security. He eventually went on to earn a Master’s in Accounting with an...

Thursday October 22, 2020 9:00am - 10:00am


Data Classification with Serverless Functions
Problem Statement
Every company is a data company today. Companies produce, process and store all of their data in databases and log files, and more external data sources are introduced over time. Compliance teams need a data inventory and data classification because sensitive data must be monitored, retained, and processed according to different legal/compliance requirements. Information Security teams need to understand where sensitive data is stored and how it is processed in order to perform risk analysis. The current way of doing data classification is either 1) granting employees audit access to the database, which leaves the risk of human error and of client-side attacks (with the loss of their credentials); the large number of databases, tables, and fields also makes manual (human-based) review challenging; or 2) allowing 3rd party applications to access production databases to perform data classification tasks, which risks data leaving the trusted boundary and assumes that the data held in the 3rd party software is properly secured.

Current Gaps
Data classification
- Manual classification is challenging for large databases
- Correlating multiple data fields and monitoring continuously are difficult
- Data-related policy enforcement rests entirely on the database reviewer
Sensitive data access
- Allowing reviewers to see the sensitive data creates extra risk (insider threat)
- Database access is compromised if the user's credentials are stolen
- 3rd party software accessing the production database creates risk
Server and application maintenance
- Introducing vendor solutions creates extra maintenance tasks
- Compliance and security teams do NOT need to maintain an extra tool for data security/privacy monitoring

Solution Summary
This talk covers how to build a maintenance-free, cloud-native application that scans databases for continuous data classification and monitoring. Key components include:
- Cloud-native application architecture: leverage the serverless platforms provided by cloud service providers, such as AWS Lambda/Google Cloud Functions;
- Strong access control: access is only granted to the application. Customers do NOT share applications or platforms. Data never leaves the customer’s trust boundary;
- Smart detection: an NLP algorithm learns and classifies data fields and outperforms regular-expression matching;
- Broad user base: how the solution could potentially benefit compliance teams, information security teams, and 3rd party auditing service providers

Yitao Wang

Yitao Wang has 10+ years of experience in information security. Coming from the other side of the GFW, he has had a great passion for internet and computer security since the wild '90s. Yitao is currently working as a Security Engineer for a FinTech startup company. Previously he led the...

Thursday October 22, 2020 9:00am - 10:00am


Full Life-cycle Security: Internal / Corp Code --> Open Source Project
When your organization decides it is time to release part of your codebase as open source software, it is important to consider the security implications for your internal stakeholders as well as for downstream users of your project. After the release of your project to the public, you have a responsibility to actively monitor and maintain your code. In this talk we will explore how to prepare your code and organize your project to ensure that security is baked in from the first release and that you lay the foundation for keeping all stakeholders secure throughout the entirety of the project's lifecycle.

Participants will learn how to build and improve their outbound open source security processes with initial and ongoing governance and security processes. We will also discuss planning for responsible disclosure, securing related infrastructure and documentation, as well as end of life and end of support considerations for your open source project.

Eric Goldman

Eric Goldman is an application security professional who specializes in training and human factors. Eric's focus is on getting developers excited about security and making their lives easier so their apps can be more secure from that first commit.

Thursday October 22, 2020 9:00am - 10:00am


OD approach to the champions dilemma
The notion of security champions was created many years before it became hyped, yet after many years its implementation in production use is still vague (beyond the basic postulates). In our presentation we propose a new-wave (just another) approach to implementing security champions in an organization with many development teams/projects. As S-SDLC consultants with backgrounds also in organizational development (OD) and enterprise software delivery, we propose measures which could result in a sustainable secure development practice across development teams: a practice with security champions as the key figures of security, but still only agents in a self-sustaining (tacit and explicit) practice involving all developers and leaders.

In our experience, even with a mature S-SDLC there are persistent root causes of failures in security quality. The weakest link problem: the security quality of a piece of software depends on the weakest developer security-wise, who will sooner or later introduce a security bug into the system. So to achieve good security quality every developer has to fully understand every piece of security know-how related to his job, which is a strong requirement (while almost all other fields of knowledge work are perfectly well delegated to different specialists in a team). Delegating security knowledge to champions may create a false sense of security. Meanwhile, security knowledge and skills accumulate poorly -- again an atypical feature of security compared to other domains. A security champion will not likely be able to help or pass on the needed knowledge efficiently if her colleagues were not trained on a gut level to know when to call her for advice or a review. And we end up relying on good old security gates.

We address these problems by postulating that software security is rather a complex organizational issue. We propose a methodology to foster routines that: help both old hands and newly onboarded members learn the basics fast; facilitate permanent knowledge transfer; and effectively use the knowledge of those more experienced in security. The measures in the mix are classic ones with some custom glue: yearly trainings and webinars for devs, devops and testers; daily security-aimed code reviews; one-click-away and usable documentation; multiple security champion roles; persistent means of spreading knowledge and skills; coaching, etc.


Thursday October 22, 2020 9:00am - 10:00am


OWASP SAMM 2: Your Dynamic Software Security Journey
After three years of preparation, the OWASP Software Assurance Maturity Model (OWASP SAMM) project team delivered version 2.0 in January 2020!

OWASP SAMM 2.0 provides a structural and measurable framework designed to overcome the challenges of building security into the software development and management practices of a company. It enables CSOs, directors, security architects, security analysts, and other application security professionals to formulate a strategy and implement a security program that is tailored to the risk profile of your organization.

Learn more about OWASP SAMM, and begin the dynamic journey towards improved software maturity with agility and assurance.

John Ellingsworth

Security Principal, JohnEllingsworth.com
John Ellingsworth is a security principal at an S&P 500 company where he helps software development teams build and deliver secure enterprise solutions. John is on the core team for the OWASP Software Assurance Maturity Model (SAMM) Project, and a co-author of OWASP SAMM 2.0. He is...

Thursday October 22, 2020 9:00am - 10:00am


OWASP Top 10 Maturity Categories for Security Champions
You have heard of this term - Security Champions, or was it Satellites (that sounds weird..)? But what are they really? Is it a good idea? How many companies are doing this? If you're convinced it needs to be done, how do you manage a Security Champions programme (at scale)? What methods and tools exist? This presentation introduces the new OWASP Top 10 Maturity Categories for Security Champions - method and tool.

Lucian Corlan

OWASP Cluj Leader & AppSec Manager, Sage
Lucian Corlan is Director of Application Security at Sage Group plc, having previously worked in InfoSec/AppSec roles for SagePay, Betfair, Deloitte UK, Orange, NBG and Infologica Silverline Bucharest. Additionally, Lucian has led the Romanian Cluj-Napoca OWASP Chapter and is currently...

Thursday October 22, 2020 9:00am - 10:00am


Privacy Threat Modeling: Analysis of Cloud Services Against Privacy Regulations
While threat modeling techniques and methodologies have markedly evolved and matured in the cybersecurity field, privacy threat modeling processes have been inadequately developed, discussed, and utilized. However, this does not mean that threat modeling concepts are not applicable to the privacy analysis of systems and applications.

In the past, several privacy threat modeling techniques have been proposed and put into use, including LINDDUN (Linkability, Identifiability, Non-repudiation, Detectability, information Disclosure, content Unawareness, and Non-compliance), Cloud Privacy Threat Modeling (CPTM), and Quantitative Threat Modeling Methodology (QTTM).

Cloud-based services are becoming the obvious choice in many cases today, considering their advantages, which include the elasticity, scalability, and measurability of services. The range and complexity of offerings can make the security and privacy analysis of these services, and of the processes composed of them, complicated and perplexing.

In this work, we aim to present an abstract form of the cloud services offered by major cloud providers as a few patterns. These services include storage, logging, backup, load balancing, and identity management services. Subsequently, we use threat modeling techniques, informed and fed by privacy goals, to perform a privacy threat analysis on those patterns. These privacy goals have been derived from major compliance regulations (GDPR, LGPD, and CCPA), and we will demonstrate how their nuances can affect the process of modeling threats.

Farbod H Foomany

Security Compass
Farbod H Foomany is a Technical Product Manager (previously Technical Program Manager, Technical Lead, and Senior Security Researcher) of security content research at Security Compass. He holds degrees in electrical and computer engineering and a Ph.D. with a focus on criminological...

Thursday October 22, 2020 9:00am - 10:00am


Time for a Change: Why It's More Important Than Ever to Revisit the CFAA
After 40 years of hard-fought battles, the internet has finally reached a place where it knows that hackers aren’t always burglars. Many of us are locksmiths: we think bad, but do good, and we view technology, and often the world, through a different lens than the people who build it, and we form the immune system for our digitally-connected society.

Since the inception of the Computer Fraud and Abuse Act (CFAA), public perceptions of the white hat hacking community have evolved immensely, as have the functionalities of black hat hacking. As we speak, thousands of companies are actively inviting good-faith hackers to hack into their systems via vulnerability disclosure, bug bounty, and crowdsourced security programs. However, the law hasn’t caught up with this reality.

The risk of prosecution under anti-hacking and anti-circumvention laws still casts a cloud over the hackers who are trying to help protect systems, and to report security issues in good faith. As a result, 60% of hackers do not report vulnerabilities in fear of prosecution. Safe harbor is no longer a hypothetical best-practice, it’s now key for trust in vital relationships between hackers and organizations.

What is Safe Harbor, and what is its relationship with the CFAA – an act that was enacted before much of the current understanding of cybersecurity was conceptualized?

Of all the problems with the internet, there seems to be one that rules them all: It doesn’t understand how to work with its immune system.

This presentation will explore the past, present, and future of vulnerability disclosure and safe harbor, provide updates and practical calls to action creating grass-roots drivers for change, and present options for CFAA reform. As part of this, we’ll give a run-through of disclose.io: an open-source and vendor-agnostic initiative to make conversations between builders and breakers safe, standardized, and simple.

The takeaways for the audience include an understanding of why the law is set up this way, and the role it has played in shaping the cybersecurity industry; why it’s time for an open discussion on policy change; why there is a credible argument for inverting the central assumption of the bill and how we move forward; and a better understanding of current initiatives to shift the policy and how every member of the audience can become involved and have their opinions heard. The ultimate call to action is for all participants to get involved with normalizing disclosure.

Casey Ellis

Founder, Chairman and CTO, Bugcrowd
Casey Ellis, Founder, Chairman and CTO of Bugcrowd: Casey is a 20-year infosec veteran, serving clients as a pen tester, security and risk consultant, solutions architect, and most recently as a career entrepreneur. Casey pioneered the Crowdsourced Security as a Service model, launching...

Thursday October 22, 2020 9:00am - 10:00am


Using the OWASP Top 10 As The Foundation for Security and Privacy Programs Across Your Organization
GDPR, CCPA, PCI, ISO, and so on. The number of acronyms, and the security and privacy frameworks they represent, continues to grow. With each new standard come the governance headaches - who needs to know and do what, and when. Getting your arms around all of these is essential, but not simple. The costs of not doing so can be high: a combination of fines, lost productivity, legal fees, remediation costs, training costs, lost revenue, and more.

One thing that many of these frameworks share is a reference to the OWASP Top 10 as a standard by which one can meet certain requirements. OWASP is a respected organization, recognized worldwide for its effectiveness.

What if we flip the script?

This presentation will examine how the OWASP Top 10 can be used to coalesce and address seemingly disparate cyber security and privacy governance while at the same time managing your AppSec program. We will crosswalk the Top 10 against some common security and privacy standards and mandates, such as Secure by Design, Privacy by Design, CCPA, GDPR, and ISO 27001, to see how it can provide an infrastructure for the management and governance of security and privacy programs.

Learn how to use this widely-referenced list of the most common and critical web application security weaknesses to improve security and privacy compliance across the organization.

Marina Kelly

Global Learning Systems
5 Fast Facts About Marina Lail Kelly: 1. She first learned to code at the age of 10 on a TRS-80 Micro Computer System from Radio Shack®. She can still code in BASIC in case of emergencies. 2. Her career path to her current position in life has been unusual, to say the least. She...

Thursday October 22, 2020 9:00am - 10:00am