All times are in Pacific Time (GMT -7)
Day 1 - August 07, 2020
Applying Pysa to Identify Python Security Vulnerabilities
Workshop
11:00 - 13:00, August 07, 2020
Graham Bleaney
The Product Security teams at Facebook make extensive use of static analysis to find security vulnerabilities. We use systems like Zoncolan and the open source Python Static Analyzer (Pysa) on a daily basis. Using static analysis helped us find more than 1100 security bugs in 2018, accounting for mo...
2FA in 2020 and Beyond
Talk
11:00 - 11:45, August 07, 2020
Kelley Robinson
Security professionals agree: SMS based Two-factor Authentication (2FA) is insecure, yet thousands of companies still employ this method to secure their customer-facing applications. This talk will look at the evolution of authentication and provide a data-driven analysis of the tradeoffs between th...
Android Bug Foraging
Talk
12:00 - 12:45, August 07, 2020
In this session, we will analyze four real-world examples of different high impact Android vulnerabilities. We will show how we discovered, developed, and leveraged the vulnerabilities into a fully working proof-of-concept, devised meaningful attack scenarios (demos included), and how our work was app...
Think Like A Hacker To Defend Your Application
Roundtable
12:00 - 13:00, August 07, 2020
Jerry Gamblin
Join our open discussion on how to put on your hacker hat. We will explore application security from the hacker, consultant, and enterprise perspectives. Come with an open mind and a good story to share.
Our journey into turning offsec mindset to developer's toolset
Talk
13:00 - 13:45, August 07, 2020
Security is hard. Especially for people not in this specific field. Hundreds of vulnerabilities are getting disclosed each week and it's hard for security folks to keep up with that pace. How can developers follow up with this including business constraints/deadlines? In this talk, we will talk abou...
API (in)Security TOP 10: Guided tour to the Wild Wild World of APIs
Talk
15:00 - 15:45, August 07, 2020
Do you speak API? Surely you do, even if you don't notice them in your everyday use of the world wide web. APIs have proved to be beneficial for business, but with great power comes great responsibility, and some of them have serious problems. Last year we put a lot of effort into building and releasing the OWASP A...
Threat Modelling the Death Star
Talk
16:00 - 16:45, August 07, 2020
Mário Areias
It is a known fact the Empire needs to up their security game. The Rebellion hack their ships, steal their plans, and even create backdoors! In this talk, we will help the Empire by threat modeling the Death Star. Traditionally, Threat Models have been a slow and boring process that ends up with a g...
Day 2 - August 08, 2020
Be Like Water: What Bruce Lee Can Teach Us About AppSec
Keynote
09:00 - 10:00, August 08, 2020
Fredrick “Flee” Lee
Every few years, security “thought leaders” tell us what is the one, proper way to practice application security. I’m just as guilty of this as anyone else in the “industry”. But, it turns out there isn’t just one true style of effective AppSec. This talk walks through my path of letting go of dogma...
Introduction to application security threat hunting - background for Web Shell Threat Hunting
Workshop
10:00 - 11:00, August 08, 2020
Joe Schottman
A prerequisite background for the Web Shell Threat Hunting workshop.
10,000 Dependencies Under The Sea: Exploring and Securing Open source dependencies
Talk
10:00 - 10:45, August 08, 2020
Gregg Horton
Ryan Slama
Come on our journey of creating scalable tooling and processes to automatically identify vulnerabilities in third-party libraries and handle the question of “ok we found this, who’s going to fix it?”
Hackium: a browser for web hackers
Talk
11:00 - 11:45, August 08, 2020
Jarrod Overson
The web has changed. Sites went from being a few kilobytes of static, hand-written HTML to monstrosities of tangled JavaScript that eat hundreds of megs of RAM. Web sites are applications now, complete with security controls, complex state, and custom protocols. Our tools need to become smarter.
Ha...
The DevOps & Agile Security Toolkit
Talk
12:00 - 12:45, August 08, 2020
David Waldrop
The DevOps & Agile Security Toolkit - In this talk, we will look at integrating security into Agile and DevOps. We will discuss strategies, training, tools, and techniques that will let your organization move quickly while doing so safely.
Web Shell Threat Hunting
Workshop
12:00 - 14:00, August 08, 2020
Joe Schottman
Web shells are malicious web applications used for remote access to and control of compromised servers. This workshop covers methods to detect web shells at the system and network level.
Sec Engineering
Roundtable
12:00 - 13:00, August 08, 2020
Jerry Gamblin
Building the application security tools your company needs to be safer and more secure is a challenge. How do you decide where to start? When not to take short cuts? What is the process like? What have you built? Join the roundtable discussion and bring a horror story or two.
localghost: Escaping the Browser Sandbox Without 0-Days
Talk
13:00 - 13:45, August 08, 2020
Parsia Hakimian
Many modern desktop applications use a localhost server for IPC and seamless interaction with websites. These servers usually have no authentication. JavaScript running in browsers can connect to these servers. I will discuss a dozen publicly disclosed bugs where malicious websites can connect these...
Can't Touch This: Detecting Lateral Movement in Zero-Touch Environments
Talk
15:00 - 15:45, August 08, 2020
Phillip Marlow
Zero-touch environments are a product of the fast-moving world of DevOps which is being adopted by an increasing number of successful companies. This session will show that by leveraging the constraints of this environment, we can identify malicious network traffic which would otherwise blend into t...
Day 3 - August 09, 2020
Threagile - Agile Threat Modeling with Open-Source Tools from within Your IDE
Talk
09:00 - 09:45, August 09, 2020
Christian Schneider
The open-source tool Threagile enables agile teams to create a threat model directly from within the IDE using a declarative approach: Given information about the data assets, technical assets, communication links, and trust boundaries as input in a simple to maintain YAML file, it executes a set of...
The Elephant in the Room: Burnout
Talk
10:00 - 10:45, August 09, 2020
Chloe Messdaghi
Burnout. We all go through it at one point, especially during a pandemic. It feels like you are low on battery and it can cause emotional and physical issues. This talk shares an overview of the warning signs, symptoms, and practices to prevent burnout and how to deal with burnout to keep balanced.
Kubernetes Container Orchestration Security Assessment
Workshop
10:00 - 12:00, August 09, 2020
Ali Abdollahi
In this workshop, we will first discuss the fundamentals. After grasping underlying containerization technology, we will go deep about technology vulnerabilities, exploitation techniques, auditing, and hardening solutions.
A Heaven for Hackers: Breaking a Web Security Virtual Appliances
Talk
11:00 - 11:45, August 09, 2020
Mehmet D. Ince
Most security products need to be placed in the heart of the organization's IT configuration. Even though we are highly paranoid and security aware about every single third-party tool that we include in our IT structure, we lose these concerns when it comes to security products. We forget to see...
Securing Your SDLC
Roundtable
12:00 - 13:00, August 09, 2020
Martín Villalba
Securing your SDLC (software development lifecycle) is appsec 101. Yet so many organizations struggle with the best way to embed security into their DevOps. Join our discussion to learn which sSDLC practices work where and how to implement them. Come ready to share best practices and lessons learned...
Secure Your Code — Injections and Logging
Talk
12:00 - 12:45, August 09, 2020
Philipp Krenn
This talk combines two of the OWASP top ten security risks to highlight some widespread "this is fine" issues:
- Injections (A1:2017): We are using a simple application exploitable by injection and will then secure it with the Web Application Firewall (WAF) ModSecurity.
- Insufficient Logging & Mo...
Running an appsec program with open source projects
Talk
13:00 - 13:45, August 09, 2020
Vandana Verma Sehgal
We are all heading towards the modernization of applications. However, we still see the companies being impacted with the most common website vulnerabilities like SQL Injection, Sensitive data exposure, security misconfiguration, etc.
OWASP has many projects which can be tied seamlessly into the ap...