Twilight Room, 3rd Floor, Flamingo Corporate Convention Center

All times are in Pacific Time (GMT -7)

Day 1 - Friday, August 12, 2022

Wartime AppSec

Keynote 09:00 - 10:00 August 12, 2022

Chris Kubecka

To understate things, the 2020s have been a challenging time for AppSec. First, Corona took the hardware out of the office for everyone. Now a war in Ukraine has activated hacktivists, patriotic hackers, and nation-state level actors, who are wreaking havoc on our apps and websites. Cyber-attacks are...

Agility Broke AppSec. Now It's Going to Fix It.

Panel Intermediate 10:00 - 11:15 August 12, 2022

Vandana Verma Sehgal

Roy Erlich

Emil Vaagland

Seth Kirschner

Jim Manico

In today's high-tech industries, security is struggling to keep up with rapidly changing production systems and the chaos that agile development introduces into workflows. Application security (AppSec) teams are fighting an uphill battle to gain visibility and control over their environments. Rather...

Hacking 8+ million websites - Ethical dilemmas when bug hunting and why they matter

Talk Intermediate 13:45 - 14:45 August 12, 2022

Rotem Bar

Many companies are reluctant to pay bug hunters to find and report vulnerabilities in software produced by a 3rd party.

In this lecture, we explore the pros and cons of this approach and demonstrate why taking responsibility for 3rd party vulnerabilities is actually better for everyone.

Using sh...

Hands-on threat modeling

Workshop Intermediate 14:45 - 16:45 August 12, 2022

Chris Romeo

Everyone from security teams to CISOs wants to ingrain threat modeling across the organization, but how do you teach threat modeling that sticks? We’ll provide a two-hour security threat modeling workshop to engage participants and help them put security-focused threat modeling into action. Each ses...

Day 2 - Saturday, August 13, 2022

The Log4J Rollercoaster - from an incident response perspective

Talk All Audiences 11:00 - 12:00 August 13, 2022

Guy Barnhart-Magen

Brenton Morris

Log4J was a merry Christmas call for many teams around the world. This talk will share our story of how we were among the first to respond to in-the-wild attacks, helping the community manage and understand how to prepare for such an incident.

Log4J did not catch us unaware, but we did not connect...

Implementing E2E multi-client communication (for fun, work or profit) - what could go wrong?

Talk Intermediate 12:00 - 13:00 August 13, 2022

Nicolas Boeckh

End-to-end encryption is a concept we've been hearing about a lot these last few years, and has gained a lot of prominence in the public eye due to various platforms (WhatsApp, Signal, Telegram) implementing a variation of it.

In this talk I want to cover E2E encryption in detail, its usages, as...

Running system tests with active authn/z

Talk Intermediate 13:30 - 14:30 August 13, 2022

Lars Skjorestad

Experience has shown that we spend most of our test effort on unit testing. Many teams report that a key blocker for spending more time on system testing is the effort required to manage or mock the authentication and authorization parts of the system. In this talk we will briefly explore this problem...

No Code Security Review - What should I review in applications without code?

Talk Intro 14:30 - 15:30 August 13, 2022

Inaae Kim

No-code application platforms emerged a few years ago. They are a very attractive platform to many business organizations because they use modular and pre-built configurations for quick and efficient software development and delivery without writing code. Secure code review is one of the major proce...

Hacking & Defending Blockchain Applications

Talk Intermediate 15:30 - 16:30 August 13, 2022

Kennashka DeSilva

Aimee Reyes

Blockchain is a technology that is rapidly gaining widespread adoption; however, security standards, frameworks, or methodologies that incorporate the OWASP principles are not widely available. Frameworks such as OWASP as it relates to Blockchain Application Security (BAS) can ensure accountability,...

One Low, Two Informational: Why Your Pentest Findings are so Boring

Talk All Audiences 16:30 - 17:30 August 13, 2022

Robyn Lundin

Application Pentests are costly, sometimes six-figures costly, and can be very time consuming for the hosting AppSec team. Even so, application pentests often yield very few meaningful findings, leaving potential security bugs in the wild for malicious actors to find and exploit. The goal of a pen...

Day 3 - Sunday, August 14, 2022

The Simple, Yet Lethal, Anatomy of a Software Supply Chain Attack

Talk Intermediate 09:00 - 10:00 August 14, 2022

Elad Rapoport

Tzachi (Zack) Zorenshtain

Security teams nowadays are struggling to contain the risk of software supply chain attacks on their organizations. Controls of that sort vary from internal measures (hardening CI services, hardening developer workstations) to demanding compliance with standards from vendors and contractors. Ho...

How to find 0-days in your “memory safe” stack?

Talk Intermediate 10:00 - 11:00 August 14, 2022

Cezary Cerekwicki

Your memory-safe stack is not memory-safe at all. For instance, many popular Python libraries have substantial amounts of memory-unsafe code. Python is not unique here. You can find some potential for memory safety bugs in practically every software stack. If three simple, realistic conditions are m...

Offensive Application Security for Developers...

Workshop Intro 11:00 - 13:00 August 14, 2022

James McKee

Application developers are the first line in defending applications from attack. There are thousands of software and hardware solutions that attempt to make your software safer and more secure, but in the end, if the software isn't developed properly and securely, no amount of software or hardware is going t...

Layer 7 matters at Layers 2/3: AppSec on Network Infrastructure

Workshop All Audiences 13:00 - 15:00 August 14, 2022

Ken Pyle

How does a stored XSS on a switch become a covert, firewall bypassing protocol? How does rebooting a switch using unsanitized input allow an attacker to eavesdrop or poison traffic? When do these bugs become weapons?

In this lecture / interactive lab environment, attendees will learn bug hunting,...

Village Activities

Code Busters - Appsec Code Review Challenges

Challenge

Raphael Silva

Put your skills to the test in this challenge and try to find all the vulnerabilities in the code. We have a wide range of challenges, from easy to advanced in various languages. Can you find them all?

c{api}tal - API Security CTF

Competition

Ravid Mazon

Alex Livshiz

Experience API security with our hands-on c{api}tal CTF! Learn about the API security top 10 risks and get ready to exploit them! The top 3 winners will win awesome prizes!

Software Supply Chain Attacks From an Attacker's POV

Demo

Zack (Tzachi) Zorenshtain

Guy Nachshon

Elad Rapoport

Trojan & Shell Games: The (un)intentional risks

Demo
Fri, 12 Aug, 1 pm – 5 pm
Sat, 13 Aug, 9 am – 1 pm

Diogo Rispoli

Log4Shell and Trojan Source are two prominent risks introduced in the last year. We will demonstrate an exploit for each vector and provide an easy-to-understand analysis of the behavior. Mitigation and detection of each will also be discussed.

Thanks to our Sponsors

Gold Sponsors

Is your organization passionate about application security and interested in sponsoring?

Read on to learn how to become a sponsor and check out our available sponsorship opportunities.