Registration and Breakfast — 8:30 AM

Opening and Keynote — 9-9:55 AM

Steve Springett

Evolving Security: Empowering Change in the OWASP Foundation

In this talk we'll dive into how asking the right questions and making small tweaks can lead to major breakthroughs. We'll shine a spotlight on some OWASP projects and how they're revolutionizing the game. As a fresh face on the OWASP Foundation's board, I've got some big ideas brewing to make our community even better, more sustainable, and way more impactful. From brainstorming sessions to community collaborations, we'll uncover how these small changes can snowball into something massive. So grab your seat and let's start changing the world, one small step at a time!

Capture The Flag Challenge 10 AM-3:55 PM

Resume Workshop Morning10-11:55 AM

Morning Workshops  — 10 AM-12:25 PM

Track 1

Sahaj Vaidya

AI-Powered Incident Response and Recovery in Web Applications

As the threat landscape continues to evolve, web applications face increasingly sophisticated cyber attacks. This workshop aims to explore the integration of Artificial Intelligence (AI) in incident response and recovery processes, enhancing the capabilities of security teams in mitigating and recovering from security incidents. Participants will gain practical insights into leveraging AI technologies for rapid incident identification, analysis, and effective recovery strategies. Incident response is a pivotal aspect of web application security, requiring swift and accurate actions to minimize the impact of security incidents. This workshop will delve into the application of AI techniques to optimize incident response and recovery workflows. Participants will be introduced to AI-driven technologies that enhance the entire incident lifecycle:

Automated Incident Identification: Explore how machine learning algorithms can analyze patterns in log data, network traffic, and user behavior to automatically identify potential security incidents. Participants will gain hands-on experience with AI tools for real-time incident detection. Dynamic Incident Analysis: Discuss the use of AI in dynamically analyzing incident data, correlating multiple sources of information to identify the scope and severity of an incident. Practical exercises will guide participants in using AI-driven analysis tools to understand and contextualize security incidents. AI-Driven Response Strategies: Examine how AI can assist in formulating effective response strategies, including automated containment, isolation, and mitigation measures. Participants will learn how to integrate AI-powered decision-making into incident response playbooks. Efficient Recovery Mechanisms: Explore the role of AI in expediting the recovery process by identifying compromised assets, assessing the impact, and prioritizing recovery efforts. Practical scenarios will be presented to illustrate AI-driven recovery strategies. Continuous Improvement with AI Metrics: Discuss the use of AI to measure and analyze incident response performance, allowing organizations to continuously improve their security posture. Participants will gain insights into using AI-generated metrics for optimizing incident response workflows. By the end of the workshop, participants will have a comprehensive understanding of how AI can revolutionize incident response and recovery in web applications. Practical exercises and case studies will empower attendees to implement AI-enhanced incident response strategies within their organizations, improving overall resilience against evolving cyber threats.

Track 2

Robert Hurlbut

Hands on Threat Modeling

Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way in regards to our own personal security and safety. When it comes to building software, some software shops either skip the important step of Threat Modeling in secure software design or, they have tried Threat Modeling before but haven't quite figured out how to connect the threat models to real world software development and its priorities. Threat Modeling should be part of your secure software design process. Using Threat Modeling and some principles of risk management, you can design software in a way that makes security one of the top goals, along with performance, scalability, reliability, and maintenance.


Morning Talks10-10:55 AM

Track 1

Jack Fei

Shubham Agrawal

How to Secure Isolated AWS Accounts

An isolated Amazon Web Services (AWS) account is a non-internet facing account that runs important processes like log indexing, CI/CD, big data, and more. In this presentation, we show new ways to identify and secure these accounts by using the same old hacking phrases to identify and fix the vulnerabilities. These are fixes that we identified and implemented, and that AWS has deployed worldwide.

To test our method, we used a real-world example of a centralized logging system as suggested by Splunk. This example has multiple AWS accounts sending logs to a centralized account’s Amazon S3 bucket. When a new log is received, it sends a notification through Amazon Simple Notification Service (SNS), which is then sent to and parsed by AWS Lambda and stored in Splunk.

First, we enumerated Amazon Resource Names (ARN) both actively and passively. An ARN uniquely identifies AWS resources. By understanding its structure, we created an automation tool for enumeration. To gain initial assess, we found multiple ways a service can be misconfigured and looked for application vulnerabilities like XXE, Command Injection, etc. We enumerated the logging account’s SNS topic’s ARN and found it misconfigured. We then sent a specifically crafted payload to the topic’s message body, which got parsed by a lambda with an assumed vulnerable parsing logic. The lambda executed and payload and sent its metadata credentials to our Command and Control (C2) server, thus giving us access to is role globally.

Further, we gained root access by abusing a secret manager called Credstash and retrieved high-privilege secret-like SSH keys stored in AWS services and shared among all OS accounts. We SSH’ed to the application server and looked for its IAM role permissions. We found a vulnerable Amazon EC2 Autoscaling API that could lead to privilege escalation to a higher role. We reported it to AWS in late 2022. AWS fixed the vulnerability and pushed the changes to production, including deploying the fix worldwide.

Track 2

Or Katz

Deep Sea Phishing: Unraveling a Bottomless Scam Infrastructure

Combating phishing attacks is endless. Security pros have fought hard, but we are entirely reactionary when it comes to this threat. This plays a big part in why we are consistently “behind the 8 ball” when it comes to identifying and shutting down malicious sites. We’re addressing the symptom of phishing, but not the problem: large-scale and resilient attack infrastructure. Attackers are deeply aware of our defense TTPs and have built operations curated for obfuscation and continuous operation making it difficult to defend against. Our research on “Natalie Hamiilton,” a previously known phishing persona used to feign legitimacy of these scams, discovered her reemergence was part of a backend attack infrastructure. We discovered many templated sites used as front-ends for the scam tied to 40,000+ malicious routing domains. At one point there were 13,000 sites active concurrently hosted on more than 20 different providers. We’ll show how adversaries created an infrastructure for delivering scams weaponized by cloud services capabilities to create distributed, stealthy and persistent attacks. In spite of the landing pages being taken down, there have been millions of visitors rerouted through this infrastructure. Our analysis of a single routing site traffic paints a picture of how lucrative these scams are for attackers. We estimate they rake in at least a 7 figure operational scam yearly on the monitored infrastructure. The presentation will dive into the current state of internet scams: what makes them effective, engaging, and long lived. We’ll cover attack tactics like social engineering, anti-detection techniques and resilient infrastructure used to avoid mitigation. We’ll correlate these tactics to tools, threat intelligence capabilities and processes. As defenders we mainly focus on the detection and mitigation on the front end rather than the infrastructure powering these scams. Adversaries know and adapt to maximize longevity and revenue. We’ll discuss the research to discover this web of domains and redirects, and introduce the concept of an “inside-out” approach to phishing detection and protection: analyzing the infrastructure powering these scams. It is incredibly lucrative for attackers to engage in resilient setups like these, so defenders have to take from the adversary’s book - use their own game against them. Finally, we’ll explore what the future might hold and the changes needed from the defense to close these gaps today and in the future.

Track 3

Jacob Goldblatt

API Secret Tokens Exposed: Insights from Analyzing 1 Million Domains Reveal Critical Risks of the Modern Web

Join Escape's co-founders Tristan Kalos and Antoine Carossio for insights on critical risks from exposed API tokens. Their groundbreaking research, analyzing 1 million domains, uncovered 18,000+ API tokens and RSA keys accessible without authentication. 41% were highly critical. They will share their unique web scanning methodology, delve into sensitive API data found revealing potential severe financial losses, and draw parallels to standard API security threats. Going beyond the findings, they'll present actionable remediation strategies and provide a practical API security checklist. Leave equipped with a clear path to secure your APIs.

Morning Talks — 11-11:25 AM

Track 1

Andrew Park

Why you don’t need a Bug Bounty Program

Bug Bounty programs are a popular way for organizations to assist in responsible disclosure reporting with security researchers. It is also a great way for security to be rewarded, either through prestige and money. However investing in such a program may not be the best use of time and money for an organization. The security research community is a vast pool, with extreme variation of expertise. There’s always a massive amount of people trying to enter the cybersecurity industry. Unless your organization / product is well known and used by many, maintaining a program is a costly endeavor for a security team with limited resources. As a former program owner for 1upHealth (healthcare API) and for Lastpass, Andrew Park will discuss his experiences regarding - Learn about how bug bounty programs are run (scope, exclusions, environments, rewards, taxonomy, communication) What program owners look for in accepting reports (reporting outline, tone, patience) Why you would need a bug bounty program (brand name recognition) Better options than a bug bounty program (security tooling)

Track 2

Matt Bosack

Zero to AppSec: Building our DevSecOps Practice from Scratch

This is the true story about building a practical Application Security program from the ground up, including some of our objectives, design decisions, strengths, weaknesses, and pitfalls. We'll discuss our approaches to SAST and DAST (do them!), vulnerability management (democratize!), bug bounties, and our AppSec flavored Design Assurance - which combines pen testing, tooling, and threat modeling to help secure new features and our biggest assets. In doing so, we will also look at some of our tooling and instrumentation processes (tl;dr GitHub Actions) and take a look at some of our best (worst?) vulnerability discoveries. There's always work to be done, and we can always improve, and so we'll close with a quick look at what we are thinking about next. Going from Zero to AppSec starts with the first step, but it can be in any direction!

Track 3

Bipin Gajbhiye

Amol Deshpande

Partners in Crime: Scaling Security with Partnership

Security Partnership is a collaborative process where engineering teams work closely with security to ship secure-by-design products. However, collaboration is a two-way street. The goal of Security Partnership is to improve the security posture of products by understanding the risk surface, deciding the success metric, and working with stakeholders to reduce the overall risk and security debt. Security Partners leverage strong relationships with both product teams and the rest of the security organization to be successful. Their scope is primarily focused on reviewing early-stage designs, helping develop threat models, scaling impact via automation, curating security patterns, enabling paved roads, authoring security guidance, training, and championing security initiatives. In this talk, through our experience, we will discuss how to structure a partnership program and establish SMART objectives. We will also delve into the criteria for short-term and long-term success, stakeholder management, and stairway to collectively make this program a value addition to the organization. While the partnership program is rewarding, it comes with its own set of challenges which will also be covered along with the avenues to overcome them. At the end of this talk, attendees will gain valuable insights to initiate a security partnership program or grow the existing one in their respective organizations.

Morning Talks — 11:30-11:55 AM

Track 1

Jeffrey Friedman

Dynamic Defense: Drawing Inspiration from Financial Fraud Detection for Next-Gen Cybersecurity

As the landscape of cyber threats evolves, traditional cybersecurity approaches categorized by Gartner, such as SIEM, CWPP, CSPM, CIEM, and even CNAPP, have proven to be largely static and defensive in nature. This talk aims to explore a paradigm shift by delving into the innovative strategies employed in the financial services industry to combat fraud. Drawing inspiration from the dynamic nature of financial fraud detection and response, we will delve into the realms of behavioral analysis, network analysis, and anomaly detection. A more proactive, adaptive, and behavior-focused approach will ensure that defenders can stay ahead of ever-evolving cyber threats.

Track 2

Tejpal Garhwal

From Compliance to Commitment: Going Beyond Checklists in Application Security

I would like to speak about how organizations can be successful, can further mature their appsec program and come out from compliance checklist mindset. To achieve robust application security, I believe organizations must embrace a culture of security commitment. This approach recognizes security as a continuous journey towards excellence, requiring proactive risk management, continuous improvement, and a security-first mindset ingrained in the organizational culture. I would be emphasizing key elements of a security commitment include strong leadership support, employee engagement, and a culture of accountability. As a leader, I understand the importance of prioritizing security as a core business objective and demonstrating a genuine commitment to its importance. How can we encourage employees at all levels to be actively involved in security initiatives and feel empowered to contribute to a culture of security excellence? Some of the elements of my speech would be:

1. Commitment - Cultivating a security commitment entails setting clear security objectives aligned with business goals, establishing robust governance structures, and integrating proactive risk management processes into the software development lifecycle. Education, training, and awareness initiatives are also crucial for empowering employees to be active participants in the security effort.

2. Sr. Leadership buy-in - Transitioning from compliance to commitment may present challenges, including resistance to change, organizational inertia, and resource constraints. Effective communication, leadership buy-in, and addressing cultural barriers are essential for overcoming these obstacles and fostering a collaborative environment where security is everyone's responsibility.

3. Measure the success as program matures - Measuring the success of security commitment efforts requires the use of meaningful metrics and key performance indicators (KPIs). These metrics provide insights into the effectiveness of security initiatives and facilitate continuous improvement efforts. Other points that I plan on elaborating on, will be: 1. How to develop Strategies (without boiling the ocean approach) 2. How to overcome challenges (how to deal with them) 3. How KPI looks like (how to show progress on maturity of the program

Track 3

John Bergland

Caroline Lee

Hidden Risks Exposed: Unlock Secure Software with SBOM Analysis

Worried about hidden risks in your vendor software? You're not alone. 80% of organizations lack full visibility, exposing them to security vulnerabilities, compliance issues, and outdated libraries. Join us to discover how SBOM analysis can save your organization. Learn how IBM uses SBOMs to: - Reduce risk: Identify critical vulnerabilities and outdated dependencies. - Improve compliance: Ensure license adherence and regulatory requirements. - Build trust: Gain transparency and foster stronger vendor relationships. Uncover: - The essential tools, approach, and methodology for SBOM analysis. - Key attributes we analyze beyond vulnerabilities. - Real-world results and the insights they reveal. - Customizations for enhanced effectiveness. - Common challenges and proven solutions. - Future goals and the path to secure software supply chains. Don't leave your organization vulnerable. Take control with SBOM analysis.

LunchNoon-12:55 PM

Resume Workshop Afternoon1-2:55 PM

Afternoon Workshops1:30-3:55 PM

Track 1

Roy Wattanasin

Kitty Huang

A Binary Hack in Making the Right Decision

Our tomorrow is often the outcome of the decisions that we make today. We decide where to live, who to hire or which job to take. Some decisions are trivial, and we can afford to make a mistake. Some decisions, however, have a major impact and have long-lasting effects. Looking back, it is clear if we had made the right choice. Looking forward and facing the unknown; it is difficult to tell if one option is better than the other. Please bring a decision that you have yet to make to the workshop. You will learn the factors to consider, apply a strategy and then use a “binary device” to help you find a solution that best meets your needs. Whether it is a big business decision or a small personal matter that concerns you, join us to practice making a decision that you will not regret.

Workshop Agenda

Track 2

Michael McCabe

Ken Toler

Infrastructure as Remote Code Execution: How to abuse Terraform to elevate access

In this workshop, we will explore the potential security risks associated with the use of Terraform, a popular infrastructure-as-code tool. We will demonstrate how a malicious actor can exploit Terraform to elevate privileges, exfiltrate sensitive data, and gain unauthorized access to cloud environments. The presentation will include live demos showcasing real-world attack scenarios and will conclude with practical recommendations for securing Terraform implementations.

Terraform is a widely used tool for managing cloud infrastructure as code. While it offers numerous benefits, it can also be a target for attackers seeking to compromise cloud environments. This talk will provide an in-depth analysis of Terraform's security features and vulnerabilities and demonstrate how attackers can exploit them to achieve remote code execution and privilege escalation. We will also discuss best practices for securing Terraform and mitigating potential threats.

Afternoon Talks — 1-1:55 PM

Track 1

Don Mckeown

Implementing and maturing the security development lifecycle (SDL)

The objective of this talk is for the audience to understand the SDL, to learn practical insights for implementing several of its stages, and to understand how to use the OWASP Software Assurance Maturity Model (SAMM). While I'll cover the whole SDL, I'll focus on the Training, Requirements, Threat Modeling, and Implementation stages. With respect to Training, I'll outline the importance of metrics driven, outcome-based training initiatives and Security Champion programs. I'll cover Requirements and Threat Modeling together and argue that Threat Modeling should be renamed and integrated into the Requirements stage. Then I'll offer tips for deploying tools during the Implementation state. Finally, I'll relate the SDL to the SAMM, and discuss benefits and weaknesses of maturing application security using the SAMM. After this talk, the audience should understand the SDL and SAMM more deeply and be able to mature their application security programs.

Track 2

Gautam Peri

The Art of Auth Bypass: How to Identify, Exploit and Remediate Insecure Token Validation Code Patterns

Modern auth protocols such as OpenID Connect and OAuth enable services to depend on identity providers for verifying identities and issuing bearer tokens to clients. These clients attach the bearer tokens to requests and send them to backend services. It is the services’ responsibility to validate the incoming token's signature and extract claims for further processing.

There are a lot of intricacies in validating bearer tokens and hence developers often use auth libraries with secure defaults to perform token validations. These libraries have settings that can override the secure defaults behavior resulting in the introduction of insecure code patterns. This talk aims to highlight some of these code patterns and demonstrates how an attacker can exploit them to obtain an authentication bypass. In addition, the talk also covers token validation best practices and provide tools to identify these in large code bases. The demos used in this session leverage Microsoft Entra ID (formerly known as Azure AD) as the identity provider and ASP.NET as the relying party. However, the key takeaways are generic and are applicable to broader tech stacks.

Track 3

Chris Smith

Security At Speed: How Discord's ProdSec team secures dozens of releases a day

At Discord, features and fixes can go from idea, to code, to deployment for hundreds of millions of users in under a day. The Product Security team is in charge of securing that blazing fast SDLC. From supporting no code boundaries, reviewing designs for cutting edge technology, and securing a <30 minute PR-to-release cycle, this talk will reveal how we make opinionated tradeoffs and deliver security knowledge to the right people at the right time.

Afternoon Talks — 2-2:55 PM

Track 1

Ayse Kaya

Numbers at the Frontline: Shifting Winds in Cloud Native Security

Recent joint research from ESG and Slim.AI, polled from SREs, DevOps & Platform Engineers explores the state of cloud native security, shedding light on an increasingly worrying attack surface that is only growing. Analyzing the data we learn that a mere 12% are managing to achieve security SLOs. This is compounded by regulatory pressures, the complexity of the supply chain with its own set of exploits & challenges, all this with a fragmented tooling ecosystem that is making it difficult to understand how to prioritize & remediate rapidly in a single consolidated place.

This session will dive into these new findings, on how container & OSS security continues to add difficulty with triaging security––as well as the cascading impact of the continuous rise in cloud native sec, vulns, and the supply chain as a whole. Join this session to learn how to take cloud native security from reactive to proactive along with real practical tips for minimizing the noise & achieving security SLOs.

Track 2

David Melamed

GenAI-Powered Security with Digital Threads

Organizations have vast amounts of knowledge dispersed across many services, resulting in limited visibility - and this is particularly true with domain expertise such as security.

A digital thread offers an integrated approach to combine disparate data sources across enterprise systems to drive traceability, visibility, and collaboration. In this talk, you will learn how to create your own intelligent thread for your Engineering organization, using a combination of a Knowledge Graph built with Amazon Neptune using data from the Product Development Lifecycle and GenAI technologies using Amazon Bedrock in order to improve your product security.

This session will showcase novel concepts like combining knowledge graphs and LLMs, and applying that to security. It will include a full demo and the associated project will be released as open source so that all the attendees will be able to experiment with it.

Track 3

Pranav Shikarpur

Getting AI to Do the Unexpected

In an era where AI features in apps are no longer a novelty but a necessity, developers are creatively embedding Large Language Models (LLMs) into applications ranging from “dad joke generators” to critical healthcare tools like “automated EHR systems”. But amidst this innovative surge, a crucial question often lingers: "What if a bad actor decides to toy with my LLM app, making it behave in ways it was never intended to?" In October 2023, the OWASP Foundation released its top 10 vulnerabilities in LLM apps. In the report, the top 3 vulnerabilities were Prompt Injections, Insecure Output Handling, and PII data leakage. Thus, in this session, through live demos, attendees will learn about these prompt hacking vulnerabilities, mitigation strategies, and the importance of 'secure by design' practices in app development. The goal is to equip attendees with the knowledge to build secure LLM apps.

Afternoon Talks — 3-3:55 PM

Track 1

Eitan Worcel

How Not to Use AI for Security and What Companies Should Do Instead

The desire to use Artificial Intelligence (AI) for security challenges is tempting in the rapidly evolving cybersecurity landscape and challenges. However, not all AI implementations are created equal.

This session is made up of two parts.

First, we delve into a research study where we naively employed OpenAI to remediate reported code vulnerabilities. The results were extremely underwhelming, underscoring the pitfalls of a one-size-fits-all approach to AI in security.

Second, we will detail a different and more responsible approach one can take after understanding the advantages and disadvantages of the Gen AI technology. We will walk attendees through the following:

• The methodology and rationale behind our research which in fact made the task easier for the tool compared to how a developer would use ChatGPT.

• Specific examples of where OpenAI's generic Generative AI (GenAI) technology failed in addressing code vulnerabilities, emphasizing the risks of an over-reliance on such solutions.

• The broader implications of these findings, particularly the dangers of blindly trusting AI without a nuanced understanding of its capabilities and limitations.

• Details on a different approach for using GenAI in security, in a responsible way, specifically in automatic remediation of code vulnerabilities.

• Recommendations for vendors on how to approach AI integration in security solutions, ensuring efficacy without compromising integrity.

This session is not just a cautionary tale but a guidebook. Attendees will leave with a clear understanding of the potential pitfalls of AI in security and a blueprint for its responsible and effective use.

Track 2

Brendan Hann

Mobile Rules the World - Jump into Mobile AppSec with the OWASP MAS Project

Mobile apps dominate all digital time spent online - but mobile AppSec programs often lag. Jumpstart your team and skills by stepping inside the OWASP Mobile AppSec Project (MAS) to learn about the fundamentals of mobile app security and the most recent updates released in OWASP MASVS v2.1.0 launched in January 2024. Learn the differences between Mobile AppSec and Web AppSec and how to put OWASP MAS project, tools and resources to work. In this session we will drill down into the top 5 most frequent security issues found in testing thousands of mobile apps. Learn how to test for them, and how to teach your dev teams to prevent them with code examples, test examples, links to additional resources and how to build your own toolkit. Along the way we will hit the latest privacy and security updates with iOS and Android.

Mobile apps dominate all digital time spent online - but mobile AppSec programs often lag. Jumpstart your team and skills by stepping inside the OWASP Mobile AppSec Project (MAS) to learn about the fundamentals of mobile app security and the most recent updates released in OWASP MASVS v2.1.0 launched in January 2024. Learn the differences between Mobile AppSec and Web AppSec and how to put OWASP MAS project, tools and resources to work. In this session we will drill down into the top 5 most frequent security issues found in testing thousands of mobile apps. Learn how to test for them, and how to teach your dev teams to prevent them with code examples, test examples, links to additional resources and how to build your own toolkit. Along the way we will hit the latest privacy and security updates with iOS and Android.

Track 3

Joe Nicastro

The Real Weakness is Your Supply Chain: As supply chain attacks become more sophisticated are we as an industry focusing efforts to reduce risk in the right areas?

In the last decade, an explosion of AppSec tools has come to market designed to help find and remediate vulnerabilities. However, organizations are still getting breached as attackers have shifted their focus to software pipelines – using exploits such as secrets harvesting and SCM and pipeline misconfigurations – areas that traditional AppSec tools don’t cover. Join us to learn how you can get comprehensive software supply chain visibility and security and avoid putting your organization at risk.

Happy Hour4-4:55 PM

2023 Boston Application Security Conference