Schedule & Presenters

10-10:50 AM

Defense-in-depth engineering - John Poulin

The 2021 OWASP Top Ten introduced a category “Insecure Design” to focus on risks related to design flaws. In this talk, we will focus on techniques we can use to build defense-in-depth software. What can we do to proactively architect software to be more resilient to attacks? What type of findings may not be discovered via automated static analysis? How can we design our software to be more friendly during incident response scenarios? Throughout this talk, we will focus on identifying often-overlooked architectural anti-patterns and vulnerabilities to be on the lookout for. We will source code to analyze patterns for improvement in both real-world applications as well as intentionally vulnerable applications. Engineers will leave this talk with a solid understanding of defense-in-depth software architecture and design. Security engineers or consultants can expect to leave with an increased understanding of insecure design patterns and vulnerabilities.

11-11:50 AM

Security Research with Open Source Software: This is the way - Yesenia Yser

While the new media is blooming with the latest and greatest security breach or exploit, it's up to the world’s behind the curtain superheroes to clean up the mess within the open source ecosystem. Join the OpenSSF Alpha-Omega team to explore the opportunities of software development, software security, and vulnerability research in the open source software (OSS) world. The Omega engineering team will illuminate the OSS security threats, share the mission of producing automated security patches, provide guidance on how the open source connects folks around the world to industry leaders and subject matter experts trying to solve global security concerns.

10-10:50 AM

Defending Your Cloud Native Apps Against the Serverless Top 10 - Chris Koehnecke

Serverless architecture and patterns have changed the velocity and scale at which modern business applications can be delivered, enabling engineering teams to focus on business value, without having to manage compute resources. As serverless gains adoption, the would-be attackers come prowling - and this means serverless security needs to level up. That said, serverless security knowledge is still not a commodity, as most of the current security tools, apps and practices are targeted at more legacy architecture patterns, making it challenging to ramp up security at the pace of engineering.

Excellent resources have been created over the years, including the OWASP Serverless Top 10, however, understanding how to practically apply these takes time and research if you aren't a domain expert. In this talk, we'll take a deep dive on what a typical serverless app composed of lambda functions and containers looks like, including the various layers it's comprised of: code, infrastructure , runtime and its supply chain. We'll map each of these to the possible risks based on the OWASP Top 10 list, and demo through excellent open source tools how you can defend your application against these threats on each of your application's layers. You'll come away from this talk able to immediately start better securing your serverless apps.

11-11:50 AM

Client Side Web Application Security and Third Party Javascript - Jim Weiler

Large web applications can have more bytes of 3rd party javascript code executing in the users browser than bytes of java code executing in the back end application servers. This 3rd party code is generally never reviewed, can change without notice, can control the page look and behavior and can access any part of the browser document object model to send data back to the third party servers. When this 3rd party code is hacked on the 3rd party servers hosting it, the hacker code inside the legitimate code that is delivered to the users browser can get any data the user enters including passwords, credit data, loyalty accounts etc. This is known as the 'Magecart' style attack and has happened to hundreds of large and small ecommerce sites in the last 5 years. This attack does not involve the usual network, edge, endpoint or server security, not does it involve vulnerable source code in the web site. This presentation will illustrate these attacks, and will describe various technologies and obstacles (technical, organizational, operational) involved in their detection and prevention. This presentation will also cover how to meet the PCI v 4.0 new sections 6.4.3 and 11.6.1 on payment page script controls.

1-1:50 PM

JavaScript Obfuscation - It’s All About the P-a-c-k-e-r-s - Or Katz

The usage of JavaScript obfuscation techniques have become prevalent in today’s threats, from phishing pages, to Magecart, and supply chain injection to JavaScript malware droppers all use JavaScript obfuscation techniques on some level. The usage of JavaScript obfuscation enables evasion from detection engines and poses a challenge to security professionals, as it hinders them from getting quick answers on the functionality of the examined source code. Deobfuscation can be technically challenging (sometimes), risky (if you don’t know what you are doing), and time consuming (if you are lazy, as I am). Yet, the need to find and analyze high scaled massive attacks using JavaScript obfuscation is a task I’m faced with on a daily basis.

In this presentation I will present a lazy, performance cost effective approach, focusing on the detection of JavaScript packer templates. Once combined with threat intelligence heuristics, this approach can predict the maliciousness level of JavaScript with high probability of accuracy. In addition to the overview of what I’ve developed, I’ll share the techniques used, including representation of JavaScript by using AST parsing, obfuscation pattern matching, and the machine learning techniques involved followed by demo for “its_all_about_the_p-a-c-k-e-r” open source tool for detecting obfuscated JavaScript.

2-2:50 PM

How to scan at scale with OWASP ZAP - Tiago Mendo

Have you tried scanning hundreds of web applications in a single day?

In this talk, I will explain how we use OWASP ZAP to scan web applications at scale, detailing the various challenges we faced and what solutions we implemented.

The talk will cover various challenges:

- Queueing and organizing URLs for scanning

- Authentication and session renewal

- Slow web applications and blockages

- Duplicate vulnerabilities

- Resource management (CPU / RAM / HD)

- Scan monitoring

All the work was done on top of OWASP ZAP, with various changes submitted to the project. ZAP was used for scanning, with the - crawling being done by a third-party component.

3-3:50 PM

The Darkside of GraphQL - Parth Shukla

GraphQL is a query language for APIs that provides a powerful and efficient way to query and manipulate data. As powerful and versatile as GraphQL is, its downside is that it can be vulnerable to certain security threats. In this presentation, we will discuss the security vulnerabilities associated with GraphQL, from the basics to more advanced threats, and how to best protect against them. After this presentation, attendees will have a better understanding of security vulnerabilities in GraphQL, as well as an understanding of the steps needed to protect against them.

1-1:50 PM

Advancing Your Threat Modeling Approaches in an Agile / DevOps World - Robert Hurlbut

Threat #A04:Insecure Design was added as a new category in the most recent OWASP Top 10 2021, highlighting the risks related to

secure design flaws. Threat Modeling is a great tool to help introduce secure software design into software development, but it can be

viewed as tedious and not applicable to the fast-paced world of Agile or DevOps environments.

In this session, we will look at some of the latest advances in Threat Modeling integrated with Agile / DevOps processes by using new Threat Modeling approaches that are iterative and meant to keep step with Agile / DevOps Development practices.

The three approaches, user stories, abuser stories, and knowledge bases, will help you learn how to:

• Go granular by enumerating threats against relevant user stories / abuser stories

• Understand common threats in your domain so you can quickly identify the design flaws in your solutions

• See how these processes facilitate the creation of multiple segues into Security Test Cases and Mitigation Plans

2-2:50 PM

Why can't tools automatically fix security vulnerabilities? Or can they? - Eitan Worcel

For years appsec vendors tried (and failed) to develop automatic remediation capabilities to add to their toolset. Not for nothing, their customers often asked for such a capability "if you can automatically detect issues, why can't you also automatically fix them?"

When I heard such requests years ago, I politely dismissed them, knowing in my engineering heart that it could never be done. "How can any tool automatically fix human code errors without breaking something?" For me, a security vulnerability was no different from any "regular" defect, and no one ever expected to have automatic defect remediation.

Over the past year, as I was involved in creating an automatic remediation solution, I learned I was wrong on oh so many levels, definitely on that "never" part.

I learned that most security vulnerabilities differ from most "regular" defects. Fixing an SQLi or XSS usually doesn't involve changing any business logic or a significant architectural change. The number of different kinds of security vulnerabilities detected is, on a grand scale, smaller than the defects.

I also learned that building an automatic secure code remediation tool is achievable. It is challenging, of course, but not impossible.

As we dived deep into our project, we better understood the real complexities of automatic remediation and why earlier solutions failed.

We want to use this opportunity to share some of our insights with you here.

To do that, we will take you through some examples that, on the surface, will seem very simple to fix automatically, and together we will see that that is not the case. We will also see how we can overcome some of these complexities.

At the end of this session, you will better understand the challenges involved in creating such a technology, but also be optimistic as it is coming.

3-3:50 PM

Your MASA Mission: Automating MASVS L1 Checks! Impossible or Highly Probable? - Ryan Lloyd

Join us for a valuable learning experience on how you can boost speed and reliability of your mobile app security testing. Dive into the Mobile App Security Assessment (MASA) requirements, and discover how easily you can execute required OWASP MASTG L1 tests within your CI/CD pipelines. Automation is key to ensuring consistent, regular evaluations. Learn how using frameworks that align with OWASP standards like the App Defense Alliance’s MASA, developers easily integrate security into their mobile app development process.

We'll explore the importance of having a comprehensive mobile security strategy that includes standards-based testing. Attendees will learn about MASA and its many benefits for reducing security risks in your mobile apps. But we won't stop there - we'll also cover how automated testing benefits pentesting down the line.

You'll walk away with a clear understanding of best practices for automating tests according to MASA and OWASP MSTG L1 as part of your DevOps pipeline. Finally, we'll highlight the crucial need for moving security testing further to the forefront of the SDLC.