All times are in Pacific Time (GMT -7)
Day 1 - August 07, 2020
Applying Pysa to Identify Python Security Vulnerabilities
August 07, 2020
The Product Security teams at Facebook make extensive use of static analysis to find security vulnerabilities. We use systems like Zoncolan and the open source Python Static Analyzer (Pysa) on a daily basis. Using static analysis helped us find more than 1100 security bugs in 2018, accounting for mo...Continue reading...
2FA in 2020 and Beyond Talk 11:00 - 11:45 August 07, 2020
Security professionals agree: SMS based Two-factor Authentication (2FA) is insecure, yet thousands of companies still employ this method to secure their customer-facing applications. This talk will look at the evolution of authentication and provide a data-driven analysis of the tradeoffs between th...Continue reading...
Android Bug Foraging Talk 12:00 - 12:45 August 07, 2020
In this session, we will analyze four real-world examples of different high impact android vulnerabilities. We will show how we discover, developed, and leveraged the vulnerabilities into a fully working proof-of-concept, devised meaningful attack scenarios (demos included), and how our work was app...Continue reading...
Think Like A Hacker To Defend Your Application Roundtable 12:00 - 13:00 August 07, 2020
Join our open discussion on how to put on your hacker hat. We will explore application security from the hacker, consultant, and enterprise perspectives. Come with an open mind and a good story to share.Continue reading...
Our journey into turning offsec mindset to developer's toolset Talk 13:00 - 13:45 August 07, 2020
Security is hard. Especially for people not in this specific field. Hundreds of vulnerabilities are getting disclosed each week and it's hard for security folks to keep up with that pace. How can developers follow up with this including business constraints/deadlines? In this talk, we will talk abou...Continue reading...
API (in)Security TOP 10: Guided tour to the Wild Wild World of APIs Talk 15:00 - 15:45 August 07, 2020
Do you speak API? Surely you do, even if you don't notice them in your world wide web everyday use. APIs are proved to be beneficial for business, but with great power comes great responsibility and some of them have serious problems. Last year we put a lot of effort to build and release the OWASP A...Continue reading...
Threat Modelling the Death Star Talk 16:00 - 16:45 August 07, 2020
It is a known fact the Empire needs to up their security game. The Rebellion hack their ships, steal their plans, and even create backdoors! In this talk, we will help the Empire by threat modeling the Death Star. Traditionally, Threat Models have been a slow and boring process that ends up with a g...Continue reading...
Day 2 - August 08, 2020
Be Like Water: What Bruce Lee Can Teach Us About AppSec Keynote 09:00 - 10:00 August 08, 2020
Every few years, security “thought leaders” tell us what is the one, proper way to practice application security. I’m just as guilty of this as anyone else in the “industry”. But, it turns out there isn’t just one true style of effective AppSec. This talk walks through my path of letting go of dogma...Continue reading...
10,000 Dependencies Under The Sea: Exploring and Securing Open source dependencies
August 08, 2020
Come on our journey of creating scalable tooling and processes to automatically identify vulnerabilities in third-party libraries and handle the question of “ok we found this, who’s going to fix it?”Continue reading...
Hackium: a browser for web hackers Talk 11:00 - 11:45 August 08, 2020
Sec Engineering Roundtable 12:00 - 13:00 August 08, 2020
Building the application security tools your company needs to be safer and more secure is a challenge. How do you decide where to start? When not to take short cuts? What is the process like? What have you built? Join the roundtable discussion and bring a horror story or two.Continue reading...
The DevOps & Agile Security Toolkit
August 08, 2020
The DevOps & Agile Security Toolkit - In this talk, we will look at integrating security into Agile and DevOps. We will discuss strategies, training, tools, and techniques that will let your organization move quickly while doing so safely.Continue reading...
Web Shell Threat Hunting Workshop 12:00 - 14:00 August 08, 2020
Web shells are malicious web applications used for remote access to and control of compromised servers. This workshop covers methods to detect web shells at the system and network level.Continue reading...
localghost: Escaping the Browser Sandbox Without 0-Days Talk 13:00 - 13:45 August 08, 2020
Can't Touch This: Detecting Lateral Movement in Zero-Touch Environments Talk 15:00 - 15:45 August 08, 2020
Zero-touch environments are a product of the fast-moving world of DevOps which is being adopted by an increasing number of successful companies. This session will show that by leveraging the constraints of this environment, we can identify malicious network traffic which would otherwise blend into t...Continue reading...
Day 3 - August 09, 2020
Threagile - Agile Threat Modeling with Open-Source Tools from within Your IDE Talk 09:00 - 09:45 August 09, 2020
The open-source tool Threagile enables agile teams to create a threat model directly from within the IDE using a declarative approach: Given information about the data assets, technical assets, communication links, and trust boundaries as input in a simple to maintain YAML file, it executes a set of...Continue reading...
Kubernetes Container Orchestration Security Assessment
August 09, 2020
In this workshop, we will first discuss the fundamentals. After grasping underlying containerization technology, we will go deep about technology vulnerabilities, exploitation techniques, auditing, and hardening solutions.Continue reading...
The Elephant in the Room: Burnout Talk 10:00 - 10:45 August 09, 2020
Burnout. We all go through it at one point, especially during a pandemic. It feels like you are low on battery and it can cause emotional and physical issues. This talk shares an overview of the warning signs, symptoms, and practices to prevent burnout and how to deal with burnout to keep balanced.Continue reading...
A Heaven for Hackers: Breaking a Web Security Virtual Appliances Talk 11:00 - 11:45 August 09, 2020
Most security products require to be placed in the heart of the organization's IT configuration. Even though we are highly paranoid and security aware about every single third party tool that we include in our IT structure; we lose these concerns when it comes to security products. We forget to see...Continue reading...
Secure Your Code — Injections and Logging Talk 12:00 - 12:45 August 09, 2020
This talk combines two of the OWASP top ten security risks to highlight some widespread "this is fine" issues:
- Injections (A1:2017): We are using a simple application exploitable by injection and will then secure it with the Web Application Firewall (WAF) ModSecurity.
- Insufficient Logging & Mo...
Securing Your SDLC
August 09, 2020
Securing your SDLC (software development lifecycle) is appsec 101. Yet so many organizations struggle with the best way to embed security into their DevOps. Join our discussion to learn which sSDLC practices work where and how to implement them. Come ready to share best practices and lessons learned...Continue reading...
Running an appsec program with open source projects Talk 13:00 - 13:45 August 09, 2020
We are all heading towards the modernization of applications. However, we still see the companies being impacted with the most common website vulnerabilities like SQL Injection, Sensitive data exposure, security misconfiguration, etc.
OWASP has many projects which can be tied seamlessly into the ap...