All times are in Pacific Time (GMT -7)

Day 1 - August 07, 2020

Maddie Stone

Who’s secure, who’s not, & who makes that choice

Keynote 10:00 - 11:00 August 07, 2020

Applying Pysa to Identify Python Security Vulnerabilities

Workshop 11:00 - 13:00 August 07, 2020

Graham Bleaney

@GrahamBleaney

The Product Security teams at Facebook make extensive use of static analysis to find security vulnerabilities. We use systems like Zoncolan and the open source Python Static Analyzer (Pysa) on a daily basis. Using static analysis helped us find more than 1100 security bugs in 2018, accounting for mo...

2FA in 2020 and Beyond

Talk 11:00 - 11:45 August 07, 2020

Security professionals agree: SMS based Two-factor Authentication (2FA) is insecure, yet thousands of companies still employ this method to secure their customer-facing applications. This talk will look at the evolution of authentication and provide a data-driven analysis of the tradeoffs between th...

Android Bug Foraging

Talk 12:00 - 12:45 August 07, 2020

Pedro Umbelino

@kripthor

João Morais

@jmoraissec

In this session, we will analyze four real-world examples of different high-impact Android vulnerabilities. We will show how we discovered, developed, and leveraged the vulnerabilities into a fully working proof-of-concept, devised meaningful attack scenarios (demos included), and how our work was app...

Think Like A Hacker To Defend Your Application

Roundtable 12:00 - 13:00 August 07, 2020

Jerry Gamblin

JGamblin

Join our open discussion on how to put on your hacker hat. We will explore application security from the hacker, consultant, and enterprise perspectives. Come with an open mind and a good story to share.

Our journey into turning offsec mindset to developer's toolset

Talk 13:00 - 13:45 August 07, 2020

Paul Amar

@PaulWebSec

Stanislas Molveau

Security is hard, especially for people not in this specific field. Hundreds of vulnerabilities are disclosed each week and it's hard for security folks to keep up with that pace. How can developers keep up with this while also facing business constraints and deadlines? In this talk, we will talk abou...

API (in)Security TOP 10: Guided tour to the Wild Wild World of APIs

Talk 15:00 - 15:45 August 07, 2020

Do you speak API? Surely you do, even if you don't notice them in your everyday use of the World Wide Web. APIs have proved to be beneficial for business, but with great power comes great responsibility, and some of them have serious problems. Last year we put a lot of effort into building and releasing the OWASP A...

Threat Modelling the Death Star

Talk 16:00 - 16:45 August 07, 2020

It is a known fact the Empire needs to up their security game. The Rebellion hack their ships, steal their plans, and even create backdoors! In this talk, we will help the Empire by threat modeling the Death Star. Traditionally, Threat Models have been a slow and boring process that ends up with a g...

Day 2 - August 08, 2020

Fredrick “Flee” Lee

Be Like Water: What Bruce Lee Can Teach Us About AppSec

Keynote 09:00 - 10:00 August 08, 2020

@fredrickl

Every few years, security “thought leaders” tell us what is the one, proper way to practice application security. I’m just as guilty of this as anyone else in the “industry”. But, it turns out there isn’t just one true style of effective AppSec. This talk walks through my path of letting go of dogma...

Introduction to application security threat hunting - background for Web Shell Threat Hunting

Workshop 10:00 - 11:00 August 08, 2020

A prerequisite background for the Web Shell Threat Hunting workshop.

10,000 Dependencies Under The Sea: Exploring and Securing Open source dependencies

Talk 10:00 - 10:45 August 08, 2020

Gregg Horton

@greggawatt

Ryan Slama

Come on our journey of creating scalable tooling and processes to automatically identify vulnerabilities in third-party libraries and handle the question of “ok we found this, who’s going to fix it?”

Hackium: a browser for web hackers

Talk 11:00 - 11:45 August 08, 2020

The web has changed. Sites went from being a few kilobytes of static, hand-written HTML to monstrosities of tangled JavaScript that eat hundreds of megs of RAM. Web sites are applications now, complete with security controls, complex state, and custom protocols. Our tools need to become smarter.
Ha...

The DevOps & Agile Security Toolkit

Talk 12:00 - 12:45 August 08, 2020

David Waldrop

The DevOps & Agile Security Toolkit - In this talk, we will look at integrating security into Agile and DevOps. We will discuss strategies, training, tools, and techniques that will let your organization move quickly while doing so safely.

Web Shell Threat Hunting

Workshop 12:00 - 14:00 August 08, 2020

Web shells are malicious web applications used for remote access to and control of compromised servers. This workshop covers methods to detect web shells at the system and network level.

Sec Engineering

Roundtable 12:00 - 13:00 August 08, 2020

Jerry Gamblin

JGamblin

Building the application security tools your company needs to be safer and more secure is a challenge. How do you decide where to start? When not to take short cuts? What is the process like? What have you built? Join the roundtable discussion and bring a horror story or two.

localghost: Escaping the Browser Sandbox Without 0-Days

Talk 13:00 - 13:45 August 08, 2020

Many modern desktop applications use a localhost server for IPC and seamless interaction with websites. These servers usually have no authentication. JavaScript running in browsers can connect to these servers. I will discuss a dozen publicly disclosed bugs where malicious websites can connect these...

Can't Touch This: Detecting Lateral Movement in Zero-Touch Environments

Talk 15:00 - 15:45 August 08, 2020

Zero-touch environments are a product of the fast-moving world of DevOps which is being adopted by an increasing number of successful companies. This session will show that by leveraging the constraints of this environment, we can identify malicious network traffic which would otherwise blend into t...

Day 3 - August 09, 2020

Threagile - Agile Threat Modeling with Open-Source Tools from within Your IDE

Talk 09:00 - 09:45 August 09, 2020

The open-source tool Threagile enables agile teams to create a threat model directly from within the IDE using a declarative approach: Given information about the data assets, technical assets, communication links, and trust boundaries as input in a simple to maintain YAML file, it executes a set of...

The Elephant in the Room: Burnout

Talk 10:00 - 10:45 August 09, 2020

Burnout. We all go through it at one point, especially during a pandemic. It feels like you are low on battery and it can cause emotional and physical issues. This talk shares an overview of the warning signs, symptoms, and practices to prevent burnout and how to deal with burnout to keep balanced.

Kubernetes Container Orchestration Security Assessment

Workshop 10:00 - 12:00 August 09, 2020

Ali Abdollahi

@AliAbdollahi2

In this workshop, we will first discuss the fundamentals. After grasping the underlying containerization technology, we will go deep into technology vulnerabilities, exploitation techniques, auditing, and hardening solutions.

A Heaven for Hackers: Breaking a Web Security Virtual Appliances

Talk 11:00 - 11:45 August 09, 2020

Most security products need to be placed at the heart of the organization's IT configuration. Even though we are highly paranoid and security-aware about every single third-party tool that we include in our IT infrastructure, we lose these concerns when it comes to security products. We forget to see...

Securing Your SDLC

Roundtable 12:00 - 13:00 August 09, 2020

Martín Villalba

Securing your SDLC (software development lifecycle) is appsec 101. Yet so many organizations struggle with the best way to embed security into their DevOps. Join our discussion to learn which sSDLC practices work where and how to implement them. Come ready to share best practices and lessons learned...

Secure Your Code — Injections and Logging

Talk 12:00 - 12:45 August 09, 2020

This talk combines two of the OWASP top ten security risks to highlight some widespread "this is fine" issues:

  • Injections (A1:2017): We are using a simple application exploitable by injection and will then secure it with the Web Application Firewall (WAF) ModSecurity.
  • Insufficient Logging & Mo...

Running an appsec program with open source projects

Talk 13:00 - 13:45 August 09, 2020

Vandana Verma Sehgal

@InfosecVandana

We are all heading towards the modernization of applications. However, we still see companies being impacted by the most common website vulnerabilities, like SQL injection, sensitive data exposure, security misconfiguration, etc.
OWASP has many projects which can be tied seamlessly into the ap...
