All times are in Pacific Time (GMT -7)
Day 1 - August 06, 2021
Summer of Fuzz: MacOS
Talk, 10:00 - 10:45, August 06, 2021
Jeremy Brown
Thinking of fuzzing applications on OS X can quickly lead to a passing conversation of "ooh exotic Mac stuff", "let's fuzz the kernel" or it can otherwise not be thought of as an exciting target, at least for looking for crashes in stuff other than Safari or the iPhone. While there are some intricaci...
Capture the Flag Starts
Talk, 10:00, August 06, 2021
Come join the AppSec Village with a fun community-made CTF! Enjoy AppSec-focused CTFs or play some traditional categories! Earn swag for first, second, and third place!
Vulnerability Inheritance - Attacking companies and scoring bounties through 3rd party integrations
Talk, 11:00 - 11:45, August 06, 2021
Gal Nagli
Time to sharpen your bug bounty game! In this session the attendees will learn about vulnerabilities around 3rd party integrations, how to improve their reconnaissance flow and how to scan the entire internet for specific vulnerabilities utilizing Nuclei, by observing Proof of Concepts from the pres...
Signed, Sealed, Delivered: Abusing Trust in Software Supply Chain Attacks
Talk, 13:00 - 13:45, August 06, 2021
Cheryl Biswas
Our technology-driven world increasingly relies on software dependencies: third-party code, open source libraries and shared repositories. A history of software supply chain attacks shows how easy it is to create confusion and send malicious code undetected through automated channels to trusting re...
Poking bots for fun and profit in the age of asynchronous stuff
Talk, 14:00 - 14:30, August 06, 2021
Emanuel Rodrigues
What do Slack, Telegram, Discord, and a ton of other messaging platforms have in common? Messaging, of course! :) ... but also bots/apps, which are used to enrich the experience of messaging and collaboration environments. Bots are extremely popular now and are very easy to create. The app markets ar...
Scaling static analysis for free: add additional codebases with a single line of code and no money
Talk, 15:00 - 15:45, August 06, 2021
Scaling static analysis across languages and multiple codebases is a difficult process at best. Here we walk through our setup, which we've architected to be easy to maintain, to produce few false positives, and to make adding additional codebases trivial. Plus, the primary tool we use is free, as in beer.
DFDs Ain't That Bad
Talk, 16:00 - 17:00, August 06, 2021
Threat Modeling is, at its root, a combination of two separate disciplines: system modeling and threat elicitation (and then a bit of risk management, but that's another talk). In the last few years the industry has focused mostly on the second part, threat elicitation, and rare was the analysis of...
AppSec Quiz Time!
Event, 17:30 - 17:35, August 06, 2021
Eden Stroet, Chaos Wrangler, ASV
We hope you've been enjoying the talks so far. Join today's quiz and correctly answer quiz questions about the talks of the day to earn ASV swag! Anyone can participate, but fingers crossed you were paying attention!
Day 2 - August 07, 2021
Borrow a Mentor
Event, 09:05 - 10:00, August 07, 2021
Have some burning questions about the infosec/AppSec field? Want to ask a security professional? Come to "Borrow a Mentor" and get your questions answered by those who are in the trenches on a daily basis. There is no obligation, just come and learn.
Scaling AppSec through Education
Talk, 09:05 - 10:00, August 07, 2021
Grant Ongers (rewtd)
Given that:
- Security teams are outnumbered by developers 100:1
- 50 - 80% more bugs are found in code review than in testing
- More than 70% of CVEs are caused by implementations in code
It must follow that AppSec should be the biggest part of your concern as a security person, and that you...
I used AppSec skills to hack IoT, and so can you
Talk, 10:00 - 10:45, August 07, 2021
Alexei Kojenov
We tend to think of AppSec and IoT as two separate infosec disciplines. Sure, the domain knowledge, attack vectors, and threat mitigation are not exactly the same in those two worlds. At the same time, as the hardware continues to evolve, we see more and more tiny general-purpose computers around us...
Integrating DAST tools into developers' test process
Workshop, 12:00 - 14:30, August 07, 2021
Joe Schottman
API testing is now vital to AppSec but presents some challenges that conventional DAST testing did not face. This session will show how running developers' non-security tests for the APIs they develop through an interception proxy such as OWASP ZAP can enable easier, faster, and more accurate DAST t...
When nothing goes right, push left. Designing logs for future breach investigations
Talk, 13:00 - 13:45, August 07, 2021
Vee
If we do not have it we should build it. If nothing goes right, push left.
TL;DR: Your logs should be simple and structured, and they should also contain enough information without disclosing sensitive data. Often accidental information disclosure within the logs can lead to future breaches. This t...
How I broke into Mexico City's justice system application and database
Talk, 14:00 - 14:45, August 07, 2021
Alfonso Ruiz Cruz
Brief talk about how a chain of simple vulnerabilities gained me admin access to the whole database and application of Mexico City's justice system, leaving exposed every file from criminal, civil and family trials since 2008.
A Deep Dive Into Supply Chain Vulnerabilities: And How SecDevOps Can Save the Day
Talk, 15:00 - 15:45, August 07, 2021
Adam Schaal
These are dangerous times. From left-pad to event-stream to the Node Security Platform shutdown, nowhere are supply chain vulnerabilities more prevalent than in modern-day JavaScript applications. Join us as we discuss how investing in the DevOps cycle now can help save your assets in the long run.
DevSecOps: Merging Security and Software Engineering
Talk, 16:00 - 16:45, August 07, 2021
Magno Logan
Lately, we've been hearing a lot about DevOps and DevSecOps, and why they're so important. While integrating these is considered very good practice, organizations may be unintentionally unaware of how to maximize DevOps to ensure security and compliance are being met without delays. This could be...
Can't Stop the Code: Embrace the Code
Talk, 17:00 - 17:45, August 07, 2021
Alton Crossley
You can't stop the code. So how do you make it all secure? The answer is: you don't. Let's discuss securing your software while using proprietary third parties and Open Source without disrupting ecosystems or innovation.
AppSec Quiz Time!
Event, 17:45 - 17:50, August 07, 2021
Eden Stroet, Chaos Wrangler, ASV
We hope you've been enjoying the talks so far. Join today's quiz and correctly answer quiz questions about the talks of the day to earn ASV swag! Anyone can participate, but fingers crossed you were paying attention!
Day 3 - August 08, 2021
Borrow a Mentor
Event, 09:05 - 09:45, August 08, 2021
Have some burning questions about the infosec/AppSec field? Want to ask a security professional? Come to "Borrow a Mentor" and get your questions answered by those who are in the trenches on a daily basis. There is no obligation, just come and learn.
"The Poisoned Diary": Supply Chain Attacks on Install scripts
Talk, 09:05 - 09:45, August 08, 2021
Yakov Shafranovich
The "curl | bash" pattern is in use everywhere, but is it safe? How common is it and how can we make it safer? Join this talk for a discussion on install script security, Harry Potter and more!
Encryption for Developers
Talk, 10:00 - 10:45, August 08, 2021
James McKee (punkcoder)
Encryption has become a major part of the implementation of many products, but how many of us really understand what is going on behind the scenes? During your implementation, do you really know what an initialization vector does? What is the difference between AES-CBC and AES-CFB, and when should y...
AppSec 101: A Journey from Engineer to Hacker
Talk, 11:00 - 11:45, August 08, 2021
Arjun Gopalakrishna
Join this session to appreciate the role of Application Security in the context of software development, by examining them side by side. We will walk through an insecure application to find (and exploit) a few security issues, and examine, from an AppSec lens, the issue classes and ways to unearth...
End Capture the Flag
Event, 13:00, August 08, 2021
Eden Stroet, Chaos Wrangler, ASV
Join us in ASV's DEF CON Discord for our closing ceremony and announcement of the winners of AppSec Village's 2021 Capture the Flag!
0-Days & Nat 20's - CVSSv3 Through the Lens of Dungeons & Dragons
Talk, 13:00 - 13:45, August 08, 2021
Alex "RedWedgeX" Hoffman
What do the Critical Vulnerability Scoring System and Dungeons & Dragons have in common? As a pentester, security professional, network defender, developer, or an RPG gamer, it's vital to know how to read your character sheet in order to figure out how much the BBEG (big bad evil guy) is going to mess...
AppSec Quiz Time!
Event, 15:00 - 15:15, August 08, 2021
Eden Stroet, Chaos Wrangler, ASV
We hope you've been enjoying the talks so far. Join today's quiz and correctly answer quiz questions about the talks of the day to earn ASV swag! Anyone can participate, but fingers crossed you were paying attention!