All times are in Pacific Time (GMT -7)

Day 1 - August 06, 2021

Colorful AppSec

Panel 09:05 - 10:00 August 06, 2021

Tanya Janca

Pedro Umbelino

Luís Gomes

Erez Yalon (Moderator)

Summer of Fuzz: MacOS

Talk 10:00 - 10:45 August 06, 2021

Jeremy Brown

Thinking of fuzzing applications on OS X can quickly lead to a passing conversation of "ooh, exotic Mac stuff" or "let's fuzz the kernel", or it can otherwise not be thought of as an exciting target, at least for looking for crashes in stuff other than Safari or the iPhone. While there are some intricaci...

Capture the Flag Starts

Talk 10:00 August 06, 2021

Come join the AppSec Village with a fun, community-made CTF! Enjoy AppSec-focused CTFs or play some traditional categories! Earn swag for first, second, and third place!

Vulnerability Inheritance - Attacking companies and scoring bounties through 3rd party integrations

Talk 11:00 - 11:45 August 06, 2021

Time to sharpen your Bug Bounty game! In this session the attendees will learn about vulnerabilities around 3rd party integrations, how to improve their reconnaissance flow, and how to scan the entire internet for specific vulnerabilities utilizing Nuclei, by observing Proof of Concepts from the pres...

Cross-document messaging technology, how to hack it, and how to use it safely

Talk 12:00 - 12:45 August 06, 2021

Chen Gour-Arie

Signed, Sealed, Delivered: Abusing Trust in Software Supply Chain Attacks

Talk 13:00 - 13:45 August 06, 2021

Cheryl Biswas

Our technology-driven world increasingly relies on software dependencies: third party code, open source libraries and shared repositories. A history of software supply chain attacks shows how easy it is to create confusion and send malicious code undetected through automated channels to trusting re...

Poking bots for fun and profit in the age of asynchronous stuff

Talk 14:00 - 14:30 August 06, 2021

Emanuel Rodrigues

What do Slack, Telegram, Discord, and a ton of other messaging platforms have in common? Messaging, of course! :) ... but also bots/apps, which are used to enrich the experience of messaging and collaboration environments. Bots are extremely popular now and are very easy to create. The App markets ar...

Scaling static analysis for free: add additional codebases with a single line of code and no money

Talk 15:00 - 15:45 August 06, 2021

Erin Browning

Tim Faraci

Scaling static analysis across languages and multiple codebases is a difficult process at best. Here we walk through our setup, which we've architected to be easy to maintain, to produce few false positives, and to make adding additional codebases trivial. Plus, the primary tool we use is free, as in beer.

DFDs Ain't That Bad

Talk 16:00 - 17:00 August 06, 2021

Matthew Coles

Izar Tarandach

Threat Modeling is, at its root, a combination of two separate disciplines: system modeling and threat elicitation (and then a bit of risk management, but that’s another talk). In the last few years the industry has focused mostly on the second part, threat elicitation, and rare was the analysis of...

AppSec Quiz Time!

Event 17:30 - 17:35 August 06, 2021

Eden Stroet, Chaos Wrangler, ASV

We hope you’ve been enjoying the talks so far. Join today’s quiz and correctly answer quiz questions about the talks of the day to earn ASV swag! Anyone can participate, but fingers crossed you were paying attention!

Day 2 - August 07, 2021

Borrow a Mentor

Event 09:05 - 10:00 August 07, 2021

Have some burning questions about the infosec/App Sec field? Want to ask a security professional? Come to “Borrow a Mentor” and get your questions answered from those who are in the trenches on a daily basis. There is no obligation, just come and learn.

Scaling AppSec through Education

Talk 09:05 - 10:00 August 07, 2021

Grant Ongers (rewtd)

Given that:

  • Security teams are outnumbered by developers 100:1
  • 50 - 80% more bugs are found in code review than in testing
  • More than 70% of CVEs are caused by implementations in code

It must follow that AppSec should be the biggest part of your concern as a security person, and that you...

I used AppSec skills to hack IoT, and so can you

Talk 10:00 - 10:45 August 07, 2021

Alexei Kojenov

We tend to think of AppSec and IoT as two separate infosec disciplines. Sure, the domain knowledge, attack vectors, and threat mitigation are not exactly the same in those two worlds. At the same time, as the hardware continues to evolve, we see more and more tiny general purpose computers around us...

The Curious Case of Knowing the Unknown

Talk 11:00 - 11:45 August 07, 2021

Vandana Verma Sehgal

CSP is broken, let’s fix it

Talk 12:00 - 12:45 August 07, 2021

Amir Shaked

Integrating DAST tools into developers' test process

Workshop 12:00 - 14:30 August 07, 2021

Joe Schottman

API testing is now vital to AppSec but presents some challenges that conventional DAST testing did not face. This session will show how running developers’ non-security tests for the APIs they develop through an interception proxy such as OWASP ZAP can enable easier, faster, and more accurate DAST t...

When nothing goes right, push left. Designing logs for future breach investigations

Talk 13:00 - 13:45 August 07, 2021

If we do not have it, we should build it. If nothing goes right, push left.
TL;DR: Your logs should be simple and structured, and they should contain enough information without disclosing sensitive data. Often, accidental information disclosure within the logs can lead to future breaches. This t...

How I broke into Mexico City's justice system application and database

Talk 14:00 - 14:45 August 07, 2021

Alfonso Ruiz Cruz

A brief talk about how a chain of simple vulnerabilities gained me admin access to the whole database and application of Mexico City's justice system, leaving exposed every file from criminal, civil and family trials since 2008.

A Deep Dive Into Supply Chain Vulnerabilities: And How SecDevOps Can Save the Day

Talk 15:00 - 15:45 August 07, 2021

Adam Schaal

These are dangerous times. From left-pad to event-stream to the Node Security Platform shutdown, nowhere are supply chain vulnerabilities more prevalent than in modern-day JavaScript applications. Join us as we discuss how investing in the DevOps cycle now can help save your assets in the long run.

DevSecOps: Merging Security and Software Engineering

Talk 16:00 - 16:45 August 07, 2021

Magno Logan

Lately, we've been hearing a lot about DevOps and DevSecOps, and why they're so important. While integrating these is considered a very good practice, organizations may be unintentionally unaware of how to maximize DevOps to ensure security and compliance are being met without delays. This could be...

Can’t Stop the Code: Embrace the Code

Talk 17:00 - 17:45 August 07, 2021

Alton Crossley

You can't stop the code. So how do you make it all secure? The answer is: you don't. Let's discuss securing your software while using proprietary third parties and Open Source without disrupting ecosystems or innovation.

AppSec Quiz Time!

Event 17:45 - 17:50 August 07, 2021

Eden Stroet, Chaos Wrangler, ASV

We hope you’ve been enjoying the talks so far. Join today’s quiz and correctly answer quiz questions about the talks of the day to earn ASV swag! Anyone can participate, but fingers crossed you were paying attention!

Day 3 - August 08, 2021

Borrow a Mentor

Event 09:05 - 09:45 August 08, 2021

Have some burning questions about the infosec/App Sec field? Want to ask a security professional? Come to “Borrow a Mentor” and get your questions answered from those who are in the trenches on a daily basis. There is no obligation, just come and learn.

"The Poisoned Diary": Supply Chain Attacks on Install scripts

Talk 09:05 - 09:45 August 08, 2021

Yakov Shafranovich

The "curl | bash" pattern is in use everywhere, but is it safe? How common is it, and how can we make it safer? Join this talk for a discussion on install script security, Harry Potter and more!

Encryption for Developers

Talk 10:00 - 10:45 August 08, 2021

James McKee (punkcoder)

Encryption has become a major part of the implementation of many products, but how many of us really understand what is going on behind the scenes? During your implementation, do you really know what an initialization vector does? What is the difference between AES-CBC and AES-CFB, and when should y...

AppSec 101: A Journey from Engineer to Hacker

Talk 11:00 - 11:45 August 08, 2021

Arjun Gopalakrishna

Join this session to appreciate the role of Application Security in the context of software development, by examining them side by side. We will walk through an insecure application to find (and exploit) a few security issues, and examine - from an AppSec lens - the issue classes and ways to unearth...

Car Hacking + Bug Hunting Field Guide for Appsec Hackers

Talk 12:00 - 12:45 August 08, 2021

End Capture the Flag

Event 13:00 August 08, 2021

Eden Stroet, Chaos Wrangler, ASV

Join us in ASV’s DEF CON Discord for our closing ceremony and announcement of the winners of AppSec Village’s 2021 Capture the Flag!

0-Days & Nat 20's - CVSSv3 Through the Lens of Dungeons & Dragons

Talk 13:00 - 13:45 August 08, 2021

Alex "RedWedgeX" Hoffman

What do the Critical Vulnerability Scoring System and Dungeons & Dragons have in common? As a pentester, security professional, network defender, developer, or RPG gamer, it's vital to know how to read your character sheet in order to figure out how much the BBEG (big bad evil guy) is going to mess...

Attacking Modern Environments Series: Attack Vectors on Terraform Environments

Talk 14:00 - 14:45 August 08, 2021

Mazin Ahmed

AppSec Quiz Time!

Event 15:00 - 15:15 August 08, 2021

Eden Stroet, Chaos Wrangler, ASV

We hope you’ve been enjoying the talks so far. Join today’s quiz and correctly answer quiz questions about the talks of the day to earn ASV swag! Anyone can participate, but fingers crossed you were paying attention!

Thanks to our Sponsors

Is your organization passionate about application security and interested in sponsoring?

Read on how to become a sponsor and check out our available sponsorship opportunities.