Twilight Room, 3rd Floor, Flamingo Corporate Convention Center
All times are in Pacific Time (GMT -7)
Day 1 - Friday, August 12, 2022
Wartime AppSec
Keynote
09:00 - 10:00, August 12, 2022
Chris Kubecka
To understate things, the 2020s have been a challenging time for AppSec. First, Corona took the hardware out of the office for everyone. Now a war in Ukraine is activating hacktivists, patriotic hackers, and nation-state level actors, who are wreaking havoc on our apps and websites. Cyber-attacks are...

Agility Broke AppSec. Now It's Going to Fix It.
Panel
Intermediate
10:00 - 11:30, August 12, 2022
Roy Erlich, Emil Vaagland, Seth Kirschner, Vandana Verma Sehgal
In today's high-tech industries, security is struggling to keep up with rapidly changing production systems and the chaos that agile development introduces into workflows. Application security (AppSec) teams are fighting an uphill battle to gain visibility and control over their environments. Rather...

Cloud Security and IAM for Devs and DevOps - How can IAM be exploited and how to minimize the risks
Talk
Intermediate
11:30 - 12:30, August 12, 2022
David Hendri
How often do you define permissions for new cloud-native applications? How often do you use the pre-defined vendor suggestion for them or use wildcards? IAM (Identity and Access Management) is an important factor in determining how secure your product will be. Doing it right requires an understandi...

AppSec Nuggets: Bolstering a security-first mindset
Talk
All Audiences
12:30 - 13:30, August 12, 2022
Joylynn Kirui
The role of a software developer has been evolving across development, testing, security and scaling, with more and more integrated processes across these spheres. On the app security front, how do we ensure excellence? How much security is enough security, and what is your role in ensuring software...

Hacking 8+ million websites - Ethical dilemmas when bug hunting and why they matter
Talk
Intermediate
13:45 - 14:45, August 12, 2022
Rotem Bar
Many companies are reluctant to pay bug hunters to find and report vulnerabilities in software produced by a 3rd party.
In this lecture, we explore the pros and cons of this approach and demonstrate why taking responsibility for 3rd party vulnerabilities is actually better for everyone.
Using sh...

Hands-on threat modeling
Workshop
Intermediate
14:45 - 16:45, August 12, 2022
Chris Romeo
Everyone from security teams to CISOs wants to ingrain threat modeling across the organization, but how do you teach threat modeling that sticks? We'll provide a two-hour security threat modeling workshop to engage participants and help them put security-focused threat modeling into action. Each ses...

Day 2 - Saturday, August 13, 2022
WarTime AppSec
Talk
10:05 - 11:00, August 13, 2022
Chris Kubecka
To understate things, the 2020s have been a challenging time for AppSec. First, Corona took the hardware out of the office for everyone. Now a war in Ukraine is activating hacktivists, patriotic hackers, and nation-state level actors, who are wreaking havoc on our apps and websites. Cyber-attacks are...

The Log4J Rollercoaster - from an incident response perspective
Talk
All Audiences
11:00 - 12:00, August 13, 2022
Guy Barnhart-Magen, Brenton Morris
Log4J was a merry Christmas call for many teams around the world. This talk will share our story of how we were among the first to respond to in-the-wild attacks, helping the community manage and understand how to prepare for such an incident.
Log4J did not catch us unaware, but we did not connect...

Implementing E2E multi-client communication (for fun, work or profit) - what could go wrong?
Talk
Intermediate
12:00 - 13:00, August 13, 2022
Maya
End-to-end encryption is a concept we've been hearing about a lot these last few years, and it has gained a lot of prominence in the public eye due to various platforms (WhatsApp, Signal, Telegram) implementing a variation of it.
In this talk I want to cover E2E encryption in detail, its usages, as...

Running system tests with active authn/z
Talk
Intermediate
13:30 - 14:30, August 13, 2022
Lars Skjorestad
Experience has shown that we spend most of our test effort on unit testing. Many teams report that a key blocker for spending more time on system testing is the effort required to manage/mock the authentication and authorization parts of the system. In this talk we will briefly explore this problem...

No Code Security Review - What should I review in applications without code?
Talk
Intro
14:30 - 15:30, August 13, 2022
Inaae Kim
No-code application platforms emerged a few years ago. They are a very attractive platform to many business organizations because they use modular and pre-built configurations for quick and efficient software development and delivery without writing code. Secure code review is one of the major proce...

Hacking & Defending Blockchain Applications
Talk
Intermediate
15:30 - 16:30, August 13, 2022
Kennashka DeSilva, Aimee Reyes
Blockchain is a technology that is rapidly gaining widespread adoption; however, security standards, frameworks, or methodologies that incorporate the OWASP principles are not widely available. Frameworks such as OWASP as it relates to Blockchain Application Security (BAS) can ensure accountability,...

One Low, Two Informational: Why Your Pentest Findings are so Boring
Talk
All Audiences
16:30 - 17:30, August 13, 2022
Robyn Lundin
Application pentests are costly, sometimes six-figures costly, and can be very time consuming for the hosting AppSec team. Even so, application pentests often yield very few meaningful findings, leaving potential security bugs in the wild for malicious actors to find and exploit. The goal of a pen...

Day 3 - Sunday, August 14, 2022
The Simple, Yet Lethal, Anatomy of a Software Supply Chain Attack
Talk
Intermediate
09:00 - 10:00, August 14, 2022
Elad Rapoport, Tzachi (Zack) Zorenshtain
Security teams nowadays are struggling to contain the risk of software supply chain attacks on their organizations; implementing controls of that sort varies from internal controls (hardening CI services, hardening developer workstations) to demanding compliance with standards from vendors/contractors. Ho...

How to find 0-days in your "memory safe" stack?
Talk
Intermediate
10:00 - 11:00, August 14, 2022
Cezary Cerekwicki
Your memory-safe stack is not memory-safe at all. For instance, many popular Python libraries have substantial amounts of memory-unsafe code. Python is not unique here. You can find some potential for memory safety bugs in practically every software stack. If three simple, realistic conditions are m...

Offensive Application Security for Developers...
Workshop
Intro
11:00 - 13:00, August 14, 2022
James McKee
Application developers are the first line in defending applications from attack. There are thousands of software and hardware solutions that attempt to make your software more safe and secure, but in the end, if the software isn't developed properly and securely, no amount of software or hardware is going t...

Layer 7 matters at Layers 2/3: Appsec on Network Infrastructure
Workshop
All Audiences
13:00 - 15:00, August 14, 2022
Ken Pyle
How does a stored XSS on a switch become a covert, firewall bypassing protocol? How does rebooting a switch using unsanitized input allow an attacker to eavesdrop or poison traffic? When do these bugs become weapons?
In this lecture / interactive lab environment, attendees will learn bug hunting,...

Village Activities
Code Busters - Appsec Code Review Challenges
Challenge
Fri, 12 Aug, 9am - 1pm
Sat, 13 Aug, 9am - 1pm
Raphael Silva
Put your skills to the test in this challenge and try to find all the vulnerabilities in the code. We have a wide range of challenges, from easy to advanced, in various languages. Can you find them all?

c{api}tal - API Security CTF
Competition
Fri, 12 Aug, 9am - 5pm
Sat, 13 Aug, 9am - 5pm
Sun, 14 Aug, 9am - 1pm
Ravid Mazon, Alex Livshiz
Experience API security with our hands-on c{api}tal CTF! Learn about the API security top 10 risks and get ready to exploit them! The top 3 winners will win awesome prizes!

Trojan & Shell Games: The (un)intentional risks
Demo
Fri, 12 Aug, 1pm - 5pm
Sat, 13 Aug, 9am - 1pm
Diogo Rispoli
Log4Shell and Trojan Source are two prominent risks introduced in the last year. We will demonstrate an exploit for each vector and provide an easy-to-understand analysis of the behavior. Mitigation and detection of each will also be discussed.