AppSec USA 2018
Talks
SDL at Scale: Growing Security Champions
If you’re tasked with securing a portfolio of applications it’s a practice in extremes. You’ve got a small team of security experts trying to help a multitude of developers, testers, and other engineers. You have to find a way to work with the tea...
Ryan O'Boyle
Defensible Application Security for the Artificial Intelligence Era
From the very beginning of the Internet, humans have struggled with how to trust in the digital world. Neuroscience studies are gradually uncovering clues as to how our brains process digital cues, and how we adapt to an increasingly extensive dig...
Chenxi Wang
Battle Tested Application Security
Building Application Security programs from scratch or dropping into existing organizations with some AppSec functions can be a war zone. As practitioners are on the front lines of implementing AppSec programs, there is no one-size-fits-all or a m...
Ty Sbano
Security Vulnerabilities in AI Assistant Based Applications
Intelligent assistants are and will be everywhere. You might be thinking that you cannot hack assistants because you can't say "What's the weather in Boston' or 1=1--" or your assistant is safe in your house. Unfortunately, there are ways around ...
Abraham Kang
Lessons from integrating third party library scanning in DevOps workflow
Paving the road for Developers: Lessons from integrating third party library scanning in DevOps workflow. The necessity of securing third-party libraries and packages is not a new concept; however, not many organizations understand its importanc...
Tim Champagne, Harshil Parikh
OWASP SEDATED
The SEDATED Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure) focuses on preventing sensitive data such as user credentials and tokens from being pushed to GitHub. Developers are constantly pushing changes to GitHub and may try ...
Dennis Kennedy, Simeon Cloutier
Serverless Infections: Malware Just Found a New Home
We are seeing more and more organizations leverage the advantages introduced by serverless computing. But what does serverless computing entail when it comes to security? With no dedicated server, is the security risk higher or lower? Can malware ...
Erez Yalon
Security Culture Hacking: Disrupting the Security Status Quo
This session is an exploration into the world of security culture hacking. In the wake of the "data breach of the day", organizations claim they are more serious about security. The truth is that many still have weak security cultures. At the end ...
Chris Romeo
Chromebooks and network motes to enforce security posture from the device to the cloud
Chromebooks and network motes to enforce security posture from the device to the cloud. Telling a developer they cannot have admin access on their local machine is not practical. We want them to get work done. For any company that doesn’t have an ...
Jon Debonis
Scratching the Surface of your CD?
Continuous Delivery (CD) introduces a new set of challenges for application security testing, even compared with already fast Continuous Integration (CI) and DevOps methodologies. A CD development organization can produce hundreds or even thousands ...
Ofer Maor
Breaking fraud & bot detection solutions
Browser fingerprinting and user behavior tracking are powerful techniques used by most fraud and bot detection solutions. These are implemented via JavaScript snippets running in the user's browser. In this presentation, we’ll demystify the signals ...
Mayank Dhiman
Open Source Security Tools for Kubernetes Applications
Cloud Native platforms such as Kubernetes help developers to easily get started deploying and running their applications at scale. But as this access to compute starts to become ubiquitous, how you secure and maintain compliance standards in these...
Michael Ducy
Value Driven Threat Modeling
What if we could get developers to apply threat modeling techniques, and embed secure design right in the product from the beginning? Threat Modeling is a great method to identify potential security weaknesses, and can enable architects and...
Avi Douglen
Security as a Service: Work where Your Engineers Live
Product Engineers and Managers live in git, JIRA, and wikis to develop and release software, so why do security engineers use a fully different set of tools and dashboards to try to drive security fixes onto product teams' roadmaps? Our team ...
Taylor Lobb, Julia Knecht
Fixing Mobile AppSec
Even though modern mobile operating systems like iOS and Android offer great APIs for secure data storage and communication, those APIs have to be used correctly in order to be effective. Data storage, inter-app communication, proper usage of cryp...
Sven Schleier
Threat Model-as-Code
Threat Modeling is critical for Product Engineering Teams. Yet, even in the rare event that it’s performed, it’s performed without actionable outputs emerging from the exercise. It is relegated to the status of what a “Policy/Best Practice Document”...
Abhay Bhargav
Flying Above the Clouds: Securing Kubernetes
Cloud-native architectures built using Kubernetes are composed of containerized microservices managed by an orchestration system. They are distributed systems that run on top of the cloud (or sometimes physical) infrastructure and abstract away de...
Jack Mannino
Identity Theft: Attacks on SSO Systems
SAML is often the trust anchor for Single Sign-On (SSO) in most modern day organizations. This presentation will discuss a new vulnerability discovered which has affected multiple independent SAML implementations, and more generally, can affect an...
Kelby Ludwig
Deserialization Vulnerability Remediation with Automated Gadget Chain Discovery
Although vulnerabilities stemming from the deserialization of untrusted data have been understood for many years, unsafe deserialization continues to be a vulnerability class that isn't going away. Attention on Java deserialization vulnerabilities...
Ian Haken
A new framework to automate MSTG and MASVS in your CI/CD pipeline
In the era of Agile, DevOps and CI/CD, enterprises are constantly facing security challenges, especially in mobile, where security is still underestimated. One of the main issues is speed and repeatability of security tests for each release/build....
Davide Cioccia
Human factors that influence secure software development
Software is written by people, either alone or in teams. Ultimately secure code development depends on the actions and decisions taken by the people who develop the code. How do we account for the “human factors” that contribute to application sec...
Anita D'Amico, Chris Horn
Authentication as a Microservice: Portable Customer Identity Management
Authentication is a core piece of many applications but it has traditionally been handled in a monolithic manner. Foreign keys to the user table and join tables for roles and permissions are the most common mechanism that applications use to manage...
Brian Pontarelli
How to get the best AppSec test of your life
The Internet is full of advice on delivering a better pen test. That’s great but what if you are the one arranging or receiving the test? In this talk, I want to use my experience of scoping and delivering these tests (as well as feedback from tes...
Josh Grossman
SCORE Bot: Shift Left, at Scale!
In today’s DevSecOps world, “shift to the left” is not a new mantra for AppSec practitioners. It is imperative to notify developers about potential security issues as early as possible. While heavy-weight static and dynamic analysis tools and f...
Laksh Raghavan, Vidhu Jayabalan
OWASP Leaders Workshop AppSecUSA 2018 - Part 1
The OWASP Leader Workshop is designed for OWASP members currently leading or interested in starting a chapter in their local area or a project. Matt Tesauro, Director of Community and Operations; Karen Staley, Executive Director; Harold Bla...
Dawn Aitken, Harold Blankenship, Karen Staley, Matt Tesauro
The Anatomy of a Secure Web Application in Java Using Spring Security and Apache Fortress
The Jakarta EE architecture provides the necessary enablement but most developers do not have the time or the training to take full advantage of what it has to offer. This technical session describes and demos an end-to-end application security ar...
Shawn McKinney, John Tumminaro
Ecosystem, Interoperability and Standards: IoT Security
Security Development Lifecycle (SDL) methodologies have traditionally served consumer products and enterprise applications. These programs are usually well defined, with established architectures, target markets and product development cycles that...
Kavya Racharla, Sumanth Naropanth
ZAP Heads Up Display
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while...
David Scrobonia
Prevent Business Logic Attacks using Dynamic Instrumentation
As application security practitioners, we know that the attacks representing the most significant business risk for our organizations are often attacks targeting sensitive business functions of our applications. Those go far beyond the OWASP Top 1...
Jean-Baptiste Aviat
Are we using Java Crypto API Securely?
Do you feel cryptographic libraries are just thrown over the fence for us developers and security professionals to understand and pray it's used securely? Java Cryptography Architecture is one such famously used library, laden with ambiguous docu...
Mansi Sheth
Teach a man how to fish
So you were asked by a few devops teams to make them more secure. So you pick up their assets, review them and help them forward. But after that, when you leave them behind, more vulnerabilities get introduced. The question is: did your hacks brin...
Jeroen Willemsen
OWASP Glue Tool
The OWASP Glue Tool Project is a tools based project intended to make security automation easier. It is essentially a ruby gem that co-ordinates the running of different analysis tools and reporting from those tools. https://www.owasp.org/inde...
Matt Konda
Pentesting Swift Application with OWASP iGoat
As enterprises are moving their iOS development towards Swift from Objective-C, it has become essential to adopt the skills required to perform penetration testing/security audits of such applications. If you are working as Product Security...
Swaroop Yermalkar
Dependency Track
Dependency-Track is an intelligent Software Composition Analysis (SCA) platform that allows organizations to identify and reduce risk from the use of third-party and open source components. The platform integrates with multiple sources of vulnerab...
Steve Springett
(in)Security is eating the world
Technology has transformed nearly every segment of our lives and will continue to dramatically impact the future. From transportation, to medicine, to communication, technology underpins every aspect of how we interact with the world, and with eac...
Michael Coates
OWASP Leaders Workshop AppSecUSA 2018 - Part 2
The OWASP Leader Workshop is designed for OWASP members currently leading or interested in starting a chapter in their local area or a project. We are hosting sessions to learn from each other how to run chapter activities, what types of even...
Dawn Aitken, Harold Blankenship, Matt Tesauro, Karen Staley
My journey through building an advanced bot detection product
Bot activity represents a significant part of the overall Internet traffic. In the past, bots were concentrating on scraping content from ecommerce sites but in more recent years, bots are also being used to conduct fraudulent activity such as acc...
David Senecal
Web application compromise mitigation with crypto anchoring
Today’s world of Equifax breaches is the same old data security problem. In the past you’d need a solid SQL injection to pull all the records of a database. Nowadays, you need an RCE on the application server. The root problem has not changed. The...
Jon Debonis
OWASP IoT Top 10
The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions wh...
Daniel Miessler
Single Page Applications: Is your design secure?
In the current landscape of web development, Single Page Applications (SPA) have been utilized more frequently due to their versatile capabilities. Also, the popularity of frameworks such as Angular and React has enabled fast-paced development of SPAs....
Rafael Dreher, Murali Vadakke Puthanveetil
Making Security Approachable for Developers and Operators
Security is a complex topic filled with jargon and subtle nuances. The "weakest link" challenge in security means we must be concerned with every threat vector and apply best practices universally. This becomes challenging when we need to bring de...
Armon Dadgar
OWASP Amass Project
Amass is an in-depth DNS Enumeration and Network Mapping tool written in Go. It helps organizations fill in blind spots for their presence and exposure to the internet. Amass reaches out to more than 30 passive data sources to learn about the DNS...
Jeff Foley
Exposing Security Flaws in Trading Technologies
With the advent of electronic trading platforms and networks, the exchange of financial securities now is easier and faster than ever; but this comes with inherent risks. Nowadays not only rich people can invest in the money markets, but also anyo...
Alejandro Hernandez
OWASP Code Pulse and Attack Surface Detector
White hat penetration testers are generally at a disadvantage compared to the malicious attackers they help defend against. They have limited time and resources to secure the entire application, whereas attackers have unlimited time and may only n...
Ken Prole
Deserialization: what, how and why [not]
Insecure deserialization was recently added to OWASP's list of the top 10 most critical web application security risks, yet it is by no means a new vulnerability category. For years, data serialization and deserialization have been used in applica...
Alexei Kojenov
Domino's Delivery of a Faster Response was No Standard Order
Come listen to Domino's Pizza share how they transformed a complex, multi-ticket, time-consuming process into an Automated Application Security Engagement workflow. Using deep knowledge of Atlassian tools, a little ingenuity, and a lot of ITSM, a ...
Michael Sheppard
Empowering the Employee: Incident Response with a Security Bot
As organizations scale, it can become increasingly difficult for a small security team to process the large volumes of alerts. In addition, the employee who triggered the alert frequently has the most context as to what transpired. At our organiza...
Jeremy Krach