Presentation Abstracts and Speaker Biographies - OWASP Chapters All Day
Hour 01 - Opening Session
Session Host: Takaharu Ogasa, Chapter Leader, OWASP Sendai (Japan)
Hour 02 - Hosted by OWASP Belgium
Session Host: Sebastien Deleersnyder, Chapter Leader
Talk 1 - OWASP SAMM v2: Your Dynamic Software Security Journey
Sebastien Deleersnyder - Project Leader
Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, technology stacks, tools and processes, different stakeholders, competing priorities, etc. Implementing software assurance will have a significant, positive impact on an organization, yet trying to achieve this without a good framework often leads to marginal and unsustainable improvements.
Sebastien (Seba) Deleersnyder is co-founder and CEO of Toreon, and a proponent of application security as a holistic endeavor. He started the Belgian OWASP chapter, was a member of the OWASP Foundation Board and performed several public presentations on Application Security. Seba also co-organized the yearly security & hacker BruCON conference and trainings in Belgium.
With a background in development and many years of experience in security, he has trained countless developers to create software more securely. He has led OWASP projects such as OWASP SAMM, thereby truly making the world a little bit safer. Now he is adapting application security models to the evolving field of DevOps and is also focused on bringing Threat Modeling to a wider audience. Twitter: @sebadele
Talk 2 - A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints
Victor Le Pochat - PhD student web security at KU Leuven
In 2016, law enforcement conducted the largest takedown of a cybercrime operation so far, targeting the Avalanche botnet.
They faced a challenge when blocking future registration of the C&C domains: some of these domains already existed, and this was not necessarily for malicious purposes.
In our talk, we discuss our collaboration in developing an approach to improve detection of these false positives for the ongoing cleanup of Avalanche. We’ll explain how we leveraged the synergy of a machine learning model and human analyst to reduce manual effort without compromising correctness.
Victor Le Pochat is a PhD student in the area of web security at the imec-DistriNet research group at KU Leuven in Belgium. His interests lie in the exploration of web ecosystems through large-scale measurements, and in web security research methodology, both analyzing and improving current research practices.
Hour 03 - Hosted by OWASP New York City (CA, USA)
Session Host: Guy Osa, Chapter Leader
Flattening the Cyber Curve
To be provided
Christopher Frenz is the AVP of Information Security for Interfaith Medical Center where he worked to develop the hospital’s information security program and infrastructure. Under his leadership the hospital has been one of the first in the country to embrace a zero trust model for network security. Christopher has also played a role in pushing for the adoption of improved security standards within hospitals and is the author of the OWASP Secure Medical Device Deployment Standard as well as the OWASP Anti-Ransomware Guide. He also currently chairs the AEHIS Incident Response Committee which has released several deliverables designed to help hospitals test and improve their incident response capabilities. Christopher has been recognized as a Rising Star amongst healthcare executives and also a top healthcare IT leader by Becker’s Hospital Review. He has also been recognized as a top healthcare IT leader by Health Data Management. Christopher’s security expertise has been highlighted in The Financial Times, CSO Magazine, SC Magazine and many other publications. Christopher shares his expertise at conferences around the world including presentations at VMworld, ASIS GSX, Defcon, HIMSS, and many others. He is also the author of the computer programming books Pro Perl Parsing and Visual Basic and Visual Basic .NET for Scientists and Engineers. LinkedIn
OWASP Vulnerability Management Guide (OVMG)
This is an introductory presentation about OWASP Vulnerability Management Guide (OVMG) published in June 2020. The project leader, Elizabeth Frenz, makes a case for having a vulnerability management program as a part of information security and risk management for an organization of any size and maturity. The purpose of the OWASP Vulnerability Management Guide is to explain how continuous and complex processes can be broken down into three essential cycles - detection, reporting, remediation - and how the components of the cycles relate to each other.
Elizabeth Frenz is a highly experienced information security professional who has been a cybersecurity enthusiast for over twenty years and an OWASP member since 2015. She specializes in cyber security operations and risk-based approaches to improving security. She works as a Lead Information Security Analyst for the leading company in clinical trials software. Previously in her career she led the vulnerability management effort at the Office of IT Security and Data Management of the NYC Department of Education. Elizabeth also has extensive experience in the identity and access management arena and was one of the contributors to an IEEE standard for using biometrics for identity and access management (IEEE 2410-2017). She is an active member of the NY information security scene and serves as a volunteer at the NYC OWASP chapter. Elizabeth holds an MS degree in Systems Management from New York University. LinkedIn
Hour 04 - Hosted by OWASP Uruguay
Session Host: Mateo Martinez, Chapter Leader
Hour 05 - Hosted by OWASP Chile
Session Host: Carlos Allendes, Chapter Leader
Is Your Phone Your Enemy or Your Friend?
Silvia Arias Becker and Oscar Orellana Artigas
In this presentation, we will provide information related to the risks you are exposed to through the apps you download to your mobile. We will review the OWASP Mobile Top 10 and use them in real APK analysis. If you are using your mobile more than ever for social media and even for work, this is the presentation you need in your life now!
Our phones have become our biggest repository of personal and private information, containing our banking and social network data. They let us read the news and choose the kind of information we want to read, which builds a clear profile of our tastes and preferences. They also store the personal data of our family and of the people we interact with most often.
All of the above is great, if it is under our control and we can privately isolate that personal information. So what happens if our phone’s operating system decides to publish that data or share it so other entities can access and know our tastes and everything that we thought was private?
Silvia Arias Becker has been a professor for more than 10 years at the University of Santiago in Chile. Her interests go from directing seminars in senior years in the English Teaching Training Program to the development and contribution of new knowledge in different areas related to technology. As a consequence, she is part of the organizing committee and project manager of the Cybersecurity Congress, CYBERSEC CHILE, organized by the University of Santiago, and Project Manager of the “Telemedicine, Telehealth and Digital Health International Congress,” organized by the University of Concepción, Chile.
- Teacher of English, graduated from the University of Santiago, Chile
- Master’s Degree in Linguistics, focusing on language learning theories
- Founder and Project Manager at Creativa Producciones
- Project Manager of the Cybersecurity Congress, CYBERSEC Chile
- Project Manager of the “Telemedicine, Telehealth and Digital Health International Conference”
Oscar Orellana Artigas holds a Master’s degree in Cybersecurity and is a volunteer with the OWASP Chile Chapter. He has extensive experience presenting talks about cybersecurity at universities and other organizations, as well as webinar experience at LATAM events. He currently works in consulting services and as a university lecturer, connecting his real-world experience with his daily classroom interactions with students.
Hour 06 - Hosted by OWASP Cairo (Egypt)
Session Host: Mohamed Alfateh, Chapter Leader
Building Your Web Offensive Shield
Mohamed Alfateh - Chapter Leader, OWASP Cairo
The presentation will talk about how to track any malicious user trying to perform any suspected activity on your website. During the presentation, I’ll show how to configure a honey trap in the web application firewall and then integrate the WAF with the BeEF framework automatically to track the web clients. After that, the presentation will describe how to perform an advanced counterattack on that user.
Mohamed Alfateh is the OWASP Cairo chapter leader. He has deep experience in secure SDLC, code review, application threat modeling, DevSecOps, and security compliance. Mohamed has contributed extensively to OWASP; he is the author of the “OWASP Application Threat Modeling Cheat Sheet” and a board member of OWASP Middle-East. He is currently Sr. Consultant at ZINAD IT.
Set Up a Continuous DevSecOps Toolchain with Open-Source Tools
Azzendine Ramrami - Chapter Leader, OWASP Morocco
During this talk, I will show how to build a complete DevSecOps toolchain using open-source tools. The objective is to automate secure coding checks and security tests including static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), and interactive application security testing (IAST).
We will focus on open-source tools, including OWASP Zed Attack Proxy (ZAP), OWASP Dependency-Check, Jenkins, and SonarQube.
Azzendine Ramrami is the Chapter Leader of the OWASP Morocco chapter.
Hour 07 - Hosted by OWASP Guatemala
Session Host: Pablo Barrera, Chapter Leader
Building Cyber-Resilience the right way
Pablo Barrera, OWASP Guatemala
Task 0: Hardening as code. Protecting your systems before they are born
Hour 08 - Hosted by OWASP Atlanta (GA, USA)
Session Host: Tony UV, Chapter Leader
Cooking with PASTA - Risk Centric, Offensive Minded Threat Modeling Walk Through
Tony UV - Chapter Leader, OWASP Atlanta (“The ATL”)
Pour yourself a nice vino and enjoy this walk-through of the Process for Attack Simulation & Threat Analysis - the only risk-centric threat modeling approach that was developed by two OWASP leaders and manifested in their literary work, Risk Centric Threat Modeling, via Wiley Publishing. This presentation will guide those interested in an evidence-based approach through decomposing their application/software for the purposes of addressing the attack patterns and software weaknesses that facilitate a library of threats. Each of the seven stages of PASTA will be covered so that practitioners, developers, architects, and security champions can become inspired to chef up their own PASTA within their respective S-SDLC cycles.
Tony UV is the OWASP Atlanta (ATL) chapter leader. He is the co-author of Risk Centric Threat Modeling (Wiley 2015) and is CEO of VerSprite. Tony UV is an avid AppSec professional whose experience in security architecture, development, code analysis, exploit testing, and threat analysis has funneled into his current passion around threat modeling.
Hour 09 - Hosted by OWASP Orange County (CA, USA)
Session Host: Haral Tsitsivas, Chapter Leader
Your Taxes Are Being Leaked
80% of U.S. small business accounting data is entered and stored on one vendor’s software. Major professional CPA firms around the world use this vendor’s tax preparation software and trust that the security controls are doing their job. During a Penetration Test, I discovered, and responsibly disclosed to the vendor, a critical unauthenticated information leak vulnerability in the way the software transfers customer data between client and server. This vulnerability exposes all customers’ names, addresses, phone numbers, email addresses, social security numbers, job, spouse information, and more. After further testing, it became clear that the problem was bigger than just one piece of software in one industry, as multiple CVEs were discovered during testing.
Michael Wylie, MBA, CISSP is the Director of Cybersecurity Services at Richey May Technology Solutions. In his role, Michael is responsible for delivering information assurance by means of vulnerability assessments, TPN vendor assessments, cloud security, penetration tests, risk management, and training. Michael has developed and taught numerous courses for the U.S. Department of Defense, DEFCON, Moorpark College, California State Universities, and for clients around the world. Michael is the winner of the SANS Continuous Monitoring and Security Operations challenge coin and holds the following credentials: CISSP, CCNA R&S, CCNA CyberOps, GPEN, GMON, TPN, CEH, CEI, VCP-DCV, CHPA, PenTest+, Security+, Project+, and more. Twitter: @TheMikeWylie.
Hour 10 - Hosted by OWASP Santa Barbara (CA, USA)
Session Host: Walter Martín Villalba, Chapter Leader
HTTP Security Headers
Walter Martín Villalba - Chapter Leader, OWASP Santa Barbara
HTTP headers let web clients and servers exchange additional information (usually metadata) in HTTP messages. HTTP security headers define whether a set of security mechanisms should be enabled on the web client. They are a fundamental part of web security as they help protect against different types of attacks such as XSS, code injection, and session hijacking. In this talk, we’ll discuss the most common security headers, how to configure them properly, and look at some real-world examples of misconfigurations that led to successful attacks.
Walter Martín Villalba is a Principal Application Security Consultant at C13 Security, a company he started recently. He leads the OWASP Santa Barbara chapter and is one of the key organizers for the AppSec California conference. He loves foosball and cyberpunk culture. Twitter: @act1vand0; LinkedIn: wmvillalba
Hour 11 - Hosted by OWASP Hawaii (USA)
Session Host: Jason Sewell, Chapter Leader
Lyft Cartography: Using Graphs to Improve and Scale Security Decision-Making
This talk highlights how we leverage Cartography (https://github.com/lyft/cartography) at Lyft to improve and scale security decision-making. Attendees of this session will be introduced to our platform and shown a broad set of compelling scenarios including reducing security debt, tracking and alerting on infrastructure changes, and enabling teams to see and better understand their security risk.
Cartography is a free open-source tool that consolidates your technical assets and the relationships between them in an intuitive graph database to enable quick exploration, repeatable decisions, and automated workflows.
We hope that sharing our approach to these problems with Cartography will help you achieve these same outcomes in your own organizations. We have been thrilled to grow the community in our first couple years as an open source project and look forward to hearing your feedback!
Alex Chantavy is a software engineer on Lyft’s security team (and also happens to be from Makakilo, HI). As one of the developers on Cartography, his security interests are understanding cloud permissions relationships and finding opportunities for lateral movement. In previous roles, Alex has performed red teaming as well as security tool development. In short, he enjoys learning easy ways to make computers do what they’re not supposed to do, making robots do his homework, and showing others how to do the same.
Content Security Policy: Going From Idea to Afterthought
Content security policy (CSP) is a browser feature that allows an application to tell a browser what is allowed to happen on a given page. It can be a very powerful tool when used correctly. But it’s a tricky beast with a lot of complexity, esoteric details, gotchas, and is still not widely adopted by most of the Internet, by any measure.
Any random article on CSP will talk about its features and behaviors. Some talk about the “report-only” mode for testing out CSP and analyzing reports. But how do you go from no CSP to a solid CSP? A light overview of CSP with a focus on mitigating cross-site scripting will be followed by an explanation of strategies to create an effective and dynamic policy including code samples taken directly from the GitHub codebase.
Neil Matatall is a product security engineer at GitHub that focuses on account security and security UX. Having started off in development with two separate development stints in between, the majority of his work has been in the application security space hardening frameworks, creating libraries, and working with standards bodies. Neil is often considered a hipster because he likes Ruby on Rails. He is also the first user to ever get locked out of their Twitter account because of 2FA.
Hour 12 - Hosted by OWASP Viña del Mar (Chile)
Session Host: Gustavo Nieves Arreaza, Chapter Leader
Why Phishing Is Here to Stay?
Paola Perez and Patricia Valdivia Heredia
A review of the growing phishing trend, with the tools and techniques involved, explaining why phishing is still a common attack that will stay with us, so it is better to understand it and be prepared to fight it.
Automated and Manual Threat Modeling
Gustavo Nieves Arreaza
Covering vulnerabilities, compliance, the Unified Modeling Language (UML), and how to calculate the risk of the vulnerabilities found.
How to use an automated threat modeling tool, the advantages of using it versus manual threat modeling, and why the two complement each other.
Visit his profile on LinkedIn: Gustavo Nieves Arreaza
Hour 13 - Hosted by OWASP New Zealand
Session Host: John DiLeo, Chapter Leader
Small, But Fierce (But Still Small)
Most of us volunteer or work closely with small groups. These are the local community groups, the side gigs, the small family businesses, the weekend projects. These groups are small but mighty. They use data, technology, and systems to provide us a service to make our communities better places. We need them to exist; and we also need them to be secure. This talk is going to focus on the few, free steps that any small group can take to level up their security, the stories and reasoning behind them, and give you some manna for dispelling the security misconceptions that come with being small.
Erica Anderson: Her twitter bio says “info sec, cat, and ketchup enthusiast” which summarizes her quite nicely. Erica is a space cadet (and Principal Security Consultant) for SafeStack and leads their Wellington presence. She also causes general mayhem with Kiwicon, Kawaiicon, and (previously) BSides Wellington. Twitter: @sputina
Let Me Secure That for You
Kirk Jackson - Chapter Leader, OWASP New Zealand
Is it possible to wrap security around an insecure website? Wouldn’t it be great if security was something you could just add later?
This talk will introduce virtual patching, what types of security issues can be fixed, and dive a bit deeper into Content Security Policy.
Kirk Jackson works at RedShield in Wellington, leads OWASP New Zealand’s Wellington Meetup, and has previously helped organize the annual OWASP New Zealand Day conference in Auckland.
Kirk worked as a web developer before switching to the defense team - setting up the security practice at Xero, working as a pen tester, and in defense roles at several companies. Twitter: @kirkj
Hour 14 - Hosted by OWASP Victoria (BC, Canada)
Session Host: Tanya Janca
Purple is the New Black: Modern Approaches to Application Security
Gone are the days when breaches were rare and security could safely be put low on the priority list; product security is now a customer demand and cyber crime has reached epic proportions. Our idolization of hackers, penetration testing and ‘breaking’ has not resulted in secure software for our industry, only egos, stereotypes and unaffordable security models. Modern application security approaches are needed for new technologies, and this talk will outline several strategies for new tech, one by one. The future of security is PURPLE.
Tanya Janca, also known as ‘SheHacksPurple,’ is the founder, security trainer and coach of SheHacksPurple.dev, specializing in software and cloud security. Her obsession with securing software runs deep, from starting her company, to running her own OWASP chapter for four years in Ottawa, co-founding a new OWASP chapter in Victoria, and co-founding the OWASP DevSlop open-source and education project. With her countless blog articles, workshops and talks, her focus is clear. Tanya is also an advocate for diversity and inclusion, co-founding the international women’s organization WoSEC, starting the online #CyberMentoringMonday initiative, and personally mentoring, advocating for and enabling countless other women in her field. As a professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science. Twitter: shehackspurple
Hour 15 - Hosted by OWASP Japan
Session Hosts: Riotaro Okada and Sen Ueno, Chapter Leaders
Implementing CSIRT Based on Frameworks and Maturity Model
This year we implemented a CSIRT based on several frameworks and a maturity model, including the FIRST Service Framework, SIM3, and documents devised in Japan. In this presentation, I’d like to introduce how to use these materials.
Akitsugu Ito has worked in the security industry for nine years. His specialties are information security management, incident handling, product security and quality assurance.
How Our PSIRT Evolved
How to run a PSIRT effectively depends on every aspect of the organization, such as its culture, scale, products, and strategy. Therefore, there are many different models of PSIRT.
In this session, I will talk about how our PSIRT has evolved from its launch to the present and how it has impacted our organization.
In addition, I will also share our activities, such as our Bug Bounty program and our collaboration with the product team.
Yuriko Ostuka is a PSIRT specialist at Cybozu, Inc.
Hour 16 - Hosted by OWASP Melbourne (Australia)
Session Host: Daniel Ting
Input Validation and Output Encoding Fallacies
Exploring application security problems and solutions around input validation and output encoding. Join us for a fireside chat with Eldar who will mostly be debating bad security advice (input validation) and insecure programming interfaces for output encoding and patterns that still sadly require input validation due to their lack of built-in safety within their handling mechanisms.
Eldar Marcussen is a lead security researcher and penetration tester working for Seek Australia. He is a long-time bug hunter with a large number of published advisories, exploits and conference presentations at leading security conferences all over the world. He was a recipient of the first CVE 10K candidate numbers.
In addition to finding vulnerabilities, he contributes to and maintains several open-source projects in his spare time aimed at web application security and penetration testing. These include graudit, doona, lbmap, dotdotpwn, nikto and more. His tools and research are featured in most security-oriented Linux distros as well as many industry-leading books.
Hour 17 - Hosted by OWASP Bangalore (India)
Session Host: Vandana Verma Sehgal, OWASP Global Board of Directors
Continuous Auditing with Compliance as Code
Mohammed A. Imran
Very useful in today’s modern dev context, where quick turnarounds for features mean that a separate security cycle may not be feasible. Ensuring compliance is a step that goes hand in hand with security testing, especially for regulatory requirements. The audience will like this talk.
Visit his profile on LinkedIn: Mohammed A. Imran
Security Hardening of Popular Public Cloud Managed Services
The default configurations of popular managed services in public clouds like AWS, Azure and GCP may not be fine-tuned for best security. In this talk, I will walk through the essential steps required to make them robust yet retain their agility, without jumping through multiple hoops.
Visit his profile on LinkedIn: Runcy Oommen
Hour 17/18 - Hosted by OWASP Jakarta (Indonesia)
Session Host: TBC
OWASP Risk Assessment Framework
The OWASP Risk Assessment Framework consists of Static Application Security Testing and Risk Assessment tools. There are many SAST tools available for testers, but the compatibility and the environment setup process is complex. By using OWASP Risk Assessment Framework’s Static Application Security Testing tool, testers will be able to analyze and review their code quality and vulnerabilities without any additional setup. OWASP Risk Assessment Framework can be integrated into the DevSecOps tool chain to help developers to write and produce secure code.
Hour 18 - Hosted by OWASP Kerala (India)
Session Host: Rejah Rahim
OSINT Gathering and Analysis
Manieendar Mohan and Anees Muhammed
This talk will begin with a beginner-level introduction to Open-Source Intelligence (OSINT), and will proceed to cover the following topics:
- History of OSINT
- Foundations of OSINT
- Social Media Data Harvesting
- Business and Network Data Harvesting
- Tools and Frameworks
Manieendar Mohan is a Cyber Security Engineer. Visit his profile on LinkedIn: Manieendar Mohan.
Anees Muhammed - No biography submitted
Hour 19 - Hosted by OWASP Nagpur
Session Host: Tushar Kulkarni, Chapter Leader
Cuffing Web APIs Offensively
I like to think of APIs as my arms, a tool to interact with the world. But in the case of APIs, they should always be cuffed: they must shake hands only with the people who have access to your personal space, and they must never drop things to be picked up by someone else.
In this talk, we will be discussing how to achieve all this and more.
Chaitanya Deshpande is a Full-Stack Developer at Tata Consultancy Services.
Fortifying Ruby On Rails Web Application Framework Security
A short but very comprehensive introduction to the Ruby On Rails web framework’s security, including very common exploits against the RoR framework.
Key points that will be covered:
- Securing the RoR framework
- Common Exploits against the RoR framework
- Some CVEs
Sahil Tembhare is currently a student. Visit his profile on LinkedIn.
Hour 20 - Hosted by OWASP Meerut (India)
Session Host: Hanut Arora, Chapter Leader
Real Privacy Protection in the COVID-19 Era
At the time of this pandemic, cyber scams are scaling like never before. In this talk we will go back to ground level and try to understand what the core scams and privacy attacks are, and how we can mitigate them to stay safe online.
Visit his profile on LinkedIn: Rahul Tyagi
Introduction to Exploit Development
In this talk, we will cover the basics of Exploit Development and answer the following two questions:
- Why do we need to do Exploit development?
- What actually is Exploit development?
And, finally, we will burst all the myths about Exploit Development.
Visit his profile on LinkedIn: Sanjeev Multani
Hour 21 - Hosted by OWASP Israel
Session Hosts: Shira Shamban and Ori Troyna
How SameSite Cookies Are Making the World a Safer Place
Are you familiar with cross-site request forgery (CSRF) attacks?
Do you know how to protect against them? Is the ‘Synchronizer Token’ Pattern still relevant?
There is a much better approach based on SameSite Cookies.
Come learn about:
- SameSite Cookies
- The supported settings
- How to protect against CSRF attacks
- Best practices
The presentation includes a live demo.
Michael Furman has over 13 years of experience with application security. Michael has been the Lead Security Architect at Tufin for over six years. He is responsible for the security of all Tufin software products and has spoken at various security and developer conferences. Tufin has over 2000 customers, including more than half of the Fortune 50 organizations.
Vulnerable Dependencies: It’s Not About Discovery
Omer Levi Hevroni
We are all already familiar with the risk of vulnerable dependencies. We’ve all heard at least one talk about why it is an issue, and have likely seen at least one demo of hacking using a vulnerable dependency.
This talk is going to be different. Instead of focusing on tools, or rehashing the issue, this talk will focus on how to actually mitigate these vulnerable dependencies. There are many tools out there for finding them. But this is just the first step.
The real question is: How do we start remediating these vulnerabilities once we find them? How do we get developers and product managers to care about them and prioritize fixing them? Should we fix all of them? How can we automate this process?
Join me to hear about some of the pains I had over the last few years while trying to answer some of these questions. I’ll share some of the things that worked for me, and hopefully may be applicable for you as well. This talk will be vendor-neutral as it will focus more on culture and processes - instead of specific tooling.
Omer Levi Hevroni: I have been coding since 4th grade, when my dad taught me BASIC and I got hooked. From that point, I learned to code in many programming languages (today my favorite is C#). Today I’m working at Snyk, and coding is a huge part of my day job.
My passion for AppSec started by accident when I was offered the role of security champion. The AppSec journey was (and still is) fascinating, and taught me a lot. OWASP helped me a lot during this journey; this is why I decided to become a paying member and am also leading the OWASP Glue Project.
My current job is DevSecOps - helping the entire team to produce more secure software. Besides my job, I’m also giving a lot of talks all over the world, and I am a heavy OSS contributor - mainly to Kamus, a secret encryption solution for the Kubernetes platform.
When not working, I’m enjoying the company of my two beloved kids.
Hour 22 - Hosted by OWASP Kyiv (Ukraine)
Session Host: Vlad Styran, Chapter Leader
Use Cryptography; Don’t Learn It
We’ll talk about “boring crypto”: why developers shouldn’t spend time learning all the details of crypto-algorithms (or invent new ones). How to avoid typical crypto-mistakes when all you need is to protect data at rest or in motion. There are enough ready-to-use cryptographic libraries and tools for everyone.
This talk was first presented at OWASP Kyiv Winter 2017. Still relevant.
Anastasiia Voitova is Head of Customer Solutions at Cossack Labs. She is a software engineer with a wide background, now specialising in software security engineering. She is focused on cryptography/applied security and the architecture of secure yet usable systems. Anastasiia maintains the open-source cryptographic library Themis, conducts secure software development training, speaks at international conferences, and co-organises cyber-security events. Twitter: @vixentael
Vlad Styran - Chapter Leader, OWASP Kyiv
This is a small recap of a Cybersecurity Economics 101 course I took on edX. It was a huge surprise to me, a “seasoned” professional with more than 15 years of experience, to discover the economic concepts behind the security market. Security spending and investment are literally sunk costs. We spend money and the best Return on Investment that we could get is…nothing happens. In these circumstances, it is crucial to know how to correctly plan and control the amount of effort we put into security. Because whether we’ve overspent or underspent, we would hurt the business in either case.
Vlad Styran is Cofounder at Berezha Security, and Chapter Leader at OWASP Kyiv. Relevant credentials include: CISSP, CISA, and OSCP.
Hour 23 - Hosted by OWASP Cambridge (UK)
Session Host: Adrian Winckles, Chapter Leader
OWASP Application Security Curriculum Project
Adrian Winckles - Project Leader
Part of OWASP’s main purpose is to “Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.” A key part of that mission is to educate not just the current generation of developers or information security professionals, but also the next generation, particularly in the context of the acknowledged skills shortage in the security sector.
A common problem with many security education programmes (whether cyber or InfoSec) or even traditional computer science programmes is that they do not address application security adequately, if at all. In some regions, attempts have been made to address this deficit.
In the UK for example, (ISC)2 and the BCS are working on an initiative to embed security firmly within the Computer Science curriculum, with an emphasis on secure coding techniques. OWASP, through my involvement, also champions this initiative.
There is an opportunity for OWASP to pull together its wide-ranging expertise, projects, and dedicated volunteers to engage in these types of education programmes and initiatives by developing an educational strategy for undergraduate and postgraduate students. This could take the form of an open “Standard” curriculum template which can be adopted and adapted by diverse educational partners and organisations. Such a template would also give a useful starting point or reference document for when we engage with other professional bodies.
Adrian Winckles is Director for the Cyber Security, Networking & Big Data Research Group and Security Researcher at Anglia Ruskin University. He is OWASP Cambridge Chapter Leader, OWASP Europe Board Member and is involved in rebooting the Cambridge Cluster of the UK Cyber Security Forum. His security research programs include (in)security of software-defined networks/everything (SDN/Sdx), novel network botnet detection techniques within cloud and virtual environments, distributed honeypots for threat intelligence, advanced educational techniques for teaching cybercrime investigation, and virtual digital crimescene/incident simulation. He has successfully completed a contribution to the European FP7 English Centre of Excellence for Cybercrime training, research and education (ECENTRE). He is Chair of the BCS Cyber Forensics Special Interest Group. Adrian is also CTO for Botprobe, an intelligent threat data capture start-up.
OWASP SecureFlag Community Edition
Andrea Scaduto - Project Leader
The OWASP SecureFlag Community Edition is an open-source training platform created for developers to learn and practice modern secure coding techniques through hands-on exercises.
Developers manually find and exploit vulnerabilities in, and then remediate, the code of vulnerable applications running in disposable development environments accessed via a web browser. The platform offers 100% hands-on training, with no multiple-choice questions involved. The platform helps develop secure coding skills through real-world challenges, to ensure that knowledge acquired during the course can be confidently and continuously applied in the real world.
This short talk will focus on showing how SecureFlag can be used to tailor internal security learning paths for devs/devops, including the basics about the SDK and the Exercise Hub.
Andrea Scaduto is a Senior IT Security Professional with an MSc in Computer Engineering, several IT Security certifications and a solid IT & cybersecurity background backed by 10 years of experience in the industry.
He enjoys breaking, building and securing web, mobile and cloud applications, and he has an extensive knowledge of secure coding techniques with a focus on reducing the cost of fixing vulnerabilities at scale.
He co-founded and built SecureFlag, an Application Security training platform for developers to learn and practice modern secure coding techniques through 100% hands-on exercises. SecureFlag offers an innovative concept for Application Security training to help our customers improve their development teams’ AppSec knowledge, keep their skills up-to-date, and help them to protect their most valuable products.
Hour 24 - Hosted by OWASP London (UK)
Session Host: Sam Stepanyan, Chapter Leader
Introducing the OWASP Nettacker Project
Sam Stepanyan - Chapter Leader, OWASP London
The OWASP Nettacker project was created to automate information gathering and vulnerability scanning, and in general to aid penetration testing engagements. Nettacker is able to run various scans using a variety of methods and to generate scan reports for applications and networks, covering services, bugs, vulnerabilities, misconfigurations, default credentials and many other findings. This talk will showcase the OWASP Nettacker project, giving an overview of its features including a live demo of the tool.
Sam Stepanyan is an OWASP London Chapter Leader and an Independent Application Security Consultant with over 20 years of experience in the IT industry and a background in software engineering and web application development. Sam has worked for various financial services institutions in the City of London, specialising in Application Security consulting, Secure Software Development Lifecycle (SDLC), developer training, source code reviews and vulnerability management. He is also a Subject Matter Expert in Web Application Firewalls (WAF) and SIEM systems. Sam holds a Master’s degree in Software Engineering and a CISSP certification.
Gamification of Threat Modelling
Grant Ongers - OWASP Global Board of Directors
Helping your teams perform all-important threat modelling in a way that doesn’t require a huge security team, or prevent delivery from happening at the speed the business requires. We do this as part of normal agile delivery through backlog scrubbing, using gamification and OWASP Cornucopia.
Grant Ongers is co-founder of the bearded trio called Secure Delivery. The philosophy and purpose of the organisation is in the name: optimal delivery and security in one dynamic package.
Grant’s versatile experience in information systems spans Dev - building management platforms for some of the world’s largest Telcos, MSPs and Financial groups for more than 10 years. Twenty-plus years in Ops, doing everything from running operational teams in global NOCs to managing mainframe and database systems. He also has over thirty years pushing the limits of (Info)Sec - mostly white-hat. He’s done time on both sides of the TPSA (security assessment) table working for and with regulated organisations ensuring compliance and matching appetite with acceptance of risk.
Grant’s community involvement is global: Staff at BSides (London, Las Vegas, and Cape Town), Goon at DEF CON (USA) for nearly ten years and DC2721 co-founder, staff at BlackHat (USA and EU), and OWASP Global Board member. Twitter: @rewtd