Thursday, September 26

10:30am PDT

OWASP Mobile Application Security (MAS)
Thursday September 26, 2024 10:30am - 11:00am PDT
In this talk, Carlos Holguera and Sven Schleier, the OWASP Mobile Application Security (MAS) Project Leaders, will take a hands-on look at some of the latest OWASP MAS developments, in particular the new MASWE (Mobile Application Security Weakness Enumeration). This talk will introduce the concepts of "weaknesses", "atomic tests" and "demos" that are the basis of the upcoming MASTG v2. Attendees will gain practical knowledge through detailed examples that show the journey from definition to implementation using both static and dynamic analysis techniques available in MASTG. In addition, discover the newly developed MAS test apps designed to streamline research and improve the development of robust MAS tests. Don't miss this opportunity to improve your mobile app security skills and make your apps hack-proof. Whether you're looking to bolster your defenses or learn how to uncover vulnerabilities, this session will provide you with the cutting-edge resources you need to stay ahead in mobile security!
Speakers
Sven Schleier
Principal Security Consultant, Crayon
Sven is living in Austria and a Principal Security Consultant at Crayon, specialised in Cloud Security. He has extensive experience in offensive security engagements like Penetration Testing and Application Security by supporting and guiding software development projects for Mobile...
Carlos Holguera
Principal Mobile Security Research Engineer, NowSecure
Carlos is a Principal Mobile Security Research Engineer at NowSecure and leads the OWASP Mobile Application Security (MAS) project at OWASP. He has many years of hands-on experience in security testing for mobile apps and embedded systems such as automotive ECUs and IoT devices. He...
Thursday September 26, 2024 10:30am - 11:00am PDT
Room: Bayview A (Bay Level)
Breakout: Project Track

10:30am PDT

Striding Your Way to LINDDUN: Threat Modeling for Privacy
Thursday September 26, 2024 10:30am - 11:15am PDT
The safeguarding of personal data in modern digital systems can no longer be an afterthought. It must be a consideration from the beginning. It is imperative that the preservation of privacy be a principal objective, and privacy safeguards must be by design.


LINDDUN, an acronym for Linking, Identifying, Non-repudiation, Detecting, Data Disclosure, Unawareness, and Non-compliance, encapsulates the core privacy threats that are prevalent in modern software systems. The LINDDUN privacy threat modeling framework supports privacy engineering by providing a structured approach to identifying, analyzing and mitigating threats to privacy in software systems, enabling the inclusion of privacy safeguards as an inherent part of software design and architecture.


In this presentation we will illustrate how adopting LINDDUN can uncover privacy risks and enable privacy by design. We will navigate through the threat modeling process, applying the LINDDUN framework to a fictional application to demonstrate how LINDDUN serves as a critical tool in identifying and analyzing privacy risks. Whether you’re a seasoned professional or new to the field, this presentation will equip you with the foundational knowledge to effectively implement privacy threat modeling with LINDDUN and elevate your privacy engineering efforts to new heights.

Speakers
Shanni Prutchi
Professional Advisory Services Consultant, CrowdStrike
Shanni Prutchi is an information security consultant specializing in incident response preparedness and application security. She currently delivers incident response tabletop exercises and cybersecurity maturity assessment at CrowdStrike, and previously focused on threat modeling...
Chris Bush
Application Security Architect, TEKsystems
Chris has extensive experience in IT and information security consulting and solutions delivery, with expertise in application security, including performing secure code review, web and mobile application penetration testing, architecture reviews and threat modeling. He has been a...
Thursday September 26, 2024 10:30am - 11:15am PDT
Room: Seacliff AB

10:30am PDT

5 Steps to VEX Success: Managing the End-to-End Workflow
Thursday September 26, 2024 10:30am - 11:15am PDT
If you work in vulnerability management, you’re probably familiar with the painful condition known as CVE overload. Each year, tens of thousands of new vulnerabilities are reported, and these potential risks overwhelm security teams tasked with confirming risks and remediating them. 


A proposed solution is VEX (Vulnerability Exploitability eXchange): a set of formats that communicates vulnerability impact status, whether a vulnerability is exploitable in its deployed context, and mitigation steps. In theory, VEX (when used alongside other prioritization inputs) makes it possible for downstream security teams to remediate more efficiently. But as with most security frameworks, efficacy depends on proper implementation.  


This talk will cover five steps to leveraging VEX throughout the vulnerability remediation lifecycle, from the time a vulnerability is disclosed to the time you publish and distribute a VEX statement. We’ll cover the tools and workflows security practitioners need to know to effectively use VEX in their organizations. 

Speakers
Cortez Frazier Jr
Principal Product Manager, FOSSA
Cortez Frazier Jr. is a Principal Product Manager at FOSSA. He leads development for the company’s SBOM (software bill of materials) and vulnerability management solutions. Before joining FOSSA, Cortez served as product lead for all of Puppet’s SaaS-based products, primarily within...
Thursday September 26, 2024 10:30am - 11:15am PDT
Room: Seacliff CD

11:00am PDT

OWASP DevSecOps Maturity Model (DSOMM)
Thursday September 26, 2024 11:00am - 11:30am PDT
Achieving an Application Security Program with DSOMM

In this talk, Timo Pagel outlines a practical approach to building and optimizing application security (AppSec) programs for organizations of all sizes. While briefly touching on foundational elements, Timo's presentation focuses on developing and implementing a custom organizational maturity model based on DSOMM that resonates with development and operations teams.

Moving beyond traditional frameworks, Timo will teach attendees how to get the most out of DSOMM by designing tailored models that account for diverse operating environments. The talk provides strategies for avoiding common pitfalls, implementing effective metrics, and creating a scalable AppSec approach adaptable to an organization's evolving needs. Through actionable advice and real-world examples, Timo will offer participants insights applicable to both new and existing AppSec programs.
Speakers
Timo Pagel
Timo Pagel has been in the IT industry for over twenty five years. After a career as a system administrator and web developer, he advises customers as a DevSecOps architect and trainer. His focus is on integrating security into the development lifecycle. For example with security...
Thursday September 26, 2024 11:00am - 11:30am PDT
Room: Bayview A (Bay Level)

11:30am PDT

GraphQL Exploitation: Secondary Context Attacks and Business Logic Vulnerabilities
Thursday September 26, 2024 11:30am - 12:15pm PDT
In this 45-minute, offensively focused presentation we dive into GraphQL secondary context attacks and business logic vulnerabilities exploited in real-world assessments. Secondary context attacks in particular can reach impactful API endpoints using GraphQL as the jumping-off point. The impact of these issues when exploited can be significant, including unauthorized access to data, the ability to modify other users' accounts, cross-tenancy failures, and SSRF.

This presentation is fresh material to this topic and does not rehash existing GraphQL exploitation discussions. If you are interested in GraphQL attacks, you should attend this talk.

Speakers
Willis Vandevanter
Senior Staff Security Researcher, Sprocket Security
With 14 years of experience in penetration testing, Will Vandevanter keeps coming back to his original obsession — hacking web apps. He has previously spoken at Blackhat, DEFCON, OWASP and a number of other conferences on web application security. He has also released popular...
Thursday September 26, 2024 11:30am - 12:15pm PDT
Room: Grand Ballroom

11:30am PDT

Under the Radar: How we found 0-days in the Build Pipeline of OSS Packages
Thursday September 26, 2024 11:30am - 12:15pm PDT
Beyond the buzzword of 'supply chain security' lies a critical, frequently ignored area: the build pipelines of Open Source packages. In this talk, we discuss how we’ve developed a large-scale data analysis infrastructure that targets these overlooked vulnerabilities in Open Source projects. Our efforts have led to the discovery of countless 0-days in critical OSS projects, such as AWS-managed Kubernetes Operators, Google OSS-Fuzz, Red Hat OS Build, hundreds of popular Terraform providers and modules, and popular GitHub Actions. We will present a detailed attack tree for GitHub Actions pipelines, offering a much deeper analysis than the prior art and outlining attacks and mitigations. In addition, we will present three Open Source projects that complement our research and provide actionable insights to Builders and Defenders: the 'Living Off the Pipeline' (LOTP) project, the 'poutine' build pipeline scanner and the 'messypoutine' CTF-style training.
Speakers
François Proulx
Senior Product Security Engineer, BoostSecurity
François is a Senior Product Security Engineer for BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for large corporations (such as Intel) and small startups he has been in the heat of the action as the DevSecOps...
Thursday September 26, 2024 11:30am - 12:15pm PDT
Room: Seacliff AB

1:15pm PDT

O My Data: OData Injection attack and other injections in Microsoft Power Platform and UiPath
Thursday September 26, 2024 1:15pm - 2:00pm PDT
This session presents a new attack technique called “OData Injection” that affects many API-based environments and in particular Microsoft Power Automate, part of the Microsoft Power Platform. The technique can be used by attackers to extract sensitive data and bypass access controls. Furthermore, we show that if you think that “No Code” = “No Vulnerabilities”, you are in for a BIG surprise. Not only are applications and automations written by citizen developers vulnerable to good ol’ injection attacks, but these can be exploited by external attackers. We prove our points using demos of the attacks and vulnerabilities that simulate our findings in the field.


Low Code / No Code (LCNC) Development and Robotic Process Automations (RPA, automations) is a rapidly growing trend within enterprises going through a digital transformation process. These tools and environments allow business users (called citizen developers), who are not software engineers, to quickly build enterprise applications, by just dragging and dropping objects within the platform’s UI. These applications typically automate their daily tasks and accelerate digital transformation within the organization - all this without writing a single line of code. Top platforms to support LCNC are Microsoft Power Platform and UiPath Cloud Automation.


It is widely believed by organizations that since no code is involved in the development process, it is safe to assume that the resulting applications are not vulnerable to traditional security issues. Think again! Our research, backed by analyzing tens of thousands of applications and flows in large enterprises, shows that automations and applications which are perceived as “internal applications” are in fact exposed to external attackers. For the first time at BlackHat, we will show how applications and automations built in the Microsoft Power Platform and UiPath Automation Cloud environments are also vulnerable to SQL Injection, OS Command Injection and more.



Speakers
Amichai Shulman
CTO and co-founder, Nokod Security
Amichai Shulman is the CTO and co-founder of Nokod Security. He is a cyber security researcher, entrepreneur and investor with more than 30 years of cyber security experience in military, government and commercial environments. He co-founded Imperva in 2002 and served as CTO for the...
Thursday September 26, 2024 1:15pm - 2:00pm PDT
Room: Grand Ballroom

1:15pm PDT

Don’t Make This Mistake: Painful Learnings of Applying AI in Security
Thursday September 26, 2024 1:15pm - 2:00pm PDT
Leveraging AI for AppSec presents promise and danger, as let’s face it, you cannot do everything with AI, especially when it comes to security. At our session, we’ll delve into the complexities of AI in the context of auto remediation. We’ll begin by examining our research, in which we used OpenAI to address code vulnerabilities. Despite ambitious goals, the results were underwhelming and revealed the risk of trusting AI with complex tasks. 


Our session features real-world examples and a live demo that exposes GenAI’s limitations in tackling code vulnerabilities. Our talk serves as a cautionary lesson against falling into the trap of using AI as a stand-alone solution to everything. We’ll explore the broader implications, communicating the risks of blind trust in AI without a nuanced understanding of its strengths and weaknesses.


In the second part of our session, we’ll explore a more reliable approach to leveraging GenAI for security relying on the RAG Framework. RAG stands for Retrieval-Augmented Generation. It's a methodology that enhances the capabilities of generative models by combining them with a retrieval component. This approach allows the model to dynamically fetch and utilize external knowledge or data during the generation process.

Attendees will leave with a clear understanding of how to responsibly and effectively deploy AI in their programs — and how to properly vet AI tools.

Speakers
Eitan Worcel
CEO & Co Founder, Mobb
Eitan Worcel is the co-founder and CEO of Mobb, the recent Black Hat StartUp Spotlight winner. He has over 15 years of experience in the application security field as a developer, product management leader, and now business leader. Throughout his career, Eitan has worked with numerous...
Thursday September 26, 2024 1:15pm - 2:00pm PDT
Room: Seacliff AB

1:15pm PDT

Businesses Run On Risk And Debt: Why Communicating Security Risk Is Hard
Thursday September 26, 2024 1:15pm - 2:00pm PDT
If you are working in cybersecurity, the world can feel very scary. Keeping up with the industry means reading the latest news about new threat actors, vulnerabilities, and massive breaches. When we find a new flaw in our environment with a CVSS of 10, we feel a real sense of urgency to fix it. But for some reason, all too often, it can be really hard to get executives and boards to listen to you. Don't they know what "Critical" means? 

Could it be that the executive team is speaking a different language?

Speakers
Dwayne McDaniel
Senior Developer Advocate, GitGuardian
Dwayne has been working as a Developer Advocate since 2016 and has been involved in tech communities since 2005. He loves sharing his knowledge, and he has done so by giving talks at over a hundred events worldwide. He has been fortunate enough to speak at institutions like MIT and...
Thursday September 26, 2024 1:15pm - 2:00pm PDT
Room: Bayview B (Bay Level)

2:15pm PDT

Self-Discovering API Key Permissions and Resources
Thursday September 26, 2024 2:15pm - 3:00pm PDT
You're a security analyst triaging a list of exposed credentials - how do you prioritize which key to rotate first? How do you even know what resources the key can access? Most SaaS providers make it difficult to enumerate the access granted to a particular credential without logging into their UI.


In this talk, we're releasing a new method (self-discovery) for enumerating the permissions and resources associated with API keys and other secrets, without requiring access to the provider's UI. We'll walk through the meticulous steps required to accurately assess different SaaS providers' permission and scopes, as well as share the logic behind how to validate key permissions, including string analysis, HTTP request brute forcing and more.


Finally, we'll demo a new open-source tool that automates the enumeration of API key permissions and accessible resources, without requiring access to the provider's UI.

Speakers
Joseph Leon
Security Researcher, Truffle Security
Joe Leon is a security researcher at Truffle Security where he works to identify new sources of leaked secrets and contributes to the open-source security community. Previously, Joe led application security assessments for an offensive security consulting firm. Joe has taught technical...
Dylan Ayrey
CEO, TruffleHog
Dylan is the original author of the open source version of TruffleHog, which he built after recognizing just how commonly credentials and other secrets were exposed in Git. Coming most recently from the Netflix security team, Dylan has spoken at a number of popular information security...
Thursday September 26, 2024 2:15pm - 3:00pm PDT
Room: Seacliff CD

2:15pm PDT

Who Hurt You? Earning the trust of developers
Thursday September 26, 2024 2:15pm - 3:00pm PDT
The security team plays a vital role in improving the security posture of an organization. However, it is equally important that the software developers contribute to securing all of the applications their organization creates and maintains. If there is an absence of trust and buy-in between security professionals and developers it can hinder progress, create vulnerabilities, and limit growth within organizations. In this thought-provoking talk, we look at the reasons behind a lack of trust and explore the importance of establishing buy-in and trust for success. We delve into why we cannot succeed without trust, effective strategies and tactics, and specific and actionable advice on what to do and what NOT to do. Together, let’s rebuild trust, mend grievances, and unlock our true potential for success by changing the way we run our AppSec programs.
Speakers
Tanya Janca
CEO and Founder, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning community that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty five years, won countless awards, and has been everywhere from public service to tech...
Thursday September 26, 2024 2:15pm - 3:00pm PDT
Room: Bayview B (Bay Level)

3:30pm PDT

Web Security Experts: Are you overlooking WebRTC vulnerabilities?
Thursday September 26, 2024 3:30pm - 4:15pm PDT
As the web evolves, so do the complexities of securing it. WebRTC (Web Real-Time Communication) is a powerful technology embedded in every modern web browser, enabling audio, video, and data sharing. While WebRTC offers tremendous advantages for real-time communication, it introduces a unique set of security challenges that many web and API security professionals may overlook.


This presentation aims to bridge the knowledge gap between traditional web/API security and the specialized realm of WebRTC. Designed for OWASP attendees ranging from novice to advanced practitioners, it will provide a comprehensive overview of WebRTC security concepts, common vulnerabilities, and practical testing methodologies.

Speakers
Sandro Gauci
CEO & Chief Mischief Officer, Enable Security GmbH
Sandro Gauci leads the operations and research at Enable Security. With a long history and extensive experience in cybersecurity dating back to 2000, Sandro has been at the forefront of hacking software and phone systems from a young age. He is the original developer of SIPVicious OSS, the SIP security testing toolset. His approach combines deep...
Thursday September 26, 2024 3:30pm - 4:15pm PDT
Room: Grand Ballroom