THE MUST ATTEND EVENT FOR CYBERSECURITY PROFESSIONALS
Breakout: Project Track
Thursday, September 26
 

10:30am PDT

OWASP Mobile Application Security (MAS)
Thursday September 26, 2024 10:30am - 11:00am PDT
In this talk, Carlos Holguera and Sven Schleier, the OWASP Mobile Application Security (MAS) Project Leaders, will take a hands-on look at some of the latest OWASP MAS developments, in particular the new MASWE (Mobile Application Security Weakness Enumeration). This talk will introduce the concepts of "weaknesses", "atomic tests" and "demos" that are the basis of the upcoming MASTG v2. Attendees will gain practical knowledge through detailed examples that show the journey from definition to implementation using both static and dynamic analysis techniques available in MASTG. In addition, discover the newly developed MAS test apps designed to streamline research and improve the development of robust MAS tests. Don't miss this opportunity to improve your mobile app security skills and make your apps hack-proof. Whether you're looking to bolster your defenses or learn how to uncover vulnerabilities, this session will provide you with the cutting-edge resources you need to stay ahead in mobile security!
Speakers
Sven Schleier

Principal Security Consultant, Crayon
Sven lives in Austria and is a Principal Security Consultant at Crayon, specialising in Cloud Security. He has extensive experience in offensive security engagements like Penetration Testing and Application Security by supporting and guiding software development projects for Mobile...
Carlos Holguera

Principal Mobile Security Research Engineer, NowSecure
Carlos is a Principal Mobile Security Research Engineer at NowSecure and leads the OWASP Mobile Application Security (MAS) project at OWASP. He has many years of hands-on experience in security testing for mobile apps and embedded systems such as automotive ECUs and IoT devices. He...
Room: Bayview A (Bay Level)
  Breakout: Project Track

11:00am PDT

OWASP DevSecOps Maturity Model (DSOMM)
Thursday September 26, 2024 11:00am - 11:30am PDT
Achieving an Application Security Program with DSOMM

In this talk, Timo Pagel outlines a practical approach to building and optimizing application security (AppSec) programs for organizations of all sizes. While briefly touching on foundational elements, Timo's presentation focuses on developing and implementing a custom organizational maturity model based on DSOMM that resonates with development and operations teams.

Moving beyond traditional frameworks, Timo will teach attendees to get the most out of DSOMM by designing tailored models that account for diverse operating environments. The talk provides strategies for avoiding common pitfalls, implementing effective metrics, and creating a scalable AppSec approach adaptable to an organization's evolving needs. Through actionable advice and real-world examples, Timo will offer participants insights applicable to both new and existing AppSec programs.
Speakers
Timo Pagel

Timo Pagel has been in the IT industry for over twenty-five years. After a career as a system administrator and web developer, he advises customers as a DevSecOps architect and trainer. His focus is on integrating security into the development lifecycle. For example with security...
Room: Bayview A (Bay Level)

11:30am PDT

OWASP Top 10 Risks for Open Source Software
Thursday September 26, 2024 11:30am - 12:00pm PDT
Speakers
George Apostolopoulos

Endor Labs
George Apostolopoulos is a computer science professional with over two decades of experience, specializing in the intersections of cybersecurity and machine learning. Currently, he is a member of the technical staff at Endor Labs, focusing on analytics and applications of AI to software...
Room: Bayview A (Bay Level)

1:45pm PDT

OWASP Coraza
Thursday September 26, 2024 1:45pm - 2:15pm PDT
This talk will provide a comprehensive introduction to Coraza, its use cases, how to implement it, and operationalise it generally.

In recent years, we have been involved in several significant discussions, including:
- Why not Core Ruleset WAF?
- Evaluating the effectiveness of signature-based rules in protecting against zero-day vulnerabilities.
- Considering the applicability of Machine Learning in the realm of security.
- How can ModSecurity and Coraza live together?

This presentation will examine each of these areas in depth. It will also cover the latest benchmarks and metrics and investigate future improvements, such as the possibility of a new rule language, support for multi-threading regex, and dynamic rule execution based on payload type.
Speakers
Juan Pablo Tosso

Security Research Engineer, Traceable AI
I reside in Galicia and have two amazing children. I work as a solutions architect at Traceable, focusing on security. I also contribute to open-source projects. In my free time, I enjoy playing golf, going to the gym, cycling, and playing Magic: The Gathering. I have 12 years of...
Room: Bayview A (Bay Level)

2:15pm PDT

OWASP Nightingale Docker for Pentesters
Thursday September 26, 2024 2:15pm - 2:45pm PDT
In today's technological era, Docker is the most powerful technology in each and every domain, whether it is development, cyber security, DevOps, automation, or infrastructure. Considering the demand of the industry, I would like to introduce my idea to create NIGHTINGALE: a Docker image for pentesters. This Docker image is a ready-to-use environment with the required tools that are needed at the time of pentesting on any of the scopes, whether it is web application penetration testing, network penetration testing, mobile, API, OSINT, or forensics. Also, it is completely platform-independent, so you can run Nightingale on every operating system as you wish, and it supports the Debian operating system.




Speakers
Raja Nagori

Information Security Consultant, TAC Security
Raja Nagori is working as Senior Information Security Engineer: IT Security Analyst II at FIS Global and Cyber Crime Intervention Officer from ISAC (Information and Security Analysis Center) with NSD (National Security Database). He has expertise in Application Security, Penetration...
Room: Bayview A (Bay Level)

2:45pm PDT

OWASP Software Assurance Maturity Model (SAMM)
Thursday September 26, 2024 2:45pm - 3:15pm PDT
OWASP Software Assurance Maturity Model (SAMM) Interactive Introduction and Update
Join project core members Aram and Sebastien for an engaging and interactive introduction and update on the OWASP Software Assurance Maturity Model (SAMM).

We will begin with a concise overview of SAMM's purpose and application in jumpstarting and accelerating your software assurance roadmap. This session will provide valuable insights and practical knowledge on leveraging SAMM effectively.

Tools and Assessment Guidance: Discover the range of SAMM tools available to support your software assurance efforts. We will explain the latest assessment guidance, providing you with the knowledge to utilize these tools to their fullest potential.

Mapping to Other Frameworks: Learn how SAMM can be mapped to other frameworks, such as the NIST Secure Software Development Framework (SSDF). This will enable you to leverage SAMM for demonstrating compliance and enhancing your software security posture.

Benchmark yourself against peers: The OWASP SAMM Benchmark enables organizations to anonymously compare their software security practices against industry peers, providing insights to identify improvement areas, prioritize security efforts, and track progress over time.
Speakers
Aram Hovsepyan

Founder and CEO, Codific
Aram is the founder and CEO of Codific - a Flemish cybersecurity product firm. With over 15 years of experience, he has a proven track record in building complex software systems by explicitly focusing on software security. Codific’s flagship product, Videolab, is a secure multimedia...
Sebastien Deleersnyder

CTO and Co-Founder / COO, Toreon / Data Protection Institute
Sebastien Deleersnyder (Seba) is the CTO, co-founder of Toreon and COO of Data Protection Institute. With a strong background in development and extensive experience in cybersecurity, Seba has trained numerous developers on how to create more secure software. He is also the founder...
Room: Bayview A (Bay Level)
 