OWASP 2024 Global AppSec San Francisco

"Red, blue, and purple AI" reverse-engineers the cybersecurity responsibilities of practitioners and modern security programs. It aims to augment these practitioners with practical and useful AI tools. This talk isn't about the future state of AI and ML; it's about taking home concrete strategies and prompts to empower your security team. We will break down these strategies into helpers for red teams, blue teams, and purple teams. Jason will also provide overviews on how to create your own best-in-class prompts based on his experience with OpenAI's ChatGPT-4 and having a top 500 GPT in the GPT store. Expect a wide variety of topics that will not only give you superpowers but also inspire you to augment other parts of your job

Internet of Things (IoT) has revolutionized the way we interact with our environments, connecting billions of devices to enhance efficiency, convenience, and automation in various sectors such as healthcare, transportation, and smart homes. However, the proliferation of interconnected devices also introduces significant security challenges. IoT devices, often designed with limited computing resources, may lack robust security features, making them vulnerable to cyber-attacks. As IoT continues to expand, discovering and addressing its security vulnerabilities becomes paramount to safeguarding personal privacy and ensuring the resilience of interconnected infrastructures. This project showcase will introduce and demonstrate current capabilities of the OWASP IoT Security Testing Guide (ISTG) project released earlier this year. The ISTG comprises a comprehensive methodology for penetration tests in the IoT field, offering flexibility to adapt innovations, and developments in the IoT market while still ensuring comparability of test results. While the guide is mainly intended to be used by penetration testers, its resources may aid manufacturers and operators of IoT devices to proactively improve the security of their devices.

When a web application needs to safely render the user’s input as HTML, e.g., to enable rich text formatting, sanitization would be the solution. Generally speaking, sanitizing user input should be done on the server side, right? Well, this is not so obvious for XSS mitigation. While sanitizing on the client side sounds counterintuitive at first, in this talk, we will explain not only why it makes sense for HTML but also why it is important to do so. This talk showcases common pitfalls of sanitizing HTML server-side and dives into multiple interesting real-world vulnerabilities.

By participating in this panel, attendees will gain an understanding of the crucial role of OWASP AI Exchange in securing AI technologies and how they can contribute to and benefit from this vital initiative. 

In this presentation, we will explore an innovative approach to improve the security of containerized applications using behavior analysis during continuous integration testing and generating native policies based on behavior. By leveraging behavioral analysis, we can replace tedious manual policy definitions which take long to define and can break easily. We will also discuss the importance of native policies, which allow us to enforce security policies directly within container orchestration tools like Kubernetes without relying on third-party tools.


We will focus on policies like seccomp profiles, network policies, AppArmor, and security context. We will cover hands-on practices for implementing this approach, including how to do behavioral analysis using eBPF-based tools, how to integrate this analysis into CI testing, and how to use native policies to enforce security policies.


By the end of this presentation, attendees will have a deeper understanding of how to leverage innovative approaches to security in Kubernetes clusters (and in containerized orchestration in general), and how to use behavioral analysis and native policies to protect their environments against the multiple threats.

As engineers, our goal is to deliver new features to the product, bringing clear value to customers. All of our KPIs and tools are built around facilitating exactly this; how to write quality code while increasing our delivery velocity. Security doesn’t naturally fit into what we do on a daily basis. Or does it?


When we’re breached, everyone cares, from the CEO all the way down to the development teams, and it’s clear that we need to adopt security and AppSec measures to safeguard our software in the future, but it’s unrealistic to expect developers to easily work within AppSec and CyberSecurity tools or to sacrifice development velocity to increase the security posture.


This talk will lay out a framework for AppSec and security leaders to communicate and facilitate security adoption by engineering teams and more importantly, emphasize ways to build security best practices into the development process holistically. 


A bit of what I’ll cover:

1. Translating security to development - 

• Going from a vulnerability bug list to ownership of the harmful vulnerabilities in their code can do.
• Tying together engineering and security KPIs.
• Stakeholder cooperation between SecOps, engineering, and product.

2. Best practices to integrate security tests from phase one.

3. Doing all this while balancing development velocity.

OWASP dep-scan v6: The S in SCA is not an SBOM

The principle behind Software Composition Analysis (SCA) has remained the same for over a decade. It involves a single Software Bill-of-Materials (SBOM) document and a vulnerability database to identify potential vulnerabilities and advisories that might affect the given application or service. Such a technique of scanning an application with limited context creates both false positives and false negatives, a problem that is well-understood. Solving these inherent weaknesses requires some bold ideas. For OWASP dep-scan v6, we are revisiting every single word in the SCA acronym, to rethink SCA as we know it. In this mini session, we discuss the thinking behind the v6 release and offer insights into our technology and development efforts.

OWASP Nettacker project (a portmanteau of "Network Attacker") is a relatively new yet an awesome and powerful "swiss-army-knife" automated penetration testing framework fully written in Python. Nettacker recently gained a lot of interest from the European and Asian penetration testing communities and was even included in the specialist Linux distribution for penetration testers and security researchers. Nettacker is able to run various scans using a variety of methods and generate scan reports for applications and networks, including services, bugs, vulnerabilities, misconfigurations, default credentials and many other cool features - for example an ability to chain different scan methods. This talk will feature a live demo and several practical usage examples of how organisations can benefit from this OWASP project for automated security testing

Despite defense in depth bounty hunters continue to bypass security measures. We will chronicle curated submissions from our bug bounty program. 


This talk covers bugs that span across application security and infrastructure security domain. Folks from Detection and response will find this especially useful to help further strengthen their D&R capabilities. Frankly we recommend this to all security practitioners (red\blue and purple team)  since we will share real world bugs reported to our program and how we applied the learnings to elevate our security program.


Expect to hear root cause analysis, technical details, and mitigations. You will take away practical strategies to elevate your own security program. 

TLS Certificates are re-using private keys by the millions. We'll demonstrate that key re-use in TLS certificates is systemic and undermines one of the foundational protections offered in modern web security


We looked at 7 billion certs logged in Certificate Transparency and found millions of certs re-using private keys. We identified orgs like Verizon that re-used the same key for 10 years, despite revoking it in the first year! We found cases of organizations continuing to re-use the same private key to issue new certs, despite having had that key compromised. Picture a short lived cert that only lasts 90 days, but the same key is re-used on all future certs for a decade 

We also analyzed SSH key re-use for authentication to GitHub. We looked at 58 million GitHub user’s keys and found >100k SSH keys re-used between multiple GitHub account


We’ll show the extent of private key reuse, show re-use of keys from revoked certificates, and open-source a tool to identify certs that reuse private keys. We'll provide examples of common cert generation frameworks that repeatedly use the same key, despite the security risks


Keys are even sometimes used for TLS certs and repurposed as SSH keys on GitHub 

This talk dives deep into a world of systemic private encryption key re-use, the dangers, and current threats it poses

The frequency of Software Supply Chain attacks has been increasing over the last several years. This is, in part, due to the fact that the term “Software Supply Chain Attack” actually refers to a set of attacks that include: Repo Jacking, Repo Poisoning, Typo Squatting, and Dependency Confusion. Threat actors, such as Nation states, select high value targets that can be extremely disruptive. They weaponize the software supply chain against their enemies (real or perceived) to wreak physical infrastructure damage or engage in commercial and governmental espionage. Attackers who are motivated by money have been able to demand huge ransoms, which would have been impractical in the past but have been made easy by cryptocurrencies. Frequently, they seek soft targets. Hospitals, municipalities and schools can be notoriously lax in their software security efforts. Often, they lack the capital and expertise to enable a successful defense against ransomware gangs. 


Governments and the private sector are investing in defensive measures. Europe has responded with the Cyber Resilience Act. The US has mandated SBOMs as a countermeasure against supply chain attacks. If you know what is in your code then such an attack is unlikely. Right? Not exactly. In the commercial sector, a huge software security industry has arisen. In 2023 it was estimated to be valued at approximately 172 billion USD and it is a growing market. Yet this has not resulted in a diminishing threat.


In this presentation, I am going to describe practical strategies for improving your organization’s ability to defend against software supply chain attacks.

Ever felt ignored when raising security concerns? So did we until we changed the game. This is the story of how a small team can drive change by wielding data-driven insights.

This talk delves into our journey of influencing our entire organization through threat modeling. From adopting a framework to managing threat intelligence, we’ll share the lessons learned and the solutions we found to common challenges.

As a small team, it is not realistic to cover everything by ourselves. We need to focus our energy on high value, high return activities and play the influence game. It was not an easy task, but we managed to do it.

Throughout the presentation, we’ll do an overview of our organization’s size and structure, where our team fits in to give some context and how all of this affects decision-making. We’ll explore the three key strategies we implemented to efficiently work toward our goal, namely:

• adopting a common language for threat modeling across the organization,
• embedding threat modeling into everyday operations according to the needs of each team, and
• managing threat intelligence smoothly in an automated manner.

At the end of this talk, you will leave with actionable insights on what could be your next step and a newfound confidence in your abilities to drive change in your organization.

Why OWASP Serverless Top Ten is Crucial for the Industry 

Unique Security Challenges
- Serverless computing introduces distinct security risks, such as misconfigured permissions, insecure third-party integrations, and event injection vulnerabilities.

Rapid Adoption Without Security Awareness
- OWASP Serverless Top Ten helps close the knowledge gap, providing clear guidelines on common threats. Guidance for Developers and Security Teams
- The Top Ten is a comprehensive, practical resource for developers and security teams to understand better and mitigate serverless applications' most critical security vulnerabilities.

Industry-Standard Reference 
- Provides a unified, industry-recognized reference, ensuring organizations and developers follow best practices in securing serverless architectures.

Adaptability to Cloud-Native Ecosystems 
- OWASP Serverless Top Ten addresses security in these increasingly complex environments.

Future-Proofing Security for Next-Generation Applications
- As serverless computing continues to evolve with AI, IoT, and edge computing, the Serverless Top Ten ensures that the industry remains proactive about emerging threats, not reactive.