Friday, September 27
 

10:30am PDT

Sanitize Client-Side: Why Server-Side HTML Sanitization is Doomed to Fail
Friday September 27, 2024 10:30am - 11:15am PDT
When a web application needs to render user input as HTML, e.g. to enable rich-text formatting, sanitization is the usual answer. Generally speaking, user input should be sanitized on the server side, right? For XSS mitigation this is not so obvious. Sanitizing on the client side sounds counterintuitive at first, but in this talk we explain not only why it makes sense for HTML but also why it is important to do so. The talk showcases common pitfalls of sanitizing HTML server-side and dives into multiple interesting real-world vulnerabilities.
Speakers
Yaniv Nizry

Vulnerability Researcher, SonarSource
Yaniv Nizry (@YNizry) is a Vulnerability Researcher at Sonar, where he identifies and mitigates vulnerabilities in complex systems. He started out as a software engineer and shifted his focus while serving in the IDF's 8200 unit, where he gained experience...
Room: Grand Ballroom

10:30am PDT

How to get developers to want to adopt AppSec
Friday September 27, 2024 10:30am - 11:15am PDT
As engineers, our goal is to deliver new features to the product, bringing clear value to customers. All of our KPIs and tools are built around facilitating exactly this; how to write quality code while increasing our delivery velocity. Security doesn’t naturally fit into what we do on a daily basis. Or does it?


When we’re breached, everyone cares, from the CEO all the way down to the development teams, and it’s clear that we need to adopt security and AppSec measures to safeguard our software in the future. But it’s unrealistic to expect developers to work comfortably within AppSec and cybersecurity tools, or to sacrifice development velocity to improve the security posture.


This talk will lay out a framework for AppSec and security leaders to communicate and facilitate security adoption by engineering teams and, more importantly, to emphasize ways to build security best practices into the development process holistically.


A bit of what I’ll cover:

1. Translating security to development:
  • Going from a list of vulnerability bugs to developers owning the harm that vulnerabilities in their code can do.
  • Tying engineering and security KPIs together.
  • Stakeholder cooperation between SecOps, engineering, and product.
2. Best practices for integrating security tests from phase one.
3. Doing all this while preserving development velocity.

Speakers
Matan Rabi

Engineering Manager, Bright Security
Matan is an Engineering Manager at Bright Security. He manages the core research and development team, which is focused on creating the best DAST tool out there in terms of precision, recall, and vulnerability coverage, helping companies identify their actual runtime vulnerabilities. He...
Room: Bayview B (Bay Level)

1:15pm PDT

Hackuracy: Boosting AST accuracy through hacking
Friday September 27, 2024 1:15pm - 2:00pm PDT
How may a system's exposure to successful cyberattacks be detected more accurately? The short answer is that it is not possible with vulnerability scanning alone; expert manual evaluation by ethical hackers is also necessary.

While automated tools, thanks to their processing capacity and speed, have become indispensable for identifying potential vulnerabilities, they report high rates of false positives and false negatives, finding only 45% of systems' risk exposure. Tools cannot find vulnerabilities whose discovery requires an external user to come up with a complex, unexpected use of the application. This is where the expertise of ethical hackers comes into play.


In this talk, we will explain what accuracy in AppSec entails and specify three different measures that we used to assess the security testing accuracy of scanning alone and of scanning combined with hacking. We will characterize the insecure-by-design web application that was used as the target of evaluation (ToE), and then compare the performance of the different conditions both in reporting vulnerabilities and in reporting risk exposure (identified with a metric designed to accurately show the severity of vulnerabilities so that they can be prioritized for remediation).


We will present our research findings, which show that the combination of scanning and hacking dramatically outperformed every assessed tool's scanning in all three accuracy measures, both in identifying the number of vulnerabilities and in identifying the associated risk exposure. Specifically, the combined approach achieved accuracy scores ranging from 78.9% to 93.7% in detecting the number of vulnerabilities in the ToE, and from 94.3% to 98.5% in identifying its risk exposure. In contrast, the most accurate tool's scores ranged from 26.4% to 58.4% and from 8.5% to 27.0%, respectively. Notably, the overall performance of application security testing in our research was better for guaranteeing few false negatives in reports than for providing reports containing all legitimate vulnerabilities.


In summary, we will demonstrate that accurately detecting a system's risk exposure from its vulnerabilities requires more than automated security testing. It necessitates the involvement of expert hackers who can perform manual evaluations, understand the nuances of application logic and identify sophisticated security flaws. We will also discuss how the accuracy of vulnerability scanners can be enhanced. Ultimately, the goal is to equip developers, security professionals and organizations with the knowledge and tools needed to enhance the security of their applications and protect against threats.

Speakers
Andres Roldan

VP of Hacking, Fluid Attacks
Andres Roldan is Fluid Attacks’ VP of Hacking. He leads the company's research team and has identified and ethically disclosed 110 CVEs in open-source software. He has over 20 years of experience in cybersecurity, is a GIAC Advisory Board member, and holds 29 certifications in offensive... Read More →
Room: Grand Ballroom

2:15pm PDT

From Hype to Reality: The Broken State of DevSecOps and Its Maturity Model
Friday September 27, 2024 2:15pm - 3:00pm PDT
Despite the hype surrounding DevSecOps, the reality is starkly different: reported issues remain unresolved, SLAs are neglected, and the role of security champions is reduced to basic training sessions. 


This talk examines the shortcomings of the current DevSecOps maturity model and its failure to drive substantial improvements in security practices. We will discuss the cultural shifts needed to instill a security-first mindset, emphasizing the importance of guiding teams effectively. 


By empowering security champions with meaningful responsibilities and integrating advanced technologies for automated and proactive security measures, we can transform the theoretical promises of DevSecOps into a practical framework that genuinely addresses and fixes security vulnerabilities. 


Join us to explore actionable solutions and strategies for bridging the gap between DevSecOps hype and reality.

Speakers
Eitan Worcel

CEO & Co Founder, Mobb
Eitan Worcel is the co-founder and CEO of Mobb, the recent Black Hat StartUp Spotlight winner. He has over 15 years of experience in the application security field as a developer, product management leader, and now business leader. Throughout his career, Eitan has worked with numerous... Read More →
Dustin Lehr

Co-founder, Chief Product and Technology Officer, Katilyst
Before shifting into cybersecurity leadership, Dustin Lehr spent 13 years as a software engineer and application architect in a variety of industries, including retail, US DoD, and even video games. This background has helped him forge close partnerships with development teams, engineering... Read More →
Room: Bayview B

3:30pm PDT

Maturing Your Application Security Program with ASVS-Driven Development
Friday September 27, 2024 3:30pm - 4:15pm PDT
Application security requires a systematic and holistic approach, yet organizations typically struggle to create an effective application security (AppSec) program and often end up in the rabbit hole of fixing tool-reported findings. We believe that leveraging ASVS as a security requirements framework, and as a guide to unit and integration testing, is among the highest-value security practices. By turning security requirements into “just requirements”, organizations enable a common language shared by all stakeholders involved in the SDLC.

In this talk, we present the case for ASVS-driven development. Firstly, we analyzed the complete ASVS to determine how much of it could be transformed into security test cases. Our analysis indicates that 162 ASVS requirements (58%) can be automatically verified using unit, integration and acceptance tests. Secondly, we designed an empirical study in which we added 98 ASVS requirements to the sprint planning of a relatively large web application. We implemented unit and integration tests for 90 ASVS requirements in 10 man-days; these tests are now part of the security regression test suites.

Our study demonstrates that leveraging ASVS for deriving security test cases can create a common theme across all stages of the software development lifecycle making security everyone’s responsibility.
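As an added illustration of the approach the abstract describes (turning ASVS requirements into regression tests), the following Python module encodes the password rules of OWASP ASVS 4.0.3 section V2.1 as a validator whose every rejection names the requirement it enforces, so a failing test points straight at the requirement the code no longer meets. This is example code, not the speakers' study code or Codific's product; the requirement IDs are quoted from ASVS 4.0.3 as understood by the editor, the breached-password set is a constructed stand-in for a real corpus, and the function names are hypothetical.

```python
"""Password policy derived from OWASP ASVS 4.0.3, section V2.1 (Password Security).

Each rule carries the ASVS requirement ID it implements so that the regression
suite can be read as a checklist of verified requirements.
"""
import re
import unicodedata
from dataclasses import dataclass

# Constructed stand-in for a breached-password corpus. ASVS 2.1.7 expects a real
# source (e.g. a Pwned Passwords lookup); this small set keeps the example offline.
BREACHED_PASSWORDS = frozenset({
    "password12345",
    "correcthorsebatterystaple",
})

MIN_LENGTH = 12    # 2.1.1: at least 12 characters after multiple spaces are combined
MAX_LENGTH = 128   # 2.1.2: at least 64 characters permitted, more than 128 denied

# Requirements this module claims to verify; a test can assert the list is complete.
COVERED_REQUIREMENTS = ("2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.7", "2.1.9")


@dataclass(frozen=True)
class PolicyResult:
    ok: bool
    requirement: str   # ASVS ID of the violated requirement, "" on success
    reason: str


def normalize(password: str) -> str:
    """2.1.3: no truncation is performed; the only transformation allowed is
    collapsing runs of spaces to a single space (which 2.1.1 applies before
    measuring length)."""
    return re.sub(r" {2,}", " ", password)


def is_printable(ch: str) -> bool:
    """2.1.4: any printable Unicode character, including spaces and emoji, is
    allowed; control characters (Cc) and unassigned code points (Cn) are not."""
    return ch == " " or unicodedata.category(ch) not in ("Cc", "Cn")


def validate_new_password(password: str, breached=BREACHED_PASSWORDS) -> PolicyResult:
    """Return the first violated ASVS V2.1 requirement, or ok=True."""
    candidate = normalize(password)
    if len(candidate) < MIN_LENGTH:
        return PolicyResult(False, "2.1.1", f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        return PolicyResult(False, "2.1.2", f"longer than {MAX_LENGTH} characters")
    non_printable = [ch for ch in candidate if not is_printable(ch)]
    if non_printable:
        return PolicyResult(False, "2.1.4",
                            f"non-printable code point U+{ord(non_printable[0]):04X}")
    if candidate in breached:
        return PolicyResult(False, "2.1.7", "appears in breached-password set")
    # 2.1.9: deliberately no composition rules (no "must contain a digit", etc.);
    # a long all-lowercase passphrase is accepted.
    return PolicyResult(True, "", "")
```

In the sprint-planning setup the abstract describes, each ASVS ID above would be a ticket, and the test for it lives in the security regression suite alongside the functional tests, so a later refactor that silently starts truncating passwords or adds a composition rule fails the build with the requirement number in the test name.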
Speakers
Aram Hovsepyan

Founder and CEO, Codific
Aram is the founder and CEO of Codific, a Flemish cybersecurity product firm. With over 15 years of experience, he has a proven track record in building complex software systems with an explicit focus on software security. Codific’s flagship product, Videolab, is a secure multimedia...
Room: Seacliff AB

3:30pm PDT

I Know What You Did Last Summer: Lessons Learned from Privacy Breaches and Scandals
Friday September 27, 2024 3:30pm - 4:15pm PDT
The "assume breach" point of view has become the norm for security professionals, recognizing that incidents are bound to happen sooner or later. But what about breaches that go beyond the typical security threats exploited by malicious outsiders? In this talk, we dive into privacy breaches, from major, well-publicized scandals to smaller, barely mentioned cases, showing the impact of weak privacy design and how these breaches could have been avoided.

From these high-profile privacy incidents, we derive actionable lessons that you can integrate into your current security practices, ensuring your products are both secure and privacy-respecting.

Speakers
Dr. Kim Wuyts

Manager Cyber & Privacy, PwC Belgium
Dr. Kim Wuyts is a leading privacy engineering expert with over 15 years of experience in security and privacy. Before joining PwC as Manager Cyber & Privacy, Kim was a senior researcher at KU Leuven, where she led the development and extension of LINDDUN, a popular privacy threat...
Room: Bayview B (Bay Level)