OWASP 2024 Global AppSec San Francisco

In this presentation, we will explore an innovative approach to improve the security of containerized applications using behavior analysis during continuous integration testing and generating native policies based on behavior. By leveraging behavioral analysis, we can replace tedious manual policy definitions which take long to define and can break easily. We will also discuss the importance of native policies, which allow us to enforce security policies directly within container orchestration tools like Kubernetes without relying on third-party tools.


We will focus on policies like seccomp profiles, network policies, AppArmor, and security context. We will cover hands-on practices for implementing this approach, including how to do behavioral analysis using eBPF-based tools, how to integrate this analysis into CI testing, and how to use native policies to enforce security policies.


By the end of this presentation, attendees will have a deeper understanding of how to leverage innovative approaches to security in Kubernetes clusters (and in containerized orchestration in general), and how to use behavioral analysis and native policies to protect their environments against the multiple threats.

OWASP dep-scan v6: The S in SCA is not an SBOM

The principle behind Software Composition Analysis (SCA) has remained the same for over a decade. It involves a single Software Bill-of-Materials (SBOM) document and a vulnerability database to identify potential vulnerabilities and advisories that might affect the given application or service. Such a technique of scanning an application with limited context creates both false positives and false negatives, a problem that is well-understood. Solving these inherent weaknesses requires some bold ideas. For OWASP dep-scan v6, we are revisiting every single word in the SCA acronym, to rethink SCA as we know it. In this mini session, we discuss the thinking behind the v6 release and offer insights into our technology and development efforts.

OWASP Nettacker project (a portmanteau of "Network Attacker") is a relatively new yet an awesome and powerful "swiss-army-knife" automated penetration testing framework fully written in Python. Nettacker recently gained a lot of interest from the European and Asian penetration testing communities and was even included in the specialist Linux distribution for penetration testers and security researchers. Nettacker is able to run various scans using a variety of methods and generate scan reports for applications and networks, including services, bugs, vulnerabilities, misconfigurations, default credentials and many other cool features - for example an ability to chain different scan methods. This talk will feature a live demo and several practical usage examples of how organisations can benefit from this OWASP project for automated security testing

Despite defense in depth bounty hunters continue to bypass security measures. We will chronicle curated submissions from our bug bounty program. 


This talk covers bugs that span across application security and infrastructure security domain. Folks from Detection and response will find this especially useful to help further strengthen their D&R capabilities. Frankly we recommend this to all security practitioners (red\blue and purple team)  since we will share real world bugs reported to our program and how we applied the learnings to elevate our security program.


Expect to hear root cause analysis, technical details, and mitigations. You will take away practical strategies to elevate your own security program. 

TLS Certificates are re-using private keys by the millions. We'll demonstrate that key re-use in TLS certificates is systemic and undermines one of the foundational protections offered in modern web security


We looked at 7 billion certs logged in Certificate Transparency and found millions of certs re-using private keys. We identified orgs like Verizon that re-used the same key for 10 years, despite revoking it in the first year! We found cases of organizations continuing to re-use the same private key to issue new certs, despite having had that key compromised. Picture a short lived cert that only lasts 90 days, but the same key is re-used on all future certs for a decade 

We also analyzed SSH key re-use for authentication to GitHub. We looked at 58 million GitHub user’s keys and found >100k SSH keys re-used between multiple GitHub account


We’ll show the extent of private key reuse, show re-use of keys from revoked certificates, and open-source a tool to identify certs that reuse private keys. We'll provide examples of common cert generation frameworks that repeatedly use the same key, despite the security risks


Keys are even sometimes used for TLS certs and repurposed as SSH keys on GitHub 

This talk dives deep into a world of systemic private encryption key re-use, the dangers, and current threats it poses

The frequency of Software Supply Chain attacks has been increasing over the last several years. This is, in part, due to the fact that the term “Software Supply Chain Attack” actually refers to a set of attacks that include: Repo Jacking, Repo Poisoning, Typo Squatting, and Dependency Confusion. Threat actors, such as Nation states, select high value targets that can be extremely disruptive. They weaponize the software supply chain against their enemies (real or perceived) to wreak physical infrastructure damage or engage in commercial and governmental espionage. Attackers who are motivated by money have been able to demand huge ransoms, which would have been impractical in the past but have been made easy by cryptocurrencies. Frequently, they seek soft targets. Hospitals, municipalities and schools can be notoriously lax in their software security efforts. Often, they lack the capital and expertise to enable a successful defense against ransomware gangs. 


Governments and the private sector are investing in defensive measures. Europe has responded with the Cyber Resilience Act. The US has mandated SBOMs as a countermeasure against supply chain attacks. If you know what is in your code then such an attack is unlikely. Right? Not exactly. In the commercial sector, a huge software security industry has arisen. In 2023 it was estimated to be valued at approximately 172 billion USD and it is a growing market. Yet this has not resulted in a diminishing threat.


In this presentation, I am going to describe practical strategies for improving your organization’s ability to defend against software supply chain attacks.

Ever felt ignored when raising security concerns? So did we until we changed the game. This is the story of how a small team can drive change by wielding data-driven insights.

This talk delves into our journey of influencing our entire organization through threat modeling. From adopting a framework to managing threat intelligence, we’ll share the lessons learned and the solutions we found to common challenges.

As a small team, it is not realistic to cover everything by ourselves. We need to focus our energy on high value, high return activities and play the influence game. It was not an easy task, but we managed to do it.

Throughout the presentation, we’ll do an overview of our organization’s size and structure, where our team fits in to give some context and how all of this affects decision-making. We’ll explore the three key strategies we implemented to efficiently work toward our goal, namely:

• adopting a common language for threat modeling across the organization,
• embedding threat modeling into everyday operations according to the needs of each team, and
• managing threat intelligence smoothly in an automated manner.

At the end of this talk, you will leave with actionable insights on what could be your next step and a newfound confidence in your abilities to drive change in your organization.

Why OWASP Serverless Top Ten is Crucial for the Industry 

Unique Security Challenges
- Serverless computing introduces distinct security risks, such as misconfigured permissions, insecure third-party integrations, and event injection vulnerabilities.

Rapid Adoption Without Security Awareness
- OWASP Serverless Top Ten helps close the knowledge gap, providing clear guidelines on common threats. Guidance for Developers and Security Teams
- The Top Ten is a comprehensive, practical resource for developers and security teams to understand better and mitigate serverless applications' most critical security vulnerabilities.

Industry-Standard Reference 
- Provides a unified, industry-recognized reference, ensuring organizations and developers follow best practices in securing serverless architectures.

Adaptability to Cloud-Native Ecosystems 
- OWASP Serverless Top Ten addresses security in these increasingly complex environments.

Future-Proofing Security for Next-Generation Applications
- As serverless computing continues to evolve with AI, IoT, and edge computing, the Serverless Top Ten ensures that the industry remains proactive about emerging threats, not reactive.

1:15pm PDT

1:15pm PDT

2:15pm PDT