OWASP 2024 Global AppSec San Francisco

Internet of Things (IoT) has revolutionized the way we interact with our environments, connecting billions of devices to enhance efficiency, convenience, and automation in various sectors such as healthcare, transportation, and smart homes. However, the proliferation of interconnected devices also introduces significant security challenges. IoT devices, often designed with limited computing resources, may lack robust security features, making them vulnerable to cyber-attacks. As IoT continues to expand, discovering and addressing its security vulnerabilities becomes paramount to safeguarding personal privacy and ensuring the resilience of interconnected infrastructures. This project showcase will introduce and demonstrate current capabilities of the OWASP IoT Security Testing Guide (ISTG) project released earlier this year. The ISTG comprises a comprehensive methodology for penetration tests in the IoT field, offering flexibility to adapt innovations, and developments in the IoT market while still ensuring comparability of test results. While the guide is mainly intended to be used by penetration testers, its resources may aid manufacturers and operators of IoT devices to proactively improve the security of their devices.

OWASP dep-scan v6: The S in SCA is not an SBOM

The principle behind Software Composition Analysis (SCA) has remained the same for over a decade. It involves a single Software Bill-of-Materials (SBOM) document and a vulnerability database to identify potential vulnerabilities and advisories that might affect the given application or service. Such a technique of scanning an application with limited context creates both false positives and false negatives, a problem that is well-understood. Solving these inherent weaknesses requires some bold ideas. For OWASP dep-scan v6, we are revisiting every single word in the SCA acronym, to rethink SCA as we know it. In this mini session, we discuss the thinking behind the v6 release and offer insights into our technology and development efforts.

OWASP Nettacker project (a portmanteau of "Network Attacker") is a relatively new yet an awesome and powerful "swiss-army-knife" automated penetration testing framework fully written in Python. Nettacker recently gained a lot of interest from the European and Asian penetration testing communities and was even included in the specialist Linux distribution for penetration testers and security researchers. Nettacker is able to run various scans using a variety of methods and generate scan reports for applications and networks, including services, bugs, vulnerabilities, misconfigurations, default credentials and many other cool features - for example an ability to chain different scan methods. This talk will feature a live demo and several practical usage examples of how organisations can benefit from this OWASP project for automated security testing

Why OWASP Serverless Top Ten is Crucial for the Industry 

Unique Security Challenges
- Serverless computing introduces distinct security risks, such as misconfigured permissions, insecure third-party integrations, and event injection vulnerabilities.

Rapid Adoption Without Security Awareness
- OWASP Serverless Top Ten helps close the knowledge gap, providing clear guidelines on common threats. Guidance for Developers and Security Teams
- The Top Ten is a comprehensive, practical resource for developers and security teams to understand better and mitigate serverless applications' most critical security vulnerabilities.

Industry-Standard Reference 
- Provides a unified, industry-recognized reference, ensuring organizations and developers follow best practices in securing serverless architectures.

Adaptability to Cloud-Native Ecosystems 
- OWASP Serverless Top Ten addresses security in these increasingly complex environments.

Future-Proofing Security for Next-Generation Applications
- As serverless computing continues to evolve with AI, IoT, and edge computing, the Serverless Top Ten ensures that the industry remains proactive about emerging threats, not reactive.

2:15pm PDT

2:45pm PDT

3:15pm PDT