OWASP 2024 Global AppSec San Francisco

(Available as hybrid - in Person or online)

This three-day hands-on course teaches penetration testers and developers how to analyse Android and iOS applications for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis, reverse engineering and Software Composition Analysis (SCA), using the OWASP Mobile Application Security Testing Guide (MASTG).

The OWASP MASTG is a comprehensive and open source guide to mobile security testing for both iOS and Android, providing a methodology and very detailed technical test cases to ensure completeness and using the latest attack techniques against mobile applications.

This course will give you hands-on experience with open source tools and advanced methodologies by guiding you through real-world scenarios.

## Detailed outline

We'll start the first day with an introduction to the OWASP MASVS and MASTG and the latest updates to it and then dive into the Android platform and its security architecture. Students will no longer be required to bring their own Android device, instead each student will be provided with a cloud-based virtualised Android device from Corellium.

Topics include:
- Intercepting network traffic from apps written in mobile app frameworks such as Google's Flutter
- Reverse engineering a Kotlin app and identifying and exploiting a real-world deep link vulnerability through manual source code review.
- Explore the differences and effectiveness of reverse engineering Android apps using Smali patching, Magisk and Dynamic Instrumentation with Frida
- Frida crash course to get started with dynamic instrumentation on Android apps
- Bypass different implementations of SSL pinning using Frida
- Use dynamic instrumentation with Frida to
- Bypass multiple root detection mechanisms
- Bypass Frida detection mechanisms -

Day 1 will be closed with a Capture the Flag (CTF)

On day 2 we wrap up Android and start with iOS and we will use a Github repo to trigger static scanning, SCA and secret scanning on Kotlin and Swift:
Android: - Analyse the storage of an Android app and understand the various options on how and where files can be stored (app-specific, shared storage etc.)
- Using Brida (Frida and Burp) to bypass End2End encryption in an Android App
- Static Scanning of Kotlin source code, identifying vulnerabilities and eliminating false positives
- Scanning for secrets in an APK iOS:
- Introduction into iOS Security fundamentals
- Scanning for secrets in a Swift repository and identifying ways to handle them securely.
- Software Composition Analysis (SCA) for iOS
- Scanning 3rd party libraries and SDKs in mobile package managers for known vulnerabilities and mitigation strategies.
- Statically scanning Swift source code, identifying vulnerabilities and eliminating false positives.
- Demonstration on how to test watchOS apps and it's limitations

Day 3 focuses on iOS.
We will begin the day by creating an iOS test environment using Corellium and dive into several topics, including:
- Intercepting network traffic of an iOS App in various scenarios, including intercepting traffic that is not HTTP
- Examining stateless authentication (JWT) in a mobile app
- A Frida crash course to get started with dynamic instrumentation for iOS applications
- Analyse the storage of an iOS app and understand the various options on how (Realm databases etc.) and where files can be stored.
- Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida gadget
- Using Frida to bypass runtime instrumentation of iOS applications
- Anti-Jailbreaking Mechanisms
- Frida's detection mechanism We'll wrap up the final day with another mobile app CTF where you can apply your newly learned skills. Whether you are a beginner who wants to learn mobile app testing from the ground up, or an experienced pentester or developer who wants to improve your existing skills to perform more advanced attack techniques, or just for fun, this training will help you achieve your goals.

The course consists of many different labs developed by the instructor and is approximately 65% hands-on and 35% lecture. Upon successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile applications, how to suggest the right mitigation techniques to developers, and how to perform tests consistently.

### What students should bring

The following requirements must be met by students in order to be able to follow all exercises and participate fully:
- Laptop (Windows/Linux/macOS) with at least 8GB of RAM and 40GB of free disk space.
- Full administrative access in case of problems with the laptop environment (e.g. ability to disable VPN or AV/EDR) - Virtualisation software (e.g. VMware, VirtualBox, UTM); a virtual machine will be provided for X86 and ARM architecture (for M1/M2/M3 MacBooks) with all tools required for the training.
- Ideally a tablet to have a second screen for the practical lab slides when doing the hands-on sessions.
- Github account is needed (free account is sufficient) to fork a repository

An iOS and Android device is NOT required as an emulated instance is provided for each student hosted at Corellium. This is a cloud-based environment that allows each student access to a jailbroken iOS device and a rooted Android device during the training.

### What students will receive
- Slide decks for the iOS and Android training and all videos for all demonstrations shared in class.
- All vulnerable apps used during the training, either as APK or IPA.
- Detailed write-ups for all labs so you can review them at your own pace after the course.
- Dedicated Slack channel used to help students prepare before the course, communicate during the course and stay in touch after the course for any questions.
- Certificate of completion.

## What prerequisites should students have before attending this training?
- This course is for Beginners and Intermediate
- Basic understanding of mobile apps
- Able to use Linux command line

## Biography of the trainer Sven: is a co-founder of Bai7 GmbH in Austria, which is specialized in mobile app trainings and advisory. He has expertise in cloud security, offensive security engagements (Penetration Testing) and Application Security, notably in guiding software development teams across Mobile and Web Applications throughout the Software Development Life Cycle (SDLC) to integrate robust security measures in from the start. Besides his day job, Sven is involved with the Open Worldwide Application Security Project (OWASP) since 2016. As a co-project leader and author, he has significantly contributed to the OWASP Mobile Application Security Testing Guide (MASTG) and the OWASP Mobile Application Security Verification Standard (MASVS).

This course provides the knowledge and resources required to evaluate the security of web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures. The course is aligned with the OWASP 10 2021, a world-renowned reference document which describes the most critical web application security flaws.

The topics covered include:
- Introduction to Web Application Security
- Technologies used in Web Applications
- The Security Tester Toolkit
- Critical Areas in Web Applications
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server Side Request Forgery (SSRF)

Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.

Based on the updated Black Hat edition 2024 training, you will be challenged with hands-on threat modeling exercises based on real-world projects. You will get insight into our practical industry experience, helping you to become a Threat Modeling Practitioner. We included an exercise on MITRE ATT&CK, and we focus on embedding threat modeling in Agile and DevOps practices. And we introduce a new challenge on threat modeling a Machine Learning-Powered Chatbot.

We levelled up the threat modeling war game. Engaged in CTF-style challenges, your team will battle for control over an offshore wind turbine park. The level of this training is Beginner/Intermediate. Participants who are new to threat modeling are advised to follow our self-paced Threat Modeling Introduction training (which is about 2 hours and is included in this training).

As highly skilled professionals with years of experience under our belts, we're intimately familiar with the gap between academic knowledge of threat modeling and real-world practice. To minimize that gap, we have developed practical use cases, based on real-world projects. Each use case includes a description of the environment, together with questions and templates to build a threat model.

Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling:
• Diagram techniques applied on a travel booking service
• Threat model a cloud-based update service for an IoT kiosk
• Create an attack tree against a nuclear research facility
• Create a SOC Risk Based Alerting system with MITRE ATT&CK
• Mitigate threats in a payment service build with microservices and S3 buckets
• Threat modeling a Machine Learning-Powered Chatbot
• Apply the OWASP Threat Modeling Playbook on agile development
• Threat modeling the CI/CD pipeline
• Battle for control over "Zwarte Wind", an offshore wind turbine park

After each hands-on exercise, the results are discussed, and students receive a documented solution.

As part of this training, you will be asked to create and submit your own threat model, on which you will get individual feedback.

All participants get our Threat Modeling Playbook to improve you threat modeling practice, one-year access to our online threat modeling learning platform, and one-hour personal coaching to refine your threat modeling.

(Available as hybrid - in Person or online)

This three-day hands-on course teaches penetration testers and developers how to analyse Android and iOS applications for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis, reverse engineering and Software Composition Analysis (SCA), using the OWASP Mobile Application Security Testing Guide (MASTG).

The OWASP MASTG is a comprehensive and open source guide to mobile security testing for both iOS and Android, providing a methodology and very detailed technical test cases to ensure completeness and using the latest attack techniques against mobile applications.

This course will give you hands-on experience with open source tools and advanced methodologies by guiding you through real-world scenarios.

## Detailed outline

We'll start the first day with an introduction to the OWASP MASVS and MASTG and the latest updates to it and then dive into the Android platform and its security architecture. Students will no longer be required to bring their own Android device, instead each student will be provided with a cloud-based virtualised Android device from Corellium.

Topics include:
- Intercepting network traffic from apps written in mobile app frameworks such as Google's Flutter
- Reverse engineering a Kotlin app and identifying and exploiting a real-world deep link vulnerability through manual source code review.
- Explore the differences and effectiveness of reverse engineering Android apps using Smali patching, Magisk and Dynamic Instrumentation with Frida
- Frida crash course to get started with dynamic instrumentation on Android apps
- Bypass different implementations of SSL pinning using Frida
- Use dynamic instrumentation with Frida to
- Bypass multiple root detection mechanisms
- Bypass Frida detection mechanisms -

Day 1 will be closed with a Capture the Flag (CTF)

On day 2 we wrap up Android and start with iOS and we will use a Github repo to trigger static scanning, SCA and secret scanning on Kotlin and Swift:
Android: - Analyse the storage of an Android app and understand the various options on how and where files can be stored (app-specific, shared storage etc.)
- Using Brida (Frida and Burp) to bypass End2End encryption in an Android App
- Static Scanning of Kotlin source code, identifying vulnerabilities and eliminating false positives
- Scanning for secrets in an APK iOS:
- Introduction into iOS Security fundamentals
- Scanning for secrets in a Swift repository and identifying ways to handle them securely.
- Software Composition Analysis (SCA) for iOS
- Scanning 3rd party libraries and SDKs in mobile package managers for known vulnerabilities and mitigation strategies.
- Statically scanning Swift source code, identifying vulnerabilities and eliminating false positives.
- Demonstration on how to test watchOS apps and it's limitations

Day 3 focuses on iOS.
We will begin the day by creating an iOS test environment using Corellium and dive into several topics, including:
- Intercepting network traffic of an iOS App in various scenarios, including intercepting traffic that is not HTTP
- Examining stateless authentication (JWT) in a mobile app
- A Frida crash course to get started with dynamic instrumentation for iOS applications
- Analyse the storage of an iOS app and understand the various options on how (Realm databases etc.) and where files can be stored.
- Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida gadget
- Using Frida to bypass runtime instrumentation of iOS applications
- Anti-Jailbreaking Mechanisms
- Frida's detection mechanism We'll wrap up the final day with another mobile app CTF where you can apply your newly learned skills. Whether you are a beginner who wants to learn mobile app testing from the ground up, or an experienced pentester or developer who wants to improve your existing skills to perform more advanced attack techniques, or just for fun, this training will help you achieve your goals.

The course consists of many different labs developed by the instructor and is approximately 65% hands-on and 35% lecture. Upon successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile applications, how to suggest the right mitigation techniques to developers, and how to perform tests consistently.

### What students should bring

The following requirements must be met by students in order to be able to follow all exercises and participate fully:
- Laptop (Windows/Linux/macOS) with at least 8GB of RAM and 40GB of free disk space.
- Full administrative access in case of problems with the laptop environment (e.g. ability to disable VPN or AV/EDR) - Virtualisation software (e.g. VMware, VirtualBox, UTM); a virtual machine will be provided for X86 and ARM architecture (for M1/M2/M3 MacBooks) with all tools required for the training.
- Ideally a tablet to have a second screen for the practical lab slides when doing the hands-on sessions.
- Github account is needed (free account is sufficient) to fork a repository

An iOS and Android device is NOT required as an emulated instance is provided for each student hosted at Corellium. This is a cloud-based environment that allows each student access to a jailbroken iOS device and a rooted Android device during the training.

### What students will receive
- Slide decks for the iOS and Android training and all videos for all demonstrations shared in class.
- All vulnerable apps used during the training, either as APK or IPA.
- Detailed write-ups for all labs so you can review them at your own pace after the course.
- Dedicated Slack channel used to help students prepare before the course, communicate during the course and stay in touch after the course for any questions.
- Certificate of completion.

## What prerequisites should students have before attending this training?
- This course is for Beginners and Intermediate
- Basic understanding of mobile apps
- Able to use Linux command line

## Biography of the trainer Sven: is a co-founder of Bai7 GmbH in Austria, which is specialized in mobile app trainings and advisory. He has expertise in cloud security, offensive security engagements (Penetration Testing) and Application Security, notably in guiding software development teams across Mobile and Web Applications throughout the Software Development Life Cycle (SDLC) to integrate robust security measures in from the start. Besides his day job, Sven is involved with the Open Worldwide Application Security Project (OWASP) since 2016. As a co-project leader and author, he has significantly contributed to the OWASP Mobile Application Security Testing Guide (MASTG) and the OWASP Mobile Application Security Verification Standard (MASVS).

This course provides the knowledge and resources required to evaluate the security of web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures. The course is aligned with the OWASP 10 2021, a world-renowned reference document which describes the most critical web application security flaws.

The topics covered include:
- Introduction to Web Application Security
- Technologies used in Web Applications
- The Security Tester Toolkit
- Critical Areas in Web Applications
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server Side Request Forgery (SSRF)

Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.

Based on the updated Black Hat edition 2024 training, you will be challenged with hands-on threat modeling exercises based on real-world projects. You will get insight into our practical industry experience, helping you to become a Threat Modeling Practitioner. We included an exercise on MITRE ATT&CK, and we focus on embedding threat modeling in Agile and DevOps practices. And we introduce a new challenge on threat modeling a Machine Learning-Powered Chatbot.

We levelled up the threat modeling war game. Engaged in CTF-style challenges, your team will battle for control over an offshore wind turbine park. The level of this training is Beginner/Intermediate. Participants who are new to threat modeling are advised to follow our self-paced Threat Modeling Introduction training (which is about 2 hours and is included in this training).

As highly skilled professionals with years of experience under our belts, we're intimately familiar with the gap between academic knowledge of threat modeling and real-world practice. To minimize that gap, we have developed practical use cases, based on real-world projects. Each use case includes a description of the environment, together with questions and templates to build a threat model.

Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling:
• Diagram techniques applied on a travel booking service
• Threat model a cloud-based update service for an IoT kiosk
• Create an attack tree against a nuclear research facility
• Create a SOC Risk Based Alerting system with MITRE ATT&CK
• Mitigate threats in a payment service build with microservices and S3 buckets
• Threat modeling a Machine Learning-Powered Chatbot
• Apply the OWASP Threat Modeling Playbook on agile development
• Threat modeling the CI/CD pipeline
• Battle for control over "Zwarte Wind", an offshore wind turbine park

After each hands-on exercise, the results are discussed, and students receive a documented solution.

As part of this training, you will be asked to create and submit your own threat model, on which you will get individual feedback.

All participants get our Threat Modeling Playbook to improve you threat modeling practice, one-year access to our online threat modeling learning platform, and one-hour personal coaching to refine your threat modeling.

(Available as hybrid - in Person or online)

This three-day hands-on course teaches penetration testers and developers how to analyse Android and iOS applications for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis, reverse engineering and Software Composition Analysis (SCA), using the OWASP Mobile Application Security Testing Guide (MASTG).

The OWASP MASTG is a comprehensive and open source guide to mobile security testing for both iOS and Android, providing a methodology and very detailed technical test cases to ensure completeness and using the latest attack techniques against mobile applications.

This course will give you hands-on experience with open source tools and advanced methodologies by guiding you through real-world scenarios.

## Detailed outline

We'll start the first day with an introduction to the OWASP MASVS and MASTG and the latest updates to it and then dive into the Android platform and its security architecture. Students will no longer be required to bring their own Android device, instead each student will be provided with a cloud-based virtualised Android device from Corellium.

Topics include:
- Intercepting network traffic from apps written in mobile app frameworks such as Google's Flutter
- Reverse engineering a Kotlin app and identifying and exploiting a real-world deep link vulnerability through manual source code review.
- Explore the differences and effectiveness of reverse engineering Android apps using Smali patching, Magisk and Dynamic Instrumentation with Frida
- Frida crash course to get started with dynamic instrumentation on Android apps
- Bypass different implementations of SSL pinning using Frida
- Use dynamic instrumentation with Frida to
- Bypass multiple root detection mechanisms
- Bypass Frida detection mechanisms -

Day 1 will be closed with a Capture the Flag (CTF)

On day 2 we wrap up Android and start with iOS and we will use a Github repo to trigger static scanning, SCA and secret scanning on Kotlin and Swift:
Android: - Analyse the storage of an Android app and understand the various options on how and where files can be stored (app-specific, shared storage etc.)
- Using Brida (Frida and Burp) to bypass End2End encryption in an Android App
- Static Scanning of Kotlin source code, identifying vulnerabilities and eliminating false positives
- Scanning for secrets in an APK iOS:
- Introduction into iOS Security fundamentals
- Scanning for secrets in a Swift repository and identifying ways to handle them securely.
- Software Composition Analysis (SCA) for iOS
- Scanning 3rd party libraries and SDKs in mobile package managers for known vulnerabilities and mitigation strategies.
- Statically scanning Swift source code, identifying vulnerabilities and eliminating false positives.
- Demonstration on how to test watchOS apps and it's limitations

Day 3 focuses on iOS.
We will begin the day by creating an iOS test environment using Corellium and dive into several topics, including:
- Intercepting network traffic of an iOS App in various scenarios, including intercepting traffic that is not HTTP
- Examining stateless authentication (JWT) in a mobile app
- A Frida crash course to get started with dynamic instrumentation for iOS applications
- Analyse the storage of an iOS app and understand the various options on how (Realm databases etc.) and where files can be stored.
- Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida gadget
- Using Frida to bypass runtime instrumentation of iOS applications
- Anti-Jailbreaking Mechanisms
- Frida's detection mechanism We'll wrap up the final day with another Mobile app CTF where you can apply your newly learned skills. Whether you are a beginner who wants to learn mobile app testing from the ground up, or an experienced pentester or developer who wants to improve your existing skills to perform more advanced attack techniques, or just for fun, this training will help you achieve your goals.

The course consists of many different labs developed by the instructor and is approximately 65% hands-on and 35% lecture. Upon successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile applications, how to suggest the right mitigation techniques to developers, and how to perform tests consistently.

### What students should bring

The following requirements must be met by students in order to be able to follow all exercises and participate fully:
- Laptop (Windows/Linux/macOS) with at least 8GB of RAM and 40GB of free disk space.
- Full administrative access in case of problems with the laptop environment (e.g. ability to disable VPN or AV/EDR) - Virtualisation software (e.g. VMware, VirtualBox, UTM); a virtual machine will be provided for X86 and ARM architecture (for M1/M2/M3 MacBooks) with all tools required for the training.
- Ideally a tablet to have a second screen for the practical lab slides when doing the hands-on sessions.
- Github account is needed (free account is sufficient) to fork a repository

An iOS and Android device is NOT required as an emulated instance is provided for each student hosted at Corellium. This is a cloud-based environment that allows each student access to a jailbroken iOS device and a rooted Android device during the training.

### What students will receive
- Slide decks for the iOS and Android training and all videos for all demonstrations shared in class.
- All vulnerable apps used during the training, either as APK or IPA.
- Detailed write-ups for all labs so you can review them at your own pace after the course.
- Dedicated Slack channel used to help students prepare before the course, communicate during the course and stay in touch after the course for any questions.
- Certificate of completion.

## What prerequisites should students have before attending this training?
- This course is for Beginners and Intermediate
- Basic understanding of mobile apps
- Able to use Linux command line

## Biography of the trainer Sven: is a co-founder of Bai7 GmbH in Austria, which is specialized in mobile app trainings and advisory. He has expertise in cloud security, offensive security engagements (Penetration Testing) and Application Security, notably in guiding software development teams across Mobile and Web Applications throughout the Software Development Life Cycle (SDLC) to integrate robust security measures in from the start. Besides his day job, Sven is involved with the Open Worldwide Application Security Project (OWASP) since 2016. As a co-project leader and author, he has significantly contributed to the OWASP Mobile Application Security Testing Guide (MASTG) and the OWASP Mobile Application Security Verification Standard (MASVS).

This course provides the knowledge and resources required to evaluate the security of web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures. The course is aligned with the OWASP 10 2021, a world-renowned reference document which describes the most critical web application security flaws.

The topics covered include:
- Introduction to Web Application Security
- Technologies used in Web Applications
- The Security Tester Toolkit
- Critical Areas in Web Applications
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server Side Request Forgery (SSRF)

Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.

You may upload the speaker slides ​here.​​​

Whatever your need as a hacker post-compromise, Microsoft Copilot has got you covered. Covertly search for sensitive data and parse it nicely for your use. Exfiltrate it out without generating logs. Most frightening, Microsoft Copilot will help you phish to move lately. Heck, it will even social engineer victims for you!




This talk is a comprehensive analysis of Microsoft copilot taken to red-team-level practicality. We will show how Copilot plugins can be used to install a backdoor into other user’s copilot interactions, allowing for data theft as a starter and AI-based social engineering as the main course. We’ll show how hackers can circumvent built-in security controls which focus on files and data by using AI against them.




Next, we will drop LOLCopilot, a red-teaming tool for abusing Microsoft Copilot as an ethical hacker to do all of the above. The tool works with default configuration in any M365 copilot-enabled tenant.




Finally, we will recommend detection and hardening your can put in place to protect against malicious insiders and threat actors with Copilot access.

In the fast-evolving world of cybersecurity, managing an application security (AppSec) program can feel like running a marathon—a test of endurance, strategy, and continuous improvement. This presentation draws insightful parallels between marathon running and effective AppSec management, demonstrating how the principles of disciplined training, strategic pacing, and incremental progress can lead to long-term success.


Over the past five years, the speaker has completed seven marathons and has qualified for the prestigious Boston Marathon next year. With more than a decade of experience in building application security programs for various companies, they bring a unique perspective to bridging the gap between these two demanding fields.


Mindset and goal setting are critical for success in both marathon running and AppSec programs. We will explore the essential tools and techniques that both marathon runners and AppSec professionals need to optimize performance and achieve their goals. For instance, choosing the right footwear—whether it's the Nike ZoomX Vaporfly or the Adidas Ultraboost—and leveraging SAST, DAST, and SIEM systems can significantly impact outcomes.


Moreover, the session will delve into targeted training methodologies such as interval training and long runs, translated into AppSec practices like threat modeling and regular security audits. Attendees will learn the importance of continuous monitoring and feedback mechanisms—whether it's through wearables and performance metrics or automated testing and security dashboards.


Adaptation and evolution are crucial in both fields. Just as runners adjust to varying conditions and integrate innovative techniques, AppSec programs must adapt to emerging threats and incorporate state-of-the-art technologies. We'll share real-world examples showcasing how these adaptations can lead to improved security postures.


We will also cover some commonly seen pitfalls for both marathon runners and those managing application security programs. Understanding these pitfalls can help avoid setbacks and ensure a smoother path to success.


Collaboration and knowledge sharing form the backbone of success in both marathon running and application security. This presentation will highlight the role of running communities, expert consultations, and workshops in fostering growth and resilience. Similarly, it will emphasize the importance of cross-team collaboration, industry engagement, and internal training sessions in cultivating a robust AppSec culture.


Key Takeaways:

1. Believe in Yourself: Anyone can run a marathon and anyone can run an application security program with the right mindset.
2. Realistic Goals and Concrete Plans: Setting realistic goals and concrete plans is essential for both your marathon and your application security program.
3. Enjoy the Process and Have Fun: Enjoying the process and having fun can make the journey more rewarding.

Join us to discover how to navigate your journey from the start line to the security finish, ensuring that your application security program is not only resilient but also continuously evolving, much like a marathon runner training for the ultimate race.

The potential benefits are substantial as organizations increasingly adopt AI-driven code-generation tools to enhance productivity and streamline development workflows. Code generation offers transformative advantages, from accelerating development cycles to minimizing manual errors.

However, this technological advancement introduces a range of risks that, if not adequately understood and managed, could pose significant challenges. Key risks include security vulnerabilities, code quality issues, potential copyright infringement, data breaches, and the possibility of reverse engineering models. Additional concerns involve bias introduction, poisoning attacks, inefficient code generation, hallucinated dependencies, and an over-reliance on AI tools, potentially leading to increased technical debt over time. A comprehensive understanding and effective mitigation of these risks are essential to fully realizing the potential of code generation technologies.

A robust risk mitigation strategy is critical. Organizations must prioritize comprehensive code reviews, continuous monitoring of tools, and the implementation of rigorous testing frameworks. Establishing clear guidelines, adopting stringent security measures, and managing controlled rollouts are vital to minimizing vulnerabilities. Additionally, safeguards around data management, intellectual property protection, and sustainable code practices will ensure code generation tools’ long-term efficacy and security.

This talk will detail these risks, offering actionable insights and strategies for leveraging AI-driven code generation while mitigating associated risks. This will allow organizations to harness this technology’s full potential safely and effectively.

Through a metaphorical journey into the 'Container Escape Room,' we will navigate through real-world scenarios and dissect the mechanisms behind container escapes. From privilege escalation exploits to vulnerabilities within container runtimes, we'll explore the diverse array of techniques employed by attackers to break out of containerized environments. Drawing insights from notable incidents and vulnerabilities, we will examine the implications of container escapes on system integrity, data confidentiality, and overall security posture. Moreover, we'll discuss mitigation strategies and best practices for hardening Kubernetes infrastructures against potential exploits. Whether you're a seasoned security professional, a DevOps enthusiast, this talk promises to be an insightful exploration into the evolving landscape of cybersecurity within containerized environments. Join us as we uncover the mysteries of container escapes.

Compromising AI infrastructure can have devastating consequences, making it a prime target for attackers. Often, a simple misconfiguration or vulnerability in AI applications is all it takes to compromise the entire system. Many developers are not fully aware of the threat landscape and end up deploying vulnerable AI infrastructures. Traditional pentesting tools like DVWA and bWAPP have helped the infosec community understand popular web attack vectors, but there is a gap when it comes to AI environments. In this talk, we introduce AI Goat, a deliberately vulnerable AI infrastructure featuring vulnerabilities based on the OWASP AI Top 10. AI Goat mimics real-world AI applications but includes added vulnerabilities, providing security enthusiasts and pen-testers with an easy-to-deploy and destroy platform to learn how to identify and exploit AI vulnerabilities. The deployment scripts will be open-source and available after the talk.

This session equips participants with the methodology and knowledge to proactively manage risks and improve the security posture of their AI systems. Threat modeling is a systematic approach to identifying potential threats and vulnerabilities in a system. This session will delve into threat modeling for AI systems, and how it differs from traditional applications. Participants will learn what threat modeling is & isn’t, including an overview of terms & methodologies, and then dive into how threat modeling for AI actually works. The presenter is part of the OWASP AI Exchange team of experts who developed the OWASP AI Exchange threat framework, and has extensive experience with threat modeling of mission-critical AI. With that knowledge and experience participants will be guided in applying the threat framework to various types of AI architectures, to cover AI attacks such as data poisoning and indirect prompt injection. 

OWASP Software Assurance Maturity Model (SAMM) Interactive Introduction and Update
Join project core members Aram and Sebastien for an engaging and interactive introduction and update on the OWASP Software Assurance Maturity Model (SAMM).

We will begin with a concise overview of SAMM's purpose and application in jumpstarting and accelerating your software assurance roadmap. This session will provide valuable insights and practical knowledge on leveraging SAMM effectively.

Tools and Assessment Guidance: Discover the range of SAMM tools available to support your software assurance efforts. We will explain the latest assessment guidance, providing you with the knowledge to utilize these tools to their fullest potential.

Mapping to Other Frameworks: Learn how SAMM can be mapped to other frameworks, such as the NIST Secure Software Development Framework (SSDF). This will enable you to leverage SAMM for demonstrating compliance and enhancing your software security posture.

Benchmark yourself against peers: The OWASP SAMM Benchmark enables organizations to anonymously compare their software security practices against industry peers, providing insights to identify improvement areas, prioritize security efforts, and track progress over time.

Since its launch in May 2023, the OWASP Top 10 for Large Language Models (LLMs) project has gained remarkable traction across various sectors, including mainstream commercial entities, government agencies, and media outlets. This project addresses the rapidly growing field of LLM applications, emphasizing the critical importance of security in AI development. Our work has resonated deeply within the community, leading to widespread adoption and integration of the Top 10 list into diverse AI frameworks and guidelines.


As we advance into the development of version 2 (v2) of the OWASP Top 10 for LLMs, this session will provide a comprehensive update on the progress made so far. Attendees will gain insights into how version 1 (v1) has been embraced by the wider community, including practical applications, case studies, and testimonials from key stakeholders who have successfully implemented the guidelines.


The session will dive into several key areas:

Adoption and Impact of v1: 

• Overview of how v1 has been utilized in various sectors.
• Case studies showcasing the integration of the Top 10 list into commercial, governmental, and academic projects.
• Feedback from users and organizations on the effectiveness and relevance of the list.

Progress on v2 Development: 

• An in-depth look at the ongoing development process for v2.
• Key changes and updates from v1 to v2, reflecting the evolving landscape of LLM security challenges.
• Methodologies and criteria used to refine and expand the list.

Community Involvement and Contributions: 

• Ways in which the community can get involved in the project.
• Opportunities for contributing to the development of v2, including participation in working groups, submitting case studies, and providing feedback.
• Upcoming events, webinars, and collaboration opportunities for those interested in shaping the future of LLM security.

Future Directions and Goals: 

• Long-term vision for the OWASP Top 10 for LLMs project.
• Strategic goals for enhancing the list’s impact and reach.
• Exploration of potential new areas of focus, such as emerging threats and mitigation strategies.

Attendees will leave this session with a clear understanding of the significant strides made since the project’s inception and the vital role it plays in ensuring secure AI application development. Additionally, they will be equipped with the knowledge and resources to actively participate in and contribute to the ongoing evolution of the OWASP Top 10 for LLMs.

This session is ideal for developers, security professionals, AI researchers, and anyone interested in the intersection of AI and cybersecurity. Join us to learn more about this critical initiative and discover how you can play a part in advancing the security of large language models.


By attending this session, participants will gain actionable insights and practical guidance on integrating the OWASP Top 10 for LLMs into their projects, ensuring robust security measures are in place to address the unique challenges posed by AI technologies.

There is some debate as to how SBOMs can enhance vulnerability management practices, and some believe that collecting SBOMs from internal teams or suppliers is too difficult and time-consuming. Learn how one company has collected thousands of our product SBOMs and how we are leveraging the SBOMs as part of our corporate product CERT to quickly analyze and focus our attention when time is of importance. This presentation describes how we modified our policies and processes to collect, generate, and store thousands of SBOMs. You will hear how we have leveraged SBOMs during the Log4j and OpenSSL vulnerability events. Then we will conclude with key learnings, suggestions, and opportunities for improvement.

The complexity of the cybersecurity landscape, compounded by evolving frameworks and compliance regulations, necessitates a clear understanding of how different standards align and relate to each other. Mappings between standards have been our solution so far, but manual mappings are a slow, labour intensive process. The OWASP OpenCRE project aims to remediate this issue.


This presentation explores the current state of standard mappings, comparing traditional manual methods with the innovative OpenCRE solution. It highlights the benefits and limitations of each approach and shares insights from our experiences using OpenCRE. We also investigate a novel approach combining manual mappings with OpenCRE to extend mappings to standards outside OpenCRE.


Key concepts of mappings such as purpose, target audience, and relationship types are examined. We discuss how these elements help organisations align different guidelines and best practices. While OpenCRE supports various relationship types and offers a fast, automated alternative to manual mappings, it has limitations. This is illustrated by comparing the SAMM -> SSDF mapping generated with OpenCRE to the direct manual mapping approved by NIST.


Proposed solutions include improving the quality of OpenCRE mappings by involving standards & regulations bodies (NIST, ISO, etc.) and using OpenCRE as a foundation for expert-reviewed and validated mappings. A specific example showcases how mappings can facilitate compliance efforts, by using SAMM to infer compliance with other frameworks.


In conclusion, mappings are crucial for aligning standards and frameworks, serving as guidelines rather than definitive proofs of compliance. Despite technological advancements, expert involvement remains essential for creating high-quality mappings. Investing in these mappings can streamline security and compliance efforts, making processes more robust and reducing the burden on security professionals.

When a web application needs to safely render the user’s input as HTML, e.g., to enable rich text formatting, sanitization would be the solution. Generally speaking, sanitizing user input should be done on the server side, right? Well, this is not so obvious for XSS mitigation. While sanitizing on the client side sounds counterintuitive at first, in this talk, we will explain not only why it makes sense for HTML but also why it is important to do so. This talk showcases common pitfalls of sanitizing HTML server-side and dives into multiple interesting real-world vulnerabilities.

As engineers, our goal is to deliver new features to the product, bringing clear value to customers. All of our KPIs and tools are built around facilitating exactly this; how to write quality code while increasing our delivery velocity. Security doesn’t naturally fit into what we do on a daily basis. Or does it?


When we’re breached, everyone cares, from the CEO all the way down to the development teams, and it’s clear that we need to adopt security and AppSec measures to safeguard our software in the future, but it’s unrealistic to expect developers to easily work within AppSec and CyberSecurity tools or to sacrifice development velocity to increase the security posture.


This talk will lay out a framework for AppSec and security leaders to communicate and facilitate security adoption by engineering teams and more importantly, emphasize ways to build security best practices into the development process holistically. 


A bit of what I’ll cover:

1. Translating security to development - 

• Going from a vulnerability bug list to ownership of the harmful vulnerabilities in their code can do.
• Tying together engineering and security KPIs.
• Stakeholder cooperation between SecOps, engineering, and product.

2. Best practices to integrate security tests from phase one.

3. Doing all this while balancing development velocity.