OWASP 2024 Global AppSec San Francisco

**NOTE:Conference and training tickets are separate purchases.

This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.

Long are the days since web servers were run by perl scripts and desktop apps written in Delphi. What is common between Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix? They all use Node.js: JavaScript on the server. What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron: JavaScript on the client. Modern Web and Desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern web and desktop apps, showcasing Node.js and Electron but using techniques that will also work against any other web or desktop app platform. Ideal for Penetration Testers, Web and Desktop app Developers as well as everybody interested in JavaScript/Node.js/Electron app security.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:

1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps
1 hour workshop - https://7asecurity.com/free-workshop-web-apps

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace, packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support and lifetime access to training portal with step-by-step video recordings and interesting apps to practice, including all future updates for free.

Teaser Video: https://www.youtube.com/watch?v=Qckegc2gbfo

If you are facing the challenge of Application Security Posture Management (ASPM) amidst a plethora of applications and issues, this course is designed to streamline the process using OWASP’s open source projects, optimized for DevSecOps workflows. Over the span of two days, you’ll engage in interactive lectures and labs that showcase the effective application of OWASP tools, as previously implemented by seasoned AppSec teams. Recognizing that the size of AppSec teams is often a limiting factor, the course emphasizes automation of routine tasks to free up your time for more complex problem-solving. Upon completion, you will be equipped with a comprehensive set of strategies and tools to enhance your AppSec initiatives through automation and the integration of OWASP projects, all delivered at DevSecOps pace. The instructors, with over two decades of industry and OWASP project experience, offer practical, proven guidance for achieving success in ASPM.

**NOTE:Conference and training tickets are separate purchases.

This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.

Long are the days since web servers were run by perl scripts and desktop apps written in Delphi. What is common between Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix? They all use Node.js: JavaScript on the server. What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron: JavaScript on the client. Modern Web and Desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern web and desktop apps, showcasing Node.js and Electron but using techniques that will also work against any other web or desktop app platform. Ideal for Penetration Testers, Web and Desktop app Developers as well as everybody interested in JavaScript/Node.js/Electron app security.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:

1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps
1 hour workshop - https://7asecurity.com/free-workshop-web-apps

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace, packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support and lifetime access to training portal with step-by-step video recordings and interesting apps to practice, including all future updates for free.

Teaser Video: https://www.youtube.com/watch?v=Qckegc2gbfo

If you are facing the challenge of Application Security Posture Management (ASPM) amidst a plethora of applications and issues, this course is designed to streamline the process using OWASP’s open source projects, optimized for DevSecOps workflows. Over the span of two days, you’ll engage in interactive lectures and labs that showcase the effective application of OWASP tools, as previously implemented by seasoned AppSec teams. Recognizing that the size of AppSec teams is often a limiting factor, the course emphasizes automation of routine tasks to free up your time for more complex problem-solving. Upon completion, you will be equipped with a comprehensive set of strategies and tools to enhance your AppSec initiatives through automation and the integration of OWASP projects, all delivered at DevSecOps pace. The instructors, with over two decades of industry and OWASP project experience, offer practical, proven guidance for achieving success in ASPM.

**NOTE:Conference and training tickets are separate purchases.

This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.

Long are the days since web servers were run by perl scripts and desktop apps written in Delphi. What is common between Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix? They all use Node.js: JavaScript on the server. What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron: JavaScript on the client. Modern Web and Desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern web and desktop apps, showcasing Node.js and Electron but using techniques that will also work against any other web or desktop app platform. Ideal for Penetration Testers, Web and Desktop app Developers as well as everybody interested in JavaScript/Node.js/Electron app security.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:

1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps
1 hour workshop - https://7asecurity.com/free-workshop-web-apps

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace, packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support and lifetime access to training portal with step-by-step video recordings and interesting apps to practice, including all future updates for free.

Teaser Video: https://www.youtube.com/watch?v=Qckegc2gbfo

In this talk, Carlos Holguera and Sven Schleier, the OWASP Mobile Application Security (MAS) Project Leaders, will take a hands-on look at some of the latest OWASP MAS developments, in particular the new MASWE (Mobile Application Security Weakness Enumeration). This talk will introduce the concepts of "weaknesses", "atomic tests" and "demos" that are the basis of the upcoming MASTG v2. Attendees will gain practical knowledge through detailed examples that show the journey from definition to implementation using both static and dynamic analysis techniques available in MASTG. In addition, discover the newly developed MAS test apps designed to streamline research and improve the development of robust MAS tests. Don't miss this opportunity to improve your mobile app security skills and make your apps hack-proof. Whether you're looking to bolster your defenses or learn how to uncover vulnerabilities, this session will provide you with the cutting-edge resources you need to stay ahead in mobile security!

The safeguarding of personal data in modern digital systems can no longer be an afterthought. It must be a consideration from the beginning. It is imperative that the preservation of privacy be a principal objective, and privacy safeguards must be by design.


LINDDUN, an acronym for Linking, Identifying, Non-repudiation, Detecting, Data Disclosure, Unawareness, and Non-compliance, encapsulates the core privacy threats that are prevalent in modern software systems. The LINDDUN privacy threat modeling framework supports privacy engineering by providing a structured approach to identifying, analyzing and mitigating threats to privacy in software systems, enabling the inclusion of privacy safeguards as an inherent part of software design and architecture.


In this presentation we will illustrate how adopting LINDDUN can uncover privacy risks and enable privacy by design. We will navigate through the threat modeling process, applying the LINDDUN framework to a fictional application to demonstrate how LINDDUN serves as a critical tool in identifying and analyzing privacy risks. Whether you’re a seasoned professional or new to the field, this presentation will equip you with the foundational knowledge to effectively implement privacy threat modeling with LINDDUN and elevate your privacy engineering efforts to new heights.

If you work in vulnerability management, you’re probably familiar with the painful condition known as CVE overload. Each year, tens of thousands of new vulnerabilities are reported, and these potential risks overwhelm security teams tasked with confirming risks and remediating them. 


A proposed solution is VEX (Vulnerability Exploitability eXchange): a set of formats that communicates vulnerability impact status, whether a vulnerability is exploitable in its deployed context, and mitigation steps. In theory, VEX (when used alongside other prioritization inputs) makes it possible for downstream security teams to remediate more efficiently. But as with most security frameworks, efficacy depends on proper implementation.  


This talk will cover five steps to leveraging VEX throughout the vulnerability remediation lifecycle, from the time a vulnerability is disclosed to the time you publish and distribute a VEX statement. We’ll cover the tools and workflows security practitioners need to know to effectively use VEX in their organizations. 

Achieving an Application Security Program with DSOMM

In this talk, Timo Pagel outlines a practical approach to building and optimizing application security (AppSec) programs for organizations of all sizes. While briefly touching on foundational elements, Timo's presentation focuses on developing and implementing a custom organizational maturity model based on DSOMM that resonates with development and operations teams.

Moving beyond traditional frameworks, Timo will teach attendees get most out of DSOMM by designing tailored models that account for diverse operating environments. The talk provides strategies for avoiding common pitfalls, implementing effective metrics, and creating a scalable AppSec approach adaptable to an organization's evolving needs. Through actionable advice and real-world examples, Timo will offer participants insights applicable to both new and existing AppSec programs.

In this 45 minute offensively focused presentation we dive into GraphQL secondary context attacks and business logic vulnerabilities exploited in real world assessments. Secondary context attacks in particular can access impactful API endpoints using GraphQL as the jumping off point. The impact from these issues when exploited can be significant including unauthorized access to data, the ability to modify other users accounts, cross-tenancy failures, and SSRF. 

This presentation is fresh material to this topic and does not rehash existing GraphQL exploitation discussions. If you are interested in GraphQL attacks, you should attend this talk.

Beyond the buzzword of 'supply chain security,' lies a critical, frequently ignored area: the Build Pipelines of Open Source packages. In this talk, we discuss how we’ve developed a large scale data analysis infrastructure that targets these overlooked vulnerabilities in Open Source projects. Our efforts have led to the discovery of countless 0-days in critical OSS projects, such as AWS-managed Kubernetes Operators, Google OSS Fuzz, RedHat OS Build, hundreds of popular Terraform providers and modules and popular GitHub Actions. We will present a detailed attack tree for GitHub Actions pipelines, offering a much deeper analysis than the prior art, and outlining attacks and mitigations. In addition, we will present three Open Source projects that complement our research and provide actionable insights to Builders and Defenders: the 'Living Off the Pipeline' (LOTP) project, the 'poutine' build pipeline scanner and the 'messypoutine' CTF-style training.

**Want to see the attack videos in a good resolution: https://nokodsecurity.com/resources/owasp-global-appsec-2024-us/


This session presents a new attack technique called “OData Injection” that affects many API based environments and in particular Microsoft Power Automate, part of the Microsoft Power Platform. The technique can be used by attackers to extract sensitive data and bypass access controls. Furthermore, we show that if you think that “No Code” = “No Vulnerabilities”, you are in for a BIG surprise. Not only that applications and automations written by citizen developers are vulnerable to good ol’ injection attacks but these could be exploited by external attackers. We prove our points using demos of the attacks and vulnerabilities that simulate our findings in the field.


Low Code / No Code (LCNC) Development and Robotic Process Automations (RPA, automations) is a rapidly growing trend within enterprises going through a digital transformation process. These tools and environments allow business users (called citizen developers), who are not software engineers, to quickly build enterprise applications, by just dragging and dropping objects within the platform’s UI. These applications typically automate their daily tasks and accelerate digital transformation within the organization - all this without writing a single line of code. Top platforms to support LCNC are Microsoft Power Platform and UiPath Cloud Automation.


It is widely believed by organizations that since no code is involved in the development process, it is safe to assume that the resulting applications are not vulnerable to traditional security issues.Think again! Our research, backed by analyzing tens of thousands of applications and flows in large enterprises, shows that automations and applications which are perceived as “internal applications” are in fact exposed to external attackers. For the first time at OWASP Global AppSec, we will show how applications and automations built in the Microsoft Power Platform and UiPath Automation Cloud environments are also vulnerable to SQL Injection, OS Command Injection and more.

Leveraging AI for AppSec presents promise and danger, as let’s face it, you cannot do everything with AI, especially when it comes to security. At our session, we’ll delve into the complexities of AI in the context of auto remediation. We’ll begin by examining our research, in which we used OpenAI to address code vulnerabilities. Despite ambitious goals, the results were underwhelming and revealed the risk of trusting AI with complex tasks. 


Our session features real-world examples and a live demo that exposes GenAI’s limitations in tackling code vulnerabilities. Our talk serves as a cautionary lesson against falling into the trap of using AI as a stand-alone solution to everything. We’ll explore the broader implications, communicating the risks of blind trust in AI without a nuanced understanding of its strengths and weaknesses.


In the second part of our session, we’ll explore a more reliable approach to leveraging GenAI for security relying on the RAG Framework. RAG stands for Retrieval-Augmented Generation. It's a methodology that enhances the capabilities of generative models by combining them with a retrieval component. This approach allows the model to dynamically fetch and utilize external knowledge or data during the generation process.

Attendees will leave with a clear understanding of how to responsibly and effectively deploy AI in their programs — and how to properly vet AI tools.

If you are working in cybersecurity, the world can feel very scary. Keeping up with the industry means reading the latest news about new threat actors, vulnerabilities, and massive breaches. When we find a new flaw in our environment with a CVSS of 10, we feel a real sense of urgency to fix it. But for some reason, all too often, it can be really hard to get executives and boards to listen to you. Don't they know what "Critical" means? 

Could it be that the executive team is speaking a different language?

You're a security analyst triaging a list of exposed credentials - how do you prioritize which key to rotate first? How do you even know what resources the key can access? Most SaaS providers make it difficult to enumerate the access granted to a particular credential without logging into their UI.


In this talk, we're releasing a new method (self-discovery) for enumerating the permissions and resources associated with API keys and other secrets, without requiring access to the provider's UI. We'll walk through the meticulous steps required to accurately assess different SaaS providers' permission and scopes, as well as share the logic behind how to validate key permissions, including string analysis, HTTP request brute forcing and more.


Finally, we'll demo a new open-source tool that automates the enumeration of API key permissions and accessible resources, without requiring access to the provider's UI.

The security team plays a vital role in improving the security posture of an organization. However, it is equally important that the software developers contribute to securing all of the applications their organization creates and maintains. If there is an absence of trust and buy-in between security professionals and developers it can hinder progress, create vulnerabilities, and limit growth within organizations. In this thought-provoking talk, we look at the reasons behind a lack of trust and explore the importance of establishing buy-in and trust for success. We delve into why we cannot succeed without trust, effective strategies and tactics, and specific and actionable advice on what to do and what NOT to do. Together, let’s rebuild trust, mend grievances, and unlock our true potential for success by changing the way we run our AppSec programs.

As the web evolves, so do the complexities of securing it. WebRTC (Web Real-Time Communication) is a powerful technology embedded in every modern web browser, enabling audio, video, and data sharing. While WebRTC offers tremendous advantages for real-time communication, it introduces a unique set of security challenges that many web and API security professionals may overlook.


This presentation aims to bridge the knowledge gap between traditional web/API security and the specialized realm of WebRTC. Designed for OWASP attendees ranging from novice to advanced practitioners, it will provide a comprehensive overview of WebRTC security concepts, common vulnerabilities, and practical testing methodologies.

In this presentation, we will explore an innovative approach to improve the security of containerized applications using behavior analysis during continuous integration testing and generating native policies based on behavior. By leveraging behavioral analysis, we can replace tedious manual policy definitions which take long to define and can break easily. We will also discuss the importance of native policies, which allow us to enforce security policies directly within container orchestration tools like Kubernetes without relying on third-party tools.


We will focus on policies like seccomp profiles, network policies, AppArmor, and security context. We will cover hands-on practices for implementing this approach, including how to do behavioral analysis using eBPF-based tools, how to integrate this analysis into CI testing, and how to use native policies to enforce security policies.


By the end of this presentation, attendees will have a deeper understanding of how to leverage innovative approaches to security in Kubernetes clusters (and in containerized orchestration in general), and how to use behavioral analysis and native policies to protect their environments against the multiple threats.

OWASP Nettacker project (a portmanteau of "Network Attacker") is a relatively new yet an awesome and powerful "swiss-army-knife" automated penetration testing framework fully written in Python. Nettacker recently gained a lot of interest from the European and Asian penetration testing communities and was even included in the specialist Linux distribution for penetration testers and security researchers. Nettacker is able to run various scans using a variety of methods and generate scan reports for applications and networks, including services, bugs, vulnerabilities, misconfigurations, default credentials and many other cool features - for example an ability to chain different scan methods. This talk will feature a live demo and several practical usage examples of how organisations can benefit from this OWASP project for automated security testing

Despite defense in depth bounty hunters continue to bypass security measures. We will chronicle curated submissions from our bug bounty program. 


This talk covers bugs that span across application security and infrastructure security domain. Folks from Detection and response will find this especially useful to help further strengthen their D&R capabilities. Frankly we recommend this to all security practitioners (red\blue and purple team)  since we will share real world bugs reported to our program and how we applied the learnings to elevate our security program.


Expect to hear root cause analysis, technical details, and mitigations. You will take away practical strategies to elevate your own security program. 

TLS Certificates are re-using private keys by the millions. We'll demonstrate that key re-use in TLS certificates is systemic and undermines one of the foundational protections offered in modern web security


We looked at 7 billion certs logged in Certificate Transparency and found millions of certs re-using private keys. We identified orgs like Verizon that re-used the same key for 10 years, despite revoking it in the first year! We found cases of organizations continuing to re-use the same private key to issue new certs, despite having had that key compromised. Picture a short lived cert that only lasts 90 days, but the same key is re-used on all future certs for a decade 

We also analyzed SSH key re-use for authentication to GitHub. We looked at 58 million GitHub user’s keys and found >100k SSH keys re-used between multiple GitHub account


We’ll show the extent of private key reuse, show re-use of keys from revoked certificates, and open-source a tool to identify certs that reuse private keys. We'll provide examples of common cert generation frameworks that repeatedly use the same key, despite the security risks


Keys are even sometimes used for TLS certs and repurposed as SSH keys on GitHub 

This talk dives deep into a world of systemic private encryption key re-use, the dangers, and current threats it poses

The frequency of Software Supply Chain attacks has been increasing over the last several years. This is, in part, due to the fact that the term “Software Supply Chain Attack” actually refers to a set of attacks that include: Repo Jacking, Repo Poisoning, Typo Squatting, and Dependency Confusion. Threat actors, such as Nation states, select high value targets that can be extremely disruptive. They weaponize the software supply chain against their enemies (real or perceived) to wreak physical infrastructure damage or engage in commercial and governmental espionage. Attackers who are motivated by money have been able to demand huge ransoms, which would have been impractical in the past but have been made easy by cryptocurrencies. Frequently, they seek soft targets. Hospitals, municipalities and schools can be notoriously lax in their software security efforts. Often, they lack the capital and expertise to enable a successful defense against ransomware gangs. 


Governments and the private sector are investing in defensive measures. Europe has responded with the Cyber Resilience Act. The US has mandated SBOMs as a countermeasure against supply chain attacks. If you know what is in your code then such an attack is unlikely. Right? Not exactly. In the commercial sector, a huge software security industry has arisen. In 2023 it was estimated to be valued at approximately 172 billion USD and it is a growing market. Yet this has not resulted in a diminishing threat.


In this presentation, I am going to describe practical strategies for improving your organization’s ability to defend against software supply chain attacks.

Ever felt ignored when raising security concerns? So did we until we changed the game. This is the story of how a small team can drive change by wielding data-driven insights.

This talk delves into our journey of influencing our entire organization through threat modeling. From adopting a framework to managing threat intelligence, we’ll share the lessons learned and the solutions we found to common challenges.

As a small team, it is not realistic to cover everything by ourselves. We need to focus our energy on high value, high return activities and play the influence game. It was not an easy task, but we managed to do it.

Throughout the presentation, we’ll do an overview of our organization’s size and structure, where our team fits in to give some context and how all of this affects decision-making. We’ll explore the three key strategies we implemented to efficiently work toward our goal, namely:

• adopting a common language for threat modeling across the organization,
• embedding threat modeling into everyday operations according to the needs of each team, and
• managing threat intelligence smoothly in an automated manner.

At the end of this talk, you will leave with actionable insights on what could be your next step and a newfound confidence in your abilities to drive change in your organization.

Why OWASP Serverless Top Ten is Crucial for the Industry 

Unique Security Challenges
- Serverless computing introduces distinct security risks, such as misconfigured permissions, insecure third-party integrations, and event injection vulnerabilities.

Rapid Adoption Without Security Awareness
- OWASP Serverless Top Ten helps close the knowledge gap, providing clear guidelines on common threats. Guidance for Developers and Security Teams
- The Top Ten is a comprehensive, practical resource for developers and security teams to understand better and mitigate serverless applications' most critical security vulnerabilities.

Industry-Standard Reference 
- Provides a unified, industry-recognized reference, ensuring organizations and developers follow best practices in securing serverless architectures.

Adaptability to Cloud-Native Ecosystems 
- OWASP Serverless Top Ten addresses security in these increasingly complex environments.

Future-Proofing Security for Next-Generation Applications
- As serverless computing continues to evolve with AI, IoT, and edge computing, the Serverless Top Ten ensures that the industry remains proactive about emerging threats, not reactive.

1:15pm PDT

1:15pm PDT

2:15pm PDT