OWASP 2024 Global AppSec San Francisco

In this talk, Carlos Holguera and Sven Schleier, the OWASP Mobile Application Security (MAS) Project Leaders, will take a hands-on look at some of the latest OWASP MAS developments, in particular the new MASWE (Mobile Application Security Weakness Enumeration). This talk will introduce the concepts of "weaknesses", "atomic tests" and "demos" that are the basis of the upcoming MASTG v2. Attendees will gain practical knowledge through detailed examples that show the journey from definition to implementation using both static and dynamic analysis techniques available in MASTG. In addition, discover the newly developed MAS test apps designed to streamline research and improve the development of robust MAS tests. Don't miss this opportunity to improve your mobile app security skills and make your apps hack-proof. Whether you're looking to bolster your defenses or learn how to uncover vulnerabilities, this session will provide you with the cutting-edge resources you need to stay ahead in mobile security!

Achieving an Application Security Program with DSOMM

In this talk, Timo Pagel outlines a practical approach to building and optimizing application security (AppSec) programs for organizations of all sizes. While briefly touching on foundational elements, Timo's presentation focuses on developing and implementing a custom organizational maturity model based on DSOMM that resonates with development and operations teams.

Moving beyond traditional frameworks, Timo will teach attendees get most out of DSOMM by designing tailored models that account for diverse operating environments. The talk provides strategies for avoiding common pitfalls, implementing effective metrics, and creating a scalable AppSec approach adaptable to an organization's evolving needs. Through actionable advice and real-world examples, Timo will offer participants insights applicable to both new and existing AppSec programs.

This talk will provide a comprehensive introduction to Coraza, its use cases, how to implement it, and operationalise it generally.

In recent years, we have been involved in several significant discussions, including:
- Why not Core Ruleset WAF?
- Evaluating the effectiveness of signature-based rules in protecting against zero-day vulnerabilities.
- Considering the applicability of Machine Learning in the realm of security.
- How can ModSecurity and Coraza live together?

This presentation will examine each of these areas in depth. It will also cover the latest benchmarks and metrics and investigate future improvements, such as the possibility of a new rule language, support for multi-threading regex, and dynamic rule execution based on payload type.

In today's technological era, docker is the most powerful technology in each and every domain, whether it is Development, cyber security, DevOps, Automation, or Infrastructure. Considering the demand of the industry, I would like to introduce my idea to create a NIGHTINGALE: docker image for pentesters. This docker image is ready to use environment will the required tools that are needed at the time of pentesting on any of the scopes, whether it can be web application penetration testing, network penetration testing, mobile, API, OSINT, or Forensics. Also, it is a complete platform-independent so you can run Nightingale on every operating system as your wish, and it supports the Debian operating system.

OWASP Software Assurance Maturity Model (SAMM) Interactive Introduction and Update
Join project core members Aram and Sebastien for an engaging and interactive introduction and update on the OWASP Software Assurance Maturity Model (SAMM).

We will begin with a concise overview of SAMM's purpose and application in jumpstarting and accelerating your software assurance roadmap. This session will provide valuable insights and practical knowledge on leveraging SAMM effectively.

Tools and Assessment Guidance: Discover the range of SAMM tools available to support your software assurance efforts. We will explain the latest assessment guidance, providing you with the knowledge to utilize these tools to their fullest potential.

Mapping to Other Frameworks: Learn how SAMM can be mapped to other frameworks, such as the NIST Secure Software Development Framework (SSDF). This will enable you to leverage SAMM for demonstrating compliance and enhancing your software security posture.

Benchmark yourself against peers: The OWASP SAMM Benchmark enables organizations to anonymously compare their software security practices against industry peers, providing insights to identify improvement areas, prioritize security efforts, and track progress over time.

Internet of Things (IoT) has revolutionized the way we interact with our environments, connecting billions of devices to enhance efficiency, convenience, and automation in various sectors such as healthcare, transportation, and smart homes. However, the proliferation of interconnected devices also introduces significant security challenges. IoT devices, often designed with limited computing resources, may lack robust security features, making them vulnerable to cyber-attacks. As IoT continues to expand, discovering and addressing its security vulnerabilities becomes paramount to safeguarding personal privacy and ensuring the resilience of interconnected infrastructures. This project showcase will introduce and demonstrate current capabilities of the OWASP IoT Security Testing Guide (ISTG) project released earlier this year. The ISTG comprises a comprehensive methodology for penetration tests in the IoT field, offering flexibility to adapt innovations, and developments in the IoT market while still ensuring comparability of test results. While the guide is mainly intended to be used by penetration testers, its resources may aid manufacturers and operators of IoT devices to proactively improve the security of their devices.

OWASP dep-scan v6: The S in SCA is not an SBOM

The principle behind Software Composition Analysis (SCA) has remained the same for over a decade. It involves a single Software Bill-of-Materials (SBOM) document and a vulnerability database to identify potential vulnerabilities and advisories that might affect the given application or service. Such a technique of scanning an application with limited context creates both false positives and false negatives, a problem that is well-understood. Solving these inherent weaknesses requires some bold ideas. For OWASP dep-scan v6, we are revisiting every single word in the SCA acronym, to rethink SCA as we know it. In this mini session, we discuss the thinking behind the v6 release and offer insights into our technology and development efforts.

OWASP Nettacker project (a portmanteau of "Network Attacker") is a relatively new yet an awesome and powerful "swiss-army-knife" automated penetration testing framework fully written in Python. Nettacker recently gained a lot of interest from the European and Asian penetration testing communities and was even included in the specialist Linux distribution for penetration testers and security researchers. Nettacker is able to run various scans using a variety of methods and generate scan reports for applications and networks, including services, bugs, vulnerabilities, misconfigurations, default credentials and many other cool features - for example an ability to chain different scan methods. This talk will feature a live demo and several practical usage examples of how organisations can benefit from this OWASP project for automated security testing

Why OWASP Serverless Top Ten is Crucial for the Industry 

Unique Security Challenges
- Serverless computing introduces distinct security risks, such as misconfigured permissions, insecure third-party integrations, and event injection vulnerabilities.

Rapid Adoption Without Security Awareness
- OWASP Serverless Top Ten helps close the knowledge gap, providing clear guidelines on common threats. Guidance for Developers and Security Teams
- The Top Ten is a comprehensive, practical resource for developers and security teams to understand better and mitigate serverless applications' most critical security vulnerabilities.

Industry-Standard Reference 
- Provides a unified, industry-recognized reference, ensuring organizations and developers follow best practices in securing serverless architectures.

Adaptability to Cloud-Native Ecosystems 
- OWASP Serverless Top Ten addresses security in these increasingly complex environments.

Future-Proofing Security for Next-Generation Applications
- As serverless computing continues to evolve with AI, IoT, and edge computing, the Serverless Top Ten ensures that the industry remains proactive about emerging threats, not reactive.

2:15pm PDT

2:45pm PDT

3:15pm PDT