Monday, June 24
 

8:00am WEST

Breakfast
Monday June 24, 2024 8:00am - 9:00am WEST

9:00am WEST

3-Day Training: Hacking Android, iOS and IoT apps by Example (In-person and online option)
**Training tickets are a separate ticket purchase from a conference ticket**
Student tickets are only applicable for conference dates.

This course is available in person and online.

This course is a 100% hands-on deep dive into the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS), so this course covers and goes beyond the OWASP Mobile Top Ten.

Learn about Android, iOS and IoT app security by improving your mobile security testing kung-fu. Ideal for Penetration Testers, Mobile Developers and everybody interested in mobile app security.

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace, packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support and lifetime access to training portal with step-by-step video recordings and interesting apps to practice, including all future updates for free.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with: 4 hour workshop - https://7asecurity.com/free-workshop-mobile-practical
Teaser Video: https://www.youtube.com/watch?v=Re5oqfVkgd4

Speakers
Abraham Aranguren

CEO, 7ASecurity
After 15 years in ITsec and 22 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other even...


Monday June 24, 2024 9:00am - 5:00pm WEST

9:00am WEST

3-Day Training: Application Security Training with Jim Manico (In-person and online option)
**Training tickets are a separate ticket purchase from a conference ticket**
Student tickets are only applicable for conference dates.

This course is available in person and online.

Core Modules
00-00 Introduction to Application Security (1 hr): Goals and Threats in AppSec
00-01 Input Validation Basics (1 hr): Allowlist Validation, Safe Redirects
00-02 HTTP Security Basics (1.5 hrs): Response/Request Headers, Verbs, Secure Transport Basics
00-03 SOP and CORS (1 hr): Same-Origin Policy, Cross-Origin Resource Sharing Security
00-04 API and REST Security (2 hrs): REST Design, XML, XXE, JSON, API Access Control
00-05 Microservice Security (2 hrs): Security Architectures in Microservices
00-06 JSON Web Tokens (JWT) (1 hr): Addressing JWT Security Challenges
00-07 SQL and Other Injections (1.5 hrs): Parameterized Queries, Secure Database Configurations, Command Injection
00-08 Cross-Site Request Forgery (1.5 hrs): CSRF Defenses for Various Architectures
00-09 File Upload and File I/O Security (1 hr): Secure File Upload, File I/O Security
00-10 Deserialization Security (0.5 hr): Safe Deserialization Practices
00-11 Artificial Intelligence Security (1-8 hrs): Securing AI Implementations, Full Course
00-12 Third-Party Library Security Management (1 hr): Ensuring Third-Party Library Security
00-13 Introduction to Cloud Security (1 hr): Basics of Cloud Security Management
00-14 Introduction to iOS and Android Security (1 hr): Mobile Security Fundamentals

Standards
01-00 OWASP Top Ten (1-4 hrs): Top Ten Web Security Risks
01-01 Introduction to GDPR (1 hr): European Data Privacy Law
01-02 OWASP ASVS (1 hr): Comprehensive Secure Coding Standard
01-03 OWASP Top Ten Proactive Controls (1 hr): Web Security Defense Categories
01-04 PCI Secure SDLC Standard (1 hr): Credit Card SDLC Requirements

User Interface Security
02-00 XSS Defense (2 hrs): Client-Side Web Security
02-01 Content Security Policy (1 hr): Advanced Client-Side Web Security
02-02 Content Spoofing and HTML Hacking (.5 hr): HTML Client-Side Injection Attacks
02-03 React Security (1 hr): Secure React Application Development
02-04 Vue.js Security (1 hr): Secure Vue.js Application Development
02-05 Angular and AngularJS Security (1 hr): Secure Angular Application Development
02-06 Clickjacking (0.5 hr): UI Redress Attack Defense

Identity & Access Management
03-01 Authentication Best Practices (1.5 hrs): Web Authentication Practices
03-02 Session Management Best Practices (1.5 hrs): Web Session Management Practices
03-03 Multi-Factor Authentication (1 hr): NIST SP-800-63 Compliant MFA Implementation
03-04 Secure Password Policy and Storage (1 hr): Secure User Password Policy and Storage
03-05 Access Control Design (1 hr): ABAC/Capabilities-Based Access Control
03-06 OAuth2 Security (1 hr): OAuth2 Authorization Protocol
03-07 OpenID Connect Security (1 hr): OpenID Connect Federation Protocol

Crypto Modules
04-00 Secrets Management (1 hr): Key and Credential Storage Strategies
04-01 HTTPS/TLS Best Practices (1 hr): Transport Security Introduction
04-02 Cryptography Fundamentals - Part 1 (4 hrs): Terminology, Steganography, Attacks, Kerckhoffs's Principle, PFC
04-03 Cryptography Fundamentals - Part 2 (4 hrs): Hash Functions, Symmetric Cryptography, Randomness, Digital Signatures

Process
05-00 DevOps Best Practices (1 hr): DevOps and DevSecOps with a CD/CI Focus
05-01 Secure SDLC and AppSec Management (1 hr): Managing Secure Software Processes

Additional Topics
06-00 User and Helpdesk Awareness Training (1 hr): Security Awareness for Non-Technical Staff
06-01 Social Engineering for Developers (1 hr): Developer Protection Against Social Engineering
06-02 Application Layer Intrusion Detection (0.5 hr): Detecting App Layer Attacks
06-03 Threat Modeling Fundamentals (1 hr): Security Design via Threat Modeling
06-04 Forms and Workflows Security (0.5 hr): Secure Handling of Complex Forms
06-05 Java 8/9/10/11/12/13+ Security Controls (1 hr): Java Security Advances
06-06 Logging and Monitoring Security (0.5 hr): Security-Focused Logging
06-07 Subdomain Takeover (1 hr): Preventing Subdomain Takeover Scenarios
06-08 Laravel and PHP Security (1 hr): Focus on PHP Security

Lab Options
07-00 Competitive Web Hacking LABS (1-4 hrs): Hands-on Web Hacking Labs
07-01 Competitive API Hacking LABS (1-4 hrs): Hands-on API Hacking Labs
07-02 Secure Coding Knowledge LABS (4 hrs): Hands-on Secure Coding Labs

Speakers
Jim Manico

Founder, Manicode Security
Jim Manico is the Founder of Manicode Security, a company dedicated to providing expert training in secure coding and security engineering to software developers. His work at Manicode Security reflects his deep commitment to elevating software security standards in the industry. In...


Monday June 24, 2024 9:00am - 5:00pm WEST

9:00am WEST

3-Day Training: Web Application Security Essentials
**Training tickets are a separate ticket purchase from a conference ticket**
Student tickets are only applicable for conference dates.

This course provides the knowledge and resources required to evaluate the security of web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures.

The course is aligned with the OWASP Top 10 2021, a world-renowned reference document which describes the most critical web application security flaws.

The topics covered include:
Introduction to Web Application Security
Technologies used in Web Applications
The Security Tester Toolkit
Critical Areas in Web Applications
Broken Access Control
Cryptographic Failures
Injection
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server Side Request Forgery (SSRF)

Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.

Speakers
Fabio Cerullo

Managing Director, Cycubix LTD
Fabio delivered this training to thousands of developers and security professionals. He also regularly delivers training to technical audiences on various topics such as application security, cloud security, and information security. Here is a reference from one attendee of his courses...


Monday June 24, 2024 9:00am - 5:00pm WEST

10:30am WEST

AM Break
Monday June 24, 2024 10:30am - 11:00am WEST

12:30pm WEST

Lunch
Monday June 24, 2024 12:30pm - 1:30pm WEST

3:00pm WEST

PM Break
Monday June 24, 2024 3:00pm - 3:30pm WEST
 
Tuesday, June 25
 

8:00am WEST

Breakfast
Tuesday June 25, 2024 8:00am - 9:00am WEST

9:00am WEST

2-Day Training: Building a High-Value AppSec Scanning Programme
**Training tickets are a separate ticket purchase from a conference ticket**
Student tickets are only applicable for conference dates.


You bought the application security tools, you have the findings, but now what? Many organisations find themselves drowning in “possible vulnerabilities”, struggling to streamline their processes and not sure how to measure their progress. If you are involved in using SAST, DAST or SCA tools in your organisation, these may be familiar feelings to you.

In this course you will learn how to address these problems and more (in a vendor-neutral way), with topics including:
● What to expect from these tools
● Customising and optimising these tools effectively
● Building tool processes which fit your business
● Automating workflows using CI/CD without slowing it down
● Showing the value and improvements you are making
● Faster and easier triage through smart filtering
● How to focus on fixing what matters and cut down noise
● Techniques for various alternative forms of remediation
● Comparison of the different tool types covered

To bring the course to life and let you apply what you learn, you will work in teams on table-top exercises where you design processes to cover specific scenarios, explain and justify your decisions to simulated stakeholders and practice prioritising your remediation efforts.

For these exercises, you will work based on specially designed process templates (which we will provide) which you can use afterwards to apply these improvements within your own organisation.

Be ready to work in a group, take part in discussions and present your findings and leave the course with clear strategies and ideas on how to get less stress and more value from these tools.

Speakers
Josh Grossman

CTO, Bounce Security
Josh Grossman has worked as a consultant in IT and Application Security and Risk for 15 years now, as well as a Software Developer. This has given him an in-depth understanding of how to manage the balance between business needs, developer needs and security needs which goes into...


Tuesday June 25, 2024 9:00am - 5:00pm WEST

9:00am WEST

2-Day Training: Adam Shostack's Threat Modeling Intensive
**Training tickets are a separate ticket purchase from a conference ticket**
Student tickets are only applicable for conference dates.


This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start with a guided threat modeling exercise, and we'll then iterate and break down the skills they're learning in more depth. We'll progress through the Four Questions of Threat Modeling: what are we working on, what can go wrong, what are we going to do about it and did we do a good job. This is capped off with an end-to-end exercise that brings the skills together.

Speakers
Adam Shostack

Shostack & Associates
Adam Shostack is a leading expert in threat modeling, and the author of "Threats: What Every Engineer Should Learn from Star Wars" and "Threat Modeling: Designing for Security."


Tuesday June 25, 2024 9:00am - 5:00pm WEST

9:00am WEST

2-Day Training: Practical Privacy by Design - Building secure applications that respect privacy
**Training tickets are a separate ticket purchase from a conference ticket**
Student tickets are only applicable for conference dates.


Privacy is hot! Now is the time to embrace this in-demand skillset. Believe it or not, privacy will even strengthen your security posture. Join this course now to learn about privacy engineering essentials and practical privacy-by-design approaches. With the lessons we’ll teach you, you’ll be able to effectively integrate privacy in existing security practices!

Consumers are becoming more privacy-aware and expect privacy-oriented products. Likewise, globally emerging data protection legislations are forcing companies to integrate a technical approach for privacy into system design. With ever higher demands for privacy engineering, privacy by design, privacy-respecting systems - and increasing impact from the lack thereof - security teams are hard pressed to keep up with these emerging requirements and often feel like there is a substantial and growing skills gap.

Traditional security approaches do not typically focus on this aspect, leaving individuals at risk. Fortunately, privacy by design does not have to be difficult, and in fact, can be nicely aligned with secure design best practices. Incorporating privacy into security with a proactive approach is essential, and can even become a force multiplier for more secure systems!

This interactive hands-on training will introduce you to common privacy goals, and how these often fail. You'll learn about core privacy engineering fundamentals and get hands-on experience identifying and tackling potential privacy gaps and weaknesses, by leveraging by-design approaches such as threat modeling. As privacy shouldn’t be tackled in isolation, you will learn how to build privacy into the core of the software design and development process, aligned with security practices, showing how to gain increased efficiency and effectiveness in both domains.

The course will cover these main topics:
- Introduction to Privacy Essentials
- Architectural data mapping
- Tracing the functionality
- Overview of Privacy Threat Modeling
- Analyzing for Privacy Threats
- Privacy controls and mitigation strategies
- Putting it all together: Full Privacy Process

Each of these interactive modules will teach you both the technical skills and social aspects essential for successful privacy engineering, explain how they align with corresponding security practices, and highlight how these privacy skills can strengthen your security posture. With plenty of hands-on experience through a set of exercises, class discussions, and productive collaboration, you'll gain confidence to improve the privacy posture of your system using established design techniques, so you can take these practical skills back to your security practice.

Speakers
Avi Douglen

Founder and CEO, Bounce Security
Avi Douglen has been building secure applications for decades, and is *obsessed* with maximizing value output from security efforts. Avi is the founder and CEO of Bounce Security, a boutique consulting agency dedicated to helping developers integrate security efficiently into their...
Kim Wuyts

Manager Cyber & Privacy, PwC Belgium
Dr. Kim Wuyts is a leading privacy engineering expert with over 15 years of experience in security and privacy. Before joining PwC Belgium as Manager Cyber & Privacy, Kim was a senior researcher at KU Leuven where she led the development and extension of LINDDUN, a popular privacy...


Tuesday June 25, 2024 9:00am - 5:00pm WEST

9:00am WEST

3-Day Training: Hacking Android, iOS and IoT apps by Example (In-person and online option)

Tuesday June 25, 2024 9:00am - 5:00pm WEST

9:00am WEST

3-Day Training: Application Security Training with Jim Manico (In-person and online option)

Tuesday June 25, 2024 9:00am - 5:00pm WEST

9:00am WEST

3-Day Training: Web Application Security Essentials

Tuesday June 25, 2024 9:00am - 5:00pm WEST

10:30am WEST

AM Break
Tuesday June 25, 2024 10:30am - 11:00am WEST

12:30pm WEST

Lunch
Tuesday June 25, 2024 12:30pm - 1:30pm WEST

3:00pm WEST

PM Break
Tuesday June 25, 2024 3:00pm - 3:30pm WEST
 
Wednesday, June 26
 

8:00am WEST

Breakfast
Wednesday June 26, 2024 8:00am - 9:00am WEST

9:00am WEST

SAMM User Day
**Tickets are a separate ticket purchase from a conference ticket**
Student tickets are only applicable for conference dates.

Wednesday June 26, 2024 9:00am - 5:00pm WEST

9:00am WEST

1-Day Training: Intersectional Threat Modeling for Identifying, Ranking, and Mitigating Offline Threats, Risks, and Dangers
**Training tickets are a separate ticket purchase from a conference ticket**
Student tickets are only applicable for conference dates.


This workshop introduces a logic, methodology, and toolset for intersectional, risk-centric, attack-driven threat modeling, tailored to both technical (i.e., computer/network-based) and non-technical practitioners (e.g., journalists, human rights defenders). This approach focuses on promoting proactive harm reduction through a focus on the context-sensitive aspects of human, organizational, and networked digital systems. Backed by dozens of case studies and more than a decade of direct application, this session will help enumerate how ‘technical’ and ‘non-technical’ users can benefit from the logic and methods of threat modeling.

Participants will be challenged to consider their own threat environment and to actively engage with the process through in-session brainstorming activities, risk assessments, and other illustrative exercises. This workshop does not require any technical know-how, but participants should come prepared to investigate and explore their own security challenges. Through a combination of traditional lecture, applied discussion, and hands-on activities, participants will engage directly with the process of intersectional threat modeling.


Speakers
Michael Loadenthal, Ph.D.

Professor of Research, Center for Cyber Strategy and Policy
Michael Loadenthal, Ph.D., is a Professor of Research with the Center for Cyber Strategy and Policy, within the School of Public and International Affairs at the University of Cincinnati, and the founder and Executive Director of the Prosecution Project which tracks political...


Wednesday June 26, 2024 9:00am - 5:00pm WEST

9:00am WEST

1-Day Training: Master AI security (In-person and online option)
**Training tickets are a separate ticket purchase from a conference ticket**
Student tickets are only applicable for conference dates.

This course is available in-person or online

See teaser video for this training

This training is a unique opportunity to become proficient in the intricate and rapidly evolving field of AI security.

Soon, nearly every digital organization will be deploying systems that incorporate AI. This presents a significant challenge, regardless of whether you are an AppSec specialist, a developer, or a red teamer. What are your responsibilities? What constitutes the new AI attack surface, and what threats emerge from it? What measures can you take to mitigate these emerging risks?

This one-day intensive training program will equip you with the knowledge to tackle these AI-related challenges effectively, enabling you to apply what you learn immediately. Starting with a foundational overview of AI, the course then delivers an exhaustive exploration of the distinctive vulnerabilities AI introduces, the possible attack vectors, and the most current strategies to counteract threats like prompt injection, data poisoning, model theft, evasion, and more. Through practical exercises, you will gain hands-on experience in enacting strong security measures, attacking AI systems, conducting threat modelling on AI, and targeted vulnerability assessments for AI applications.

By day's end, you will possess a thorough comprehension of the core principles and techniques critical to strengthening AI systems. You will have gained practical insights and the confidence to implement cutting-edge AI security measures.

Speakers
Rob van der Veer

Senior Director, SIG
Rob van der Veer is an AI pioneer with 32 years of experience in the AI field, specializing in engineering, security and privacy. He is the lead author of the ISO/IEC 5338 standard on AI lifecycle, co-founder of the digital bridge for security standards OpenCRE.org, and creator of the OWASP AI Exchange – open sourcing the global discussion on AI security. He is advisor to ENISA and deeply involved in international standardization through different roles in ISO/IEC and CEN/CENELEC, including JTC21/WG5 - working on the security standardization r...


Wednesday June 26, 2024 9:00am - 5:00pm WEST

9:00am WEST

1-Day Training: The Dark Side of APIs - the Attacker way to protect software
**Training tickets are a separate ticket purchase from a conference ticket**
Student tickets are only applicable for conference dates.


Following a hands-on approach, attendees will be guided into exploiting the ten most common API security risks according to the OWASP API Security Top 10.

The security issues will be discussed in-depth, also covering the mitigation. API protocol-specific security issues will be addressed and discussed to cover the most common API protocols. Training sessions are delivered by a security practitioner and OWASP project leader.

# Target Audience
API developers, DevSecOps, Pentesters, and systems integrators

# Training Program
Part 1
* Introduction to the Open Web Application Security Project (OWASP), the OWASP API Security Project, and the OWASP API Top 10
* The HTTP protocol and how APIs work on top of it

Part 2
For each of the ten most common API security risks (according to the OWASP API Top 10):
* Exploit the vulnerability
* Discuss the security issue, impact, and how to mitigate the risk

GraphQL-specific security risks

# What You’ll Learn
* Relevant OWASP projects and how to use them to write secure code
* HTTP protocol fundamentals and how APIs work on top of it
* In-depth knowledge of the ten most common API security risks
* API protocol-specific risks (e.g. GraphQL)
* How threat agents exploit API vulnerabilities: tools and techniques
* How to avoid the most common API security issues

Speakers
Paulo Silva

Security Researcher, Char49
While leading and co-authoring the OWASP API Top 10 Project, Paulo is a security practitioner with a solid background in software development who has spent the last decade breaking software and helping organizations improve their security posture. In addition, Paulo participated in...


Wednesday June 26, 2024 9:00am - 5:00pm WEST

9:00am WEST

2-Day Training: Building a High-Value AppSec Scanning Programme
**Training tickets are a separate ticket purchase from a conference ticket**
Student tickets are only applicable for conference dates.


You bought the application security tools, you have the findings, but now what? Many organisations find themselves drowning in “possible vulnerabilities”, struggling to streamline their processes and not sure how to measure their progress. If you are involved in using SAST, DAST or SCA tools in your organisation, these may be familiar feelings to you.

In this course you will learn how to address these problems and more (in a vendor-neutral way), with topics including:
● What to expect from these tools
● Customising and optimising these tools effectively
● Building tool processes which fit your business
● Automating workflows using CI/CD without slowing it down
● Showing the value and improvements you are making
● Faster and easier triage through smart filtering
● How to focus on fixing what matters and cut down noise
● Techniques for various alternative forms of remediation
● Comparison of the different tool types covered

To bring the course to life and let you apply what you learn, you will work in teams on table-top exercises where you design processes to cover specific scenarios, explain and justify your decisions to simulated stakeholders and practice prioritising your remediation efforts.

For these exercises, you will work based on specially designed process templates (which we will provide) which you can use afterwards to apply these improvements within your own organisation.

Be ready to work in a group, take part in discussions and present your findings and leave the course with clear strategies and ideas on how to get less stress and more value from these tools.

Speakers
Josh Grossman

CTO, Bounce Security
Josh Grossman has worked as a consultant in IT and Application Security and Risk for 15 years now, as well as a Software Developer. This has given him an in-depth understanding of how to manage the balance between business needs, developer needs and security needs which goes into...


Wednesday June 26, 2024 9:00am - 5:00pm WEST

9:00am WEST

2-Day Training: Adam Shostack's Threat Modeling Intensive
**Training tickets are a separate ticket purchase from a conference ticket**
Student tickets are only applicable for conference dates.


This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start with a guided threat modeling exercise, and we'll then iterate and break down the skills they're learning in more depth. We'll progress through the Four Questions of Threat Modeling: what are we working on, what can go wrong, what are we going to do about it and did we do a good job. This is capped off with an end-to-end exercise that brings the skills together.

Speakers

Adam Shostack

Shostack & Associates
Adam Shostack is a leading expert in threat modeling, and the author of "Threats: What Every Engineer Should Learn from Star Wars" and "Threat Modeling: Designing for Security."


Wednesday June 26, 2024 9:00am - 5:00pm WEST

9:00am WEST

2-Day Training: Practical Privacy by Design - Building secure applications that respect privacy
**Training tickets are a separate ticket purchase from a conference ticket**
Student tickets are only applicable for conference dates.


Privacy is hot! Now is the time to embrace this in-demand skillset. Believe it or not, privacy will even strengthen your security posture. Join this course now to learn about privacy engineering essentials and practical privacy-by-design approaches. With the lessons we’ll teach you, you’ll be able to effectively integrate privacy in existing security practices!

Consumers are becoming more privacy-aware and expect privacy-oriented products. Likewise, globally emerging data protection legislations are forcing companies to integrate a technical approach for privacy into system design. With ever higher demands for privacy engineering, privacy by design, privacy-respecting systems - and increasing impact from the lack thereof - security teams are hard pressed to keep up with these emerging requirements and often feel like there is a substantial and growing skills gap.

Traditional security approaches do not typically focus on this aspect, leaving individuals at risk. Fortunately, privacy by design does not have to be difficult, and in fact, can be nicely aligned with secure design best practices. Incorporating privacy into security with a proactive approach is essential, and can even become a force multiplier for more secure systems!

This interactive hands-on training will introduce you to common privacy goals, and how these often fail. You'll learn about core privacy engineering fundamentals and get hands-on experience identifying and tackling potential privacy gaps and weaknesses, by leveraging by-design approaches such as threat modeling. As privacy shouldn’t be tackled in isolation, you will learn how to build privacy into the core of the software design and development process, aligned with security practices, showing how to gain increased efficiency and effectiveness in both domains.

The course will cover these main topics:
- Introduction to Privacy Essentials
- Architectural data mapping
- Tracing the functionality
- Overview of Privacy Threat Modeling
- Analyzing for Privacy Threats
- Privacy controls and mitigation strategies
- Putting it all together: Full Privacy Process

Each of these interactive modules will teach you both the technical skills and social aspects essential for successful privacy engineering, explain how they align with corresponding security practices, and highlight how these privacy skills can strengthen your security posture. With plenty of hands-on experience through a set of exercises, class discussions, and productive collaboration, you'll gain confidence to improve the privacy posture of your system using established design techniques, so you can take these practical skills back to your security practice.

Speakers
Avi Douglen

Founder and CEO, Bounce Security
Avi Douglen has been building secure applications for decades, and is *obsessed* with maximizing value output from security efforts. Avi is the founder and CEO of Bounce Security, a boutique consulting agency dedicated to helping developers integrate security efficiently into their...

Kim Wuyts

Manager Cyber & Privacy, PwC Belgium
Dr. Kim Wuyts is a leading privacy engineering expert with over 15 years of experience in security and privacy. Before joining PwC Belgium as Manager Cyber & Privacy, Kim was a senior researcher at KU Leuven where she led the development and extension of LINDDUN, a popular privacy...


Wednesday June 26, 2024 9:00am - 5:00pm WEST

9:00am WEST

3-Day Training: Hacking Android, iOS and IoT apps by Example (In-person and online option)
**Training tickets are a separate ticket purchase from a conference ticket**
Student tickets are only applicable for conference dates.

This course is available in person and online.

This course is a 100% hands-on deep dive into the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS), so this course covers and goes beyond the OWASP Mobile Top Ten.

Learn about Android, iOS and IoT app security by improving your mobile security testing kung-fu. Ideal for Penetration Testers, Mobile Developers and everybody interested in mobile app security.

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace, packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support and lifetime access to training portal with step-by-step video recordings and interesting apps to practice, including all future updates for free.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with: 4 hour workshop - https://7asecurity.com/free-workshop-mobile-practical
Teaser Video: https://www.youtube.com/watch?v=Re5oqfVkgd4

Speakers
Abraham Aranguren

CEO, 7ASecurity
After 15 years in ITsec and 22 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other even...


Wednesday June 26, 2024 9:00am - 5:00pm WEST

9:00am WEST

3-Day Training: Application Security Training with Jim Manico (In person and online option)
Training courses require a separate ticket purchase from conference tickets.
Student tickets are only applicable to conference dates, not training.
This course is available in person and online.

Core Modules
00-00 Introduction to Application Security (1 hr): Goals and Threats in AppSec
00-01 Input Validation Basics (1 hr): Allowlist Validation, Safe Redirects
00-02 HTTP Security Basics (1.5 hrs): Response/Request Headers, Verbs, Secure Transport Basics
00-03 SOP and CORS (1 hr): Same-Origin Policy, Cross-Origin Resource Sharing Security
00-04 API and REST Security (2 hrs): REST Design, XML, XXE, JSON, API Access Control
00-05 Microservice Security (2 hrs): Security Architectures in Microservices
00-06 JSON Web Tokens (JWT) (1 hr): Addressing JWT Security Challenges
00-07 SQL and Other Injections (1.5 hrs): Parameterized Queries, Secure Database Configurations, Command Injection
00-08 Cross-Site Request Forgery (1.5 hrs): CSRF Defenses for Various Architectures
00-09 File Upload and File I/O Security (1 hr): Secure File Upload, File I/O Security
00-10 Deserialization Security (0.5 hr): Safe Deserialization Practices
00-11 Artificial Intelligence Security (1-8 hrs): Securing AI Implementations, Full Course
00-12 Third-Party Library Security Management (1 hr): Ensuring Third-Party Library Security
00-13 Introduction to Cloud Security (1 hr): Basics of Cloud Security Management
00-14 Introduction to iOS and Android Security (1 hr): Mobile Security Fundamentals

Standards
01-00 OWASP Top Ten (1-4 hrs): Top Ten Web Security Risks
01-01 Introduction to GDPR (1 hr): European Data Privacy Law
01-02 OWASP ASVS (1 hr): Comprehensive Secure Coding Standard
01-03 OWASP Top Ten Proactive Controls (1 hr): Web Security Defense Categories
01-04 PCI Secure SDLC Standard (1 hr): Credit Card SDLC Requirements

User Interface Security
02-00 XSS Defense (2 hrs): Client-Side Web Security
02-01 Content Security Policy (1 hr): Advanced Client-Side Web Security
02-02 Content Spoofing and HTML Hacking (.5 hr): HTML Client-Side Injection Attacks
02-03 React Security (1 hr): Secure React Application Development
02-04 Vue.js Security (1 hr): Secure Vue.js Application Development
02-05 Angular and AngularJS Security (1 hr): Secure Angular Application Development
02-06 Clickjacking (0.5 hr): UI Redress Attack Defense

Identity & Access Management
03-01 Authentication Best Practices (1.5 hrs): Web Authentication Practices
03-02 Session Management Best Practices (1.5 hrs): Web Session Management Practices
03-03 Multi-Factor Authentication (1 hr): NIST SP-800-63 Compliant MFA Implementation
03-04 Secure Password Policy and Storage (1 hr): Secure User Password Policy and Storage
03-05 Access Control Design (1 hr): ABAC/Capabilities-Based Access Control
03-06 OAuth2 Security (1 hr): OAuth2 Authorization Protocol
03-07 OpenID Connect Security (1 hr): OpenID Connect Federation Protocol

Crypto Modules
04-00 Secrets Management (1 hr): Key and Credential Storage Strategies
04-01 HTTPS/TLS Best Practices (1 hr): Transport Security Introduction
04-02 Cryptography Fundamentals - Part 1 (4 hrs): Terminology, Steganography, Attacks, Kerckhoffs's Principle, PFC
04-03 Cryptography Fundamentals - Part 2 (4 hrs): Hash Functions, Symmetric Cryptography, Randomness, Digital Signatures

Process
05-00 DevOps Best Practices (1 hr): DevOps and DevSecOps with a CD/CI Focus
05-01 Secure SDLC and AppSec Management (1 hr): Managing Secure Software Processes

Additional Topics
06-00 User and Helpdesk Awareness Training (1 hr): Security Awareness for Non-Technical Staff
06-01 Social Engineering for Developers (1 hr): Developer Protection Against Social Engineering
06-02 Application Layer Intrusion Detection (0.5 hr): Detecting App Layer Attacks
06-03 Threat Modeling Fundamentals (1 hr): Security Design via Threat Modeling
06-04 Forms and Workflows Security (0.5 hr): Secure Handling of Complex Forms
06-05 Java 8/9/10/11/12/13+ Security Controls (1 hr): Java Security Advances
06-06 Logging and Monitoring Security (0.5 hr): Security-Focused Logging
06-07 Subdomain Takeover (1 hr): Preventing Subdomain Takeover Scenarios
06-08 Laravel and PHP Security (1 hr): Focus on PHP Security

Lab Options
07-00 Competitive Web Hacking LABS (1-4 hrs): Hands-on Web Hacking Labs
07-01 Competitive API Hacking LABS (1-4 hrs): Hands-on API Hacking Labs
07-02 Secure Coding Knowledge LABS (4 hrs): Hands-on Secure Coding Labs

Speakers
Jim Manico

Founder, Manicode Security
Jim Manico is the Founder of Manicode Security, a company dedicated to providing expert training in secure coding and security engineering to software developers. His work at Manicode Security reflects his deep commitment to elevating software security standards in the industry. In...


Wednesday June 26, 2024 9:00am - 5:00pm WEST

9:00am WEST

3-Day Training: Web Application Security Essentials
**Training tickets are a separate ticket purchase from a conference ticket**
Student tickets are only applicable for conference dates.


This course provides the knowledge and resources required to evaluate the security of web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures.

The course is aligned with the OWASP Top 10 2021, a world-renowned reference document which describes the most critical web application security flaws.

The topics covered include:
Introduction to Web Application Security
Technologies used in Web Applications
The Security Tester Toolkit
Critical Areas in Web Applications
Broken Access Control
Cryptographic Failures
Injection
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server Side Request Forgery (SSRF)

Format: The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.

Speakers
Fabio Cerullo

Managing Director, Cycubix LTD
Fabio has delivered this training to thousands of developers and security professionals. He also regularly delivers training to technical audiences on various topics such as application security, cloud security, and information security. Here is a reference from one attendee of his courses...


Wednesday June 26, 2024 9:00am - 5:00pm WEST

10:30am WEST

AM Break
Wednesday June 26, 2024 10:30am - 11:00am WEST

12:30pm WEST

Lunch
Wednesday June 26, 2024 12:30pm - 1:30pm WEST

3:00pm WEST

PM Break
Wednesday June 26, 2024 3:00pm - 3:30pm WEST

5:30pm WEST

Global Board of Directors Public Board Meeting
Wednesday June 26, 2024 5:30pm - 7:30pm WEST

7:45pm WEST

New Global AppSec Conference Attendee Icebreaker Reception
Separate ticket purchase is required. Actual time is to be determined but will be around the 8:30-10:30pm range.

Wednesday June 26, 2024 7:45pm - 8:45pm WEST

8:45pm WEST

Women in AppSec Reception
Separate ticket purchase is needed. Actual time is TBD but will be somewhere in the 7:30 - 9:00pm range.

Wednesday June 26, 2024 8:45pm - 9:45pm WEST
 
Thursday, June 27
 

8:00am WEST

Breakfast
Thursday June 27, 2024 8:00am - 9:00am WEST

9:00am WEST

Keynote 1
Speakers
John Graham-Cumming

CTO, Cloudflare
John Graham-Cumming is CTO of Cloudflare and is a computer programmer and author. He studied mathematics and computation at Oxford and stayed for a doctorate in computer security. As a programmer, he has worked in Silicon Valley and New York, the UK, Germany, and France. His open...


Thursday June 27, 2024 9:00am - 10:00am WEST

9:00am WEST

OWASP Member's Lounge
For OWASP members only

Thursday June 27, 2024 9:00am - 6:00pm WEST

10:00am WEST

AM Break
Thursday June 27, 2024 10:00am - 10:30am WEST

10:30am WEST

Breakout: Projects
Thursday June 27, 2024 10:30am - 11:05am WEST

10:30am WEST

AI Package Hallucination – Spreading Malicious Packages Using Generative AI
Revolutionary research exposes new attack technique using ChatGPT! Discover how attackers could exploit its hallucination to spread malicious packages, posing a grave threat to developers and production systems.

Speakers

Bar Lanyado

Security Research, Lasso Security
Bar is a security researcher at Lasso Security. For the past 6 years, he has worked as a penetration tester and security researcher. During his career, Bar has tested and researched various areas such as Mobile & Web applications, reversing, supply chain attacks, and more.


Thursday June 27, 2024 10:30am - 11:15am WEST

10:30am WEST

A Race to the Bottom - Database Transactions Undermining Your AppSec
In the context of relational databases such as Postgres, MySQL/MariaDB or MSSQL, a transaction is a construct used to wrap complex business operations, ensuring the application is safe from data corruption. But what happens when they start working against you?


This presentation will show a darker side of database transactions: as a potential source of application vulnerabilities. Learn how common patterns of (mis)use can introduce data races and easily exploitable race conditions. We’ll dig into database internals and find out how the helpful hand of the database engine introduces the vulnerability, ways of exploiting it and look at possible mitigations.


Speakers
Viktor Chuchurski

Application Security Engineer, Doyensec
Viktor Chuchurski is a passionate Application Security Engineer with an extensive background in Software Development. He works on helping clients deliver secure software to their customers.


Thursday June 27, 2024 10:30am - 11:15am WEST

10:30am WEST

Tracking and Hacking Your Career
Employees, especially those earlier in their career, often expect their managers to provide a plan for their career growth. Experienced managers know this effort needs to be collaborative or it will likely fall flat. Employees that take an active role in this process will have more agency in shaping their career.


This talk is designed to be valuable for both individual contributors (ICs) and people managers.

In this presentation we’ll demonstrate how to translate your company’s ladder into the skeleton of a Career Development Plan (CDP). A custom CDP is a powerful tool that can help you during promotions and makes filling out those dreaded self-reviews easy. It’s also a durable document that will help protect you from career setbacks when you switch teams, your manager leaves, or even when you change companies.


Another aspect of shaping your career is being comfortable talking about your accomplishments. Unfortunately a lot of security folks are bad at marketing. We’ll briefly cover how to make your work visible to others.


This combined with a CDP helps you achieve whatever’s next. This could be Senior to Staff AppSec Eng, IC to manager, or changing disciplines from CloudSec to CorpSec.


The most consistent person in your career is you, make sure you are recognized for your work.


Speakers
Misha Yalavarthy

Security Engineering Manager, Semgrep
Misha Yalavarthy is currently a Security Engineering Manager of a research team at Semgrep that is building rules to find vulnerabilities in our customers' code. Before Semgrep, she was the Security Engineering Manager for the Detection and Response team at Sentry and was responsible...

Leif Dreizler

Information Security Professional, Semgrep
Leif Dreizler is an information security professional with over a decade of experience. He is currently leading an engineering team that builds features of Semgrep’s product. Previously, Leif was a Senior Engineering Manager at Twilio Segment where his team was focused on building...


Thursday June 27, 2024 10:30am - 11:15am WEST

10:30am WEST

Traceability in cyber security: lessons learned from the medical sector
Cyber security for medical devices has received a lot of attention very early and quite naturally, since it can literally be a matter of life or death. Regulatory bodies all over the world have imposed strict cyber security requirements that cover the entire lifecycle of a medical device. Such regulations include cyber security guidance by the FDA in the US, and the Medical Device Regulation in the EU (EU MDR). In this presentation we will provide a high level overview of these requirements, and focus on the topic of traceability. Traceability was first introduced as a requirement by the FDA almost 20 years ago. It is a systematic way to link together product requirements, design, and testing, along with risk management. It connects cyber security assessments, threat modeling, security tests and SBOMs, covering the entire software supply chain. Subsequently, we will present a methodology for product security traceability that we have developed after performing numerous security assessments on medical devices. We believe that any product, not just medical devices, can benefit from this approach. Our methodology helps product teams to focus on pragmatic business and product-related risks, rather than just technical application vulnerabilities. Overall, we will highlight how lessons learned from regulatory compliance requirements and cyber security best practices for medical devices can be adopted by product security teams.

Speakers
Dr Konstantinos Papapanagiotou

Advisory Services Director, Census S.A.
Dr Konstantinos Papapanagiotou is the Advisory Services Director at Census Labs S.A. Prior to that, he worked for OTE S.A. (member of Deutsche Telekom Group) where he was responsible for the cyber security solutions offered to corporate customers. In the past he has led cyber security...


Thursday June 27, 2024 10:30am - 11:15am WEST

10:30am WEST

BONUS TRACK: Meet the Mentor (sponsored by Semgrep)
One more Global AppSec event.
You’re taking training, you’re running between sessions, you’re connecting with people over coffee or when talking to a vendor.

What if you could use the event to also meet a potential mentor, or mentee?
What if you could connect face to face with someone who may help take your career to the next level, or that you can help and make a difference with?

We are inviting you to an OWASP Lisbon Global AppSec activity, first of its kind in an OWASP event: Meet The Mentor! A speed-dating activity between potential mentors and mentees where you can come face to face and see if it “clicks”, start a conversation, and see if it is a match.

Thursday June 27, 2024 10:30am - 12:15pm WEST

11:10am WEST

Breakout: Projects
Thursday June 27, 2024 11:10am - 11:45am WEST

11:30am WEST

Back to the Future: Old Tricks Invading a New Attack Surface
Based on our recent research, this talk explores security risks in leading Low-Code/No-Code (LCNC) application development platforms. It highlights the possibility of spreading malware and stealing data using injection and supply chain attacks.


Low-Code/No-Code application platforms (LCAP) are rapidly emerging as the preferred technology for creating enterprise applications. However, we argue that attackers currently hold an unfair advantage. Time-tested application layer tricks are experiencing a revival when used against applications built on these platforms.

First, our attention turns to Robotic Process Automation (RPA), which is becoming increasingly popular across organizations of all sizes. It is a perilous misconception that RPAs created using LCNC technologies are immune to “classic” application layer attacks. Moreover, most organizations consider these to be “internal facing” applications. Our research unveils a different reality where LCNC applications are, in fact, vulnerable to SQL injections, authorization mishaps, and OS command injections. Additionally, we show how these vulnerabilities can in practice be exploited by external attackers.


Next, we delve into some intriguing supply chain attacks. As the adoption of LCAPs gains momentum, a common thread emerges - the integration of code reuse and sharing mechanisms via marketplaces. Whether it’s Forge for OutSystems, AppSource for Microsoft Power Platform, or the UiPath Marketplace, these platforms embrace the concept of empowering app developers by leveraging content created and openly shared by their peers. It’s a double-edged sword - a shortcut to innovation but also a potential gateway for attackers.


Our session aims to discuss and demonstrate the critical topic of security risks associated with LCNC app development and robotic process automation (RPA). As security professionals still struggle with applying adequate security practices into the LCNC app development life cycle, we confront a harsh reality: the current security stack falls short in shielding businesses from these looming threats. The absence of effective tools to detect and mitigate SQL injections or govern the use of third-party components within various LCAPs intensifies the risk, leaving these environments particularly vulnerable. 


Speakers
Uriya Elkayam

Security Researcher, Nokod Security
Uriya Elkayam is a security researcher at Nokod Security. His research focuses on application security aspects of low-code/no-code platforms such as MS Power Platform, UiPath, and OutSystems. He has a passion for both finding vulnerabilities and new mitigation techniques. In his previous...


Thursday June 27, 2024 11:30am - 12:15pm WEST

11:30am WEST

Modern Appsec vs. GenAI Application: Is Your Appsec Ready?
We are seeing the exponential rise in GenAI application development and the use of GenAI code assistance in traditional app development. Are the current mature Appsec programs ready to handle the security challenges of GenAI adoption?

In this session we will evaluate how the top 3 GenAI application and CodeGen security threats fare against a mature Appsec program.

The goal of the session will be to answer the questions below to measure Appsec readiness against these threats.

1> Do the current Appsec practices adequately mitigate new GenAI Application threats ?

2> Do we need to enhance current Appsec controls or add new ones to mitigate GenAI application threats ?

3> How to address the new security challenges of traditional apps built with GenAI assistance ?


Speakers
Balachandra Shanabhag

Staff Security Engineer, Cohesity
Bala is working as a Staff Security Engineer for Cohesity. Bala has over 15 years of experience in various domains of cybersecurity. Bala joined Cohesity as Founding Product Security Engineer and helped bootstrap Appsec and other security initiatives. Before Cohesity Bala worked...


Thursday June 27, 2024 11:30am - 12:15pm WEST

11:30am WEST

Security Champions and Experiments – Building Blocks for Cultural Change
Ever wondered how to successfully mature application security culture in a complex organization? In this talk, I will try to answer this question by presenting the building blocks used to create the foundation for the cultural change in an IT company with 500+ developers that provides IT systems for banks. The building blocks are: 1) a management-backed security champions program and 2) an experimental approach to incrementally implementing new application security initiatives.


As a large organization with ~100 teams covering everything from mainframe to mobile apps in a highly regulated sector, we face a lot of challenges in creating the desired change in security culture. These challenges include legacy systems, a complex technology stack, team autonomy, company culture, and regulation. Furthermore, we recognize that security is not top-of-mind for developers, and while each successful new security initiative is a step forward, every failure is five steps backwards, as failed initiatives create resistance against the desired security conscious culture. Hence, it is essential to minimize failed initiatives.


To mitigate these challenges, we built a security champions program which includes a core team with essential stakeholders, and approx. 30 security champions, each representing several teams. In addition to anchoring security knowledge in the development organization, this has created a feedback loop where previously uncollected security-relevant information is fed back to the security organization.


In addition to our security champions program, we have applied a methodology of experimentation based on empirical methods, which enables us to conduct structured experiments and evaluate the real-world impact of new security initiatives before rolling them out to the entire organization, hence maximizing the chance of success.

Join this talk to learn what happens when guidelines meet reality in the complexity of a real-world setup. Learning from our experience, this will give you principles and methods you can apply to implement application security initiatives using structured experiments and to structure a successful security champions program.


Speakers
Mads Andersen

Lead IT Security Consultant, Bankdata
Mads has worked in security and privacy for 15+ years with experience from research and different companies. He has an education as a software engineer and holds a PhD in computer science. Currently, he is working as a lead application security consultant and running a security champions...


Thursday June 27, 2024 11:30am - 12:15pm WEST

11:30am WEST

From Zero to Hero: Rollout your hardcoded secrets detection and prevention with minimal effort and maximum impact!
The importance of safeguarding system credentials cannot be overstated in the realm of security. Unauthorized access to these credentials undermines the foundational principle of authentication and can lead to severe data breaches. It's essential to ensure that secrets are not embedded in source code, as security is only as strong as its weakest link.

This presentation covers the implementation of a robust secret detection system that leverages TruffleHog, an open-source tool, to perform scheduled and integrated preventive scans across GitHub and Azure DevOps repositories. The system is designed to scan on a scheduled basis and in response to specific triggers such as pull requests or pushes to specific branches, ensuring real-time detection and prevention of secret leaks.

The infrastructure, built using Terraform and cloud-based services, is capable of handling large-scale operations, scanning terabytes of data, and accommodating the unique challenges inherent in rolling out such a comprehensive initiative within an organizational framework.

At the end of this talk, attendees will have learnt how to construct an efficient and automated secrets detection and prevention program at scale, and secrets management strategies to help with remediation. The discussion will cover practical considerations for implementation, including the deployment of Infrastructure as Code (IaC), secret management strategies, and the integration of monitoring services. All of the knowledge shared in this talk will be applicable immediately after.


Speakers
Yassine Ilmi

Product Security Architect, Thomson Reuters
Yassine Ilmi is a seasoned Product Security Architect at Thomson Reuters, where he spearheads all aspects of product security. With a comprehensive background in information security, risk management, and secure software development, Yassine has made significant contributions to establishing...

Arbër Salihi

Senior Product Security Engineer, Thomson Reuters
Arbër Salihi is a Senior Product Security Engineer at Thomson Reuters, where he works in the Product Security team focusing on container security, software supply chain security, and application security. As part of his role, Arbër and his team members collaborate closely with all...


Thursday June 27, 2024 11:30am - 12:15pm WEST

12:15pm WEST

Lunch
Thursday June 27, 2024 12:15pm - 1:15pm WEST

1:15pm WEST

Breakout: Projects
Thursday June 27, 2024 1:15pm - 1:50pm WEST

1:15pm WEST

Gridlock: The Dual-Edged Sword of EV and Solar APIs in Grid Security
In this talk, we delve deep into the increasingly interconnected world of electric vehicles (EVs), photovoltaic (PV) solar systems, and the broader power grid infrastructure, a nexus that is becoming fertile ground for potential large-scale cyber disruptions. As we navigate this complex interplay of technology and infrastructure, we will uncover the critical vulnerabilities lurking within the API connections that bind these systems together. Our exploration will not only highlight these weaknesses but will also demonstrate, through real-world scenarios and potential attack vectors, how they can be exploited to launch sophisticated cyber-attacks, emphasizing the urgent need for robust security frameworks and proactive cybersecurity measures to safeguard our collective future.


The advent of PV inverters and EV charging systems has been marred by the industry's "rush to market" mentality, leading to overlooked security considerations. These critical weaknesses potentially allow remote attackers unprecedented control, with the ability to fully commandeer or even incapacitate these devices. Our investigation will reveal how targeting the cloud platforms used by installers could unlock elevated access not just to PV inverters but also to EV chargers. This access includes functionality usually restricted from the systems' proprietors, thereby opening a Pandora's box of vulnerabilities.


Our presentation will demonstrate the alarming potential of such cyber-attacks to concurrently disrupt hundreds of thousands of PV inverters and EV chargers. This scenario could precipitate significant instability across national power grids, underscoring the systemic risks posed by the intertwined infrastructure of renewable energy and EV charging networks. At the core of these vulnerabilities are logic flaws embedded within the web portals designed for managing these systems. These flaws range from Insecure Direct Object References (IDORs) to more complex vulnerabilities that allow users to escalate their privileges to that of a platform administrator, all of which are susceptible to remote exploitation.


Moreover, we will dissect these vulnerabilities in detail, examining their origins in the development lifecycle and discussing methodologies for their identification and mitigation. This examination aims to propel a shift towards integrating security considerations early in the design and deployment of such critical systems.

In addition to technical vulnerabilities, our talk will also address the broader implications of these security weaknesses on public trust and safety. As renewable energy sources and EVs become pillars of our attempt to combat climate change, ensuring the security of these technologies is paramount. This presentation aims to catalyze a concerted effort among stakeholders—including developers, regulators, and users—to adopt a more vigilant and proactive stance towards cybersecurity.


This comprehensive analysis, enriched with case studies and practical recommendations, intends to elevate the dialogue on cybersecurity in the realm of renewable energy and EV infrastructure. By the conclusion of this talk, attendees will not only grasp the gravity and complexity of the challenges ahead but will also be equipped with the knowledge to contribute to a more secure, resilient, and sustainable energy future.


Speakers
Vangelis Stykas

Chief Technology Officer, Atropos
Vangelis began as a developer from Greece. Six years ago he realized that only his dog didn't have an API, so he decided to steer his focus towards security. That led him to pursue a PhD in Web Application Security with an extra focus on machine learning. He's still actively pursuing...


Thursday June 27, 2024 1:15pm - 2:00pm WEST

1:15pm WEST

Start covering your bases & Stop chasing APT headlines
We're showcasing a "run-of-the-mill" simulation of a network breach, illustrating that despite cognitive biases towards recent technical trends, most breaches occur through well-known methods. Utilizing public DFIR reports, MITRE's ATT&CK framework, and common hacking tradecraft, we highlight the importance of defense-in-depth strategies and network controls in thwarting attacks.

Speakers
Matan Mittelman

Team Leader for Threat Prevention Team, Cato
Matan Mittelman is the team leader for Cato's Threat Prevention team. He's responsible for analyzing, researching and developing protections against emerging threats and CVEs. Matan brings more than seven years of experience leading cyber security teams.


Thursday June 27, 2024 1:15pm - 2:00pm WEST

1:15pm WEST

Cryptographic Governance: Software Supply Chain Security with CBOM
The development of quantum computing and its potential threat to cryptography requires an increased focus on the identification and management of risks associated with cryptography within organizations. The integration of the Cryptography Bill of Materials (CBOM) into the CycloneDX Software Bill of Materials (SBOM) specification, version 1.6, provides a standardized format for the exchange of cryptographic information about applications to address this issue. Integrating CBOM into the existing software supply chain security framework is essential to gain insight into the cryptographic components used in applications. This presentation will introduce the use of CBOM for representing cryptography within software supply chain initiatives and discuss how it can facilitate cryptographic governance and promote cryptographic agility.
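An added example, not the speaker's code or the CycloneDX project's, of what a CBOM for a small service looks like and the kind of governance query it enables (which algorithms carry no quantum security level and so are migration candidates). The component layout follows the CycloneDX 1.6 cryptographic-asset component type and its cryptoProperties object as I read the 1.6 schema; the inventory, the bom-ref naming and the security-level values are constructed for the example and should be checked against the published schema before real exchange.

```python
import json
import uuid

# The component shape below follows the CycloneDX 1.6 "cryptographic-asset" component type
# and its "cryptoProperties" object as I read the 1.6 schema; verify field names against the
# published schema before relying on this for real exchange. Security levels are my own values.


def crypto_algorithm(name, primitive, parameter_set, functions, quantum_level):
    """One algorithm entry. nistQuantumSecurityLevel 0 means no quantum resistance is claimed."""
    return {
        "type": "cryptographic-asset",
        "name": name,
        "bom-ref": f"crypto/algorithm/{name}@{parameter_set}",
        "cryptoProperties": {
            "assetType": "algorithm",
            "algorithmProperties": {
                "primitive": primitive,
                "parameterSetIdentifier": parameter_set,
                "cryptoFunctions": functions,
                "nistQuantumSecurityLevel": quantum_level,
            },
        },
    }


# Constructed inventory for a hypothetical service: what a crypto-discovery scan would produce.
ALGORITHMS = [
    crypto_algorithm("RSA", "signature", "2048", ["sign", "verify"], 0),
    crypto_algorithm("ECDSA", "signature", "P-256", ["sign", "verify"], 0),
    crypto_algorithm("AES-GCM", "ae", "256", ["encrypt", "decrypt"], 5),
    crypto_algorithm("ML-KEM", "kem", "768", ["encapsulate", "decapsulate"], 3),
]


def build_cbom(app_name, app_version, algorithms):
    app_ref = f"app/{app_name}@{app_version}"
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": app_name,
                          "version": app_version, "bom-ref": app_ref}
        },
        "components": algorithms,
        # Dependency graph: the application uses every listed algorithm directly.
        "dependencies": [{"ref": app_ref, "dependsOn": [a["bom-ref"] for a in algorithms]}],
    }


def quantum_vulnerable(bom):
    """Governance query: algorithms with no quantum security level. These are the entries a
    crypto-agility plan has to track and eventually replace."""
    return sorted(
        c["bom-ref"]
        for c in bom["components"]
        if c["type"] == "cryptographic-asset"
        and c["cryptoProperties"]["assetType"] == "algorithm"
        and c["cryptoProperties"]["algorithmProperties"]["nistQuantumSecurityLevel"] == 0
    )


def to_json(bom):
    return json.dumps(bom, indent=2)


EXAMPLE_BOM = build_cbom("payments-api", "3.4.1", ALGORITHMS)

if __name__ == "__main__":
    print(to_json(EXAMPLE_BOM))
    print("quantum-vulnerable:", quantum_vulnerable(EXAMPLE_BOM))
```

The value of the format is the query, not the document: once every application ships a CBOM in the same shape, the same function can be run across a whole portfolio to answer "where do we still sign with RSA or ECDSA" without reading source.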

Speakers
Nicklas Körtge

Software Engineer, IBM Research
Nicklas Körtge is a software engineer at IBM Research Lab in Zurich, specializing in security. He holds a Master's degree in Computer Science and is actively involved in research on topics like Crypto-Discovery and CBOM within the Post-Quantum Cryptography research group. Additionally...


Thursday June 27, 2024 1:15pm - 2:00pm WEST

1:15pm WEST

OWASP Privacy Toolkit: Bringing Privacy Awareness in the Digital Age
In an era marked by pervasive digitalization and the omnipresence of web-based applications, concerns surrounding data privacy have reached unprecedented levels. As individuals increasingly navigate the digital landscape, they face a barrage of potential privacy infringements, such as:

  • Third-party data collection
  • Exposure of personal and sensitive data in case of a breach
  • Security issues with an impact on privacy
Addressing these concerns requires innovative solutions to help users safeguard their privacy proactively. Browsers have already made quite a leap forward in minimizing privacy leakage, with origin-only referrers, third-party cookie blocking etc.; nonetheless, there are still several bad practices that could affect user privacy during web navigation.

This talk introduces the OWASP Privacy Toolkit, a new community-driven cybersecurity project which aims to improve the protection of the user’s digital privacy by using new and well-known techniques. This project embodies the spirit of innovation at the heart of OWASP's mission.

Designed as a browser extension, this toolkit serves as a continuous monitor, passively scanning webpages for potential privacy vulnerabilities and providing users and developers real-time insights to identify risks and raise awareness of sensitive and personal data handling.

The toolkit’s goal is to detect both privacy threats and security issues with an impact on privacy at the browser layer.

The project focuses on the importance of end-user and developer education in the realm of digital privacy protection.

At its core, the OWASP Privacy Toolkit leverages a set of detection techniques specifically crafted to identify a broad spectrum of privacy issues, such as:

  • Referrer Leakage
  • Data Oversharing
  • Globally Accessible Data
  • Script Positioning Best Practices
  • Prototype Protection Best Practices

which are implemented through a combination of:

  • Heuristic analysis
  • Pattern recognition
  • Traffic analysis algorithms
  • Development best practices analysis
This presentation will offer a deep dive into the OWASP Privacy Toolkit, exploring the techniques behind its detection capabilities. By exploring the toolkit's underlying principles and technical approach in detail, participants will gain a clear understanding of how it functions within a user's browser environment and the privacy issues it addresses.

The final part of the presentation will feature a live demo showcasing the OWASP Privacy Toolkit in action. Attendees will have the opportunity to see the user interface and the results of the toolkit’s detection capabilities.

The project was started under the H2020 TESTABLE Project, funded by the EU.

More information here: https://owasp.org/www-project-privacy-toolkit/


Speakers
Stefano Di Paola

CTO and Co-Founder, IMQ Minded Security
Stefano Di Paola is the CTO and cofounder of IMQ Minded Security, where he is CTO and head of research. In the past years Stefano presented several cutting edge research topics, such as JS deobfuscation by partial evaluation, innovative DOM based XSS runtime taint analysis methodology...

Martino Lessio

Principal Security Consultant, IMQ Minded Security
Martino Lessio is a Principal Security Consultant @IMQ Minded Security, with a strong expertise in penetration testing and code reviews in Mobile and Web scenarios. As a former developer, he has a specialized focus on the fixing support and a strategic insight in the customer needs...


Thursday June 27, 2024 1:15pm - 2:00pm WEST

1:55pm WEST

Breakout: Projects
Thursday June 27, 2024 1:55pm - 2:30pm WEST

2:00pm WEST

CfP/CfTs for the Newcomer: How To Write A Good Submission
Are you interested in submitting for the OWASP Call for Trainers or Call for Papers? Join Izar Tarandach and Martin Knobloch, leading members of the OWASP Review Team, as they guide you through the process and highlight what the review team looks for when selecting papers!


Thursday June 27, 2024 2:00pm - 4:00pm WEST

2:15pm WEST

Breakout: Breaker Track
Thursday June 27, 2024 2:15pm - 3:00pm WEST

2:15pm WEST

Transitive vulnerabilities exploit in real-life
Transitive vulnerabilities are the most hated type of security issue by developers, and for a good reason: transitive dependencies are the most common source of vulnerabilities in software projects. However, only a tiny number of them are exploitable. This talk will present our research findings on quantifying the risk of known vulnerabilities in modern software applications.

We will quantify the prevalence of exploitable transitive dependencies in real-world applications. While each vulnerability may have a slight chance of exploitation, the sheer number of transitive dependencies amplifies the risk significantly. This data underscores the importance of our discussion and the need for effective strategies to mitigate these risks in your software projects.

We will present a PoC exploit for a real-world transitive dependency vulnerability and demonstrate how an attacker can compromise the application by exploiting a vulnerable transitive dependency.

We will discuss practical strategies for mitigating the risks associated with transitive dependencies and how to prioritize addressing them in your threat model.
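An added example, not the speakers' tooling, of the prioritization the abstract describes: for each advisory, how deep in the dependency tree the package sits, how many dependency chains pull it in, and whether the function the advisory names is actually reachable from the application's entry point. The dependency graph, the advisories and the call graph are constructed for the example; in practice they would come from the lockfile, an advisory database and a static call-graph tool.

```python
from collections import deque

# Constructed dependency graph (package -> direct dependencies), as a lockfile would record it.
GRAPH = {
    "app": ["web-framework", "http-client", "logger"],
    "web-framework": ["template-engine", "http-client"],
    "http-client": ["url-parser"],
    "template-engine": ["sanitizer"],
    "sanitizer": ["url-parser"],
    "logger": [],
    "url-parser": [],
}

# Constructed advisories: vulnerable package -> the function the advisory says is affected.
ADVISORIES = {
    "url-parser": "url-parser.parse_auth",
    "sanitizer": "sanitizer.clean",
    "logger": "logger.format",
}

# Constructed call graph (function -> functions it calls), rooted at the app's entry point.
CALLS = {
    "app.main": ["web-framework.handle", "logger.log"],
    "web-framework.handle": ["http-client.get"],
    "http-client.get": ["url-parser.parse"],
    "logger.log": ["logger.format"],
}


def depth_from_root(graph, root):
    """BFS: shortest dependency distance from the root to every package (1 = direct)."""
    depth, queue = {root: 0}, deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in graph.get(pkg, []):
            if dep not in depth:
                depth[dep] = depth[pkg] + 1
                queue.append(dep)
    return depth


def count_paths(graph, src, dst):
    """Number of distinct dependency chains that pull dst in (acyclic graph assumed)."""
    if src == dst:
        return 1
    return sum(count_paths(graph, dep, dst) for dep in graph.get(src, []))


def reachable_functions(calls, entry):
    seen, stack = set(), [entry]
    while stack:
        fn = stack.pop()
        if fn not in seen:
            seen.add(fn)
            stack.extend(calls.get(fn, []))
    return seen


def prioritize(graph=GRAPH, advisories=ADVISORIES, calls=CALLS, root="app", entry="app.main"):
    """Rank vulnerable packages: reachable vulnerable code first, then the shallower ones."""
    depth = depth_from_root(graph, root)
    reached = reachable_functions(calls, entry)
    rows = []
    for pkg, vuln_fn in advisories.items():
        if pkg not in depth:
            continue  # advisory for a package this application does not ship
        rows.append({
            "package": pkg,
            "direct": depth[pkg] == 1,
            "depth": depth[pkg],
            "paths": count_paths(graph, root, pkg),
            "exploitable": vuln_fn in reached,
        })
    return sorted(rows, key=lambda r: (not r["exploitable"], r["depth"]))


if __name__ == "__main__":
    for row in prioritize():
        print(row)
```

In the constructed data only the direct dependency's vulnerable function is ever called; the two transitive advisories are real findings in the lockfile but unreachable, which is the distinction between "vulnerable dependency present" and "exploitable" that the talk draws.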


Speakers
Eyal Paz

VP of Research, OX Security
Eyal Paz is the VP of Research at OX Security, a software supply chain security startup. His work includes hands-on security research toward a holistic DevSecOps solution. Before joining OX Security, Eyal spent eleven years at Check Point working on security research for product innovation...


Thursday June 27, 2024 2:15pm - 3:00pm WEST

2:15pm WEST

Maturing SDLC at a Fortune 500 company based on OWASP SAMM: Successes and Pitfalls
Application security is a paramount concern for organizations that develop software. However, systematically managing AppSec across diverse development teams in a measurable way remains a challenge. This talk outlines Zebra Technologies’ journey in adopting the OWASP Software Assurance Maturity Model (SAMM) as our guiding framework for measuring and improving application security practices. Zebra is a Fortune 500 company with 35 different product and IT teams developing and maintaining secure software applications and systems. Despite initial scepticism and the inherent challenges of integrating SAMM, particularly with embedded and delivered software teams, the implementation led to significant improvements. The introduction of SAMM facilitated a risk-driven, measurable approach to security. It provided a clear framework for comparison across business units and promoted a shared platform for discussing security concerns. Moreover, the gamification of SAMM scores spurred healthy competition among units, though it raised questions about the focus on risk-based improvements versus score chasing. Ultimately, the correlation between SAMM scores and other quality metrics affirmed the value of a SAMM-driven approach. We have seen a moderate (-0.5) inverse correlation between SAMM scores and risk scores produced by an Application Security Posture Management (ASPM) tool we use internally across all teams. To the best of our knowledge this is the first indication that SAMM scores could reduce risk. Overall, SAMM demonstrated tangible enhancements in application security and broader software development lifecycle processes at Zebra Technologies.

Speakers
Dr. Jasyn Voshell, EJD CISSP, CGEIT, CISA, CISM, CRISC, CHTP, CWTS

Director Product Security, Zebra Technologies
Dr. Jasyn Voshell, with a career spanning over two decades in the security industry, currently serves as the Director of Products and Solutions Security with Zebra Technologies. In this role, he spearheads the global Product & Solutions Security Program, managing its strategy, planning...


Thursday June 27, 2024 2:15pm - 3:00pm WEST

2:15pm WEST

API Security by Design
APIs are now the main attack vector against websites and organizations are growing concerned about how APIs affect their security posture. Sadly, APIs can easily expose vulnerabilities in unexpected ways. For example, unconstrained query parameters can be leveraged for SQL injection and reusing schemas for input and output models opens the door for mass assignment.


The good news is, there’s a lot we can do to improve our API security posture by shifting left on security and tackling vulnerabilities at design time. And that’s the goal of this talk! We’ll begin with a few examples that show how common design and implementation patterns expose major vulnerabilities, and then we’ll proceed to analyse a battery of API design anti-patterns that make our applications vulnerable. I’ll show you how those vulnerabilities relate to the OWASP top 10 API Threats and how we can resolve them by applying security-by-design principles.

We’ll conclude with an overview of the tools we can use to automate the process of discovering and addressing vulnerabilities in our APIs. I’ll show examples of using linters to identify vulnerabilities at design time and fuzz testers to identify vulnerabilities at runtime.


By the end of this talk, you’ll be aware of the most important threats to our APIs and you’ll know how to discover and address them effectively. You’ll also get familiar with the concepts of API Security by Design, Shift-Left API Security, and Zero Trust APIs.
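An added example, not the speaker's code or fencer, of the two design anti-patterns the abstract names (one schema reused for input and output, which lets a client write every field it can read, and an unconstrained query parameter spliced into SQL) beside their hardened forms. The users table, the endpoint handlers and the parameter constraint are constructed for the example; the constraint plays the role an OpenAPI `pattern` and `maxLength` would play at design time.

```python
import re
import sqlite3


def make_db():
    """Constructed users table standing in for the API's backing store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
               "is_admin INTEGER NOT NULL DEFAULT 0)")
    db.executemany("INSERT INTO users (email, is_admin) VALUES (?, ?)",
                   [("alice@example.com", 0), ("root@example.com", 1)])
    return db


def is_admin(db, user_id):
    return db.execute("SELECT is_admin FROM users WHERE id = ?", (user_id,)).fetchone()[0] == 1


# Anti-pattern 1: the request body is validated against the same schema the API returns, so
# every column a client can read it can also write. PATCH /users/{id} with {"is_admin": 1}
# succeeds. (The body's keys are spliced into SQL as well, a second injection point.)
def update_profile_vulnerable(db, user_id, body):
    assignments = ", ".join(f"{column} = ?" for column in body)
    db.execute(f"UPDATE users SET {assignments} WHERE id = ?", (*body.values(), user_id))


# Hardened: a separate input model that lists the writable fields; is_admin is read-only.
WRITABLE_FIELDS = {"email"}


def update_profile(db, user_id, body):
    rejected = set(body) - WRITABLE_FIELDS
    if rejected:
        raise ValueError(f"fields not writable through this endpoint: {sorted(rejected)}")
    if "email" in body:
        db.execute("UPDATE users SET email = ? WHERE id = ?", (body["email"], user_id))


# Anti-pattern 2: a free-form query parameter spliced into SQL.
def search_users_vulnerable(db, q):
    return [row[0] for row in db.execute(f"SELECT email FROM users WHERE email LIKE '%{q}%'")]


# Hardened: constrain the parameter at the API boundary and bind it instead of splicing it.
SEARCH_TERM = re.compile(r"[A-Za-z0-9@._-]{1,64}")


def search_users(db, q):
    if not SEARCH_TERM.fullmatch(q):
        raise ValueError("search term violates the declared parameter constraints")
    return [row[0] for row in db.execute("SELECT email FROM users WHERE email LIKE ?", (f"%{q}%",))]


def rejects(handler, *args):
    """True if a hardened handler refuses the request with ValueError."""
    try:
        handler(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    update_profile_vulnerable(db, 1, {"email": "alice@example.com", "is_admin": 1})
    print("alice is admin after vulnerable PATCH:", is_admin(db, 1))
    print("hardened PATCH rejects is_admin:",
          rejects(update_profile, make_db(), 1, {"is_admin": 1}))
    print("vulnerable search leaks:", search_users_vulnerable(make_db(), "' OR 1=1 --"))
    print("hardened search rejects payload:", rejects(search_users, make_db(), "' OR 1=1 --"))
```

Binding the parameter alone would already stop the injection; the constraint is still worth declaring because it is checked at design time by a linter, documented in the contract, and keeps the runtime fuzzer's inputs inside the space the handler was written for.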


Speakers
Jose Haro Peralta

API Strategy and Security Advisor, microapis.io
Jose is an API strategy and security advisor. He's the author of Microservice APIs and the creator of fencer, an open-source API security testing tool. He's a regular speaker at international conferences and has taught hundreds of students to build and deliver reliable and secure APIs...


Thursday June 27, 2024 2:15pm - 3:00pm WEST

3:00pm WEST

PM Break
Thursday June 27, 2024 3:00pm - 3:30pm WEST

3:15pm WEST

Leaders Meeting
This is a meeting for all OWASP Leaders

Thursday June 27, 2024 3:15pm - 4:15pm WEST

3:30pm WEST

In the Same Site We Trust: Navigating the Landscape of Client-side Request Hijacking on the Web
Request forgery attacks are among the oldest threats to Web applications, traditionally caused by server-side confused deputy vulnerabilities. However, recent advancements in client-side technologies have introduced more subtle variants of request forgery, where attackers exploit input validation flaws in client-side programs to hijack outgoing requests. We have little-to-no information about these client-side variants, their prevalence, impact, and countermeasures, and in this paper we undertake one of the first evaluations of the state of client-side request hijacking on the Web platform. 


Starting with a comprehensive review of browser API capabilities and Web specifications, we systematize request hijacking vulnerabilities and the resulting attacks, identifying 10 distinct vulnerability variants, including seven new ones. Then, we use our systematization to design and implement Sheriff, a static-dynamic tool that detects vulnerable data flows from attacker-controllable inputs to request-sending instructions. We instantiate Sheriff on the Tranco top 10K sites, performing, to our knowledge, the first investigation into the prevalence of request hijacking flaws in the wild.


Our study uncovers that request hijacking vulnerabilities are ubiquitous, affecting 9.6% of the top 10K sites. We demonstrate the impact of these vulnerabilities by constructing 67 proof-of-concept exploits across 49 sites, making it possible to mount arbitrary code execution, information leakage, open redirections and CSRF also against popular websites like Microsoft Azure, Starz, and TP-Link. Finally, we review and evaluate the adoption and efficacy of existing countermeasures against client-side request hijacking attacks, including browser-based solutions like CSP, COOP and COEP, and input validation. 


Speakers
Soheil Khodayari

Doctoral Researcher, CISPA Helmholtz Center for Information Security
Soheil Khodayari is a doctoral researcher and part of the AppSec team at CISPA, center for information security in Germany. His area of interests include Web application security and Internet measurements, utilizing a blend of static and dynamic code analysis, machine learning, and...


Thursday June 27, 2024 3:30pm - 4:15pm WEST

3:30pm WEST

The rise and fall of ModSecurity and the OWASP Core Rule Set
Web application firewalls (WAFs) protect web applications and APIs from a wide range of attacks, and their adoption is widespread even if their effectiveness is the center of many debates in the community. In particular, the popularity of WAFs has been driven mainly by ModSecurity, a signature-based detection engine that leverages the Core Rule Set, a list of rules developed by experts in the domain. These are released as open-source projects, fostering their deployment and easing their inclusion in many commercial WAFs.

However, recent research highlighted how attackers can automate the adaptation of attacks to a specific WAF, thus creating subtle payloads that systematically avoid detection. This problem is exacerbated by the fact that the tuning of the Core Rule Set in production environments is the outcome of a manual trial-and-error process, where rules that may interfere with applications and services are progressively disabled. Attackers can exploit this heuristic nature to their advantage.

In this talk we will address the robustness of WAFs against attackers, showing that the detection strategy implemented by ModSecurity is largely ineffective for detecting SQL injection (SQLi) attacks, as it is not tuned on the legitimate traffic it needs to protect, thus increasing false alarms, while also being vulnerable to adversarial SQLi attacks, i.e., attacks intentionally manipulated to evade detection.

To better understand how attackers can exploit the weaknesses of WAFs, we will provide an overview of how ModSecurity and the Core Rule Set are used together and how they stop malicious payloads, providing insights on their internals. We will conclude by proposing possible strategies to optimize the trade-off between false alarms and detection rate, while also increasing robustness against adversarial attacks through adversarially-aware machine learning models.


Speakers
Davide Ariu

CEO and co-founder, Pluribus One
Davide ARIU is the CEO and co-founder of Pluribus One, a European company focused on the security of Web Applications and Services. The company develops and distributes Seer Box (http://seerbox.it), a Web Application Security Manager. Davide supports the Pluribus One customers in...


Thursday June 27, 2024 3:30pm - 4:15pm WEST

3:30pm WEST

What Makes Them Happy? Leveraging Psychological Needs For Building A Security Culture Amongst Developers
"How can I motivate our development teams to take ownership of the security of their applications and to engage with security topics proactively?" With this question in mind I started building different communication channels and event formats to foster developer-centric security awareness and start a flame in developers' hearts for secure development topics. During that (still ongoing) process I came across psychological needs as an important factor for both intrinsic and extrinsic motivation. Motivation is one of the core drivers for behavioral change, and this is exactly what we are aiming for when establishing a good security culture in an organization.

In my talk I will share my insights on how to motivate people to contribute to the security culture and why I think that a positive experience of cyber security is a big lever for central security teams to foster engagement across the organization.


Speakers
Juliane Reimann

Cyber Security Consultant, Juliane Reimann
Juliane Reimann has worked as a cyber security consultant for large companies since 2019, with a focus on DevSecOps and Community Building. Her expertise includes building security communities of software developers and establishing developer-centric communication about secure software development...


Thursday June 27, 2024 3:30pm - 4:15pm WEST

3:30pm WEST

Automating security test cases based on ASVS
Application security requires a systematic approach and dealing with software security throughout every stage of the software development lifecycle. However organizations typically struggle in creating an effective improvement roadmap and they end up in the rabbit hole of fixing security tool generated vulnerabilities. We believe that leveraging ASVS as a security requirements framework as well as a guide to unit and integration testing is by far the best pick in terms of ROI. By turning security requirements into “just requirements” organizations can enable a common language shared by all stakeholders involved in the SDLC.


In this study, we have analyzed the complete ASVS to determine how much of it could be automated using various testing strategies. Our analysis indicates that 162 ASVS requirements (58%) can be automatically verified using unit, integration and acceptance tests. The verifiability can be further augmented by another 10% with SAST, DAST and SCA tooling.


We have also designed an empirical study where we have added 98 ASVS requirements to the sprint planning of a relatively large web application. We have followed a security test-driven development approach where a test engineer was asked to write unit and integration tests for as many requirements as possible in 8 man-days. We have succeeded in implementing 90 ASVS requirements, which are now running as part of the regression test suites on every commit.

Our study demonstrates that leveraging ASVS for deriving security test cases can create a common theme across all stages of the software development lifecycle, making security everyone’s responsibility.


Speakers
Aram Hovsepyan

CEO, Codific
I am the founder and CEO of Codific - a Flemish cybersecurity product firm. With over 15 years of experience, I have a proven track record in building complex software systems by explicitly focusing on software security. Codific’s flagship product, Videolab, is a secure multimedia...


Thursday June 27, 2024 3:30pm - 4:15pm WEST

4:30pm WEST

Keynote 2
Speakers
Isabel Praça

AI Expert, European Union Agency for Cybersecurity (ENISA)
Coordinator Professor at the Institute of Engineering – Polytechnic of Porto (ISEP), Advisor of ISEP Presidency for R&D, ENISA expert on Security of AI and on the Skills framework, Director of the Master on Informatics of ISEP, and Senior Researcher at GECAD (leading the research...


Thursday June 27, 2024 4:30pm - 5:30pm WEST

5:30pm WEST

OWASP Brain Battle Spectacula
 Do you know more about AppSec than your co-worker, boss, friend, or person sitting next to you?  Join Jerry Hoff and Fred Donovan as they test your knowledge in AppSec Trivia during this high energy, fun event.  Did we mention there are prizes????

Thursday June 27, 2024 5:30pm - 6:30pm WEST

6:30pm WEST

Networking Reception with Exhibitors
Thursday June 27, 2024 6:30pm - 8:30pm WEST
 
Friday, June 28
 

8:00am WEST

Breakfast
Friday June 28, 2024 8:00am - 9:00am WEST

9:00am WEST

Keynote - AI is just software, what could possibly go wrong?
In his keynote, Rob will guide us through a compelling series of AI incidents, ranging from remarkable triumphs to calamitous failures, drawn from the news, his direct experiences with clients, and his use of AI to catch criminals in the 1990s. Some cases are humorous, others sobering, and some are both. They illustrate the vast potential of AI as well as its often-unforeseen security risks, as described in the AI Exchange, the LLM Top 10, and OpenCRE.

One case will be a deep dive into how pizza boxes became instrumental in crime investigation—one of the practical exercises from Rob's training on the 26th.

This will help you as a security professional, to gain insight into the multifaceted world of AI, where its capabilities are as exciting as the challenges they pose.

Speakers
Rob van der Veer

Senior Director, SIG
Rob van der Veer is an AI pioneer with 32 years of experience in the AI field, specializing in engineering, security and privacy. He is the lead author of the ISO/IEC 5338 standard on AI lifecycle, co-founder of the digital bridge for security standards OpenCRE.org, and creator of the OWASP AI Exchange – open sourcing the global discussion on AI security. He is advisor to ENISA and deeply involved in international standardization through different roles in ISO/IEC and CEN/CENELEC, including JTC21/WG5 - working on the security standardization r...


Friday June 28, 2024 9:00am - 10:00am WEST

9:00am WEST

OWASP Member's Lounge
For OWASP members only

Friday June 28, 2024 9:00am - 6:00pm WEST

10:00am WEST

AM Break
Friday June 28, 2024 10:00am - 10:30am WEST

10:00am WEST

Bob the Breaker CTF (Low-code/no-code hacking!)
Hosted by Nokod Security

Bob the Breaker CTF - Live at OWASP Global Lisbon and Global Access for Everyone! 
Created especially for OWASP Lisbon 2024, this is your chance to hack the first CTF for low-code/no-code applications. Get hands-on experience, encounter real-world scenarios, and have fun!

Bob the Breaker has been given access to some innocuous low-code/no-code enterprise apps.
Will he be able to take a sneak, unauthorized peek at PII, customer, and employee data?
Will he cheat his way into the President’s Club?
Come help Bob hack his way through the corporate Low-code/No-Code universe!
Claim eternal fame and bragging rights!

The CTF will be open on Friday, June 28 from 10:00 am – 2:00 pm (GMT+1) during OWASP Lisbon.
To give all OWASP members and the global security community a chance to participate, we will open another instance of the CTF on Friday, June 28,
starting at 6 PM (GMT+1) | 12 PM EST | 9 AM PT and keep it open for 24 hours.

Learn more at https://nokod.ctfd.io/ or https://nokodsecurity.com/lp-bob-the-breaker/.

Friday June 28, 2024 10:00am - 2:00pm WEST

10:30am WEST

Project Track
Friday June 28, 2024 10:30am - 11:05am WEST

10:30am WEST

Malice in Chains: Supply Chain Attacks Using Machine Learning Models
This past year marked a rapid acceleration in the adoption of artificial intelligence. As AI-based solutions have started to dominate the market, a new cyber attack vector opened up taking CISOs by surprise: the exploitation of the underlying machine-learning models. These models are often treated as black boxes that process the input data and compute the output, communicating with users through an API/UI while their internals are hidden away. However, it is crucial to understand that these models are essentially code - and as such, can be manipulated in unexpected and potentially malicious ways.


ML models are stored, shared, and transferred using serialization formats, such as JSON, pickle, and HDF5. While some of these formats have been known to be vulnerable, there is still not enough clarity on how the attackers can subvert these models and how they can be used to create real damage to the victims. Unlike software, ML artifacts are not routinely checked for integrity, cryptographically signed, or even scanned by anti-malware solutions, which makes them the perfect target for cyber adversaries looking to fly under the radar.


In this talk, we show how an adversary can abuse machine learning models to carry out highly damaging supply chain attacks. We start by exploring several model serialization formats used by popular ML libraries, including PyTorch, Keras, TensorFlow, and scikit-learn. We show how each of these formats can be exploited to execute arbitrary code and bypass security measures, leading to the compromise of critical ML infrastructure systems. We present various code execution methods in Python’s pickle format, show the possible abuse of Keras lambda layers in HDF5, exploit SavedModel file format via unsafe TensorFlow I/O operations, and more. Finally, we demonstrate a supply chain attack scenario in which a ransomware payload is hidden inside an ML model using steganography and then reconstructed and executed through a serialization vulnerability when the model is loaded into memory.

With the rise of public model repositories, such as Hugging Face, businesses are increasingly adopting pre-trained models in their environments, often unaware of the associated risks. Our aim is to prove that machine learning artifacts can be exploited and manipulated in the same way as any other software, and should be treated as such - with utmost care and caution.
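An added example, not from the talk or from HiddenLayer, of the pickle mechanism the abstract refers to and of the load-side control that stops it: a "model" whose `__reduce__` makes the unpickler call `eval` on load, next to a restricted unpickler that refuses every global outside an allow-list. `ModelWeights`, `MaliciousModel` and the allow-list are constructed for the example; the payload is a harmless stand-in (it returns the process id) for whatever an attacker would run.

```python
import io
import os
import pickle
from dataclasses import dataclass, field


@dataclass
class ModelWeights:
    """Stand-in for a real model object (constructed for this example)."""
    layers: list = field(default_factory=list)


class MaliciousModel:
    """A 'model' whose pickle stream instructs the unpickler to call eval() on load.
    eval(...) returning the process id stands in for the attacker's real payload."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


BENIGN_BLOB = pickle.dumps(ModelWeights(layers=[[0.1, 0.2], [0.3]]))
MALICIOUS_BLOB = pickle.dumps(MaliciousModel())
HOST_PID = os.getpid()


def load_untrusted(blob: bytes):
    """Equivalent to calling a pickle-based loader (torch.load without weights_only,
    joblib.load, ...) on a downloaded artifact: whatever the stream names gets executed."""
    return pickle.loads(blob)


# Allow-list of the globals a weights file may reference. Everything else is refused,
# so the stream can only build plain containers and the one model class we expect.
ALLOWED_GLOBALS = {
    ModelWeights.__module__: {"ModelWeights"},
    "builtins": {"list", "dict", "tuple", "set", "float", "int", "str", "bool"},
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if name in ALLOWED_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def is_rejected(blob: bytes) -> bool:
    """True if the restricted loader refuses the stream without executing anything from it."""
    try:
        load_restricted(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("untrusted load of malicious blob returned:", load_untrusted(MALICIOUS_BLOB))
    print("restricted load of benign blob:", load_restricted(BENIGN_BLOB))
    print("restricted load rejects malicious blob:", is_rejected(MALICIOUS_BLOB))
```

The restricted unpickler is a mitigation for the case where a pickle-based format cannot be avoided; the cleaner fix is a weights-only serialization format that carries no executable references at all, plus the integrity checks (signing, hashing, scanning) the abstract notes are missing for ML artifacts today.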


Speakers
Tom Bonner

VP of Research, HiddenLayer
Tom Bonner is the Vice President of Research at HiddenLayer, responsible for a multidisciplinary team of researchers investigating novel attacks against ML/AI systems. Tom has over two decades of experience in cyber-security, previously working with Norman, HP, Cylance, and BlackBerry...
Marta Janus

Principal Researcher, HiddenLayer
Marta is a Principal Researcher at HiddenLayer, focused on investigating adversarial machine learning attacks and the overall security of AI-based solutions. Prior to HiddenLayer, Marta spent over a decade working as a researcher for leading anti-virus vendors. She has extensive experience...


Friday June 28, 2024 10:30am - 11:15am WEST

10:30am WEST

What can traditional web app security learn from browser wallet extensions?
Securing crypto browser wallets is quite a challenge.

On the one hand, a wallet is, for the most part, just a normal JavaScript web extension, so securing it should resemble classic web application security.

On the other hand, the crypto space introduces a major software architecture paradigm shift, making many classic web application security practices not resilient enough for the task.

For example, how do you monitor and block suspicious activity when there is no server to help you with that in the first place?

And to make things even more challenging: for the first time ever, literally billions of dollars are at stake!

Come listen to the unique challenges in our journey to defend first-of-its-kind software in an industry processing a never-seen-before volume of financial goods (and how JavaScript and the web are both the problem and the solution).

But most importantly: how does all of this connect to traditional web app security, and what can it teach us that would improve it?


Speakers
Gal Weizman

Security Engineer, MetaMask
Gal is an expert in browser JavaScript and client side security with close to a decade of proven experience in multiple fields, ranging from vulnerability research and bots mitigation, through application and supply chain security to anti debugging research, browser extensions security...


Friday June 28, 2024 10:30am - 11:15am WEST

10:30am WEST

Winning Buy-In: Mastering the Art of Communicating Security to Management
Talking to management can be exhausting, and experience has shown that it doesn't always lead to the result the presenter wants. Does it sometimes seem to you that management and technicians simply speak different languages? Or as if they simply don't want to understand you, even though you only want to help the company and make it more secure? Do they pick apart your arguments, ask you detailed questions that have nothing to do with your reasoning, or do you have the feeling that management doesn't take you seriously at all? On the other hand, do you have the feeling that management is just talking in their own language?

In my presentation, I would like to use the example of Zero Trust to show you how to skillfully express security issues and strategies in management language. You will learn how to develop and present arguments that will convince your management. I will explain how you can best present yourself in presentations and how you can ultimately help yourself and your company. I will give you concrete steps without the risk of micromanaging or management bingo that simply snuffs out management ignorance. Get noticed and implement your ideas!

Speakers
Ida Hameete

Application Security Consultant, Groundworkers
As a seasoned product owner transitioning into an application security consultant, I excel in bridging technical complexities with strategic business objectives. With a knack for delivering engaging presentations tailored to C-level audiences, I articulate the importance of security...


Friday June 28, 2024 10:30am - 11:15am WEST

10:30am WEST

I can’t cope! How OWASP is helping to manage vulnerability overload
You may have noticed that the number of new vulnerabilities being reported is increasing at a significant rate (over 15% in 2023). For many organisations that already struggle to keep on top of the vulnerabilities to be fixed, this is not good news, and there is always the danger of missing the really important one, which leads to an incident resulting in a data exploit, ransomware attack or similar issue.


And with legislation now starting to demand a greater focus on improving software security and resilience across many sectors, this significant challenge needs some new approaches.


This talk will demonstrate how you can manage software vulnerabilities more effectively by increasing the software transparency of all of the components used in your application through the use of Software Bills of Materials (SBOMs), and in particular CycloneDX. An SBOM provides a better understanding of how all of the components (particularly 3rd party sourced components) are used, which in turn enables the impact that a vulnerability could have on the users of the application to be better understood.


A key use case for SBOMs is as part of a vulnerability management activity. However, many of the reported vulnerabilities are not exploitable in the context in which the application has been constructed, and valuable time and resources can be wasted fixing vulnerabilities that do not need to be fixed. Fortunately, there is a developing solution for this problem: by leveraging a number of OWASP projects and standards, organisations will be able to focus on the vulnerabilities which represent the greatest risk and save valuable time and effort in the remediation process.


Speakers
Anthony Harrison

Founder and Director, APH10
Anthony Harrison has been developing and delivering mission critical applications for over 40 years, working on various complex programmes where he held various roles in software, systems and cyber engineering as well as providing technical leadership for a number of programmes. He...


Friday June 28, 2024 10:30am - 11:15am WEST

11:30am WEST

Show me your Pipeline and I'll tell you your Secrets
In the last few years, exploiting self-hosted Continuous Integration/Continuous Deployment (CI/CD) environments has become highly popular. Security threats have emerged as malicious actors discover and take advantage of vulnerabilities within these systems. Their primary goals are often to insert backdoors into cloud or internal environments, or to carry out remote command execution on an organization's infrastructure.


During my one-year journey of "poisoning pipelines", I reported to more than 150 leading companies around the globe about how I was able to use this supply chain attack to insert backdoors into companies' infrastructure, fetch sensitive secrets, and use cloud security credentials and leaked GitHub tokens, which allowed me to push "malicious" code into projects and publish "malicious" releases, without the owner's knowledge or approval.


We will start by exploring poisoned pipeline execution (PPE) attack techniques and the ways in which CI/CD processes allow attackers to inject their modified malicious code, interact with internal components, fetch environment secrets, and hopefully end up in a vulnerable pipeline that we can take control of.


Finally, having covered the theoretical groundwork, I'll demonstrate how such an attack sequence might lead to secret exfiltration and lateral movement from a compromised CI pod to hack internal organizational assets. We will conclude by discussing measures that can be put in place to protect against these types of attacks.


Speakers
Naor Yaacov

Application Security Team Lead, Wix.com
Naor is an Application Security Team Lead at Wix.com and responsible for the security research and offensive security activities within the organization. Naor gained his experience by working for major cyber security and development organizations as a consultant, penetration tester...


Friday June 28, 2024 11:30am - 12:15pm WEST

11:30am WEST

Breakout: Defender Track
Friday June 28, 2024 11:30am - 12:15pm WEST

11:30am WEST

5 AppSec stories, and what we can learn from them
While application security is a thrilling field, it can be difficult to get developers interested in it. And some vulnerabilities require specific in-depth technical knowledge, which can be difficult to pass on.

But there's a solution to both these problems: storytelling. With 5 true stories, we'll explore:

  • how storytelling helps to raise awareness of cybersecurity
  • what these stories can teach us about application security

Speakers
Paul Molin

CISO, Theodo Group
Paul Molin is the CISO of the Theodo Group. After training in information systems security, he joined Theodo in 2013 and became passionate about web development. Very quickly, he specialized in security issues by helping Theodo teams to succeed in their post-production audits. He eventually...


Friday June 28, 2024 11:30am - 12:15pm WEST

11:30am WEST

Breakout: Builder
Friday June 28, 2024 11:30am - 12:15pm WEST

12:15pm WEST

Lunch
Friday June 28, 2024 12:15pm - 1:15pm WEST

1:15pm WEST

Breakout: Projects
Friday June 28, 2024 1:15pm - 1:50pm WEST

1:15pm WEST

Exploiting Client-Side Path Traversal : CSRF is Dead, Long Live CSRF
To provide users with a safer browsing experience, the IETF proposal named "Incrementally Better Cookies" set in motion a few important changes to address Cross-Site Request Forgery (CSRF) and other client side issues. Soon after, Chrome and other major browsers implemented the recommended changes and introduced the SameSite attribute. SameSite helps mitigate CSRF, but does that mean CSRF is Dead?




While auditing major web applications, we realized that Client Side Path-Traversal (CSPT) can actually be leveraged to resuscitate CSRF, to the joy of all pentesters. Listed in the Top 10 Web Hacking Techniques of 2022, Client Side Path-Traversal has been overlooked for years. While considered by many as a low-impact vulnerability, it can actually be used to force an end user to execute unwanted actions on a web application.




Once we have introduced the basics of Client Side Path Traversal, we will present sources and sinks for Cross Site Request Forgery. Software engineers will learn how to defend their applications against this new class of vulnerabilities, while security auditors will come back home with a set of tips and tricks to bring CSRF back in their reports. To demonstrate the impact and novelty of our discovery, we will showcase vulnerabilities in major web messaging applications, including Mattermost and Rocket.Chat among others. Finally, we will also release a Burp extension to help the discovery of Client-Side Path-Traversal sources and sinks.


Speakers
Maxence Schmitt

Application Security Engineer, Doyensec
Maxence graduated from a French engineering school in Computer Science and Software Engineering and always had an interest in the security field. His professional experience began with managing Identity and Access Management topics in a large French IT consulting company. His skillset...


Friday June 28, 2024 1:15pm - 2:00pm WEST

1:15pm WEST

XZ Backdoor: Navigating the Complexities of Supply Chain Attacks Detected by Accident
Why was it an individual with no security background who discovered the XZ attack on an upstream open-source project as important as XZ Utils?




Four years after the SolarWinds attack, we still see confusion when it comes to Vulnerabilities, Zero-Days & just intentional Malware. So let’s talk about it!




In this session, we will highlight the differences between those various Open-Source threats.

We will shine a spotlight on a critical yet often overlooked area: compromised 3rd party libraries and CI/CD attacks. 




We'll showcase real-world examples, differentiate vulnerabilities from attacks (spoiler alert - Log4J is not an attack), and attach the risks to frameworks like NIST SSDF, OWASP PSCF, and SLSA.


Speakers
Yoad Fekete

DevOps Engineer, Myrror Security
I am a DevOps engineer with over 13 years of experience in IT, DevOps, and DevSecOps. I have designed, built hands-on, and secured complex Cloud & On-Prem projects in startups and corporates. It started from the Stone era when people deployed servers in racks. Creating infrastructure...


Friday June 28, 2024 1:15pm - 2:00pm WEST

1:15pm WEST

Harnessing Nature's Wisdom: Growing a Security Champion Program Into a Security Powerhouse
Yahoo’s Security Champion program offers a proven approach to embed a security influencer within engineering teams company-wide. Utilizing sound methodology based in behavioral psychology and empirical science, organizations can achieve remarkable results that enhance their security team’s success.

Speakers
Bonnie Viteri

Principal Technical Security Engineer, Yahoo
Building security programs and devising simple solutions to complex problems is what I do. I didn't travel the traditional path into cyber, and I don't plan to conform now. A behavioral psychologist at heart who is always watching and actively listening when everyone else is waiting...


Friday June 28, 2024 1:15pm - 2:00pm WEST

1:15pm WEST

Assessing 3rd Party Libraries more easily with Security Scorecards
Several studies have shown that around 80% of our applications consist of other people's code, because why would you re-create something that has already been made by someone else? But by using a package (e.g. NuGet, NPM, Maven, PyPI) that is developed by others, we also put a lot of trust in it, which might result in bigger security problems later. Of course, it's always a good idea to get updates of libraries in case of a bug fix related to a functional and/or security issue. But will that be enough? What about packages that have malicious code inside? Even for your own supply-chain security, any problem in the package's supply chain implicitly means your supply chain is compromised as well!

Would it not be nice if there were a better way to review a 3rd party library for security? An easier way to perform an assessment based on certain aspects of the package that tells you more about the package's software security. With the introduction of Scorecards, the Open Source Security Foundation (OpenSSF) tries to achieve exactly that. You could consider a Scorecard the equivalent of the nutrition label put on food you buy in a supermarket: it lets you see what's inside and decide whether you want to eat it or not.

In this session we start out with the different areas covered by OpenSSF Scorecards, such as how well the project is maintained, whether the build has dangerous workflows, and whether the project uses other security tools to check for problems. We're also going to identify areas for improvement, where we could add additional information related to reproducibility and security review of the codebase. All combined, this will give us the ability to assess a 3rd party library's security posture more easily and improve our own application security.

Speakers
Niels Tanis

Sr. Principal Security Researcher, Veracode
Niels Tanis has got a background in .NET development, pentesting and security consultancy. He is a Microsoft MVP and has been involved in breaking, defending and building secure applications. He joined Veracode in 2015 and right now he works as a security researcher on a variant...


Friday June 28, 2024 1:15pm - 2:00pm WEST

1:55pm WEST

Breakout: Projects
Friday June 28, 2024 1:55pm - 2:30pm WEST

2:15pm WEST

How (not) to implement secure digital identity - case study of Poland's Digital ID system
Digital identity solutions are on the rise in many countries. Is the identity card stored on your mobile phone kept in a safe and secure manner? What risks do digital identity solutions pose, and how easily can criminals exploit them? What should you look out for when implementing and using the digital identity system deployed in your country?




During my talk I will:

  • analyse security of digital ID systems based on Poland's latest digital ID solution,
  • show how a digital ID system can be used to hijack your identity,
  • showcase critical vulnerabilities in a system storing sensitive information of millions of Polish citizens,
  • give tips on how to maintain security when implementing digital ID systems.



After this talk, the audience will understand the risks associated with national digital ID systems. They will also know what to look out for when using, implementing or testing such systems.


Speakers
Szymon Chadam

IT Security Consultant, SecuRing
IT Security Consultant at SecuRing. His key responsibilities are web and mobile application security testing. Throughout his career, Szymon has performed numerous penetration tests of critical infrastructure for a wide range of industries, such as banking, financial services, medical...


Friday June 28, 2024 2:15pm - 3:00pm WEST

2:15pm WEST

Dawn of the Dead - The Tale of the Resurrected Domains
After years of innovation, it's become clear that the same features which propelled web applications to the forefront of software delivery are also their Achilles' heel in terms of vulnerability to supply chain attacks. This vulnerability arises from their highly composable nature, dynamically distributed code, and error-tolerant runtimes like browsers, which strive to execute code despite errors, such as syntax issues.


Today, our reliance on third-party dependencies is unprecedented, encompassing not only the software itself but also the development, build chains, and various tools designed to enhance software development efficiency.

A significant portion of these dependencies consists of scripts dynamically loaded from third-party servers. This approach allows script owners to update them unannounced, bypassing the website's ability to validate script integrity using mechanisms like Subresource Integrity (SRI), as file hash validation would break upon the first update.

What if these third-party hosts fail? Typically, browsers still attempt to run the web application, often resulting in numerous console errors unnoticed by users. This is a likely reason for the lax code maintenance observed in many websites, as their applications appear to function despite these underlying issues.


The risk escalates when script hosts are permanently shut down, often leaving their domains available for purchase. This scenario has recently been exploited by attackers, who acquire these domains to inject malicious scripts into websites still linked to the original URLs.


We caught one such attack, injecting malicious code into several websites. The extent of this threat was unknown until our threat hunting journey led to the discovery of over 1,000 compromised websites. This presentation will cover the full saga from detection to neutralization, including the various challenges faced and tools built and employed.

Post-incident, we expanded our research to investigate the prevalence of similar attacks. This led to extensive research and the development of a tool capable of scanning millions of websites for such vulnerabilities. We’ll present our findings. During our research, we also developed a free tool designed to alert website owners if they are using third-party scripts from defunct domains that may have fallen into malicious hands. We will introduce this tool to the community in our talk.


Speakers
Pedro Fortuna

CTO and Co-Founder, Jscrambler
Once on a trajectory to a full academic career, where he taught security and computer science courses for about 5 years, he ended up falling in love with the fast-paced world of entrepreneurship. He started Jscrambler, where he leads all security research and drives the company's product...


Friday June 28, 2024 2:15pm - 3:00pm WEST

2:15pm WEST

Building an Effective Application Penetration Testing Team
Offensive application security (penetration) testing is a technically demanding cybersecurity specialization with a growing demand for proficient security specialists. Despite the demand, there is a lack of established standards, guidelines, and best practices to cultivate effective teams. In contrast, software engineering benefits from a thriving culture and extensive literature dedicated to optimizing team and individual performance. Undergraduate and graduate programs provide aspiring engineers with comprehensive curricula that cover the technical, philosophical, and soft-skill fundamentals of the discipline. Lacking formalized or structured training, application penetration testers typically acquire skills through on-the-job experience or a patchwork of online resources and certifications. Given the role of application security specialists in identifying vulnerabilities in critical systems, the absence of comprehensive training programs and evaluation frameworks may have a substantial (though unquantified) impact on the security posture of today's applications. Resources for building effective offensive application security teams are even more sparse.


This talk will share notable insights, challenges, and novel approaches, towards the management and development of a fully remote (work-from-home) offensive application security team operating within a consultancy. This talk will describe the successes, failures, and future work in the pursuit of developing a comprehensive and empirically grounded framework for building an optimally effective team. Though technical proficiency is an essential focus, this talk will also cover additional elements of effective teams, including team cohesiveness, communication, and the supporting processes and systems. The following key areas of focus will be covered:

  • Understanding security and penetration testing in the context of human performance informed by technical skills training of surgeons
  • The development and delivery of an offensive application security curriculum
  • Implementing effective skill and talent assessment for hiring across experience levels
  • Utilizing effective fully remote communication and collaboration strategies to engage teams and inform decision making
  • Managing ongoing research and development projects as necessary side projects
  • Applying empirical approaches to evolve penetration testing systems and methodology

Speakers
Ryan Armstrong

Manager of Application Security Services, Digital Boundary Group (DBG)
Ryan Armstrong is the Manager of Application Security Services at Digital Boundary Group (DBG). Ryan began with DBG as an application penetration tester and security consultant following completion of his PhD in Biomedical Engineering at Western University in 2016. With a passion...


Friday June 28, 2024 2:15pm - 3:00pm WEST

2:15pm WEST

Designing Security and Privacy: A Developer's Guide to Threat Modeling with OWASP SAMM
Aimed at developers, security architects, and system engineers, this talk provides actionable insights for integrating threat modeling into development processes, enhancing security, and ensuring compliance. It focuses on the application of the newly developed Threat Modeling Capabilities (TMC) framework - contributed to by the speaker - and the OWASP Software Assurance Maturity Model (SAMM), with the speaker as a project leader, for embedding security and privacy into software. Attendees will learn to customize threat modeling practices to meet their organizational security objectives and risk tolerance, facilitating the early adoption of security and privacy measures in a scalable manner. Furthermore, the session will include an explanation and contribution of the TMC framework's mapping with SAMM to the OWASP community.

Speakers
Sebastien Deleersnyder

CTO and Co-Founder / COO, Toreon / Data Protection Institute
Sebastien Deleersnyder (Seba) is the CTO and co-founder of Toreon and COO of Data Protection Institute. With a strong background in development and extensive experience in cybersecurity, Seba has trained numerous developers on how to create more secure software. He is also the founder...


Friday June 28, 2024 2:15pm - 3:00pm WEST

3:00pm WEST

PM Break
Friday June 28, 2024 3:00pm - 3:30pm WEST

3:15pm WEST

Breakout: Projects
Friday June 28, 2024 3:15pm - 3:50pm WEST

3:30pm WEST

Token It Up a Notch: Elevating Payment Security
Handling credit and debit cards is one of the riskiest features a company can perform. However, it unlocks a lot of flexibility in the business and better serves our members. How can we implement this feature, while staying compliant with PCI and protecting this data?


We designed and implemented a tokenization service that ingests credit/debit cards and stores them in a secure manner. In this talk, we'll present an in-depth case study of building this process and deep dive into the main use cases. We'll cover why this was needed, the design, implementation, and metrics. Further, we'll detail how card info is ingested, stored, and shared with authorized partners and services. We'll also share some challenges we faced along the way.

Our goal is to provide a full picture of this service and how other companies can apply these techniques to securely handle payment cards in their ecosystem.


Speakers
Jovon Itwaru

Software Engineer, Chime
As a security engineer, Jovon Itwaru loves to focus on building security features and dabbles in applied cryptography. He's previously worked at Uber, LinkedIn, and Cisco. When he's not in front of his keyboard, he's traveling the world with his family or rehabbing fire-damaged p...


Friday June 28, 2024 3:30pm - 4:15pm WEST

3:30pm WEST

DOM Jungle - Can We Trust The UI?
One thing's for sure: we can no longer trust all code running under the same origin as our app, because in today's development landscape web apps are mostly composed of third party code that builders do not control.

Thus, we can no longer trustfully perform many operations we're used to blindly trusting. A significant one is DOM interaction: if some code I don't trust runs in my app, how can I rest assured it doesn't manipulate the DOM and the content accessible to the user? If I present them with sensitive content, can an attacker just steal it? What stops them from changing my website's layout to phish the user?

Regulating DOM access is a very hard problem to solve due to how the DOM is designed.

In this talk, we'll make it clear why the DOM API is so complicated to confine, explain why this problem is so concerning, and explore novel approaches for addressing it, such as SnowJS, LavaDome and LavaMoat, and how they open up new possibilities for finally working safely with the DOM.


Speakers
Gal Weizman

Security Engineer, MetaMask
Gal is an expert in browser JavaScript and client side security with close to a decade of proven experience in multiple fields, ranging from vulnerability research and bots mitigation, through application and supply chain security to anti debugging research, browser extensions security...


Friday June 28, 2024 3:30pm - 4:15pm WEST

3:30pm WEST

Build strong defenses by participating in standards!
From a distance, it can feel like standards float down from a tall ivory tower to become the received law by us mere mortals. They're a basis for building software and defenses, but once they're established, there's not much to do about it other than to look forward to the next one whenever it comes down from on high.

In reality, standards are produced by software engineers just like any piece of software. These days, standards groups work hard to welcome anyone who puts in good technical work, regardless of where you come from or who you work for, just like any well-run open source project.

Standards are a great complement to open source software, especially when you need to evaluate or coordinate multiple implementations. This is why the Internet is built atop them. As explained in "The Tangled Web," the differences between implementations often constitute security issues themselves, and standards aim to reduce those differences by providing a common point for everyone to target. Standards can also facilitate communication to help widely distribute crucial security fixes.

We're going to need security experts like you to help us develop strong defenses in standards, many of which are in development across a wide range of technologies today. In this talk, I hope to convince you to consider getting engaged in this process by showing you some exciting current issues at the intersections between standards and security. We'll talk about JavaScript, standardized in Ecma TC39, and the new Ecma TC54 to standardize CycloneDX. You'll learn what kind of help is needed by the security standards community, and how you can get involved.

Speakers
Daniel Ehrenberg

Senior Software Engineer, Bloomberg
Daniel Ehrenberg is a software engineer on Bloomberg's JavaScript Infrastructure and Tooling engineering team. He serves as the Vice President of Ecma International and contributes to Ecma TC39, the JavaScript standards committee. Daniel has dabbled in WebAssembly and web standards...


Friday June 28, 2024 3:30pm - 4:15pm WEST

3:30pm WEST

Securing the Gateway and Mitigating Risks in LLM API Integration
As the adoption of AI and Large Language Models (LLMs) continues to accelerate across enterprises, the average organization now leverages three or more such models to drive efficiency and innovation.

This rapid LLM adoption comes with significant risks to user privacy and data security. A substantial portion of LLMs ingest data indirectly through APIs, leading to the processing of vast amounts of sensitive information without adequate protection measures.

Recent incidents, such as the self-XSS vulnerability in Writesonic and the prompt injection vulnerabilities in ChatGPT and NotionAI, have highlighted the urgency of addressing vulnerabilities in the usage of LLM APIs.

The most pressing concerns surrounding LLM API security include prompt injection, overreliance on unvalidated LLM outputs, insecure output handling mechanisms, and exposure of sensitive data. In this talk, we will present these critical vulnerabilities, their impact and ways to mitigate them.

1. Prompt injection vulnerabilities enable attackers to manipulate an LLM's responses by injecting malicious prompts, potentially leading to data theft, manipulation, or the execution of harmful actions. Additionally, organizations that blindly trust and implement LLM outputs without proper validation expose themselves to significant risks, as evidenced by the Writesonic self-XSS vulnerability, where users could inject malicious JavaScript code into the website.
2. Insecure output handling practices in LLMs can result in the unintentional exposure of sensitive information, such as personally identifiable data, trade secrets, or intellectual property. Even with robust input validation, inadequate safeguards within the LLM itself can lead to sensitive data leaks, compromising the privacy and security of individuals and organizations. A recent example is CVE-2023-29374, a critical vulnerability in LangChain up to version 0.0.131, which allows for prompt injection attacks that can execute arbitrary code.

How to securely use LLMs?

Securing LLMs for Developers

Here are five ways developers can secure LLMs:

1. Input validation: Ensure prompts are free from malicious code or instructions.
2. Security testing: Conduct thorough vulnerability assessments regularly.
3. Restrict API connections: Connect only to trusted APIs.
4. Validate LLM outputs: Implement solid output handling mechanisms to prevent data exposure.
5. Advanced techniques: Use methods like homomorphic encryption or secure multi-party computation to further protect data.

We'll present these strategies and more with examples, aiming to provide developers with practical ways to secure their LLM APIs.

Speakers
Ayush Agarwal

Software Developer, Akto
Ayush Agarwal is currently working as a Software Developer at Akto. He has over 4 years of experience working on scalable and complex systems. He built the API Security testing framework at Akto, which involved developing a new language in the form of YAML. This language empowers...
Avneesh Hota

Software Developer, Akto.io
Avneesh has a solid background in API security and a keen interest in the emerging field of Large Language Models (LLMs). With three years at akto.io, he's been pivotal in enhancing their API testing frameworks and tackling diverse technological architectures. Moving beyond mere security, he's also exploring the responsible use of LLMs. Avneesh is known for his ability to demystify complex topics at key industry events like OWASP...


Friday June 28, 2024 3:30pm - 4:15pm WEST

4:30pm WEST

Keynote 4
Speakers
Dinis Cruz

AppSec, OWASP
Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows', which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis...


Friday June 28, 2024 4:30pm - 5:30pm WEST

5:30pm WEST

Closing Ceremony and Raffle
Friday June 28, 2024 5:30pm - 6:00pm WEST
 
Filter sessions
Apply filters to sessions.