
2023-02-13 ~ 2023-02-16

Presentations (with video): 44 (33)

Designed for private and public sector infosec professionals, the two-day OWASP conference equips developers, defenders, and advocates to build a more secure web. We are offering educational 2-day training courses on February 13-14 followed by the conference and exhibition days February 15-16.


Authors: Marine du Mesnil
2023-02-16

In 2019, users of Ameli, the French welfare website, could read other users' messages and attachments containing confidential information by trivially changing a parameter in the URL. Unfortunately, this flaw is much more common than we think, and access control has been listed as the number one flaw by OWASP.

Historically, developers manage permissions directly in code and the product team is not always well aware of the conditions, which leads to flaws in access control. It is also one of the most complex vulnerabilities to manage, and it is easy for a developer to forget a condition in their API and open up access to sensitive data to anyone.

On a fund management site using django-admin, we needed very fine-grained management of vertical (permission levels) and horizontal (compartmentalisation between users) permissions, with a need for some administrators to manage their own teams independently. We were able to implement an extremely easy-to-use and manageable system using both Django's internal permissions management and a SaaS: Okta.

During this talk, I will cover the following topics:
  • Vertical and horizontal permissions using a django-admin example
  • Adding a SaaS for login and permissions
  • The pros and cons of Okta

At the end of this talk, you will know the best practices for implementing and using permissions, with a django-admin example. You will also understand the pros and cons of using a SaaS to outsource permissions management and simplify it for your administrators.
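The distinction between vertical and horizontal permissions in the abstract above, shown as an added example that is not code from the talk or from the site it describes. It uses plain Python with constructed stand-ins for Django's user/permission tables (the names User, Message, MESSAGES, can_access and the two get_message_* handlers are all assumptions made for illustration): the first handler reproduces the Ameli-style flaw, where an authenticated user with the right role can read any message by changing the id, and the second adds the horizontal check that ties the object to the caller or to a team administrator's own team.

```python
from dataclasses import dataclass

# Constructed stand-ins for Django's auth User/permission tables and a message
# table; all names here are illustrative, not Django's or the site's own API.

@dataclass(frozen=True)
class User:
    id: int
    team: str
    perms: frozenset  # vertical permissions, e.g. "view_message", "manage_team"

@dataclass(frozen=True)
class Message:
    id: int
    owner_id: int
    team: str
    body: str

class AccessDenied(Exception):
    """Raised both for 'no such object' and 'not yours', so the response does not
    tell the caller whether an id exists (otherwise ids can be enumerated)."""

# Constructed sample data: two users on team alpha, one on team beta.
MESSAGES = {
    1: Message(1, owner_id=10, team="alpha", body="alpha admin private note"),
    2: Message(2, owner_id=11, team="alpha", body="alpha member attachment"),
    3: Message(3, owner_id=20, team="beta", body="beta confidential"),
}

def get_message_vulnerable(user: User, message_id: int) -> Message:
    """The Ameli-style bug: the caller is authenticated and even has the right
    role, but nothing ties the requested id to the caller. Change the id in the
    URL and you read someone else's message."""
    if "view_message" not in user.perms:  # vertical check only
        raise AccessDenied("role may not view messages")
    return MESSAGES[message_id]           # horizontal check missing

def can_access(user: User, msg: Message) -> bool:
    """Horizontal rule kept in one place, so every endpoint applies the same
    condition instead of re-deriving (and forgetting) it inline."""
    if msg.owner_id == user.id:
        return True
    # Team administrators manage their own team's data, and nothing outside it.
    return "manage_team" in user.perms and msg.team == user.team

def get_message_secure(user: User, message_id: int) -> Message:
    if "view_message" not in user.perms:  # vertical: the role allows the action
        raise AccessDenied("role may not view messages")
    msg = MESSAGES.get(message_id)
    if msg is None or not can_access(user, msg):  # horizontal: object in caller's scope
        raise AccessDenied("not found or not yours")
    return msg

def is_denied(handler, user: User, message_id: int) -> bool:
    """True if the handler refuses the request (lets callers compare the two handlers)."""
    try:
        handler(user, message_id)
    except (AccessDenied, KeyError):
        return True
    return False
```

In Django terms, the vulnerable handler is a bare `Message.objects.get(pk=message_id)`; the secure one corresponds to filtering the queryset by the caller (`Message.objects.filter(owner=request.user)`) or, in django-admin, to overriding `ModelAdmin.get_queryset(request)` and `has_view_permission(request, obj)` so the object-level condition lives in one place. Note that the secure handler returns the same error for a missing id and for someone else's id, so callers cannot probe which ids exist.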
Authors: Sam Stepanyan
2023-02-16

tldr - powered by Generative AI

Nettacker: An Automated Penetration Testing Framework
  • Nettacker is a free and open-source automated reconnaissance and penetration testing tool
  • It can scan networks for vulnerabilities, discover expired SSL certificates, and find subdomains hosting vulnerable versions of content management systems
  • Nettacker can be used by both attackers and defenders, and has been helpful for bug bounty research
  • The tool uses YAML modules and is written in Python
  • Nettacker can be automated using GitHub actions and Docker containers
  • Automated scans can be scheduled to run regularly and generate reports as artifacts
Authors: Tanya Janca
2023-02-16

tldr - powered by Generative AI

The presentation discusses resources and strategies for maintaining secure legacy applications in DevOps.
  • Encourages joining the Open Web Application Security Project and local chapters
  • Provides a PDF summary of the presentation
  • Offers free online community called We Hack Purple with training courses and podcasts
  • Suggests regular communication with software developers and security champions through lunch and learns and presentations
  • Emphasizes the importance of feedback and addressing issues promptly
Authors: Chuck Willis
2023-02-16

tldr - powered by Generative AI

The presentation discusses various techniques for encrypting data in databases, including deterministic encryption, searchable encryption, and homomorphic encryption.
  • Deterministic encryption allows for searches on equality while keeping data encrypted
  • Searchable encryption allows for searching for keywords in encrypted documents by encrypting the keywords and storing them in a database
  • Homomorphic encryption allows for performing operations on encrypted data in a way that is equivalent to performing the operations before encryption
  • Each technique has its limitations and trade-offs
  • Maintaining an index of keyword frequency is discussed as a way to improve the security of searchable encryption (frequency leakage is what an attacker with a copy of the index exploits)
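The equality-search and keyword-search points above, as an added example that is not code from the talk. A keyed deterministic token (HMAC, the "blind index" pattern) stands in for deterministic encryption, since the property that matters here is the same: equal keywords produce equal tokens, so the database can match them without the key. The corpus, the key and the function names are constructed for illustration. The block also shows the trade-off the last bullet refers to: with only the token index and a public guess of keyword popularity, an attacker recovers which token is which, and padding the posting lists to a uniform frequency is the standard countermeasure.

```python
from __future__ import annotations
import hashlib
import hmac

# Constructed demo key; a real deployment keeps this in a KMS/HSM, never beside the data.
INDEX_KEY = b"constructed-demo-key-not-for-production"

def keyword_token(key: bytes, keyword: str) -> str:
    """Deterministic keyed token: the same keyword under the same key always gives
    the same token, so the DB can compare and index it without seeing plaintext.
    Casefolding makes 'Password' and 'password' search-equivalent."""
    return hmac.new(key, keyword.casefold().encode(), hashlib.sha256).hexdigest()

def build_index(key: bytes, documents: dict[int, list[str]]) -> dict[str, set[int]]:
    """Server-side structure: token -> ids of documents containing that keyword.
    Only tokens are stored; document bodies would be encrypted separately."""
    index: dict[str, set[int]] = {}
    for doc_id, keywords in documents.items():
        for kw in keywords:
            index.setdefault(keyword_token(key, kw), set()).add(doc_id)
    return index

def search(key: bytes, index: dict[str, set[int]], keyword: str) -> set[int]:
    """Equality search: the client tokenises the query, the server exact-matches it."""
    return set(index.get(keyword_token(key, keyword), set()))

def frequency_attack(index: dict[str, set[int]], guessed_order: list[str]) -> dict[str, str]:
    """Attacker with the index but no key: rank tokens by posting-list size and line
    them up against a publicly known popularity ranking of likely keywords.
    Deterministic tokens leak exactly this ordering."""
    ranked = sorted(index, key=lambda t: len(index[t]), reverse=True)
    return dict(zip(ranked, guessed_order))

def pad_to_uniform(index: dict[str, set[int]], dummy_start: int = 1_000_000) -> dict[str, set[int]]:
    """Countermeasure: pad every posting list with dummy ids so all tokens look
    equally frequent (the client drops ids >= dummy_start from results).
    Needs the real frequency counts to know how much to pad, and costs storage."""
    target = max(len(ids) for ids in index.values())
    padded: dict[str, set[int]] = {}
    next_dummy = dummy_start
    for tok, ids in index.items():
        extra: set[int] = set()
        while len(ids) + len(extra) < target:
            extra.add(next_dummy)
            next_dummy += 1
        padded[tok] = ids | extra
    return padded

# Constructed corpus: support tickets with their extracted keywords.
DOCUMENTS = {
    1: ["password", "reset"],
    2: ["password", "invoice"],
    3: ["Password", "invoice"],
    4: ["password", "refund"],
    5: ["password", "invoice", "reset"],
}
INDEX = build_index(INDEX_KEY, DOCUMENTS)
```

In this corpus "password" occurs in 5 tickets, "invoice" in 3, "reset" in 2 and "refund" in 1, so an attacker who guesses that ranking labels every token correctly without the key; after `pad_to_uniform` all four posting lists have the same size and the ranking carries no information. The same leakage applies to a deterministically encrypted column: equality search and frequency leakage are two sides of one design decision.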
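The homomorphic-encryption bullet, as an added example that is not code from the talk: a textbook Paillier cryptosystem, whose ciphertexts can be multiplied to add their plaintexts, so a server can total an encrypted column without the decryption key. The key is built from two fixed, tiny constructed primes so the block runs instantly; it offers no security and real keys use primes of 1024 bits or more. The function names are assumptions made for this example.

```python
from math import gcd
import secrets

# Constructed toy key: two fixed ~20-bit primes. Insecure; for illustration only.
P, Q = 1000003, 1000033
N = P * Q
N_SQ = N * N
G = N + 1                                       # standard choice g = n + 1
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)  # lcm(p-1, q-1)

def _L(x: int) -> int:
    return (x - 1) // N

MU = pow(_L(pow(G, LAMBDA, N_SQ)), -1, N)       # modular inverse, Python 3.8+

def encrypt(m: int) -> int:
    """c = g^m * r^n mod n^2 with a fresh random r. Probabilistic: equal plaintexts
    give different ciphertexts, which is why equality search is not possible here
    (the opposite trade-off from deterministic encryption)."""
    if not 0 <= m < N:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(N)
        if r > 0 and gcd(r, N) == 1:
            break
    return (pow(G, m, N_SQ) * pow(r, N, N_SQ)) % N_SQ

def decrypt(c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n; needs the private (lambda, mu)."""
    return (_L(pow(c, LAMBDA, N_SQ)) * MU) % N

def add_encrypted(c1: int, c2: int) -> int:
    """Homomorphic addition: multiplying ciphertexts adds the plaintexts."""
    return (c1 * c2) % N_SQ

def scale_encrypted(c: int, k: int) -> int:
    """Multiplying a plaintext by a public constant k: raise the ciphertext to k."""
    return pow(c, k, N_SQ)

def encrypted_total(ciphertexts: list[int]) -> int:
    """What the database side can do: sum an encrypted column without the key.
    Correct as long as the true total stays below n."""
    acc = encrypt(0)
    for c in ciphertexts:
        acc = add_encrypted(acc, c)
    return acc
```

The limitation the talk flags shows up directly: Paillier supports addition and multiplication by a known constant, not multiplication of two encrypted values or comparisons, and every operation is far more expensive than a plain SQL aggregate. Results wrap modulo n, so the key size also bounds the values that can be summed.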
Authors: Meghan Jacquot
2023-02-16

tldr - powered by Generative AI

The speaker discusses the problem of wearing too many hats in cybersecurity and offers solutions through finding patterns and categorization.
  • Wearing too many hats is a common problem in cybersecurity
  • Finding patterns and categorization can help consolidate roles and reduce noise
  • The speaker provides examples of the OWASP Top 10 vulnerabilities
  • The speaker is working on a book about cybersecurity and is gathering stories from people in the field
Authors: Adam Berman
2023-02-16

The growth in security threats has overwhelmed organizations. All too frequently, security teams are forced to prioritize compliance-related checkboxes, as opposed to work that makes a real dent in their organization's security. Since few teams can afford to simply expand their headcount to keep up, they must take a new approach to evaluating and prioritizing threats. This talk presents a counterintuitive approach to strengthening security: one that ignores over 90% of security vulnerability alerts. Using specific examples, it illustrates how organizations can ignore alerts with high confidence, and how this enables a marked shift in security workflows and behavior, thus significantly improving security posture.
Authors: Izar Tarandach
2023-02-16

tldr - powered by Generative AI

The importance of documenting and using threat models in cybersecurity and DevOps
  • Threat models should be stored and available in places that people know where to find them and how to relate and change them
  • Threat models can be used to define security contracts and find commonalities for platforming
  • Templates are useful for making threat models consistent and easy to compare
  • Everyday tools can be used for automating boring parts of the system and dealing with low hanging fruit
  • Threat models are living documents that should be updated and stored for future use
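The storage, template and automation points above, as an added example that is not code from the talk: a threat model kept as JSON next to the code, a checker that enforces one consistent template (every threat ends in a recorded mitigation, an explicit accepted-risk decision, or is visibly open), and a diff between two revisions so the "living document" can be reviewed like any other change. The schema, field names and both sample revisions are assumptions constructed for this example; the talk does not prescribe a format.

```python
import json

# Assumed minimal template (not from the talk). "status" must be decided explicitly,
# so a threat nobody got round to is distinguishable from an accepted risk.
REQUIRED_THREAT_FIELDS = {"id", "asset", "threat", "status"}
VALID_STATUS = {"mitigated", "accepted", "open"}

def validate(model: dict) -> list:
    """Return a list of template violations; an empty list means the model conforms."""
    problems = []
    for key in ("system", "owner", "revision", "threats"):
        if key not in model:
            problems.append(f"missing top-level field: {key}")
    for t in model.get("threats", []):
        tid = t.get("id", "?")
        missing = REQUIRED_THREAT_FIELDS - t.keys()
        if missing:
            problems.append(f"{tid}: missing {sorted(missing)}")
            continue
        if t["status"] not in VALID_STATUS:
            problems.append(f"{tid}: unknown status {t['status']!r}")
        elif t["status"] == "mitigated" and not t.get("mitigation"):
            problems.append(f"{tid}: marked mitigated but no mitigation recorded")
        elif t["status"] == "accepted" and not t.get("accepted_by"):
            problems.append(f"{tid}: risk accepted but nobody recorded as accepting it")
    return problems

def open_threats(model: dict) -> list:
    """The low-hanging fruit a scheduled job can nag about: threats still undecided."""
    return [t["id"] for t in model["threats"] if t["status"] == "open"]

def diff_models(old: dict, new: dict) -> dict:
    """Compare two revisions of one model: threats added, removed, or re-decided."""
    old_t = {t["id"]: t for t in old["threats"]}
    new_t = {t["id"]: t for t in new["threats"]}
    both = old_t.keys() & new_t.keys()
    return {
        "added": sorted(new_t.keys() - old_t.keys()),
        "removed": sorted(old_t.keys() - new_t.keys()),
        "status_changed": sorted(i for i in both if old_t[i]["status"] != new_t[i]["status"]),
    }

# Constructed sample: two revisions of the same model, as they would sit in the repo.
REV1 = json.loads("""{
  "system": "payments-api", "owner": "team-payments", "revision": 1,
  "threats": [
    {"id": "T1", "asset": "card tokens", "threat": "tampering in transit",
     "status": "mitigated", "mitigation": "mTLS between services"},
    {"id": "T2", "asset": "admin endpoint", "threat": "spoofing via weak auth",
     "status": "open"}
  ]}""")
REV2 = json.loads("""{
  "system": "payments-api", "owner": "team-payments", "revision": 2,
  "threats": [
    {"id": "T1", "asset": "card tokens", "threat": "tampering in transit",
     "status": "mitigated", "mitigation": "mTLS between services"},
    {"id": "T2", "asset": "admin endpoint", "threat": "spoofing via weak auth",
     "status": "mitigated", "mitigation": "SSO with MFA enforced"},
    {"id": "T3", "asset": "webhook receiver", "threat": "replay of signed events",
     "status": "accepted", "accepted_by": "payments-lead"}
  ]}""")
# Constructed non-conforming model: one threat never decided, one accepted by nobody.
BROKEN = json.loads("""{
  "system": "x", "owner": "y", "revision": 1,
  "threats": [
    {"id": "B1", "asset": "a", "threat": "b"},
    {"id": "B2", "asset": "a", "threat": "b", "status": "accepted"}
  ]}""")
```

Run `validate` in CI on every change to the model file and `diff_models` in the pull request that changes it; the output is small enough to read in a review, which is what makes models stored this way easy to find, relate and compare.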
Authors: Dan Murphy, Frank Catucci
2023-02-16

tldr - powered by Generative AI

The presentation discusses a vulnerability in OpenSSL 3.0 that requires a specific set of circumstances to exploit, limiting its impact. The speaker emphasizes the importance of exploring and testing vulnerabilities to determine their actual risk.
  • The vulnerability requires a valid client certificate and is triggered while that certificate is being verified during the TLS handshake
  • The affected code is a narrow window in OpenSSL 3.0, limiting the number of potential targets
  • The exploit depends on a specific memory layout being present, making it difficult to execute reliably
  • The speaker encourages a spirit of exploration and experimentation to determine the actual risk of vulnerabilities
Authors: Dr. Magda Chelly
2023-02-16

tldr - powered by Generative AI

The presentation discusses the potential risks and benefits of using AI-generated code in software development, with a focus on cybersecurity and DevOps. The speaker emphasizes the importance of balancing speed and efficiency with quality and security, and highlights the need for clear contracts and due diligence when working with third-party AI tools and data sets.
  • AI-generated code can increase productivity and reduce errors, but may also pose significant risks to businesses and users if not properly regulated and tested.
  • Clear contracts and due diligence are necessary when working with third-party AI tools and data sets to ensure quality and security.
  • The use of AI in software development requires a balance between speed and efficiency and quality and security.
  • The speaker suggests that AI-assisted coding may be a more effective approach than relying solely on AI-generated code.
  • The presentation also touches on the broader issues of data privacy and intellectual property rights in the context of AI and big data.
Authors: Sven Schleier
2023-02-16

There are numerous ways of developing mobile apps today, but how do you ensure that your app is properly secured? What are the threats you should be concerned about, and what can you do to avoid being an easy target? If you don't want to miss anything, leveraging a standard is essential. Google understands this very well and since April 2022 has acknowledged developers who have had their apps independently validated against the OWASP MASVS. In this talk we'll introduce you to the OWASP MASVS (Mobile Application Security Verification Standard), which works together with the OWASP MASTG (Mobile App Security Testing Guide) to help you understand the attack surface of mobile apps, how to exploit them and how to protect them, and we'll cover the transition to version 2.0. Both resources are crafted and curated by a team of numerous experts and community contributors. Want to secure your mobile apps? See you there!