
2021-09-24 ~ 2021-09-25

Presentations (with video): 96 (80)

2021 marks the 20th Anniversary of the OWASP Foundation. We have been working hard to secure the world through challenges and discovery. And now, it’s time to celebrate! Many of you have played a crucial role in the Foundation’s enduring history, and we encourage you to participate in the celebration coming this September! Our theme, Securing the Next 20 Years, is encouraging and exciting as we look ahead! Join us for FREE at this live, virtual 24-hour global event as we honor the past, celebrate the present and embrace the future of OWASP and cybersecurity. Hear from world-renowned keynotes and special speakers, network with your peers and interact with our event sponsors.


Authors: Debasis Mohanty
2021-09-25

tldr - powered by Generative AI

The presentation discusses the reasons why old security bugs continue to persist in the industry and proposes better mitigation strategies.
  • Machine learning can help prevent malicious actions when it is trained to perform behavioral checks rather than signature matching
  • DevSecOps is not a silver bullet for software security engineering and should not be hyped as such
  • The way organizations respond to bug reports contributes to the persistence of old security bugs
  • Mitigation strategies that only fix the bugs that happen to be reported, or that prioritize fixes solely by risk rating, are inadequate
  • Publicly reported security bugs should be taken seriously and addressed promptly
Authors: Vandana Verma, Steve Coochin
2021-09-25

tldr - powered by Generative AI

The presentation discusses the importance of secure development environments in the face of supply chain security incidents and vulnerabilities in open source code and containers.
  • Open source code makes up a significant portion of an organization's codebase, and new packages are constantly being developed, leading to vulnerabilities and breaches.
  • Containerization is important for keeping code and infrastructure clean, but vulnerabilities can still surface in containers.
  • Developers' integrated development environments, such as Visual Studio Code, are also vulnerable to attacks.
  • Secure development environments are crucial for protecting end users and require a shift left approach to security.
  • The presentation includes a demonstration of a vulnerability in the Instant Markdown plugin for Visual Studio Code.
Authors: Zoe Braiterman, Loredana Mancini, Vandana Verma, Aastha Sahni, Jessica Gottsleben
2021-09-25

Authors: Riotaro OKADA
2021-09-25

tldr - powered by Generative AI

The presentation discusses the challenges of implementing AppSec in DevOps and CI/CD and proposes solutions based on the experience of organizing the Hardening Project in Japan.
  • Shift left is important in integrating security early on in the development process
  • Development and security teams need to work together to maximize mutual understanding and cooperation
  • Risk profiling is important in designing effective security defenses
  • The Hardening Project in Japan is an eight-hour security competition that helps participants update their knowledge about incident response and improve their defenses
  • The competition involves dealing with technical failures, customer complaints, and public relations response
  • The Softening Day is a session where teams and attackers give presentations to share and summarize their activities and strategies
Authors: Carlos Holguera, Sven Schleier
2021-09-24

Authors: Dr. Abhilasha Vyas
2021-09-24

tldr - powered by Generative AI

Challenges and Solutions for Blockchain-based Cyber Physical Systems
  • Unauthorized access or theft of cryptographic keys may lead to total loss of data
  • Improper key management and access control, unintended forks and chain split attacks are concerns
  • API integration with third parties leads to trust issues
  • Blockchain can provide security for smart systems and achieve trusted data storage and execution of smart contracts
  • Security and privacy are significant challenges in cyber physical systems
  • Heterogeneity in device resources, multiple attack surfaces, lack of control over data sharing, and poor implementation of security and privacy mechanisms are challenges
  • Audit facilities and updating software and hardware are important
  • Ransomware attacks are a major threat to cyber physical systems
Authors: Simon Bennetts
2021-09-24

tldr - powered by Generative AI

The upcoming release of OWASP ZAP 2.11.0 introduces several new features, including an automation framework, out-of-band security testing, and improved reporting capabilities.
  • OWASP ZAP is a web application scanner designed to find vulnerabilities in custom web applications.
  • The new automation framework simplifies the process of configuring and running scans.
  • Out-of-band security testing allows for the detection of vulnerabilities that may not be immediately apparent.
  • Improved reporting capabilities provide more detailed information about vulnerabilities and site statistics.
  • The packaged scans and the API are still available, but the automation framework provides a more user-friendly option for those less familiar with driving ZAP through the API.
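As an added illustration, not code from this page or from the ZAP project itself, the plan below shows the shape of an automation-framework YAML file as used with ZAP 2.11: contexts and global parameters under `env`, followed by an ordered list of `jobs` (spider, wait for passive scan, active scan, report). The target URL and report directory are placeholders, and the field names are as I recall them for the 2.11-era framework, so verify them against the Automation Framework documentation for the ZAP version you run.

```yaml
# Example ZAP automation plan (added illustration; placeholders throughout).
env:
  contexts:
    - name: "Default Context"
      urls:
        - "http://localhost:8080"        # placeholder target
      includePaths:
        - "http://localhost:8080/.*"
      excludePaths:
        - "http://localhost:8080/logout.*"  # keep the crawler logged in
  parameters:
    failOnError: true       # a failing job makes ZAP exit non-zero (useful in CI)
    failOnWarning: false
    progressToStdout: true

jobs:
  - type: spider
    parameters:
      context: "Default Context"
      url: "http://localhost:8080"
      maxDuration: 5        # minutes; bound crawl time in a pipeline

  - type: passiveScan-wait
    parameters:
      maxDuration: 5        # wait for the passive scanner to drain its queue

  - type: activeScan
    parameters:
      context: "Default Context"
      policy: "Default Policy"
      maxScanDurationInMins: 20

  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/tmp/zap-reports"   # placeholder output directory
      reportFile: "zap-report"
      reportTitle: "ZAP Scanning Report"
    risks:
      - high
      - medium
      - low
    confidences:
      - high
      - medium
      - low
```

Run it headless with `zap.sh -cmd -autorun plan.yaml`. Because `failOnError` is set, a job that cannot complete (for example an unreachable target) fails the run rather than silently producing an empty report, which is the behaviour you want when the scan gates a build.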
Authors: Björn Kimminich
2021-09-24

Authors: Catalin Curelaru
2021-09-24

tldr - powered by Generative AI

The presentation discusses the importance of cyber threat intelligence in protecting applications and businesses. It provides insights on how to integrate it into an application security program and automate data collection and processing to prevent or mitigate cyber attacks.
  • Digital technologies have revolutionized the world's economic and cultural institutions but have brought additional risk in the form of cyber attacks
  • Cyber Threat Intelligence (CTI) is important for strengthening a company's security posture and protecting its applications
  • CTI is the collection and analysis of information about cyber threats and adversaries to provide context and prevent/mitigate attacks
  • CTI should be objectively actionable and help reduce the effectiveness of cyber threats
  • CTI can be a driver for cybersecurity return on investment
  • CTI still lacks an established methodology in the application security world
  • Intelligence is often shared but rarely acted on, and distributing it to the people who can use it remains difficult
  • Lessons from the intelligence community can be applied to CTI
Authors: Alexander Barabanov
2021-09-24

tldr - powered by Generative AI

The presentation focuses on providing practical tips for conducting a basic security assessment of microservice-based systems to find microservice-specific vulnerabilities.
  • Microservice architecture is increasingly used for designing and implementing application systems, but it brings new security architecture patterns and approaches that may lead to vulnerabilities
  • The presentation provides approaches and practical tips for conducting a basic security assessment of microservice-based systems to find microservice-specific vulnerabilities
  • The research results were extracted during multiple security assessments, collected, structured and contributed to the OWASP community