Conference: Black Hat Asia 2023
Authors: Rohit Sehgal

Security Zines is a unique initiative that uses comics, single-page flyers, and visual presentations to teach about cybersecurity in a fun and interactive way. Our goal is to make learning about infosec, appsec, data security, network security, and other technical topics accessible and engaging for people of all ages and backgrounds. In this presentation, we'll discuss the concept and creation of Security Zines, and share examples of how they can be used to educate and inspire the next generation of cybersecurity professionals. We'll also explore the challenges and opportunities facing new and aspiring cybersecurity professionals, and offer insights on how to overcome common barriers to entry in the field. Through the use of case studies and interactive exercises, attendees will learn how to use creative and innovative approaches to engage with their peers and the wider cybersecurity community. This presentation is ideal for attendees who are new to cybersecurity or looking to become more engaged in the field. It will provide a forum for idea sharing and discussion on relevant issues impacting the cybersecurity community, and offer constructive and creative ideas for solutions to these challenges. Join us to learn how Security Zines can be used to inspire and educate the next generation of cybersecurity professionals!
Authors: Dan Murphy, Frank Catucci

tldr - powered by Generative AI

The presentation discusses a vulnerability in OpenSSL 3.0 that requires a specific set of circumstances to exploit, limiting its impact. The speaker emphasizes the importance of exploring and testing vulnerabilities to determine their actual risk.
  • The vulnerability requires a valid client certificate and occurs during the certificate handshake process
  • The affected code is a narrow window in OpenSSL 3.0, limiting the number of potential targets
  • The exploit requires a specific alignment of memory, making it difficult to execute
  • The speaker encourages a spirit of exploration and experimentation to determine the actual risk of vulnerabilities
Authors: Tanya Janca

tldr - powered by Generative AI

The presentation discusses resources and strategies for maintaining secure legacy applications in DevOps.
  • Encourages joining the Open Web Application Security Project and local chapters
  • Provides a PDF summary of the presentation
  • Offers free online community called We Hack Purple with training courses and podcasts
  • Suggests regular communication with software developers and security champions through lunch and learns and presentations
  • Emphasizes the importance of feedback and addressing issues promptly
Authors: Moti Harmats

tldr - powered by Generative AI

The speaker discusses the importance of monitoring server error logs for security vulnerabilities and shares their experience of discovering critical vulnerabilities through this method.
  • Server error logs can contain indications of application vulnerabilities
  • Creating detection rules and signatures for server error logs can help identify vulnerabilities
  • Lessons learned from monitoring server error logs at scale and in distributed systems
  • Automating security processes is crucial for large enterprises with limited security resources
Authors: Ken Toler

tldr - powered by Generative AI

The presentation discusses the importance of threat modeling and testing in web3 organizations and the need for understanding code in web3.
  • Threat modeling is important in web3 organizations and should be done iteratively starting with a contract or cloud infrastructure
  • Writing tests is crucial in web3 organizations
  • Learning to code is important for effective communication with developers in web3 organizations
Authors: Jakub Kaluzny

tldr - powered by Generative AI

The presentation discusses a scalable and autonomous AppSec program that allows engineers to own security in a high-growth environment. The program includes establishing principles and metrics, managing and motivating security champions, and using structured Threat Modeling as Code for AppSec innovations.
  • Engineers should own security in a high-growth environment
  • Each pull request should have an associated security review
  • Threat modeling should be done by engineers using a custom tool with automation
  • All deliverables or output should be stored in a database
  • Risk assessment should be used to determine which features need a security review
  • Security champions should be introduced to help with reviews
  • Autonomy levels should be introduced for teams and partners
  • Structured Threat Modeling as Code should be used for AppSec innovations
Authors: Jeff Williams

tldr - powered by Generative AI

The presentation discusses the importance of incorporating threat intelligence and runtime protection into application security programs to prevent attacks and vulnerabilities.
  • Threat intelligence can dynamically change the risk of an attack and allow for prioritization of security measures.
  • Runtime protection can prevent a significant portion of vulnerabilities from being exploited.
  • Instrumentation and telemetry can provide real-time feedback to developers and production teams.
  • Trust boundaries and sandboxes can be implemented to prevent common vulnerabilities such as unsafe serialization and expression language injection.
Authors: Chen Gour-Arie

"and this mess is so big and so deep and so tall - we can not pick it up, there is no way at all" – Dr. Seuss

The evolution of application security coincides, for the most part, with the innovations in the realm of applications themselves. When characterizing each of these chapters, we see that while the techniques and tools of application security may have changed, the challenge has remained the same – AppSec is always playing catch-up. Is there anything we can do as AppSec professionals to change this vicious cycle? In order to better secure our future, we must first look at the past.

This presentation will define, for the first time, the four major transformation periods of application security:

1. Primordial Terminal Applications
2. Thick Application Clients
3. The Web Application Era
4. Mobile, SPA & Cloud Native Applications

We will review the mistakes we have made as AppSec practitioners and the impact we've had on each transformation stage. But most of all, we will ask the critical question – why do we have more problems today in AppSec yet so many more security solutions and innovations? The answer lies in the fact that although we've tried, AppSec still evolves at a slower pace than engineers in application development.

We will always need application security – just as a door needs a lock and a yard needs a fence. It's the classic game of offense and defense: innovation will spur incredible progress in application development, which in turn will surface new vulnerabilities, attack vectors and challenges. As AppSec professionals, now is the moment to tie the game and stop playing catch-up. So although demoralized, we are not defeated!

The final part of my presentation will discuss the ways in which AppSec can become as agile as development and transform! But in order to pave the road for this future, we must learn important lessons from our past. Welcome to AppSec story time!
Authors: Warren Kopp

Building an application security program is hard. Application Security teams struggle to grow, be effective, or get budget. Why? They're missing the collaboration. You face resistance from developers: they don't want to change their practices. You face resistance from testers: this isn't in their test plans. You face resistance from leadership: SAST costs how much?! Overcoming this adversity depends on growing your communication and collaboration skills. It's key to learn how to identify stakeholders for AppSec output. Who needs to know about your metrics? Why do they need to know that? Is it Marketing, to help sell your software, your posture, your commitment? Is it Compliance, to know about all the hard work that gets done building secure defaults? Is it Operations, so they know how to report new vulnerabilities? These are only a few examples of where in your company you might find new allies.

At every level in an organization there are people who need to know about Application Security who aren't currently even aware of the concept. And they need your help to get there. Attendees will learn about sharing their hard work with the right people across their organization. They will learn about how to find the right people for their message, and about building the right message for the audience. They will learn how to solicit feedback and build actionable plans and goals to address it.

It is on the shoulders of Application Security Teams to reach out and build a community around their goals. This takes a lot of meetings, a lot of compromise, and quite often a lot of doing "non-security" work. But it builds a stronger team that breaks down existing silos. It builds a more effective organization that can adapt to changes in customers, markets, and technologies. Building a community around application security amplifies effort, but more importantly, strengthens the output.
After building your community you will learn about vulnerabilities sooner, address questions quicker, and support your customers better, all while delivering more secure software.
Authors: Sponsor: Apiiro

You are invited to join us for our Global AppSec San Francisco Networking Reception in the Exhibitor Hall. Mingle with your peers in a relaxed, laid-back environment. Visit our exhibitor booths to learn about their newest products and services and get your "Passport" stamped for a chance to win some great prizes at the conclusion of the conference. Passed hors d'oeuvres and beverages will be provided.