Conference:  Global AppSec Dublin 2023

Authors: Meghan Jacquot

2023-02-16

The speaker discusses the problem of wearing too many hats in cybersecurity and offers solutions through finding patterns and categorization.

• Wearing too many hats is a common problem in cybersecurity
• Finding patterns and categorization can help consolidate roles and reduce noise
• The speaker provides examples of the OWASP Top 10 vulnerabilities
• The speaker is working on a book about cybersecurity and is gathering stories from people in the field

Conference:  Global AppSec Dublin 2023

Authors: Bjoern Kimminich

2023-02-15

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications! In this session we will go far beyond the basics of hacking the application! You will learn about the new Coding Challenges, all available tutorial options for newcomers, CTF mode for some added competition, the built-in cheat detection, integration and metrics, and the possibilities of custom theming!

Conference:  Global AppSec San Francisco 2022

Authors: Meghan Jacquot

2022-11-18

When there is too much data our brains strain to find patterns, organization, and categorization. Context, frequency mapping, and using data to tell a larger story via trend analysis helps us parse the signal to noise ratio into something meaningful and into something actionable. This talk seeks to share a combination of open source data and bug bounty data about vulnerabilities from 2021 and 2022, how to categorize those vulnerabilities, and then once categorized, how to connect meaningful context for defenders and builders.All of the vulnerabilities that will be covered in this talk are related to application security and each will be mapped to the most recent OWASP Top Ten list (2021). The vulnerabilities will be grouped into 3 case studies. The first case study will focus on vulnerabilities found in the Google Project Zero report and other Open Source Intelligence (OSINT) sources that relate to Application Security. The second case study will focus on impactful vulnerabilities from 2022, such as those listed on open sources like MITRE’s CWE Top 25 list. The final case study will focus on disaggregated and anonymous data that the presenter has access to related to a bug bounty program. All the vulnerabilities shared from this data will connect with Application Security and they will all be mapped to OWASP Top Ten. Then a cumulative trend and frequency analysis will be discussed.To provide additional context, when data is available and known, it will be shared if the vulnerability was also being actively exploited in the wild, if there is a published proof-of-concept (PoC), and if there is a mitigation plan. Be prepared for visualization of data and story based data telling. At the end of the talk, the speaker will share resources for research and further development for skills around OSINT, threat intelligence, and vulnerability management.The content of this talk could be used by devops to further understand the context behind vulnerabilities that affect the platforms they are building, vulnerability management teams, threat modelers, cyber threat intelligence teams, and incident responders.