Authors: Meghan Jacquot

tldr - powered by Generative AI

The speaker discusses the problem of wearing too many hats in cybersecurity and offers solutions through finding patterns and categorization.
  • Wearing too many hats is a common problem in cybersecurity
  • Finding patterns and categorization can help consolidate roles and reduce noise
  • The speaker provides examples of the OWASP Top 10 vulnerabilities
  • The speaker is working on a book about cybersecurity and is gathering stories from people in the field

Authors: Paul Schwarzenberger

tldr - powered by Generative AI

The presentation discusses the implementation of a serverless architecture for continuous compliance in a large organization's AWS accounts using Lambda functions and other AWS services.
  • The organization has multiple AWS accounts for different purposes and teams
  • The Lambda function assumes a role into the organization management account and triggers a step function to orchestrate Lambda functions for each AWS account
  • Each Lambda function queries Route 53 records and writes to a DynamoDB database and SNS topic for notifications
  • The architecture is designed to be low cost, low operational overhead, and continuous
  • The use of serverless services allows for scalability and ease of maintenance

Authors: Zohar Shchar

Bug bounty is a wonderful thing, and over the last few years it has completely overturned the industry focus, where more and more organizations direct money and resources to operating thriving programs. But there is another side to bug bounty - the side that can side-track your entire appsec strategy. As bug bounty becomes more and more popular, more and more researchers focus on scale and widespread issues that can be discovered by automation, rather than spending their time on deeper technical research of a particular target. Your team might easily get bombarded with low-impact (valid) issues such as subdomain takeovers and XSS on random domains, and become less and less focused on higher-risk issues that require deep technical understanding. While this can sometimes be subverted by carefully aligning your scope and educating your researchers, you might end up spending more time on refining your program than on actually solving issues. As an enthusiastic bug bounty researcher myself, I truly believe in bug bounty. As an appsec manager, I understand bug bounty will never be enough to replace penetration testing. In this talk I’ll cover some of the pitfalls we fell into within our own program, and how you need to calibrate your expectations from bug bounty - and perhaps recalibrate your appsec strategy.
Authors: Omar Minawi

Can’t seem to shake off those XSS bug bounty reports? Interested in exploring a novel XSS attack chain? This session is for you. Tune in to explore a real-life example of a multi-step XSS attack chain that targeted and exploited multiple trust domains. You will get an insight into defense-in-depth and an exciting walkthrough of exploit research and investigation. Lastly, we will tie it all together by evaluating and diving into multiple web security defense-in-depth tactics that could thwart this novel chained attack.
Authors: Henrik Blixt, Dan Garfield, Michael Crenshaw

Download the code ahead of time. DCO Required. Let's kick off ArgoProj's new bug bounty program with contrib fest. Project maintainers will lead a session to help participants get started contributing and learn where and how to make an impact on the project. This will include resources for tackling technical debt, security issues, and outstanding feature requests. This Contribfest session is designed to provide projects with the space and resources to tackle outstanding technical debt, security issues, or outstanding impactful feature requests. They are intended to provide a place for maintainers to meet contributors and potential contributors and work together on solving a problem.