Conference:  Global AppSec San Francisco 2022

Authors: Anna Westelius, Sponsor: lyft

2022-11-17

In this talk, we’ll discuss scaling security programs through technology and secure-by-defaults in an evolving engineering ecosystem. We’ll share lessons learned from “paving roads” for security over the years, how to find opportunities, create shared accountability with engineering partners, and ultimately reduce security risks.

Conference:  Global AppSec San Francisco 2022

Authors: Adarsh Nair, Greeshma M R

2022-11-17

Metaverse is the concept where rather than just viewing digital content, users can immerse themselves in a space where digital and physical worlds merge. Because of advances in digital technology, we are opening ourselves up to the possibility of being in a universe that is infinite. To mould this virtual environment in this new era of digital inquiry, it is necessary to make use of technology that focusses on privacy. However, just as there are some inherent risks and security issues with the Internet as it exists today, there will be risks that will need to be addressed as we move forward into a world of digital connection. Cybercriminals, obviously, are going to be a part of the metaverse and attempts to steal people's personal information and identities will be made. Identity thefts, unauthorized data collection, ransomware attacks, social engineering attacks, impact on mental health and perceptions, increase in deepfakes and so on, are few of the risks that this paper present. Identity theft could become even more prevalent in the metaverse unless strong security measures are enacted. It already runs as a multibillion-dollar industry, with the number of cases increasing by more than 50% from 2020's figures. Hackers can utilize virtual reality headsets and controllers to steal personal information, such as fingerprints and iris scanning, as well as facial geometries, from people who use them. Ransomware attackers could deny you access to your bank accounts or other critical platforms.The metaverse requires us to give up more personal information than we are used to — more than we currently do while using the internet — and this greatly raises the risk.People can be psychologically manipulated into revealing private information through social engineering. Hackers wishing to sell personal information on the Dark Web could potentially profit from the vast amounts of personal data that will be stored in the metaverse. Since metaverse is an immersive experience, the manipulated, disturbing visual content potentially spread by malicious elements can have higher impact than those consumed via the current web. People's perception of the actual world can be affected by the foundational technologies in virtual and augmented reality, according to a study by Stanford University researchers. Creating deepfakes of your metaverse avatar could be more plausible, which are a threat to the society that thrives on information consumption.As we move toward a world where nearly everything is done digitally, the risks of digital interaction will also increase. Passwords and usernames are no longer sufficient to prevent cyberattacks when viewed from a metaverse perspective. A comprehensive authentication solution can promise a more secure interaction and guarantee better user experience.

Conference:  Global AppSec San Francisco 2022

Authors: Lisa Nee

2022-11-17

Quantum computing has been a fast growing technology that brings rewards and risks.  In the wrong hands, threat actors can decrypt codes that would take weeks or months. On the other side is quantum cryptography that, while still in development, could enable both the sender and recipient notifications of any eavesdropping which may satisfy privacy concerns of the transfer of data to the US which are subject to the US Patriot Act that enable government seizure of data without legal proceedings or notice. This discussion will introduce a high level basic understanding of quantum computing, international data transfer issues and quantum cryptography as a potential privacy solution, and begin the discussion of whether if and when such technology is available, is it part of an individual's privacy right to have the technology available or create a serious threat to national security and anti-terrorism.

Conference:  SupplyChainSecurityCon 2022

Authors: Jacques Chester

2022-06-22

The presentation discusses the challenges of identifying and reducing cybersecurity risks in software projects, and the need for a combination of objective data and expert input.

• The speaker emphasizes the importance of honest probabilities and dollars in assessing risk.
• There are numerous software projects, creating a sparsity problem for expert opinions.
• Automated tools like the Criticality Score and Harvard Census can help identify high-risk projects, but they have limitations.
• Human input is necessary to fill in gaps in data and provide context, but experts may have biases and limited knowledge.
• Prediction markets can be a useful tool for eliciting expert opinions, but they require high liquidity to be effective.

Conference:  Transform X 2021

Authors: Navrina Singh

2021-10-07

Navrina Singh is the Founder & CEO of Credo AI which helps organizations build Artificial Intelligence with higher ethical standards. She discusses why AI governance is critical to the scaling of AI across and highlights the risks of not governing AI effectively. She shares how organizations can adopt AI governance practices effectively and continuously to build trust with internal and external stakeholders.

Conference:  OWASP 20th Anniversary Event

Authors: Florian Stahl

2021-09-24

The speaker presents the top 10 risks to web application security and privacy, and discusses the challenges faced in creating version 2.0 of the list.

• The speaker presents the top 10 risks to web application security and privacy, including injection, broken authentication and session management, cross-site scripting, and security misconfiguration.
• Insufficient data quality is also a privacy concern, as incorrect data can lead to issues such as incorrect credit ratings or package delivery.
• Missing or insufficient session expiration is a commonly overlooked risk that can allow providers to collect data from devices without user knowledge.
• Creating version 2.0 of the list was challenging due to finding volunteers, deciding on which risks to include, and determining the appropriate level of abstraction.
• Translations and countermeasures for version 2.0 are still being worked on, and the speaker encourages spreading awareness and implementing the list in practice.