Dates
Conferences
Tags
Sort by:
Most recent
Conference: Global AppSec Dublin 2023
Authors: Sven Schleier
2023-02-16
There are numerous ways of developing mobile apps today, but how do you ensure that your app is properly secured? What are the threats you should be concerned about and what can you do to avoid being an easy target? If you don't want to miss anything, leveraging a standard is essential. Google understands this very well and since April 2022 acknowledges developers who had their apps independently validated against the OWASP MASVS. In this talk we'll introduce you to the OWASP MASVS (Mobile Application Security Verification Standard), which works together with the OWASP MASTG (Mobile App Security Testing Guide) to help you understand the attack surface of mobile apps, how to exploit them and how to protect them and the transitioning into version 2.0. Both resources are crafted and are curated by a team of numerous experts and community contributors. Want to secure your mobile apps? See you there!
Conference: Global AppSec Dublin 2023
Authors: Tal Melamed
2023-02-16
tldr - powered by Generative AI
Best practices for securing serverless functions
- Serverless functions have dependencies that can introduce vulnerabilities
- Cloud providers offer some security measures but it's important to scan for vulnerabilities in your own code and dependencies
- Logging and monitoring are important but require automation to be effective
- Permissions and authentication are crucial for securing serverless functions
- Stateless nature of serverless functions makes authentication challenging
Conference: Global AppSec Dublin 2023
Authors: Felipe Zipitria, Juan Pablo Tosso
2023-02-15
tldr - powered by Generative AI
The presentation discusses the importance of web application firewalls (WAFs) in cybersecurity and the benefits of using the open-source WAF, Coraza. The speaker emphasizes the need for companies to embrace API security and the new internet, and highlights the challenges of handling SQL injection and cross-scripting attacks. The presentation also showcases the Coraza playground, a tool for debugging and testing web applications.
- WAFs are crucial in protecting against cyber threats such as SQL injection and cross-scripting attacks
- Coraza is an open-source WAF that offers active development and easy customization through customer support
- API security and the new internet must be embraced by companies
- Handling SQL injection and cross-scripting attacks is challenging due to the variety of SQL dialects and HTML syntax
- The Coraza playground is a useful tool for debugging and testing web applications
Conference: Global AppSec Dublin 2023
Authors: Jeff Williams
2023-02-15
tldr - powered by Generative AI
The presentation discusses the importance of incorporating threat intelligence and runtime protection into application security programs to prevent attacks and vulnerabilities.
- Threat intelligence can dynamically change the risk of an attack and allow for prioritization of security measures.
- Runtime protection can prevent a significant portion of vulnerabilities from being exploited.
- Instrumentation and telemetry can provide real-time feedback to developers and production teams.
- Trust boundaries and sandboxes can be implemented to prevent common vulnerabilities such as unsafe serialization and expression language injection.
Conference: Global AppSec San Francisco 2022
Authors: Simon Bennetts, semgrep.dev
2022-11-18
Is OWASP Still Relevant?Do people want to go to conferences and chapter meetings in the aftermath of COVID?Do we need 260+ projects?Does anyone get past the titles of the Top 10?In this talk Simon will explain why he thinks OWASP is still very relevant and a much needed force for good.But this will be interactive and you will get a chance to have your say!
Conference: Global AppSec San Francisco 2022
Authors: Jim Manico, semgrep.dev
2022-11-18
tldr - powered by Generative AI
The presentation discusses the history and progress of information security testing and the role of OWASP in promoting application security.
- The history of security testing dates back to the Polish researchers who built the first security testing tool to crack Enigma during World War II.
- The first security testing device in modern history is the bomb.
- The OWASP foundation is a non-profit international foundation dedicated to helping people and organizations make informed decisions about application security risk.
- OWASP has released several free guides and tools to promote application security, including the OWASP Top 10 and the Application Security Verification Standard.
- Cross-site scripting is a complicated vulnerability category that requires attention in application security.
Conference: Global AppSec San Francisco 2022
Authors: John DiLeo
2022-11-17
The Open Web Application Security Project (OWASP) boasts around 130 active Projects, whose volunteers have developed tools and resources covering nearly every aspect of application security and software assurance. The challenge lies in knowing what they are, where to find them, and how they can help.I will present a brief overview of an array of interesting and useful OWASP Projects, including the current Flagship Projects, and provide insights into how each can be used to build and improve your AppSec program.
Conference: Global AppSec San Francisco 2022
Authors: Chris Koehnecke
2022-11-17
tldr - powered by Generative AI
The presentation discusses the OWASP DevSecOps Maturity Model and how to practically apply security controls using open source tools for each requirement.
- The OWASP DevSecOps Maturity Model provides a framework for companies to apply security in a cloud-native and fast-paced engineering world.
- Whatever isn't automated is much more difficult to practically apply to systems.
- Open source security tools have evolved and provide good coverage for many of the layers of the DSOMM model.
- The presentation walks through the different security requirements in the DSOMM framework and does live code demos for each.
- Prioritization of security issues can be done per each pull request.
- The speaker shares their experience with implementing security processes in a startup environment.
- Developers owning security is seen as the future of the security industry.
Conference: Cloud Native SecurityCon North America 2022
Authors: Jimmy Mesta
2022-10-25
tldr - powered by Generative AI
The OWASP Top Ten for Kubernetes is a community-curated list of the most common Kubernetes risks backed by data collected from organizations varying in maturity and complexity. The project aims to help practitioners assess and secure the security of their containerized infrastructure.
- The OWASP community has published a number of projects to help practitioners assess and secure the security of their containerized infrastructure
- The OWASP Top Ten for Kubernetes is a community-curated list of the most common Kubernetes risks
- The project is backed by data collected from organizations varying in maturity and complexity
- The project aims to help practitioners assess and secure the security of their containerized infrastructure
Conference: OWASP 20th Anniversary Event
Authors: Alexander Barabanov
2021-09-24
tldr - powered by Generative AI
The presentation focuses on providing practical tips for conducting a basic security assessment of microservice-based systems to find microservice-specific vulnerabilities.
- Microservice architecture is increasingly used for designing and implementing application systems, but it brings new security architecture patterns and approaches that may lead to vulnerabilities
- The presentation provides approaches and practical tips for conducting a basic security assessment of microservice-based systems to find microservice-specific vulnerabilities
- The research results were extracted during multiple security assessments, collected, structured and contributed to the OWASP community