Conference:  Global AppSec Dublin 2023

Authors: Sam Stepanyan

2023-02-16

Nettacker: An Automated Penetration Testing Framework

• Nettacker is a free and open-source automated reconnaissance and penetration testing tool
• It can scan networks for vulnerabilities, discover expired SSL certificates, and find subdomains hosting vulnerable versions of content management systems
• Nettacker can be used by both attackers and defenders, and has been helpful for bug bounty research
• The tool uses YAML modules and is written in Python
• Nettacker can be automated using GitHub actions and Docker containers
• Automated scans can be scheduled to run regularly and generate reports as artifacts

Conference:  Global AppSec Dublin 2023

Authors: Zohar Shchar

2023-02-15

Bug bounty is a wonderful thing, and over the last few years it has completely overturned the industry focus, where more and more organizations direct money and resources to operating thriving programs. But there is another side to bug bounty - the side that can side-track your entire appsec strategy. As bug bounty becomes more and more popular, more and more researchers focus on scale and wide-spread issues that can be discovered by automation, rather than spending their time on deeper technical research of a particular target. Your team might easily get bombarded with low impact (valid) issues such as subdomain takeovers and XSS on random domains, and less and less focused on higher risk issues that require deep technical understanding. While this can be sometimes subverted by carefully aligning your scope and educating your researchers, you might end up spending more time on refining your program than on actually solving issues. As an enthusiastic bug bounty researcher myself, I truly believe in bug bounty. As an appsec manager, I understand bug bounty will never be enough to replace penetration testing. In this talk I’ll cover some of the pitfalls we fell into within our own program, and how you need to calibrate your expectations from bug bounty - and perhaps recalibrate your appsec strategy.

Conference:  OWASP 20th Anniversary Event

Authors: Daniel Krasnokucki

2021-09-24

Abstract:Having Security testing in the pipeline is getting more and more popular, I would say it is becoming a standard! But what we are doing with findings? What are we automating and how are using the automation?The presentation will cover security-as-a-code practices to integrate security testing into the CI and CD pipelines, but in addition - I will discuss the part of the testing that cannot be automated, which is penetration testing. How do you connect it with your automation testing and what is the role of penetration testing in monitoring? I will show how it affects next round of the process and what the process should look like.During the presentation I will discuss real use cases from different pipelines and security tools, showing pros and cons, advantages and challenges. Demo will include GitHub Actions and open-source tools like OWASP ZAP and examples will be provided with pipeline-as-a-code and security-as-a-code. Real life use cases and examples with step-by-step instruction how the development process in mature state of DevSecOps should look like.