Loading…
REGISTRATION IS NOW 
Conference Venue: RAI Amsterdam, Europaplein 24, 1078 GZ Amsterdam, The Netherlands

Book Hotel click HERE

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Monday, September 23
 

9:00am CEST

Attacking Android and iOS apps by Example
Topics Included:
1. Review of Common Flaws in Source Code
2. Modification of App Behavior Through Code/Configuration Changes
3. Interception of Network Communication Aka Mitm
4. Jailbreak/Root Detection Bypasses and App Review from A Privileged Standpoint
5. Instrumentation (Review and Modification of App Behavior)
6. CFT Challenges for Attendants to Test Their Skills

Attendees will be provided with:

- Digital copies of all training material
- Lab VM
- Test apps
- Source code for test apps

Outline:
This course has been prepared after years of research and experience gained through pentesting mobile applications. It is structured to follow the OWASP Mobile Top Ten and the OWASP Mobile Security Testing Guide. This is a hands-on practical course, the skills gained can be applied to mobile security assessments immediately.

Each day starts with a brief introduction to the mobile platform for that day and then continues with a look at the static analysis, moves on to dynamic checks finishing off with a nice CTF session to test the skills gained.

Day 1 includes but is not limited to a brief introduction to Android security, a series of techniques focused on static analysis, followed by dynamic analysis covering both monitoring and modifying app behavior at runtime. The day ends with beautiful CTF challenges to entertain even advanced mobile app penetration testers.

Day 2 begins with a brief iOS security crash course, static analysis techniques, followed by dynamic analysis including both monitoring and modifying app behavior at runtime. The day ends with more lovely CTF challenges.

Day 3 takes a deeper look at instrumentation on both Android and iOS, with a special focus on app behavior modification at runtime. Learn more about Frida scripts, Objection, and Xposed modules. Bypass jailbreak detection and much more. End the day by testing your skills, more CTF time!

This is a basic outline of the course; it contains various other components and details that will help the students understand and perform better. This will be a learning experience from which people relatively new to the ever-growing world of mobile security will benefit, while the advanced students will polish their skills in specific areas and perhaps complete more or the CTF challenges.

Course Details:
Day 1: Attacking Android apps by Example
Part 0 - Android Security Crash Course
  • The state of Android Security
  • Android security architecture and its components
  • Android apps and the filesystem
  • Android app signing, sandboxing and provisioning
Part 1 – Emphasis on Static Analysis with Runtime Checks
  • Tools and techniques to retrieve/decompile/reverse and review APKs
  • Identification of the attack surface of Android apps and general information gathering
  • Identification of common vulnerability patterns in Android apps: hardcoded secrets, logic bugs, access control flaws, intents, cool injection attacks, and more
  • The art of repackaging: Tips to get around not having root, Manipulating the Android Manifest, defeating pinning, defeating root detection, translating APKs in funny languages and more
Part 2 - Focus on Dynamic Analysis
  • Monitoring data: LogCat, Insecure file storage, Android Keystore, etc
  • The art of MitM: Intercepting Network Communications
  • The art of Instrumentation: Hooking with Xposed
  • App behavior monitoring at runtime
  • Defeating Certificate Pinning and root detection at runtime
  • Modifying app behavior at runtime
Part 3 - Test Your Skills
  • CTF time

Day 2: Attacking iOS apps by Example
Part 0 - iOS Security Crash Course
  • The state of iOS Security
  • iOS security architecture and its components
  • iOS app signing, sandboxing and provisioning
  • iOS apps and the filesystem Recommended lab setup tips
Part 1 - Focus on Static Analysis with runtime check
  • Tools and techniques to retrieve/decompile/reverse and review IPAs
  • Identification of the attack surface of iOS apps and general information gathering_
  • Identification of common vulnerability patterns in iOS apps: hardcoded secrets, logic bugs, access, control flaws, URL handlers, cool injection attacks, and more
  • Patching and Resigning iOS binaries to alter app behavior
  • Tips to test without a jailbreak
Part 2 - Focus on Dynamic Analysis
  • Monitoring data: caching, logs, app files, insecure file storage, iOS keychain, etc.
  • Crypto flaws
  • The art of MitM: Intercepting Network Communications
  • Defeating certificate pinning and jailbreak detection at runtime
  • The art of Instrumentation: Introduction to Cycript, Frida, Objection
  • App behavior monitoring at runtime
  • Modifying app behavior at runtime
Part 3 - Test your Skills
  • CTF time

Day 3: Leveling up your Instrumentation Kung-fu
Part 1: In-depth instrumentation on Android
  • Focus on Dynamic Analysis
  • Useful Xposed modules and labs
  • Practical Frida scripts and labs
  • Defeating certificate pinning with instrumentation
  •  Jailbreak detection bypasses with instrumentation
Part 2: In-depth instrumentation on iOS
  • Focus on Dynamic Analysis
  • Hooking with Cycript
  • Practical Frida scripts and labs
  • Useful Objection labs and modules_
  • Defeating certificate pinning with instrumentation
  •  Jailbreak detection bypasses with instrumentation
Part 3: Test your Skills
  • CTF time

A laptop with the following specifications:
- Ability to connect to wireless and wired networks.
- Ability to read PDF files
- Administrative rights: USB allowed, the ability to deactivate AV, firewall, install tools, etc.
- Minimum 8GB of RAM (recommended: 16GB+)
- 60GB+ of free disk space (to copy a lab VM and other goodies)
- Latest VirtualBox, including the “VirtualBox Extension Pack”
- Genymotion (can be the free version)
- A jailbroken iPhone / iDevice with iOS >=9 (ideally: iOS 12) for the iOS labs
- Optional but useful: One of the following BurpSuite, ZAP or Fiddler (for MitM)
- Optional but useful: A Mac/Hackintosh with the latest XCode installed, for iOS code review & labs

Speakers
avatar for Anirudh Anand

Anirudh Anand

Security Trainer at 7ASecurity, Security Engineer at CRED, 7ASecurity
Anirudh Anand is a security researcher with a primary focus on Web and Mobile Application Security. He is currently working as a Senior Security Engineer at CRED and also Security Trainer at 7asecurity. He has been submitting bugs and contributing to security tools for over 7 years... Read More →


Monday September 23, 2019 9:00am - Wednesday September 25, 2019 5:00pm CEST
D302

9:00am CEST

Seth & Ken’s Excellent Adventures in Secure Code Review
Have you ever been tasked with reviewing 3.2 million lines of code manually for SQL Injection, XSS, and Access Control flaws? Have you been asked to review a new framework on short notice? Does the idea of reviewing Ruby, Go, or Node code leave you with heartburn? This course addresses all of these common challenges in modern code review. We have concentrated on taking our past adventures in code review, the lessons we’ve learned along the way, and made them applicable for others who perform code reviews. We will share our methodology to perform analysis of any source code and suss out security flaws, no matter the size of the code base, or the framework, or the language. You as a student will learn the methodology, techniques, approach, and tools used by Seth Law and Ken Johnson to understand code flows, trace user input, identify vulnerabilities, and effectively secure an application codebase.
Upon completion, attendees will know:
Students will take away knowledge and experience in approaching numerous code languages and frameworks to complete a security source code review. In addition, the learned methodology can be customized by the attendee to fit into any organization’s security SDLC. Finally, the attendee will have the tools to review source code for any web, mobile, or modern application, whether or not the targeted language is specifically covered during the course.

Speakers
avatar for Seth Law

Seth Law

President and Principal Security Consultant, Redpoint Security, Inc.
Seth Law is the President and Principal Consultant at Redpoint Security, Inc. (rdpt.io). During the last 15 years, Seth has worked within multiple security disciplines, including application development, cloud architecture, and network protection, both as a manager and individual... Read More →
avatar for Ken Johnson

Ken Johnson

AppSec Person, GitHub
Ken Johnson, has been hacking web applications professionally for 11 years. Ken is both a breaker and builder and currently works on the GitHub application security team. Previously, Ken has spoken at RSA, You Sh0t the Sheriff, Insomnihack, CERN, DerbyCon, AppSec USA, AppSec DC, AppSec... Read More →


Monday September 23, 2019 9:00am - Wednesday September 25, 2019 5:00pm CEST
D301

9:00am CEST

The DevSecOps MasterClass
"A phased approach to continuous delivery is not only preferable, but it’s also infinitely more manageable". This quote by Maurice Kherlakian refers to DevOps, a movement that has seeped into organizations across the globe, resulting in Continuous delivery of apps. However, security remains a serious bottleneck for DevOps. Organizations struggle with including security in continuous delivery processes.
This training is a comprehensive, focused and practical approach at implementing Security for your Continuous Delivery Pipeline. The training is backed by a ton of hands-on labs, original research and real-world implementations of DevSecOps that work.
The training starts with Application Security Automation for SAST, DAST, SCA, IAST, and RASP, apart from Vulnerability Management and Correlation. Finally, the training closes with a deep-dive of Container Security and Kubernetes, with detailed perspectives of implementing scalable security for these deployments.
The DevSecOps MasterClass is a sold-out training that has been delivered at several OWASP events including OWASP AppSec USA 2016, 2017 (50+ attendees), AppSec Day Melbourne, OWASP AppSec EU 2017 and Global AppSec TelAviv 2019. The 4 day version of this training will be delivered at BlackHat USA 2019 and Hack-in-the-Box Dubai 2019

Speakers
avatar for Abhay Bhargav

Abhay Bhargav

Founder, we45
"Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron"", a leading Application Vulnerability Correlation and Orchestration Framework.  He has created some pioneering... Read More →


Monday September 23, 2019 9:00am - Wednesday September 25, 2019 5:00pm CEST
TBA

10:00am CEST

Am Coffee Break
Monday September 23, 2019 10:00am - 10:30am CEST
TBA

12:30pm CEST

Lunch
Monday September 23, 2019 12:30pm - 1:30pm CEST
D300 Foyer

3:00pm CEST

PM Coffee Break
Monday September 23, 2019 3:00pm - 3:30pm CEST
TBA
 
Tuesday, September 24
 

9:00am CEST

Breaking and Pwning Docker Containers and Kubernetes Clusters
This 2 day attack-focused, hands-on training will set you on the path to using common attack techniques against docker, kubernetes, containerized infrastructure. It will help you to learn the approach to follow and the process for testing and auditing containers and Kubernetes clusters. By the end of the training, participants will able to identify and exploit applications running on containers inside Kubernetes clusters with a hands-on approach.

An organization using micro services or any other distributed architecture rely heavily on containers and container orchestration engines like Kubernetes and as such its infrastructure security is paramount to its business operations. This course will set the base for security testers and DevOps teams to test for common security vulnerabilities and configuration weaknesses across containerized environments and distributed systems. It also helps to understand the approach and process to audit the Kubernetes environment for security posture.

* The focus is on the security aspects of the application and the container infrastructure
* The participants will learn the common tools and techniques that are used to attack applications running in containerized environments
* The participants will be introduced to Docker, Kubernetes and learn to assess the attack surfaces applicable for a given application on the cluster.
* The participants will learn how to audit for security based on best practices using tools and custom scripts_

Training Outline

* Student training lab setup
* Docker Quick Start
* Docker Advanced Concepts
* Docker-compose
* Portainer
* Docker Security Architecture
* Namespaces
* Capabilities
* Control Groups
* Scenarios
* Exploiting docker misconfiguration
* Exploiting Docker Images and Containers
* Attacking Private Registry
* Attacking Docker Volumes and Networks
* Auditing Docker Volumes and Networks
* Exploiting Container Capabilities to escape
* Docker Integrity Checks
* Container introspection tool - amicontained
* LSM - Apparmor Nginx Profile
* Docker Bench Security Audit
* Container Logging and Monitoring
* Docker Logging
* Docker Events
* Kubernetes Cluster environments setup
* Kubernetes 101
* Getting started with Kubernetes
* Introduction to Kubernetes
* Overview & Technical Terms
* kubectl usage for pen-testers
* Scenarios
* Exploiting Private Registry via Misconfiguration
* Attacking Kubernetes Cluster Metadata using SSRF vulnerability
* Testing for the sensitive configurations and secrets in Kubernetes cluster
* Docker escape using Pod Volume Mounts to access the nodes and host systems
* Attacking applications in different namespaces in Kubernetes cluster
* Attacking Helm tiller with default RBAC setup
* Auditing Kubernetes
* kube-bench
* kubesec.io
* kube-hunter
* kubeaudit
* Logging and Monitoring for Security Events
* Logging and Monitoring
* Security checks for events using Sysdig Falco (DEMO Only)
* Advanced Scenario
* Exploiting Kubernetes API Server Vulnerability CVE-2018-1002105 (DEMO Only)
* Popular Attacks around Docker and Kubernetes ecosystem
* Resources and References

Pre-requisites

* Google Cloud Platform (GCP) Free trial account (https://cloud.google.com/free/)
* At least 8 GB of RAM, 10GB of disk space free on the system
* Laptop should support hardware-based visualization
* If your laptop can run a 64-bit virtual machine in Oracle VirtualBox it should work
* Other visualization software might work but we will not be able to provide support for that
* USB Ports for copying data from Pen drive

Student Requirements

* Basic knowledge of using the Linux command line
* System administration basics like servers, applications configuration, and deployment
* Familiarity with container environments like Docker would be useful

Who Should Attend?

* Penetration Testers, Security Engineers and Bug bounty hunters
* System administrators, DevOps, and SecOps Teams
* Anyone interested in the container infrastructure security

What to expect?

* Complete hands-on training with a practical approach and real-world scenarios
* Ebooks of the training covering all hands-on in a step by step guide (HTML, PDF, EPub, Mobi)
* Git repository of all the custom source code, scripts, playbooks used during the training
* Resources and references for further learning and practice

What not to expect?

* A lot of hand-holding about basic concepts already mentioned in the things you should be familiar with
* A lot of theory. This is meant to be a completely hands-on training!!
* To become an accomplished DevOps or containers expert

Tuesday September 24, 2019 9:00am - Wednesday September 25, 2019 5:00pm CEST
D403

9:00am CEST

Hands-on threat modeling and tooling for DevSecOps
This action-packed two-day threat modeling course is designed specifically to help DevOps engineers improve the reliability and security of delivered software. Sebastien Deleersnyder teaches an iterative and incremental threat modeling method that is integrated with the development and deployment pipeline.
Speed of delivery is crucial with shorter development cycles, increased deployment frequency, and more dependable releases, and Sebastien focuses on a risk-based unified threat modeling practice that is in close alignment with business objectives. You’ll explore tools and learn how to use threat modeling as code to integrate threat modeling in the CI/CD pipeline; you’ll also discover how to threat model the CI/CD pipeline itself.
Sebastien bases the training material and hands-on workshops on real live use cases in his experience. You’ll be challenged to perform practical threat modeling in squads of three to four people, covering the different stages of threat modeling on an incremental business-driven CI/CD scenario:
Sprint 1: Modeling a hotel booking web and mobile application, sharing the same REST backend
Sprint 2: Threat identification as part of migrating the booking system application to AWS
Sprint 3: AWS threat mitigations for the booking system built on microservices
Sprint 4: Building an attack library for CI/CD pipelines

Handouts, templates, and lab challenges will be made available before the training.

Speakers
avatar for Sebastien Deleersnyder

Sebastien Deleersnyder

Seba is co-founder and CEO of Toreon. He started the Belgian OWASP chapter, co-leads the OWASP SAMM project, and co-founded the yearly BruCON conference. With a background in development and many years of experience in security, Seba has trained countless developers to create more... Read More →


Tuesday September 24, 2019 9:00am - Wednesday September 25, 2019 5:00pm CEST
D304

10:30am CEST

AM Coffee Break
Tuesday September 24, 2019 10:30am - 11:00am CEST
D300/D400 Foyer

12:30pm CEST

Lunch
Tuesday September 24, 2019 12:30pm - 1:30pm CEST
D300/D400 Foyer

3:00pm CEST

PM Coffee Break
Tuesday September 24, 2019 3:00pm - 3:30pm CEST
D300/D400 Foyer
 
Wednesday, September 25
 

9:00am CEST

Project Review
Wednesday September 25, 2019 9:00am - 3:00pm CEST
D404

9:00am CEST

DevOps for CISO
The rising popularity of agile and DevOps forced the AppSec world to start interacting with development teams. Quite often this is done with a bolt-on approach, resulting in activities that teams need to start doing on top of their existing way of working. Since many security(-like) processes were never designed for a high-velocity environment this leads to ineffective and time-consuming processes. It is time to rethink and redesign these processes and make them add value!
This training is based on my presentation “Taming rainbow shitting unicorn” and will be interactive with group exercises for better understanding of the topics.
In this training, we’ll take a look at a couple of examples and explore how we could make them more efficient and effective. Topics that for example will be covered are:
- Agile and DevOps basics
- The role of automation in development, deployment, and operations
- Agile threat modeling
- Patch management in DevOps environments
- Incident handling feedback loops
- Cloud challenges and advantages
- Combining SRE and DevSecOps

Speakers
avatar for Marinus Kuivenhoven

Marinus Kuivenhoven

Senior Security Consultant, Xebia Security
Marinus works as a Senior Security Consultant at Xebia Security. He has 15 years of experience in implementing security in the culture, teams and development life cycles at organizations. But also, the underlying activities like security requirements, architectural threat analysis... Read More →


Wednesday September 25, 2019 9:00am - 5:00pm CEST
D402

9:00am CEST

Your dynamic software security journey with OWASP SAMM2
OWASP SAMM2 (https://owaspsamm.org) is the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyse and improve their software security posture. Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance will have a significant impact on the organisation. Yet, trying to achieve this without a good framework is most likely leading to just marginal and unsustainable improvements. OWASP Software Assurance Maturity Model (SAMM) gives you a structural and measurable framework to do just that. It enables you to formulate and implement a strategy for software
The goal of this one-day training, which is a mix of training and workshop, is for the participants to get a more in-depth view on and practical implementation of the SAMM2 model. The training has run successfully for several years now.
The training is setup in three different parts.
In the first part, an overview is presented of the SAMM2 model and similarities and differences with other similar models are explained. The different domains (governance, design, implementation, verification, and operations), their activities and relations are explained. This will incorporate the updates of the v2 of the model. Furthermore, different elements (e.g., metrics) are discussed and the overall usage scenarios of the model are explained.
The first half-day will be spent on performing an actual SAMM2 evaluation of your own organization (or one that you have worked for). We will go through an evaluation of all the SAMM domains and discuss the results in the group. This will give all participants a good indication of the organization's maturity wrt. software assurance. In the same effort, we will define a target maturity for your organization and identify the most important challenges in getting there. All of this will be executed using the new SAMM2 toolbox.
The final part of the training will be dedicated to specific questions or challenges that you are facing wrt. secure development in your organization. For instance, what about agile development, DevSecOps, outsourcing, or how do you best organize test automation? In this group discussion, experience between the different participants will be shared to address these questions.
In case you haven't started a secure software initiative in your organization yet, this training should provide you with the necessary foundations and ideas to do so. Be prepared for the highly effective and applicable treatment of this large domain! And in case you would be concerned about confidentiality issues, we adhere to the Chatham House Rule.



Speakers
avatar for Bart De Win

Bart De Win

Bart De Win has over 20 years of experience in software security. He has an extensive background in the field, including his Ph.D. and research work on methods and techniques for software protection. Since 2009, Bart has been responsible for all application security services within... Read More →


Wednesday September 25, 2019 9:00am - 5:00pm CEST
D401

10:00am CEST

AM Coffee Break
Wednesday September 25, 2019 10:00am - 10:30am CEST
D300/D400 Foyer

12:30pm CEST

Lunch
Wednesday September 25, 2019 12:30pm - 1:00pm CEST
D300/D400 Foyer

3:00pm CEST

PM Coffee Break
Wednesday September 25, 2019 3:00pm - 3:30pm CEST
D300/D400 Foyer

5:00pm CEST

Welcome Reception
Wednesday September 25, 2019 5:00pm - 6:00pm CEST
Elicium 2

6:00pm CEST

Leaders Meeting
Wednesday September 25, 2019 6:00pm - 7:00pm CEST
D201

7:00pm CEST

Public Board Meeting
Wednesday September 25, 2019 7:00pm - 8:00pm CEST
D201
 
Thursday, September 26
 

8:45am CEST

Opening Remarks
Thursday September 26, 2019 8:45am - 9:00am CEST
Elicium 1

9:00am CEST

The house is built on sand: exploiting hardware glitches and side channels in perfect software

For years, we have tried to address security problems by fixing software bugs and misconfigurations. For critical systems, we may even choose to formally verify software to guarantee the absence of bugs. However, the question is whether getting rid of bugs in the software is sufficient. In this talk, I will discuss vulnerabilities in hardware (leading to glitches and side channels) that allow attackers to compromise systems even in the absence of software bugs. In particular, I will give an overview of our work on Rowhammer and discuss our recent work on RIDL (the speculative execution vulnerability in all Intel processors disclosed earlier this year).

Speakers
avatar for Herbert Bos

Herbert Bos

Full professor, Vrije Universiteit Amsterdam
Herbert Bos is a full professor at VUSec, the systems security group at Vrije Universiteit Amsterdam in the Netherlands. He obtained his Ph.D. from Cambridge University Computer Laboratory (UK). Coming from a systems background, he drifted into security a few years ago and never left... Read More →


Thursday September 26, 2019 9:00am - 9:45am CEST
Elicium 1

9:45am CEST

AM Coffee Break
Thursday September 26, 2019 9:45am - 10:15am CEST
Elicium 2

10:00am CEST

Members Lounge
Looking for a place to recharge your electronics?  
Feeling a bit hungry or thirsty?
Maybe you are looking for some cool OWASP Member Only swag?
Or just looking to take a break from the hectic conference atmosphere?

Head on over to the Members Lounge located in the XXXX Room.

Here you can grab a snack, quench your thirst, recharge your electronics, kick up your feet, and network with other OWASP members all within a relaxed atmosphere.

Not an OWASP Member? No problem! Swing on over to the lounge, and you can sign up on the spot, or join here!

Look for the signs or ask a volunteer how to find us!


Thursday September 26, 2019 10:00am - 4:00pm CEST
Elicium 2

10:15am CEST

Attacking AWS: the full cyber kill chain
While it is quite common practice to do periodic security assessments of your local network, it is really rare to find a company who puts the same effort for testing the security in their cloud. We have to understand what new threats and risks appeared with the cloud and how should we change our attitude to testing cloud security. The goal of my presentation is to show how security assessment of cloud infrastructure it is different from testing environments in classic architecture. I'll demonstrate a hypothetical attack on a company which is fully deployed in the AWS environment. I’m going to show the whole kill chain starting from presenting cloud-applicable reconnaissance techniques. Then I’ll attack the web application server hosted on EC2 instance to access its metadata. Using the assigned role, I’ll access another AWS EC2 instance to escalate privileges to the administrator and then present how to hide fingerprints in CloudTrail service. Finally, I’ll demonstrate various techniques of silent exfiltrating data from AWS environment, setting up persistent access and describe another potential, cloud-specific threats, e.g. cryptojacking or ransomware in the cloud. The presentation shows practical aspects of attacking cloud services and each step of the kill chain will be presented in a form of an interactive, live demo. On the examples of presented attacks, I’ll show how to use AWS exploitation framework Pacu and other handy scripts.

Speakers
avatar for Pawel Rzepa

Pawel Rzepa

Senior Security Consultant, SecuRing
Pawel is a senior security consultant in SecuRing. On his daily basis he is responsible for performing penetration tests and cloud security assessment. He has a wide experience in security field gained inter alia, as a fuzzer developer in Spirent, pentester in EY GSS, security auditor... Read More →


Thursday September 26, 2019 10:15am - 11:00am CEST
D201

10:15am CEST

Controlled Mayhem with Cloud Native Security Pipelines
Managing security within a cloud-native development pipeline requires reimagining traditional security rituals. With hybrid and multi-cloud deployments as well as different container runtimes, orchestration platforms, and technology stacks, getting it right requires more than tooling. We must understand how our teams build software and consume telemetry gleaned through operations. This talk will dive into building with isolation in mind and limiting the damage of a compromised service within an environment. It starts with development and extends through deploying software to the runtime environment. This presentation’s goal is to provide strategies on moving security both to the left and to the right in our software development lifecycle. This presentation will explain the distinct differences between shipping traditional software and how the cloud-native development pipeline changes things. We will focus on popular projects from the Continuous Delivery Foundation (CDF) including Jenkins X, Spinnaker, and Tekton and using them with Kubernetes. We'll examine the non-linear pipelines we're building, the additional steps we've introduced, and the consequences of how CI/CD works in cloud-native shops. At the end of this presentation, you'll be ready to tighten up your stack with new tricks to solidify your cloud-native CI/CD pipeline and the additional security dilemmas it presents.

Speakers
avatar for Jack Mannino

Jack Mannino

CEO, nVisium
Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world's largest software teams enhance... Read More →
avatar for Ben Pick

Ben Pick

Senior Security Consultant, nVisium
Ben Pick has worked in the application security industry for over a decade in such roles as Security Analyst, DevSecOps Engineer, and IDS Monitor while bouncing between red and blue teams. He has spoken at local conferences, meetups, and provided training for improving CI/CD pipelines... Read More →


Thursday September 26, 2019 10:15am - 11:00am CEST
D202

10:15am CEST

Practical OWASP CRS in High Security Settings
Traditionally, the OWASP ModSecurity Core Rule Set, an OWASP flagship project, has been hard to use. However, the release of CRS 3.0 in 2017 and the advancements made with CRS 3.1 successfully removed most of the false positives in the default installation. This improved the user experience when running the only general purpose open source web application firewall. The presentation explains how to run CRS successfully in high security settings. This includes practical advice to tuning, working with the anomaly thresholds, the paranoia levels and the sampling mode. This talk is based on many years of experience gained by using CRS in various high security settings, including the one by Swiss Post for it's national online voting service.

Speakers
avatar for Christian Folini

Christian Folini

OWASP project co-lead, OWASP
Christian Folini is a security engineer and open source enthusiast. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is not a big business anymore and so, he turned to defending web servers, which he finds equally... Read More →


Thursday September 26, 2019 10:15am - 11:00am CEST
D203

10:15am CEST

Remote Code Execution in Firefox Beyond Memory Corruptions
Browsers are complicated enough to have attack surface beyond memory safety issues. This talk will look into injection flaws in the user interface of Mozilla Firefox, which is implemented in JS, HTML, and an XML-dialect called XUL. With an Cross-Site Scripting (XSS) in the user interface attackers can execute arbitrary code in the context of the main browser application process. This allows for cross-platform exploits of high reliability. The talk discusses past vulnerabilities and will also suggest mitigations that benefit Single Page Applications and other platforms that may suffer from DOM-based XSS, like Electron.

Speakers
FB

Frederik Braun

Mozilla
Frederik Braun defends Mozilla Firefox as a Staff Security Engineer in Berlin. Besides enhancing the browser, he has also been involved in web and mobile security. Frederik contributes to the W3C Web Application Security Working Group and co-authored the Subresource Integrity standard... Read More →


Thursday September 26, 2019 10:15am - 11:00am CEST
D204

11:05am CEST

OWASP based Threat Modelling : Creating a feedback Model in an agile environment
Threat Modeling is an art of foreseeing the threats associated with an application and getting them fixed in a very early stage. There have been various Threat Modeling frameworks developed over the course of years. Most of companies follow their own version of Threat Modeling. However, these frameworks lack one of the most crucial steps in order to produce the maximum result of Threat modeling. The aim of this presentation is to provide you with the last missing piece of the puzzle. We help you complete the full circle of Threat Modeling and create a feedback model to create overall Threat Landscape for any organization. We will talk about how and when you should upgrade your threat modeling process in order to accommodate newly introduced Threat Vectors in the market. We will also talk about building a security mindset that would help in successful Threat Model with a real life case study or demo.

Speakers
avatar for Chaitanya Bhatt

Chaitanya Bhatt

Security Engineer, eBay Inc.
Chaitanya Bhatt is an information security professional working as Staff Security Engineer at eBay who specializes in Application Security and Vendor Security Assessment. Chaitanya holds Master’s degree in Computer Engineering and has over 6+ years of experience in source code analysis... Read More →


Thursday September 26, 2019 11:05am - 11:50am CEST
D201

11:05am CEST

Security Vulnerabilities Decomposition: Another way to look at Vulnerabilities
In most companies security is driven by compliance regulations. The policies are designed to contain the security vulnerabilities each company is interested to comply with. These vulnerabilities can be measured only at the end, after the software has been developed, which is way too late. The result of this approach is a high number of insecure applications are still produced and injection is still King. Is there another way to create a more secure the software from the start? This presentation will look at security vulnerabilities from a different angle. We will decompose the vulnerabilities into the security controls that prevent them and developers are familiar with. We will flip the security from focusing on vulnerabilities (which can be measured only at the end, after the software has been developed) to focus on the security controls, which can be used from beginning in software development cycle. Recommended to all builders and security professionals interested to build a more secure software from the start.

Speakers
avatar for Katy Anton

Katy Anton

Principal Application Security Consultant, Veracode
Katy Anton is a security professional with a background in software development. An international public speaker, she enjoys speaking about software security and how to secure software applications.In her previous roles, she led software development teams and implemented security... Read More →


Thursday September 26, 2019 11:05am - 11:50am CEST
D202

11:05am CEST

Manual JavaScript Analysis is a Bug
When performing security assessments or participating in bug bounties, there is generally a methodology you follow when assessing source-code or performing dynamic analysis. This involves using tools, reviewing results and understanding what you should be testing for. Reviewing modern web applications can be quite challenging, and this talk will go into details on how we can automate the boring (but necessary parts) and how to set a roadmap of what should be focused on when dealing with modern JavaScript applications.

Thursday September 26, 2019 11:05am - 11:50am CEST
D204

11:05am CEST

API Security Project
Join us and take part of the creation of the API Security Project.
  • How are API-based apps different than traditional apps?
  • Why do this apps deserve their own OWASP security project?
  • Roadmap of the project
  • Introducing API Security Top 10 - V1.0 in depth
  • Next steps
Join the mailing list:
Join the effort:

Speakers
avatar for Inon Shkedy

Inon Shkedy

Head of Security Research, Traceable.ai
The speaker has 8 years of experience in application security. He started his career in a red team in a government organization for 5 years, and then moved to the Silicon Valley to learn more about startups, modern applications and APIs. Today he provides consultation to various companies... Read More →
avatar for Erez Yalon

Erez Yalon

Director of Security Research, Checkmarx
Erez Yalon heads the Security Research team at Checkmarx, a provider of software security solutions for DevOps. With vast defender and attacker experience, and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez is also a Co-Founder... Read More →


Thursday September 26, 2019 11:05am - 11:50am CEST
D301

11:05am CEST

The Zest of ZAP: How scripting in our favorite tool can bridge the gap between dev teams and security
Security testing has a reputation for being mysteriously technical and conceptually unapproachable to many in the field of technology; they know it's important on some level but still approach security as mysticism and superstition rather than technical reality. Simultaneously, the average security team is too overloaded to help guid the daily needs of those very same teams. While this operational gap can be large, it does not need to be accepted as truth, and by using OWASP ZAP and its handy scripting engines we will explore the ways in which we can use such an application as a testing tool for development teams in a way that both enhances the quality of assertions in the current QA arsenal for exploratory, functional, regression, integration and automated test process. By so doing, it will also provide a natural springboard from which to incorporate security concerns, concepts and education.

Speakers
avatar for Peter Hauschulz

Peter Hauschulz

Software Test Engineer, HumanIT
The speaker holds a bachelor’s degree in Psychology and Integrative Physiology, with a focus on the influence of group perception, behavior, and pathology. His work experiences include a wide range of oddities beyond computers, from shelving library books to disaster relief and... Read More →


Thursday September 26, 2019 11:05am - 11:50am CEST
D203

11:55am CEST

Knative Security Pipelines
Modern security practices require extensive testing using a multitude of tools. Moreover, orchestrating and executing them in a traditional CI/CD environment doesn’t scale easily. Additionally, adopting the push-left ideology, enabling developers to run pipelines on demand places a bottleneck when using a traditional CI/CD solution. While modern CI/CD servers usually provide some ability to orchestrate a kubernetes cluster which could mitigate this load, the orchestration is usually a transparent frontend to loading K8s manifests. This talk introduces Dracon, an open source tool providing a pluggable and flexible way of running producer/consumer pipelines natively on Kubernetes. We will provide use cases, architecture details and demos along with links to documentation on how to integrate new tools.

Speakers
avatar for Spyros Gasteratos

Spyros Gasteratos

Human, '">
Spyros has nearly a decade of experience in application development and security. He now works as an appsec engineer in a cloud focused fintech company trying to keep services secure and running. Also, he usually doesn’t speak about himself in the third person.


Thursday September 26, 2019 11:55am - 12:40pm CEST
D201

11:55am CEST

WebAuthn: Strong authentication vs. privacy vs. convenience
WebAuthn is the new API now widely available in browsers, enabling strong, public-key based authentication that has the potential to strengthen, if not replace, password-based authentication mediums. It further allows for convenient and fast authentications with via biometric readers built into devices, like Apple’s Touch ID. But now the device itself can be the authentication medium; how does WebAuthn deal with all of the potential privacy implications therein? How do users and relying parties deal with lost, or stolen devices? In this talk I will give an overview of WebAuthn, and then do a deep dive into the security properties of the API, and how it delegates responsibilities to browsers, authenticators, relying parties, and users in order to build a balance between privacy, strength, and convenience.

Speakers
avatar for Suby Raman

Suby Raman

Software Engineer, Duo Security
Suby Raman is a full-stack software engineer working for Duo Security out of Ann Arbor, Michigan. He has helped lead development of Duo's implementation of WebAuthn, now being widely used in Duo's two-factor authentication prompt. He is also the author of Webauthn.Guide, a developer... Read More →


Thursday September 26, 2019 11:55am - 12:40pm CEST
D202

11:55am CEST

Securing ProtonMail: Building a Web App that Doesn’t Trust the Server
How do you know WhatsApp Web isn’t spying on your messages, despite the end-to-end encryption? Why did Signal decide to build a desktop application instead of a web app? At ProtonMail, we’re aiming to build a web application that gives users the guarantee that we are physically unable to read their email, even if we wanted to. This comes with a set of unique challenges: how can the user trust the source code that comes from our server (without reading it each time), and how can the user trust the public keys that they receive (without hosting key signing parties, however fun they may be :)).


Thursday September 26, 2019 11:55am - 12:40pm CEST
D204

11:55am CEST

Choosing the right static code analyzers based on hard data
Published research shows that static code analysis cost-effectively catches security weaknesses before they become exploitable vulnerabilities. But finding the right code analyzers can be challenging. This talk will discuss research funded by the U.S. Department of Homeland Security to deliver unbiased methods and information to assess and compare the performance of static analyzer products. In this talk we introduce a new, freely-available website that presents the results of our research. We will discuss plans to track the types of weaknesses that analyzers can detect to help people quickly find the right analyzer and how to achieve good detection coverage of multiple weaknesses. We’ll discuss the properties of analyzers important to consider when bringing one (or a few!) into your development pipeline. We’ll also cover plans to benchmark results quality using real code, not artificial data sets. Finally, we’re looking forward to audience feedback on what information or capabilities are important.

Speakers
avatar for Chris Horn

Chris Horn

Chris Horn is a Researcher at Secure Decisions, an R&D organization, and helps guide application security product development at Code Dx. He is currently engaged in several application security (AppSec) research projects, including developing a system for benchmarking static code... Read More →


Thursday September 26, 2019 11:55am - 12:40pm CEST
D203

12:40pm CEST

Lunch
Thursday September 26, 2019 12:40pm - 1:45pm CEST
Elicium 2

1:45pm CEST

OWASP SAMM2 - your dynamic software security journey
OWASP SAMM (https://owaspsamm.org) is the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyse and improve their software security posture. Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance will have a significant impact on the organisation. Yet, trying to achieve this without a good framework is most likely leading to just marginal and unsustainable improvements. OWASP Software Assurance Maturity Model (SAMM) gives you a structural and measurable framework to do just that. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organisation. In this talk, we give an overview of the new release of the SAMM model. After 10 years since its first conception, it was important to align it with today’s development practices. We will cover a number of topics in the talk: (i) the core structure of the model, which was redesigned and extended to align with modern development practices, (ii) the measurement model which was setup to cover both coverage and quality and (iii) the new security practice streams where the SAMM activities are grouped in maturity levels. We will demonstrate the new SAMM2 toolbox to measure the maturity of an example DevOps team and how you can create a roadmap of activities.

Speakers
avatar for Sebastien Deleersnyder

Sebastien Deleersnyder

Seba is co-founder and CEO of Toreon. He started the Belgian OWASP chapter, co-leads the OWASP SAMM project, and co-founded the yearly BruCON conference. With a background in development and many years of experience in security, Seba has trained countless developers to create more... Read More →


Thursday September 26, 2019 1:45pm - 2:30pm CEST
D201

1:45pm CEST

Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Last year at AppSec EU I had a presentation about the Ethereum smart contracts and did a technical showcase of some of their potential vulnerabilities and security flaws. I also presented my proposition on how to handle the responsible disclosure process in the smart contracts world.
This year I want to focus on the whole process of security testing and present it by analogies to the web applications which are quite well-known. Smart contracts are described as Web3 decentralized apps and I believe that my talk will not only bring new light on this subject but will also help to understand and organize the way of testing. I am going to cover the whole SDLC and show the similarities and differences between the smart contracts and web applications on each step.
The presented overview is especially important nowadays when the biggest companies are building their own blockchain platforms and cryptocurrencies – i.e. Libra introduced by Facebook (which by the way also supports smart contracts).
I am also going to show the differences in the arsenal of vulnerabilities, security tools and standards by the analogy to web apps arsenal. I think that, even though there exist a lot of great security projects for smart contracts, we do not have a single, widely accepted security standard (such as ASVS in web apps world). I would like to discuss potential work that needs to be done in that area and show my preliminary work on that matter.
After this presentation audience will know what are the similarities and differences between smart contracts and web apps in the SDLC, an arsenal of tools and standards, but also will have a fresh overview of possible options and current trends.

Speakers
avatar for Damian Rusinek

Damian Rusinek

Sr. Security Specialist, SecuRing
Senior IT Security Specialist, since 2016 in SecuRing. Professionally responsible for blockchain, web and mobile application audits and source code analysis. Software developer and analyst with over a decade of experience. Engaged in many projects, such as projects from energy industry... Read More →


Thursday September 26, 2019 1:45pm - 2:30pm CEST
D202

1:45pm CEST

Being Powerful While Powerless: Elevating Security by Leading Without Authority
Inculcating security into a company’s culture is a difficult task in itself. Let’s envision there’s a situation where you’re an individual contributor without a CSO or Director title. In addition, imagine that you’re the only member of the Security team and are solely responsible for securing the entire company in a fast-paced, ever-changing environment. That illustration depicted my situation before we grew the team. Are you in such a position? Or are you considering a new opportunity with this scenario? In this talk, I’ll explore how I leveraged both technical and non-technical strategies for exerting soft power to build a functional, secure foundation and evangelize security as an IC on a 1-person Security team. By building tools and implementing programs, I effectively scaled myself across the organization (engineering and non-engineering alike) by empowering others to deeply care about security too. I’ll share lessons learned and how to thrive in this role.

Speakers
avatar for Nathan Yee

Nathan Yee

Application Security Engineer, Gusto
Nathan is an Application Security Engineer on the Security team at Gusto, where he partners with engineers to securely develop software by creating tools, consulting on security designs, and delivering security training. Before joining Gusto, he was an early engineer at Synack. Nathan... Read More →


Thursday September 26, 2019 1:45pm - 2:30pm CEST
D203

1:45pm CEST

Fun with KSM
The Linux Kernel Samepage Merging mechanism implements a memory deduplication strategy, which can be applied for saving resources in virtualization scenarios. In this talk we are going to explore some of KSM's security properties, including different ways for turning KSM into an oracle leaking memory page contents. Furthermore, we are going do demonstrate a side-channel attack against the guest Kernel's ASLR implementation.


Thursday September 26, 2019 1:45pm - 2:30pm CEST
D204

2:35pm CEST

Secure Agile development according to SAMM
This talk presents the work that has been done to extend SAMM with agile guidance. SAMM is OWASP's flagship project on how to setup and grow a secure development process. It wants to be agnostic of the type of development approach, which is why agile was not covered. Nevertheless, there appears to be a strong need in the industry for guidance on how to make secure software development work in an agile environment. Together with the SAMM working group, industry colleagues and clients, I have been working on extending SAMM with such guidance. How do you squeeze all the necessary activities in a sprint, e.g. requirement selection, threat modeling, verification? What do you do with stories, with abuse stories and with the definition of done? How do you get security teams and developers to co-operate instead of just setting up quality gates? Based on studying many organizations on what works and what doesn't work, by doing interviews and by looking into the many publications on this topic, a straightforward set of 'Agile' notes were written and validated. The results will be published with an upcoming SAMM update.

Speakers
avatar for Rob van der Veer

Rob van der Veer

Principal consultant, Software Improvement Group
Rob is founder and leader of the security and privacy practice at SIG, providing key insights to organizations worldwide to get software right. Rob has a long background in the software industry, from being a programmer to 9 years of holding CEO positions. Cybersecurity and privacy... Read More →


Thursday September 26, 2019 2:35pm - 3:20pm CEST
D201

2:35pm CEST

Threat Modelling Stories from the Trenches
Threat modelling is a software analysis technique capable of finding design defects. But what sort of issues are uncovered in practice using threat modelling? This talk bridges the gap between theory and practice by describing case studies – design flaws uncovered for actual (but anonymised) systems across many domains, for example online gaming, two-factor authentication, business-to-business, embedded, and cloud. In this talk we are less concerned with theory. Instead, in this interactive session the attendee will gain insight into the mindset of threat modelling by considering mistakes in the real-world. Along the way we will (re)learn secure design principles and attack patterns and see how the theory is expressed in reality.

Speakers
avatar for David Johannson

David Johannson

Principal Consultant, Synopsys
David Johansson has worked as a security consultant for over 10 years. Among other things, he has worked with software development and architecture, threat modeling, web security testing, and training developers and testers in security. David lives in London where he works as a Principal... Read More →
avatar for Andrew Lee-Thorp

Andrew Lee-Thorp

Mr Lee-Thorp is a software security consultant who started life as an ocean-atmosphere scientist, then as a developer and now works as a Principal Consultant at Synopsys where he performs code reviews, threat modelling, Android testing and trains developers to write secure code.


Thursday September 26, 2019 2:35pm - 3:20pm CEST
D202

2:35pm CEST

The Now and the Future of Malicious WebAssembly
WebAssembly, or Wasm for short, is a new, low-level language that allows for near-native execution performance and is supported by all major browsers as of today. In comparison to JavaScript it offers faster transmission, parsing, and execution times. Up until now it has, however, been largely unclear what WebAssembly is used for in the wild. In this talk, we examine the prevalence of WebAssembly in the Alexa Top 1 million websites and find that as many as 1 out of 600 sites execute Wasm code. By manually analyzing all collected Wasm modules we find that over 50% of all sites using WebAssembly apply it for malicious deeds. The main use for mining cryptocurrencies in the browser, however we also discovered several sites that use Wasm to obfuscate their code. The talk concludes with the potential future of malicious WebAssembly defense mechanisms are affected.

Speakers
avatar for Marius Musch

Marius Musch

Marius Musch is a PhD candidate at the Insitute for Application Security at TU Braunschweig in Germany. His field of research is web application security with a focus on client-side attacks and large-scale analyses.


Thursday September 26, 2019 2:35pm - 3:20pm CEST
D203

2:35pm CEST

Ransomware Identification with Limited Information
Ransomware identification is crucial to determine if encrypted files can be recovered or decrypted for free. The ransomware executable is often not available for incident responders and even ransom notes may be missing. Which tools and key points can be used to identify the ransomware family correctly?

Speakers

Thursday September 26, 2019 2:35pm - 3:20pm CEST
D204

2:35pm CEST

Juice Shop
OWASP Juice Shop is an intentionally insecure web app for security trainings written entirely in JavaScript which encompasses the entire OWASP Top Ten and many more severe and complex security flaws.
In this talk, you'll learn about this open-source project and its capabilities first-hand from its creator. You are invited on a happy shopper round trip and will have the chance to see some hacking demos of the many built-in challenges. You'll also witness how to apply custom themes to the Juice Shop to make it your company's next security awareness super-weapon. Last but not least, you will experience how to set up a capture-the-flag (CTF) event with the Juice Shop in less than 5 minutes!



Speakers
avatar for Björn Kimminich

Björn Kimminich

OWASP Juice Shop Project Leader, Kuehne + Nagel (AG & Co.) KG
Björn Kimminich is responsible for global IT architecture and application security at Kuehne + Nagel. On the side he gives IT security lectures at the non-profit private university Nordakademie. Björn is also the project leader of the OWASP Juice Shop and a board member for the... Read More →


Thursday September 26, 2019 2:35pm - 3:20pm CEST
D301

3:20pm CEST

PM Coffee Break
Thursday September 26, 2019 3:20pm - 4:05pm CEST
Elicium 2

4:05pm CEST

ModSecurity Core Rule Set
Speakers
avatar for Christian Folini

Christian Folini

OWASP project co-lead, OWASP
Christian Folini is a security engineer and open source enthusiast. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is not a big business anymore and so, he turned to defending web servers, which he finds equally... Read More →


Thursday September 26, 2019 4:05pm - 4:20pm CEST
D301

4:05pm CEST

Mobile-friendly or Attacker-friendly? A Large-scale Security Evaluation of Mobile-first Websites
In the last few years, traffic generated by mobile devices has surpassed desktop visits. In order to provide users with the best browsing experience, many website owners specifically tailor their site to mobile devices. While some websites make use of reactive designs, many others opt to create an entirely new "mobile-first" website, typically hosted on a different subdomain than the desktop site. These mobile-first sites provide a unique viewpoint on how organizations handle security: the mobile version of a site is typically developed several years after the desktop site by the same organization. Through a large-scale security analysis on 10,222 domains with both a desktop and mobile-first version, we find several strong indicators that security is generally applied consistently across the different parts of an organization's web estate. Overall, we find relatively few differences between the desktop and mobile versions of a website, both on the adoption and the implementation of security features, indicating that these are applied reactively rather than proactively during the design phase. Nevertheless, we discover that desktop users are unnecessarily facing threats from the mobile website, whereas mobile users are less exposed to vulnerabilities in the desktop site.

Speakers
avatar for Tom Van Goethem

Tom Van Goethem

Tom is a Ph.D. researcher at the University of Leuven in Belgium. As part of his research, Tom is broadly interested in web security and privacy, and more specifically focuses on uncovering side-channel attacks in the web platform and large- scale security evaluations. As part of... Read More →


Thursday September 26, 2019 4:05pm - 4:50pm CEST
D201

4:05pm CEST

Modern and Secure IAM for Modern Applications
Modern applications include Mobile Applications, JS Single Page Applications, APIs, Microservices, etc and we need modern & secure Identity and Access Management solutions to protect them. Unfortunately, Authentication and Authorization related CWEs (Common Weakness and Enumerations) still result in many vulnerabilities in both traditional and modern applications. This eventually results in data breaches. Different studies related to data breaches (Verizon data breach report) clearly show attackers' interest in these vulnerabilities and how they are abusing this. This presentation is focused on a proactive solution to these problems. It's evident that attackers misuse the vulnerabilities in the IAM implementations. This can be secured by reducing the multiple weak IAM implementations and by utilizing centrally managed and more secure IAM solutions using the federation with the security principle of minimization attack surface area. This presentation will cover basic terminologies in IAM, different ways to implement IAM solutions, benefits of the Federation. Comparison between OIDC and SAML. Explanation of different OIDC flows (Authcode flow, Auth Code Flow with PKCE) for modern applications.

Speakers
avatar for Vinod Anandan

Vinod Anandan

SVP, Citi
Vinod is an application security engineer. He started his career as a developer and decided to be part of securing software. He is an OWASP volunteer, member and project lead.  He loves open-source software and standards and he believes in collaboration and teamwork when it comes... Read More →


Thursday September 26, 2019 4:05pm - 4:50pm CEST
D202

4:05pm CEST

OWASP Docker Top 10
Docker and Containerization in general offer several advantages for developers: They fit excellent in software development processes, they enable fast development cycles, reproducible deployments and with little change the same container can run either in a test or production environment. Last but not least: it always seems a cool thing for developers. Some DevOps marketing companies realized that, telling you your business will fall behind if you're not in the container business as the "time to market" is just too long. So far, so good. Or not? A catch is that an average developer is no expert in system and network security. Container security is a system and network topic though. And also if you have system and network security knowledge, you first need to fully understand the technology. Even big players seem still on the learning curve as several researches and incidents in 2018 showed. But also the containerization technologies like CoreOS and Kubernetes showed surprising flaws in the recent past. This mixture of complexity and/or lack of acknowledging it's not KISS and a lack of system knowledge are not good start conditions for a building and operating a secure container environment. This is the point where the OWASP Docker Top 10 chimes in. By using a threat model approach, attack surfaces were defined first. Based on that, 10 controls evolved. The speaker will show an overview over the 10 points and some practical examples (also bad ones) to demonstrate pitfalls. The OWASP Docker Top 10 is a defender project. It starts from important Do's and Dont's to more advanced controls which could help you to make your environment almost bullet proof.

Speakers
avatar for Dirk Wetter

Dirk Wetter

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years of professional experience in information security. He has a broad technical and information security management background. He has published over 60 articles in computer magazines.His primary focus... Read More →


Thursday September 26, 2019 4:05pm - 4:50pm CEST
D203

4:05pm CEST

XSS magic tricks
Finding new stuff to talk about in XSS is hard business especially when you are as old as me and remember CSS being able to execute JavaScript. However, over the past year I've found various cool XSS magic tricks that you might not be aware of. This talk will disclose a new XS-Leak, a AngularJS CSP bypass in under 65 characters and a brand new way to execute XSS from any tag! Who needs expression? I wish Microsoft would listen, absolutely nobody. Anyway, it should hopefully be an entertaining talk about some cool tricks. The XSS magic circle has been contacted and they have refused to allow me to talk about my tricks but I'm going to wear a mask so they don't know it's me and I might blank out my name and twitter handle so everything is good.

Speakers

Thursday September 26, 2019 4:05pm - 4:50pm CEST
D204

5:00pm CEST

Securing the Future
Security landscape never stands still. We see new kinds of threats from new kinds of attackers all the time. As the enemy changes, we security people need to change as well. Our job is to protect the security and privacy of our users. Our duty is to do it in a fair and open way. And our responsibility is to keep our promises for our users, regardless of what the attackers' action. We are defenders. This is what we do.

Speakers
avatar for Mikko Hypponen

Mikko Hypponen

Researcher, F-Secure


Thursday September 26, 2019 5:00pm - 5:45pm CEST
Elicium 1

6:30pm CEST

Networking Event at Strandzuid
Strandzuid​​​

Thursday September 26, 2019 6:30pm - 8:30pm CEST
Strandzuid Europaplein 22, 1078 GZ Amsterdam, Netherlands
 
Friday, September 27
 

9:00am CEST

I've got a working title: The Woman Who Squashed Terrorists: When an Embassy gets Hacked
The angle is OWASP related to the Saudi embassy case and working with CERTs and various law enforcement. Each major portion of the case would have an OWASP top ten component. Primarily, I would like to show the importance of technologists taking part in such cases with how important following the basic OWASP top ten can save plenty of troubles. 


Speakers
avatar for Chris Kubecka

Chris Kubecka

CEO, Hypasec
Chris Kubecka is an experienced, committed, energetic and certified digital security expert who is passionate about solutions. Author of multiple books including the 2019 release of Hack the World with OSINT. Over 20 years of professional experience ranging from military, government... Read More →


Friday September 27, 2019 9:00am - 9:45am CEST
Elicium 1

9:45am CEST

AM Coffee Break
Friday September 27, 2019 9:45am - 10:15am CEST
Elicium 2

10:00am CEST

Members Lounge
Friday September 27, 2019 10:00am - 3:00pm CEST
Elicium 2

10:15am CEST

Unlikely allies: how HR can help build a security-first culture
Building a security-first company culture is a pain for even the most seasoned of sec professionals, but instilling good security habits from day one is key to protecting your team, your technology and your customers from unwanted attacks. Internal sec teams need allies in this pursuit, and whilst not the conventional choice, HR can help. Cyber security is a people problem, and who knows people better than your HR department? From on boarding new employees well to developing ongoing security training and awareness, HR are heavily involved in shaping systems, processes and most importantly - employee behaviour. A security-first culture can't exist without first establishing a culture of psychological safety - where speaking up is routine and the risk of looking dumb is one that can be easily taken. The alternative? Punitive policies, blame and shame that lead to vulnerabilities. If you're going to build a security-first culture in your company, you'd better call HR.

Speakers
avatar for Alison Eastaway

Alison Eastaway

Head of People, Sqreen
Alison Eastaway - Head of People at Sqreen. Australian-born but Parisian at heart, Alison joined Sqreen to help scale the team across Paris and San Francisco. Previously Alison helped establish high-performing People practices in some of France's most promising tech startups. She... Read More →


Friday September 27, 2019 10:15am - 11:00am CEST
D203

10:15am CEST

Restricting the scripts, you're to blame, you give CSP a bad name
In a current research project, we investigated the longitudinal evolution of the Content Security Policy header over the course of the last seven years. Throughout this analysis of the 10.000 highly ranked sites, we conducted case studies that illustrate the struggle of Web sites that try to deploy a CSP in a secure fashion and examples of sites that give up on CSP. In addition to that, we shed light on the other security capabilities of CSP, especially regarding framing control and TLS enforcement. The CSP can be used to enforce that resources are only loaded via TLS secured connections. This can be achieved by either forbid the loading of HTTP resources by specifying the block-all-mixed-content directive in CSP or by using the upgrade-insecure-requests directive. This directive forces the automatic rewriting of all HTTP URLs to HTTPS upon page loading. This is useful to gracefully implement a transition from HTTP to HTTPS while preventing warnings and breakage due to the use of mixed content. Based on an analysis of live Web sites, we show that most sites could deploy upgrade-insecure-requests right now to avoid any mixed content without errors. In case of framing control, we have investigated that within the Top 10K sites 3,253 made use of XFO, whereas only 409 used frame-ancestors. Due to the inconsistencies of the XFO header, the protection of the 3,253 sites might be weaker in comparison to the protection offered by the frame-ancestors Web sites. The ALLOW-FROM mode of XFO is not supported in some of the major browsers (including Google Chrome). Thus, an operator that uses this mode would not secure all user of this browser, because unsupported headers will be ignored. In addition to that, the SAMEORIGIN mode of XFO is in some cases susceptible to so-called Double Framing attacks. This is caused by the fact that the XFO standard does not define whether the top-most frame, the parent frame, or even all frame ancestors (like the CSP directive) have to be hosted within the same origin. Due to this inconsistencies, we send notifications to 2700 Web sites that suffer from this problem. By investigating the responses, we were able to get valuable information regarding the roadblocks of CSP deployment in the wild. While most of the Web developers were aware of the protection that CSP can offer, they are massively intimidated by the complexity of CSPs content restriction. Due to this complexity or because of the unawareness of the additional capabilities of CSP, they do not consider framing control or TLS enforcement as legitimate use cases of the CSP. In this talk, we want to raise the awareness regarding issues of some of the widely used security header as well as presenting and explaining the more secure CSP alternatives for them. Furthermore, we want to involve the audience to discuss with us about their “horror stories” and roadblocks for CSP deployment such that we can build better tools and improve informational material regarding the CSP.

Speakers
avatar for Sebastian Roth

Sebastian Roth

PhD Candidate, CISPA Helmholtz Center for Information Security
Sebastian Roth is a PhD student in the Information Security and Cryptography Group at the CISPA Helmholtz Center for Information Security, where he is supervised by Michael Backes. His research interest is focused on client-side Web Security as well as Usable Security for developers... Read More →


Friday September 27, 2019 10:15am - 11:00am CEST
D201

10:15am CEST

SAMM
Speakers
avatar for Sebastien Deleersnyder

Sebastien Deleersnyder

Seba is co-founder and CEO of Toreon. He started the Belgian OWASP chapter, co-leads the OWASP SAMM project, and co-founded the yearly BruCON conference. With a background in development and many years of experience in security, Seba has trained countless developers to create more... Read More →


Friday September 27, 2019 10:15am - 11:00am CEST
D301

10:15am CEST

SUSTO: Systematic Universal Security Testing Orchestration
We have identified that there's a gap in the threat modeling/risk assessment/control selection/security assurance pipeline. Current best practices and available tools include SAST/DAST, SCA, Container Vulnerability Analysis and Vulnerability Correlation. Gartner has recently recognized an emerging technology category for test orchestration: ASTO (Application Security Testing Orchestration) to integrate those existing tools. However, this is not enough. DevOps and SDx allow automating the building of not only the application but the complete infrastructure, making critical to automatically check hundreds of small configuration controls. And unlike feature testing where a simple test can be safely extrapolated, insecurity we need to test for "all of" or "none of" conditions, making necessary to pipeline and orchestrate outputs of tools as inputs of other tools, being existing commercial ones or small CLI scripts. Fortunately, and also unlike feature testing, security tests are more universal because the security controls (and system configurations) are similar, just with different instantiation. Also, the overwhelming number of tests a single organization should develop makes it difficult to start a project that will require a high maintenance cost. However, we have some success cases of community-based approaches like IDS, WAF or Yara rules. We have checked with some OWASP members the interest in such kind of tool and community and are starting a seed open source project, initially with 3 big European financial companies involved. We want to present the initiative to the OWASP community and the current state at the time of the Conference to obtain feedback in order to start it as a new OWASP project and a call to collaboration

Speakers
avatar for Luis Saiz

Luis Saiz

Head of Innovation in Security, BBVA
25 years of experience in multiple fields of security and fraud management. Last 19 years working in BBVA Bank involved in Privacy Compliance, Security Assessments and Engineering in SDLC. Design of BBVA Group Security Strategic Plans. Builder and Head of Global Security Center (detection... Read More →


Friday September 27, 2019 10:15am - 11:00am CEST
D202

11:05am CEST

Don't Trust The Locals: Evaluating and Mitigating the Insecurity Caused by Trusting Your Client-Side Storage
The Web has become highly interactive and an important driver for modern life, enabling information retrieval, social exchange, and online shopping. From the security perspective, Cross-Site Scripting (XSS) is one of the most nefarious attacks against Web clients. Most informational resources (OWASP one of the few positive counterexamples) name three categories of XSS: reflected, persistent, and DOM-based XSS. In this talk, we provide real-world insights that show that the categorization into client/server and reflected/persistent XSS as done by the OWASP is much more sensible. To do so, we report on a real-world study which shows that of the Alexa Top 5,000 domains, around 2,000 make use of persisted data on the client. We conduct this study using a combination of taint tracking and a fully automated exploit generation pipeline. Doing so, we find that of these 2,000, over 20% make that use in an insecure way which enables an attacker to execute a persisted payload on every page load, allowing for nefarious long-term attacks such as JavaScript-based keyloggers, credential extraction from password managers, or cryptojacking. In addition, we analyze the end-to-end exploitability of the flaws we discovered based on two attacker models, showing that at least 70% of the sites with an insecure data flow can successfully be infected with a malicious payload. Additionally, we also analyze the vulnerable code pieces and classify them according to their intended use case. On the one hand, we can reason about the prevalent places in which developers put full trust into the integrity of the storages. On the other hand, this allows us to discuss how to achieve the same goal in a secure fashion, hence providing the audience with actionable insights for their own applications.

Speakers
avatar for Marius Steffens

Marius Steffens

CISPA Helmholtz Center for Information Security
Marius Steffens is a first-year Ph.D. student at the Secure Web Applications Group at CISPA-Helmholtz Center for Information Security, where Ben Stock supervises him. Marius is currently interested in the area of web security and is looking into the prevalence of vulnerabilities... Read More →


Friday September 27, 2019 11:05am - 11:50am CEST
D201

11:05am CEST

How do JavaScript frameworks impact the security of applications?
The best way to enable developers to create secure applications is to “shift left” in security. That means providing developers with the tools and techniques that help build more secure applications from the get-go. Developers may get security controls into their applications in different ways. They may write them from scratch following security training or guidance, they may use open source libraries, or they may use frameworks that have the security features built in already. In this talk we explore JavaScript applications that use different types of security controls implemented at levels ranging from developer code, to libraries and plugins, to different frameworks, and analyze which applications actually turn out to be more secure. This work is based on analysis of over 500 open source JavaScript applications on GitHub that use client-side frameworks and template engines to prevent XSS, as well as server-side frameworks (Express, Koa, Hapi, Sails, Meteor) and CSRF prevention mechanisms. In conclusion, we provide data-driven recommendations for framework maintainers and application developers on how to develop and choose a framework that will actually make applications more secure.

Speakers
avatar for Ksenia Peguero

Ksenia Peguero

Sr. Research Engineer, Synopsys
Ksenia Peguero is a Sr. Research Engineer within Synopsys Software Integrity Group. She has nine years of experience in application security and five years in software development. Ksenia focuses her research in static analysis and JavaScript security, frameworks, and technologies... Read More →


Friday September 27, 2019 11:05am - 11:50am CEST
D202

11:05am CEST

Do certain types of developers or teams write more secure code?
Why do some developers and development teams write more secure code than others? This talk will describe several human factors—developer, team and environmental characteristics—that influence whether developers will inadvertently introduce security weaknesses into their code. We will present the results of research on how factors such as developer experience, disrupted attention, team size, team co-location, communication, work hours, and code rewrites affect software security. The research results are drawn from DoD-funded R&D and academic research conducted on the software engineering practices used to develop both open-source and proprietary software.

Speakers
avatar for Anita D'Amico

Anita D'Amico

CEO, Code Dx, Inc.
Anita D’Amico, PhD. is CEO of Code Dx, Inc., which provides application security orchestration and correlation solutions that automate AppSec workflows. Prior to taking on the role of CEO, Anita was the Director of Secure Decisions, a cybersecurity R&D organization that developed... Read More →


Friday September 27, 2019 11:05am - 11:50am CEST
D203

11:05am CEST

SecurityRat

Friday September 27, 2019 11:05am - 11:50am CEST
D301

11:55am CEST

HTTP Desync Attacks: Smashing into the Cell Next Door
HTTP requests are traditionally viewed as isolated, standalone entities. In this session, I'll introduce techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $60k in bug bounties. Using these targets as case studies, I'll show you how to delicately amend victim's requests to route them into malicious territory, invoke harmful responses, and lure credentials into your open arms. I'll also demonstrate using backend reassembly on your own requests to exploit every modicum of trust placed on the frontend, gain maximum privilege access to internal APIs, poison web caches, and compromise what's possibly your most trusted login page. This is an attack the web is thoroughly unprepared for. Although documented over a decade ago, a fearsome reputation for difficulty and collateral damage has left it optimistically ignored for years while the web's susceptibility grew. By applying fresh ideas and new techniques, I'll unveil a vast expanse of vulnerable systems ranging from huge content delivery networks to bespoke backends. I'll help you tackle this legacy by sharing a refined methodology and open source tooling for black-box detection, assessment and exploitation with minimal risk of collateral damage. These will be developed from core concepts, ensuring you leave equipped to devise your own desync techniques and tailor (or thwart) attacks against your target of choice.

Speakers
avatar for James Kettle

James Kettle

Director of Research, PortSwigger Web Security
James Kettle is Director of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on using web cache poisoning to turn caches into exploit delivery systems. James has extensive experience... Read More →


Friday September 27, 2019 11:55am - 12:40pm CEST
D201

11:55am CEST

[In]secure deserialization, and how [not] to do it
Serialized data is neither new nor exciting. Serialization and deserialization have been in use by countless applications, services and frameworks for a long time. Many programming languages support serialization natively, and most people seem to understand it well. However, many of us don’t fully understand security implications of data deserialization, and in the last couple of years this topic got an increasing focus in the security community, up to the point that insecure deserialization made it to the list of OWASP Top 10 most critical web application security risks! Needless to say high-severity vulnerabilities in some well-known applications as well as popular frameworks such as Apache Struts and Apache Commons Collections raised awareness of this risk. In this session, we’ll discuss how serialized data are used in software, talk about different serialization formats and the dangers of deserializing untrusted input. We will review some real life vulnerabilities and related exploits. The presentation will contain lots of code examples with live demos of bypassing security controls by exploiting deserialization vulnerabilities. We’ll forge a session cookie, elevate privileges, alter execution flow, and even perform a remote code execution - all via insecure deserialization! The demos will use native Java and .NET serialization, as well as JSON, XML, and other formats. Of course, we’ll also talk about how to deserialize in secure way! Next time you develop your awesome web or mobile app or a microservice, keep in mind how a clever attacker could create and supply malicious data to your application, and thinking like a hacker you could write more secure code!

Speakers
avatar for Alexei Kojenov

Alexei Kojenov

Lead Product Security Engineer, Salesforce
Alexei began his career as a software developer. A decade later, he realized that breaking code was way more fun than writing code, and decided to switch direction. He is now a full-time application security professional, with several years of assisting engineering teams in delivering... Read More →


Friday September 27, 2019 11:55am - 12:40pm CEST
D202

11:55am CEST

The Security we Need: Designing Usable IoT Security
Most tech users or consumers don't care about the intricacies of the security technologies or features in products they use, but just expect the products to work securely! If the security controls you build aren't readily usable, chances are they're ignored or turned off. That's a nightmare for IoT. The Internet of Things (IoT) is unique in that it drastically increases the number of devices that users are required to manage and use securely. As such, IoT systems do not only need to have secure defaults, but their security mechanisms shouldn’t hinder reasonable use of the system. In this talk, we shall explore the challenges of security usability in IoT. We will use real-world examples and architectural patterns to demonstrate how to design IoT security controls that aren't another tech headache... security controls that are used, not dodged.

Speakers
avatar for Damilare D. Fagbemi

Damilare D. Fagbemi

Software Security Architect, Intel Corporation
Damilare D. Fagbemi is a Security Architect at Intel Corporation where he has had the pleasure of working with talented product teams to architect and build a secure Internet of Things (IoT), web, mobile, and thick client solutions. He also leads the Libraries Product Security Expert... Read More →


Friday September 27, 2019 11:55am - 12:40pm CEST
D203

11:55am CEST

Web Goat
Speakers
avatar for Nanne Baars

Nanne Baars

Developer, Xebia
Nanne is a security software developer at Xebia with a focus on Java development and one of the projects leads for the OWASP WebGoat project.


Friday September 27, 2019 11:55am - 12:40pm CEST
D301

12:40pm CEST

Lunch
Friday September 27, 2019 12:40pm - 1:45pm CEST
Elicium 2

1:45pm CEST

The State of Credential Stuffing and the future of Account Takeovers
Credential Stuffing has existed since the first leaked password but has exploded in the past 3 years. Why? What has changed and where does it go from here? The tools that enable credential stuffing attacks and other OWASP Automated Threats are converging on a single strategy, the complete imitation of user behavior and characteristics – real user behavior on real devices on real home networks. This level of extreme mimicry makes discerning good from bad difficult and the web is having a hard time keeping up. This level of sophistication is not cheap and is only possible because the cost vs value of modern credential stuffing attacks is weighted dramatically in an attacker's favor. This session will go over the modern attack landscape, the cost of an attack, the value of stolen accounts, and makes predictions about where attacks go from here.

Speakers
avatar for Jarrod Overson

Jarrod Overson

Director, F5
Jarrod is a Director of Engineering at Shape Security where he led the development of Shape's Enterprise Defense. Jarrod is a frequent speaker on modern web threats and cybercrime and has been quoted by Forbes, the Wall Street Journal, CNET among others. He’s the co-author of O’Reilly’s... Read More →


Friday September 27, 2019 1:45pm - 2:30pm CEST
D201

1:45pm CEST

No More Whack-a-Mole: How to Find and Prevent Entire Classes of Security Vulnerabilities
In software development, we frequently see the same logical coding mistakes being made repeatedly over the course of a project’s lifetime, and often across multiple projects. When these mistakes lead to security vulnerabilities, the consequences can be severe. No one knows this better than companies like Google and Microsoft, whose software is used by millions of people every day. With each code vulnerability discovered, we’re presented with an opportunity to investigate how often this mistake is repeated, whether there are any other unknown vulnerabilities as a result, and implement an automated process to prevent it reappearing. In this talk, I’ll be introducing Variant Analysis, a new process being pioneered by security teams at a number of companies including Google and Microsoft, that does just this. I’ll discuss how it can be integrated into your development and security operations, and also share some stories from the trenches.

Speakers
avatar for Sam Lanning

Sam Lanning

Developer Advocate, Semmle Inc
Sam started working at Semmle in October 2014, after deciding to drop out of his Masters at Oxford University after having completed his undergraduate Computer Science degree there. Sam was the first full-time developer for Semmle’s LGTM platform and worked on it for over 3 years... Read More →


Friday September 27, 2019 1:45pm - 2:30pm CEST
D202

1:45pm CEST

ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices
The direct client-side inclusion of cross-origin JavaScript resources in Web applications is a pervasive practice to consume third-party services and to utilize externally provided libraries. The downside of this practice is that such external code runs in the same context and with the same privileges as the first-party code. Thus, all potential security problems in the code directly affect the including site. To explore this problem, we present an empirical study which shows that more than 25% of all sites affected by Client-Side Cross-Site Scripting are only vulnerable due to a flaw in the included third- party code. Motivated by this finding, we propose ScriptProtect, a non- intrusive transparent protective measure to address security is- sues introduced by external script resources. ScriptProtect au- tomatically strips third-party code from the ability to conduct un- safe string-to-code conversions. Thus, it effectively removes the root-cause of Client-Side XSS without affecting first-party code in this respective. As ScriptProtect is realized through a light- weight JavaScript instrumentation, it does not require changes to the browser and only incurs a low runtime overhead of about 6%. We tested its compatibility on the Alexa Top 5,000 and found that 30% of these sites could benefit from ScriptProtect’s protection today without changes to their application code.

Speakers
avatar for Marius Musch

Marius Musch

Marius Musch is a PhD candidate at the Insitute for Application Security at TU Braunschweig in Germany. His field of research is web application security with a focus on client-side attacks and large-scale analyses.


Friday September 27, 2019 1:45pm - 2:30pm CEST
D203

2:35pm CEST

Making the web secure, by design ++
Over 10 years of experience in web application security bundled into a single application! The OWASP Security Knowledge Framework (SKF) is a vital asset to the coding toolkit of you and your development team. Use SKF to learn and integrate security by design in your web application. During the last 5 years since we released the SKF a lot has changed. We took all the challenges and problems that both security and development teams are facing and re-shaped the SKF to fit their needs most effective. In a nutshell the OWASP security knowledge framework: * trains your developers in writing secure code * facilitates security by design by providing the right security requirements * integrates seamlessly in your favorite source control systems * provides containerized labs with detailed write-ups to train developers to do verification on their code. We want to take the stage to introduce the new release of the SKF!

Speakers
avatar for Glenn ten Cate

Glenn ten Cate

Flagship project leader, OWASP
As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium Glenn has over 15 years experience in the field of security. One of the founders of defensive development def[dev]eu a security training and conference series dedicated to helping you build and maintain... Read More →
avatar for Riccardo ten Cate

Riccardo ten Cate

As a penetration tester from the Netherlands Riccardo specializes in application security and has extensive knowledge in securing applications in multiple coding languages. Riccardo has many years of experience in training and guiding development teams becoming more mature and making... Read More →


Friday September 27, 2019 2:35pm - 3:20pm CEST
D201

2:35pm CEST

Breaches Are Everywhere. What’s a Good Security Leader to Do?!
Breaches are on the news seemingly weekly, as organizations are struggling to secure their data. Phishing attacks are proliferating and going after our workforce. Ransomware has taken several victims and is also escalating. In this talk, I will share strategies to combat the rise of cybercrime, and how to make your networks more secure. I will discuss administrative, technical, and physical security controls. Have you built a sustainable and dynamic Information Security Plan? Have you shared this with upper management and gotten their buy-in and support? Have you initiated a balanced Security Awareness Program? Are you regularly running scans of both your network and your applications? Are you monitoring your network to detect unusual activity? What about when that dreaded intrusion into your network occurs? Do you know what to do? Are you testing and evaluating your security controls on a regular basis? How often do you test your Disaster Recovery Plan and your Incident Response Plan? Do you have the right people on your IR team? We are entrusted with highly sensitive data and must utilize best practices to secure it. Come learn if you are doing this and ensure that you indeed protect your confidential information. Don't allow your organization to become the next victim of a breach.

Speakers
avatar for Richard Greenberg

Richard Greenberg

Richard Greenberg, CISSP is a well-known Cyber Security Leader and Evangelist, CISO, Advisor, and speaker.Richard brings over 30 years of management experience and has been a strategic and thought leader in IT and Information Security. His Project Management, Security Management and... Read More →


Friday September 27, 2019 2:35pm - 3:20pm CEST
D202

2:35pm CEST

Five key trends in application security
Today’s hyper-connected businesses rely on a broad set of web, mobile, and API-based applications to connect customers, partners, and suppliers across the Internet. Retirement planning, interacting with likeminded hobby enthusiasts, loyalty program participation while purchasing our favorite goods and services are just a few examples. These applications incorporate a wide range of application endpoints, such as a registration, login, or forgot user name/password. More often than not, there are mobile and web specific variations that connect to a web of APIs.



While striking a delicate balance between speed of deployment and security-induced friction, CIOs and CISOs must consider five key industry trends that may impact their approach to application security.

· How will a multi-cloud and possibly a multi-CDN deployment impact application security?

· DevSecOps: can it be as nimble as DevOps?

· What is the impact of the exponential use of APIs?

· Microservices, service-mesh and serverless computing – what’s it mean to my security posture?

· Data residency and data privacy laws – how will they impact me?

We will discuss various technology and deployment architecture options given these application security trends.

Speakers
avatar for Ameya Talwalkar

Ameya Talwalkar

Co-founder and Chief Product Officer, Cequence Security
Ameya is the co-founder and Chief Product Officer at Cequence Security,  a company disrupting the application security space. Over the past five years, Ameya has helped several Fortune 500 companies fight various kinds of Automated Threats. Ameya has over 20 years of experience in... Read More →


Friday September 27, 2019 2:35pm - 3:20pm CEST
D203

3:20pm CEST

PM Coffee Break
Friday September 27, 2019 3:20pm - 4:05pm CEST
Elicium 2

4:05pm CEST

How I Could Have Stolen Your Photos From Google
Writing secure software is hard and even the biggest companies are making some mistakes. There is a need to both learn secure coding and to find bugs in web applications. If you have ever wondered how to start hunting for bugs, then my story is definitely for you. Have you sent an email in your life? Or a POST request? Have you seen Base64 encoded data? If the answer to these questions is yes, then congratulations – you have the required technical knowledge and you could have found some serious security issues in Google. In this talk, I will share my story of finding my first three web application bugs in Google products. The goal of the talk is to show you that all you need is a hacker’s mindset, free time and lots of curiosity to be a successful bug hunter - or at least that's how I started hunting for bugs. I will demonstrate the bugs and fixes in hands-on examples.

Speakers

Friday September 27, 2019 4:05pm - 4:50pm CEST
D203

4:05pm CEST

How To Learn (And Teach) Hacking
We started hacking a couple of years back, competing in capture the flag competitions. Hacking through the weekends and winning prizes sure was a lot of fun. But it‘s nothing compared to the joy of teaching offensive security to students and observing them surpass themselves every week. For multiple semesters now, we‘re teaching hacking to undergraduate students. Somehow we managed to make our course the most attended one in the whole bachelor program. Our lecture doesn't follow teacher centered methods, but utilizes problem based learning and lessons learned from capture the flag competitions. Since teaching also means learning, we worked in a lot of feedback from our students and aligned the contents of the course. In this talk we‘ll explain how to learn and teach this challenging topic, how to correctly use problem based learning in teaching and how to avoid typical pitfalls.

Speakers
avatar for Ruben Gonzalez

Ruben Gonzalez

Security Researcher
Ruben is a security researcher and first-year Ph.D. student at the Institute For Security Research in Bonn, Germany.His main research focus lies on the security of cryptographic protocols and implementations.In his spare time, he likes hacking stuff and playing CTFs with the RedRocket.club... Read More →


Friday September 27, 2019 4:05pm - 4:50pm CEST
D201

4:05pm CEST

Fast Forwarding mobile security with the OWASP Mobile Security Testing Guide
So you have a mobile application and you want to have it secured? Introducing the OWASP Mobile Security Testing Guide (MSTG)! In this talk we will show you how both the MSTG and the Mobile Application Security Verification Standard (MASVS) can help you to secure your Mobile application. We will start by introducing both the MASVS and MSTG and then head off into some nice mobile hacking demos in both iOS and Android. Want to secure your app? See you there!

Speakers
avatar for Jeroen Willemsen

Jeroen Willemsen

Principal Security Architect, Xebia
Jeroen is a principal security architect at Xebia with a passion for mobile security and risk management. He has supported companies as a security coach, a security engineer and as a full-stack developer, which makes him a jack of all trades. He loves explaining technical subjects... Read More →


Friday September 27, 2019 4:05pm - 4:50pm CEST
D202

5:00pm CEST

An Infosec Timeline - Noteworthy Events from 1970 to 2050
A closing note is usually an event that attendees cannot really dedicate
much attention to. The conference is almost over, everyone is tired,
stuffed with heap-tons of fresh information and ready to travel home.

So, let's just lean back and look at our wonderful field from a rather
wide-angle and see what happened between 1970 and right now.

But let's not stop there and also look into the future and see where we
will end up in 2050. Our speaker will use his prophetic skills and
connections to the spiritual world and provide an outlook on major
infosec milestones yet to come. It will be GREAT.

Speakers
avatar for Mario Heiderich

Mario Heiderich

Founder, Cure 53
Dr.-Ing. Mario Heiderich, aging but still somewhat handsome heart-breaker, ex-security researcher and now a more or less overpaid secretary is from Berlin, still likes everything between lesser- and greater-than, also fine-food and wine-parings and leads a small yet exquisite pen-test... Read More →


Friday September 27, 2019 5:00pm - 5:45pm CEST
Elicium 1