| Time | Speaker | Talk |
|---|---|---|
| 08:30 - 09:00 | | Doors open and morning coffee |
| 09:00 - 09:15 | Sebastien Deleersnyder | Opening / Welcome |
| 09:15 - 09:55 | Rob van der Veer | The state of the art in AI security |
| 09:55 - 10:35 | Frans van Buul | Everything-as-Code: Pushing the boundaries of SAST |
| 10:35 - 11:05 | | Break |
| 11:05 - 11:45 | Sarah-Jane Madden | Far from green fields - introducing Threat modelling to established teams |
| 11:45 - 12:25 | Jeroen Prinse | A quest to tame DevOps Unicorns |
| 12:25 - 13:25 | | Lunch |
| 13:25 - 14:05 | Niels Tanis | Using WebAssembly to run, extend, and secure your application |
| 14:05 - 14:45 | Pieter De Cremer | Secure defaults: a scalable security approach for modern development |
| 14:45 - 15:25 | Stefan Simenon | How to implement DevSecOps in large complex organizations |
| 15:25 - 15:55 | | Break |
| 15:55 - 16:35 | Himanshu Mehta | Down the Rabbit Hole: Exploring GraphQL Exploitation |
| 16:35 - 17:15 | Björn Kimminich | OWASP Juice Shop - An Open Source Software (and security) Fairytale |
| 17:15 - 17:30 | Priyam Awasthy | Closing |
09:15 - 09:55 - Rob van der Veer: The state of the art in AI security
Rob will bring you up to date on the latest advancements in AI and security: how OpenCRE-Chat uses AI to democratize security; the OWASP Top 10 for Large Language Model applications; the OWASP Machine Learning Security Top 10; the OWASP AI guide; Rob's role in security standardization for the EU AI Act; how OWASP is bringing together experts from around the world to collaborate on this subject; the latest AI threats and the latest insights into how you can protect AI systems; and, last but not least, what coding with GenAI means for software development, and for security in particular.
Rob van der Veer has a 30-year background in building secure software and running software businesses. AI, cyber security and privacy have been constant themes in his career, from hacking the British RAF in 1986 to building AI solutions for national security. At the Software Improvement Group, Rob established the AI, security, and privacy practices. He is involved in a range of standardization initiatives (e.g. OWASP SAMM, ENISA, ISO/IEC 5338, CIP, the AI security & privacy guide, the EU AI Act, and the EU Cyber Resilience Act). He co-leads the OWASP Integration Standards project, of which OpenCRE.org is the main result.
09:55 - 10:35 - Frans van Buul: Everything-as-Code: Pushing the boundaries of SAST
Static Application Security Testing (SAST) is the well-known practice of analyzing a program's source code with automated techniques to detect potential security problems. A key aspect of this is dataflow analysis, also known as taint analysis: the SAST tool tries to find paths from entry points of potential attacks (sources), such as a web request parameter, to program locations where such an attack could manifest itself (sinks), such as an SQL statement built from unescaped input.
While this is a tried-and-true approach for many important cases, such as Java and C# web applications, it is no longer enough as we enter the "everything as code" era. As infrastructure becomes code (CloudFormation, Terraform, Bicep, etc.), contracts become code (Solidity, Vyper), circuits become code (VHDL, Verilog), and so on, all of these could potentially be analyzed with SAST technology. SAST users see this potential and are asking SAST providers to extend their offerings in this direction. Doing so, however, is not a straightforward extension of standard SAST functionality to new languages and libraries.
In this talk, we'll have a look at the frontier of SAST technology through two specific examples and their peculiarities: Bicep (Microsoft's IaC language for Azure) and Solidity (the most widely used language for smart contracts).
Based out of the Netherlands, Frans van Buul is senior product manager for Fortify SAST at OpenText. As such, he leads the further development of the SAST product by a global team of developers and researchers. While it’s not officially part of his job description, Frans loves to be hands-on and codes a lot: vulnerable code examples in a large variety of languages, Java code with SAST analysis algorithms, and random stuff in his spare time. Before transitioning into product management two years ago, Frans held several other positions that provided him with the relevant background. He’s been a security consultant and auditor at PwC, a Java developer and architect at several companies, and a Fortify SAST sales engineer and sales engineering leader.
11:05 - 11:45 - Sarah-Jane Madden: Far from green fields - introducing Threat modelling to established teams
'Far from green fields - introducing Threat modelling to established teams' takes a look at the unique challenges of introducing threat modelling to well-established software teams.
Microsoft introduced threat modelling as part of the Trustworthy Computing initiative back in the early 2000s. This was in response to issues they were facing maintaining the trust of their user base in the light of several high-profile security issues. Nobody would categorise Microsoft as a startup in 2002, and nobody at Microsoft was suggesting that they stop moving forward with planned features and advancements while they adjusted their practices. Why is it, then, that so much of the material available to support you as you roll out threat modelling describes it in the context of greenfield projects? Most of us need to know how to successfully introduce this highly effective shift-left security practice to real teams: teams that are running at pace on the treadmill of change, spinning the plates of customer commitments and feature enhancements. In this talk, I will share the experiences of a three-year journey I have been on to introduce threat modelling to my colleagues across a range of product offerings. We made some mistakes, we learned some lessons the books could not have taught us, but ultimately we succeeded, and in succeeding we learned that introducing threat modelling is only the beginning.
Originally conceived in a pre-COVID world, this talk has been updated to include a look at the challenges and some surprising advantages of threat modelling on remote teams, the impact of legislation and the pros and cons of AI for the practice.
Sarah-Jane is the Chief Information Security Officer of Sensing Technology Group, a part of Fortive. She has over 20 years of software experience, from the most formal environments to 'let's fix it in production' type teams. She has been a longtime advocate of deliberate application security as a partnership with product management and believes that security does not have to be an overhead. A strong proponent of threat modeling, she believes it is an essential practice for every team driving towards the goal of secure by design.
11:45 - 12:25 - Jeroen Prinse: A quest to tame DevOps Unicorns
In my presentation I will take the audience with me on my quest to implement a Secure DevOps program in large organizations. I will share my epic failures and successes and provide the audience with actionable insights that they can take with them on their own Secure DevOps journey to prevent common pitfalls.
The presentation will cover everything from the culture change needed within organizations and with security officers/CISOs, to tool selection, implementation and configuration, and everything that can go wrong. All experiences are based on real-life events, which gives me the perfect opportunity to explain the failures and how we solved them.
It will not be an in-depth technical presentation; instead, through storytelling, it will challenge the thinking of, and inspire, the audience with regard to Secure DevOps/Agile information security. I will engage with the audience to share their pitfalls and successes and provide a learning experience for all attendees.
Jeroen is a freelance (C)ISO/Security Architect, currently working for the Dutch National Cyber Security Centre (NCSC-NL) as their CISO. He is on a mission to transform the way of working of security professionals to deliver first-time right, secure by design products and services for customers while enabling organizations to do business by automating information security as much as possible and changing security from compliance to a service.
13:25 - 14:05 - Niels Tanis: Using WebAssembly to run, extend, and secure your application
WebAssembly (WASM) has come a long way since its first release in 2017. As a technology stack running inside the web browser, it even allows products like Adobe Photoshop to run in that context. Now, with the WebAssembly System Interface (WASI) standard, WASM is expanding beyond the browser into server-side contexts.
Had WASM and WASI been around in 2009, Docker would not have existed, according to one of its founders, Solomon Hykes. WASM has a strong security posture thanks to its linear memory model and its sandboxed "nano-process" execution environment, which uses a capability-based security model: a module can only touch the files, directories and host functions it has explicitly been granted.
In this session we'll start by going through some of the basic security features of WASM and then move on to running and extending an application with WASM. After that we'll focus on the security features and use the sandbox and the capability-based security model to limit what the code is allowed to do.
Niels Tanis has a background in .NET development, pentesting and security consultancy. He is a Microsoft MVP and has been involved in breaking, defending and building secure applications. He joined Veracode in 2015 and currently works as a security researcher on a variety of languages and technologies related to Veracode's Binary Static Analysis service. He is married, a father of two, and lives in a small village just outside Amersfoort, The Netherlands.
14:05 - 14:45 - Pieter De Cremer: Secure defaults: a scalable security approach for modern development
Self-service security does not mean letting your developers fix all the security bugs themselves, nor does it mean focusing only on high-priority issues. Fundamentally, the aim is to make it easy to write secure code and hard to write insecure code. Instead of playing bug whack-a-mole, we build scalable solutions for the repetitive tasks required by multiple teams. These solutions are often called secure defaults, secure guardrails, or the paved road.
Once these building blocks are in place, the security team greatly reduces the time spent preventing the corresponding vulnerabilities in all phases of the development cycle. Threat modeling, code review, findings triage and bug bounty review: many of these tasks become trivial and reduce to a boolean question: "Is the secure default used or not?"
In this talk, we will go over some of the fundamentals of why security teams must scale and how this can be achieved with secure defaults. We will discuss examples of real companies such as Netflix, Google, Semgrep, and Snowflake applying this approach. In the second half of the presentation, I present practical tips and guidelines on how to get started and which features in security tools make the adoption of secure defaults easier.
Pieter De Cremer (@0xDC0DE) is a Senior Security Researcher at Semgrep, a startup working on open source static analysis tools that fit the modern developer workflow. Previously, Pieter obtained his PhD doing research for the company Secure Code Warrior in cooperation with Ghent University, where he designed, implemented, and evaluated improvements to both the training and the tools provided by the company. Pieter hosts a YouTube channel with Semgrep tutorials and other security research content (https://www.youtube.com/@0xDC0DE) and has previously spoken at conferences such as OWASP, BruCON, BSides, and DEF CON. In his spare time, Pieter enjoys hitting the security conference circuit to engage with other enthusiasts around the world, his afternoon coffee ritual, and a few rounds of Apex Legends.
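One concrete shape a secure default and its guardrail can take, as an added example that is not from the talk, from Semgrep or from any of the companies named: a paved-road wrapper for running commands that makes command injection impossible by construction, and the check that turns "is the secure default used?" into an executable boolean over a source file. The wrapper module name `paved_road.py`, the banned-API list and the two sample files are assumptions constructed for this example.

```python
"""A secure default ("paved road") plus the guardrail that enforces it.

Added example: wrapper, banned-API list and checker are illustrative,
not code from the talk or any vendor. Requires Python 3.9+ (ast.unparse).
"""
import ast
import subprocess


def run_command(argv, timeout=30):
    """The one sanctioned way to run a command.

    Accepts only an argv list of strings and never involves a shell, so a
    caller cannot build a command by string concatenation and cannot pass
    shell=True. The secure behaviour is the only behaviour on offer.
    """
    if not isinstance(argv, (list, tuple)) or not argv or \
            not all(isinstance(a, str) for a in argv):
        raise TypeError("run_command takes a non-empty argv list of strings")
    return subprocess.run(list(argv), shell=False, capture_output=True,
                          text=True, timeout=timeout, check=False)


# Raw APIs that the paved road replaces. Any direct use outside the
# wrapper's own module is a violation, whether or not that particular
# call happens to be safe: reviewers no longer have to decide case by case.
BANNED_CALLS = {
    "subprocess.run", "subprocess.call", "subprocess.check_call",
    "subprocess.check_output", "subprocess.Popen", "os.system", "os.popen",
}
WRAPPER_MODULE = "paved_road.py"   # assumed location of run_command


def guardrail_violations(source_code, filename):
    """Answer "is the secure default used?" for one file.

    Returns [] when the file stays on the paved road, otherwise a list of
    (line, message). The wrapper module itself is exempt: it is the single
    reviewed place where the raw API is allowed.
    """
    if filename.endswith(WRAPPER_MODULE):
        return []
    violations = []
    for node in ast.walk(ast.parse(source_code)):
        if not isinstance(node, ast.Call):
            continue
        callee = ast.unparse(node.func)            # e.g. "subprocess.run"
        if callee in BANNED_CALLS:
            violations.append((node.lineno,
                               f"{callee}() called directly; use run_command()"))
        for kw in node.keywords:                   # shell=True anywhere is a bug
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) \
                    and kw.value.value is True:
                violations.append((node.lineno, "shell=True passed to a subprocess API"))
    return violations


# Constructed sample inputs: one file on the paved road, one off it.
ON_PAVED_ROAD = '''\
from paved_road import run_command

def list_dir(user_dir):
    return run_command(["ls", "-l", user_dir]).stdout
'''

OFF_PAVED_ROAD = '''\
import subprocess

def list_dir(user_dir):
    return subprocess.run("ls -l " + user_dir, shell=True,
                          capture_output=True, text=True).stdout
'''

if __name__ == "__main__":
    for name, src in (("app.py", ON_PAVED_ROAD), ("tools/cleanup.py", OFF_PAVED_ROAD)):
        found = guardrail_violations(src, name)
        print(f"{name}: {'secure default used' if not found else found}")
```

The checker matches fully qualified call names only, so `from subprocess import run` or an alias would slip past it; a production guardrail tracks imports (or is written as a Semgrep rule that does) and runs in CI so that the answer is computed on every change rather than in review.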
14:45 - 15:25 - Stefan Simenon: How to implement DevSecOps in large complex organizations
It is not easy to implement DevSecOps in an organization, and in large, complex organizations it is even more difficult. Stefan will elaborate in his talk on the main challenges and how to overcome them. He will also share experiences and best practices.
I am an IT professional passionate about topics such as Continuous Integration and Continuous Delivery, Software Quality, Tooling, DevSecOps, Cloud, and the management of the cultural, organizational, team and technological changes associated with these approaches.
When working in complex multi-stakeholder environments, I use my social and communication skills, combined with in-depth IT knowledge and a sense of humor, to manage and overcome challenges.
I like to share this passion, and have done so by speaking at several seminars and conferences.
15:55 - 16:35 - Himanshu Mehta: Down the Rabbit Hole: Exploring GraphQL Exploitation
"Down the Rabbit Hole: Exploring GraphQL Exploitation" is an in-depth exploration of GraphQL from a security perspective. This talk is designed for those with a keen interest in understanding the latest advancements in web technologies and their potential vulnerabilities. It provides a roadmap for navigating the complexities of GraphQL, demonstrating efficient methodologies for building and consuming APIs while highlighting the security risks that come with them.
The talk delves into the diverse ecosystem of GraphQL tools, libraries, and frameworks available across programming languages, including the real-time data updates that GraphQL's subscription mechanism offers. It also discusses the practical implementation and integration of GraphQL in different environments, emphasizing the security implications. Whether you're an experienced developer or a cybersecurity professional, this talk will arm you with the knowledge and tools needed to effectively exploit and secure GraphQL implementations.
I possess both expertise and passion in the field of Offensive and Defensive Security. I serve as an advisory board member for the EC-Council’s Licensed Penetration Tester group and HackersEra. I actively participate in numerous bug bounty and Capture the Flag programs worldwide, and have been invited to present my research at several prestigious international security conferences, including BlackHat, RSAC USA, ICS Singapore, Hack In Paris, HITB (Amsterdam, Dubai, Abu Dhabi), SecurityFest (Sweden), InfoSecurity (London), Offzone (Moscow), NanoSec (Malaysia), DSCI, National Cyber Security Conference, Best of the world Conference & Hakon. My previous roles include Head of Cyber Threat Intelligence at Hive Pro, Senior Security Researcher at Darkmatter, and leading a global team of security intelligence at Symantec. These experiences have provided me with valuable insights and fueled my desire to continue growing as a creative leader in the field of cyber-security.
16:35 - 17:15 - Björn Kimminich: OWASP Juice Shop - An Open Source Software (and security) Fairytale
Once upon a time, developers and security experts relied on mostly server-side rendered vulnerable applications to train their web hacking skills. In 2014 the Juice Shop entered the stage as one of the first Rich Internet Application representatives. What started as a personal pet project with two dozen hacking challenges, became an OWASP Flagship project shortly after and grew in size, scope and use case coverage significantly over the years. Join Björn Kimminich on a tour through the origins, history and evolution of OWASP Juice Shop from 2014 to 2023, closing with a peek into the future of this juicy hacking delicacy.
Björn works as Product Group Lead Application Ecosystem at Kuehne + Nagel, responsible – among other things – for the Application Security program in the corporate IT. He is an OWASP Lifetime Member, the project leader of the OWASP Juice Shop, and a co-chapter leader for the OWASP Germany Chapter. Björn also currently chairs the OWASP Project Committee.