Welcome to OWASP AppSec 2018 USA we look forward to seeing you in San Jose, CA


California Room
Wednesday, October 10


Project Reviews

We will be reviewing the following projects:
Lab to Flagship Status
OWASP Benchmark Project
OWASP Dependency Track Project

Incubator to Lab Status
OWASP Mobile Security Testing Guide
OWASP Glue Tool Project

Other projects may be added as they come up. Help from project leaders in reviewing these projects would be greatly appreciated.


Harold Blankenship

OWASP Foundation

Wednesday October 10, 2018 10:00am - 5:00pm


OWASP Leaders' Workshop
Matt Tesauro, Director of Community and Operations
Harold Blankenship, Director, Projects and Technology Support
Dawn Aitken, Community Manager

The OWASP Leader Workshop is designed for OWASP members currently leading, or interested in starting, a chapter in their local area or a project.
We are hosting sessions to learn from each other how to run chapter activities, what types of events to host and how to promote them, how to reach out to educational and other organizations, and where to access funding and how to spend it. Here you will also learn about ongoing efforts and be able to give insight into how to tailor them better. The session description is a starting point for discussion, but the discussion is yours.
Attendees will receive special edition OWASP Leader's shirts.

Wednesday October 10, 2018 6:30pm - 9:30pm
Friday, October 12


Project Showcase: ZAP Heads Up Display
The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It's also a great tool for experienced pentesters to use for manual security testing. Come and learn about ZAP and its new feature: the Heads Up Display.


Friday October 12, 2018 8:15am - 8:50am


Project Showcase: Amass
Amass is an in-depth DNS enumeration and network mapping tool written in Go. It helps organizations fill in blind spots in their presence on, and exposure to, the internet. Amass reaches out to more than 30 passive data sources to learn about the DNS namespace of a target domain.


Jeff Foley

Manager, Penetration Testing & Red Teaming, National Grid

Friday October 12, 2018 10:15am - 10:50am


Project Showcase: Glue Tool
The OWASP Glue Tool Project is a tool-based project intended to make security automation easier. It is essentially a Ruby gem that coordinates the running of different analysis tools and the reporting from those tools.


Friday October 12, 2018 11:00am - 11:35am


Project Showcase: Dependency Track
Dependency-Track is an intelligent Software Composition Analysis (SCA) platform that allows organizations to identify and reduce risk from the use of third-party and open source components. The platform integrates with multiple sources of vulnerability intelligence, including the National Vulnerability Database (NVD), NPM Public Advisories, Sonatype OSS Index, and VulnDB from Risk Based Security.

In this session you'll learn about Dependency-Track, its bill-of-materials approach to providing continuous component analysis, and many of the automation options that are available with the platform.





Steve Springett

Senior Security Architect, ServiceNow
Steve educates teams on the strategy and specifics of developing secure software. He practices security at every stage of the development lifecycle by leading sessions on threat modeling, secure architecture and design, static/dynamic/component analysis, offensive research, and defensive...

Friday October 12, 2018 11:45am - 12:20pm


Project Showcase: Lunch with the Internet of Things Top Ten
Grab your lunch and bring it to the California Room. The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies. The project defines a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.


Friday October 12, 2018 1:00pm - 1:20pm


Project Showcase: Code Pulse and Attack Surface Detector
White hat penetration testers are generally at a disadvantage compared to the malicious attackers they help defend against. They have limited time and resources to secure the entire application, whereas attackers have unlimited time and may need only a single vulnerability. This session will discuss how web application penetration testers can improve the efficiency and comprehensiveness of their white box testing using two new open source OWASP tools. These tools leverage access to application source code and server bytecode to give an advantage to the penetration tester working with the development team.

The first tool, OWASP Code Pulse, uses glass box testing techniques to instrument the web application server bytecode and provide real-time code coverage while the application is being tested. This lets the penetration tester measure how much of the application's server code their testing has touched, and visually displays gaps in their testing coverage. This real-time feedback helps testers tune their testing to maximize the amount of code covered, compare the performance of different testing tools and activities, and communicate useful metrics of testing activity to others.

The second tool, Attack Surface Detector, performs static code analysis to first detect the web application endpoints, parameters, and parameter datatypes. This information is then pulled into the Burp Suite and OWASP ZAP web application testing suites to allow rapid dynamic testing of the discovered attack surface. The benefit of this approach over traditional spidering techniques is that hidden endpoints are found without brute-force guessing, and optional parameters not seen in the client-side code are discovered. The Attack Surface Detector is being continually updated; the most recently added functionality includes showing endpoint differences between application versions, so penetration testers can focus their testing only on the changes.

Recent features and major releases will be discussed, a brief demonstration of the tools will be given, and a question and answer portion will complete the session. We are particularly interested in feedback from the audience on whether these tools help their specific needs and what future improvements would make them even better.


Ken Prole

CTO, CodeDx
Ken Prole is the CTO of Code Dx and Principal Investigator for Secure Decisions. He has a passion for helping organizations through the process of building secure applications. He has published several articles on cyber security in peer-reviewed journals and is active in the application...

Friday October 12, 2018 1:30pm - 2:05pm


Project Showcase: SEDATED
The SEDATED Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure) focuses on preventing sensitive data such as user credentials and tokens from being pushed to GitHub. Developers are constantly pushing changes to GitHub and may try to push a commit that contains sensitive information. The SEDATED application helps catch and prevent that.

Friday October 12, 2018 2:15pm - 2:50pm