Welcome to OWASP AppSec 2018 USA. We look forward to seeing you in San Jose, CA.


California Room
Wednesday, October 10
 

10:00am

Project Reviews

We will be reviewing the following projects:
Lab to Flagship Status
OWASP Benchmark Project
OWASP Dependency Track Project

Incubator to Lab Status
OWASP Mobile Security Testing Guide
OWASP Glue Tool Project

Other projects may be added as they come up. Help from project leaders in reviewing these projects would be greatly appreciated.


Speakers

Harold Blankenship

OWASP Foundation


Wednesday October 10, 2018 10:00am - 5:00pm
California

6:30pm

OWASP Leaders' Workshop
Matt Tesauro, Director of Community and Operations
Harold Blankenship, Director, Projects and Technology Support
Dawn Aitken, Community Manager

The OWASP Leader Workshop is designed for OWASP members currently leading, or interested in starting, a chapter in their local area or a project.
We are hosting a session to learn from each other how to run chapter activities, what types of events to host and how to promote them, how to reach out to educational and other organizations, and where to access funding and how to spend it. You will also learn about ongoing efforts and be able to give insight into how to tailor them better. The session description is a starting point for discussion, but the discussion is yours.
Attendees will receive special edition OWASP Leader's shirts.

Wednesday October 10, 2018 6:30pm - 9:30pm
California
 
Friday, October 12
 

8:15am

Project Showcase: ZAP Heads Up Display
The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It's also a great tool for experienced pentesters to use for manual security testing. Come and learn about ZAP and its new feature, the Heads Up Display.

Friday October 12, 2018 8:15am - 8:50am
California

10:15am

Project Showcase: Amass
Amass is an in-depth DNS enumeration and network mapping tool written in Go. It helps organizations fill in blind spots in their presence on, and exposure to, the internet. Amass reaches out to more than 30 passive data sources to learn about the DNS namespace of a target domain.


Speakers

Jeff Foley

Manager, Penetration Testing & Red Teaming, National Grid


Friday October 12, 2018 10:15am - 10:50am
California

11:00am

Project Showcase: Glue Tool
The OWASP Glue Tool Project is a tool-based project intended to make security automation easier. It is essentially a Ruby gem that coordinates the running of different analysis tools and the reporting of their results.

Friday October 12, 2018 11:00am - 11:35am
California

11:45am

Project Showcase: Dependency Track
Dependency-Track is an intelligent Software Composition Analysis (SCA) platform that allows organizations to identify and reduce risk from the use of third-party and open source components. The platform integrates with multiple sources of vulnerability intelligence, including the National Vulnerability Database (NVD), NPM Public Advisories, Sonatype OSS Index, and VulnDB from Risk Based Security.

In this session you'll learn about Dependency-Track, its bill-of-materials approach to providing continuous component analysis, and many of the automation options that are available with the platform.

https://dependencytrack.org/

https://github.com/DependencyTrack

https://twitter.com/DependencyTrack
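As an added illustration of the bill-of-materials approach described in this abstract (example code written for this page, not Dependency-Track's own implementation), the following Python reads a constructed CycloneDX-style BOM, splits each component's package URL into a versionless key and a version, and checks that version against a constructed advisory feed keyed the same way. The component list, the advisory IDs and the affected version ranges are all made up for the example; the version comparison is a deliberate simplification of the per-ecosystem rules a real SCA tool has to apply.

```python
"""Added example: bill-of-materials (BOM) driven component analysis.
Illustrative code for this page, not Dependency-Track's implementation.
The BOM and the advisory feed are constructed; advisory IDs are placeholders."""
import json

# Constructed CycloneDX-style BOM, trimmed to the fields this example uses.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.1",
    "components": [
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.9.5",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.5?type=jar"},
        {"type": "library", "name": "lodash", "version": "4.17.11",
         "purl": "pkg:npm/lodash@4.17.11"},
        {"type": "library", "name": "requests", "version": "2.20.0",
         "purl": "pkg:pypi/requests@2.20.0"},
    ],
})

# Constructed advisory feed keyed by versionless package URL. Each range is
# [introduced, fixed): vulnerable from 'introduced' up to but excluding 'fixed'.
SAMPLE_ADVISORIES = {
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind": [
        {"id": "ADV-0001", "introduced": "2.9.0", "fixed": "2.9.6"},
    ],
    "pkg:npm/lodash": [
        {"id": "ADV-0002", "introduced": "0", "fixed": "4.17.5"},
    ],
}


def parse_version(version):
    """Turn '2.9.5' into (2, 9, 5) so tuples compare numerically, not as strings.
    Trailing non-digits in a segment (e.g. '1-rc2') are ignored; this is a
    simplification, real ecosystems each have their own ordering rules."""
    parts = []
    for segment in version.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl):
    """Split 'pkg:type/ns/name@version?qualifiers' into (versionless purl, version)."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return base, version


def in_range(version, introduced, fixed):
    """True when introduced <= version < fixed under parse_version ordering."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def analyze_bom(bom_json, advisories):
    """Return one finding per (component, advisory) whose version falls in an affected range.
    Because the BOM is stored inventory, this can be re-run whenever the feed changes
    without touching the build, which is what makes the analysis continuous."""
    findings = []
    for component in json.loads(bom_json).get("components", []):
        purl = component.get("purl")
        if not purl:
            continue  # nothing to key on; a real tool would fall back to group/name/version
        base, version = split_purl(purl)
        for advisory in advisories.get(base, []):
            if in_range(version, advisory["introduced"], advisory["fixed"]):
                findings.append({"purl": purl, "advisory": advisory["id"],
                                 "fixed_in": advisory["fixed"]})
    return findings


if __name__ == "__main__":
    for finding in analyze_bom(SAMPLE_BOM, SAMPLE_ADVISORIES):
        print(finding)
```

Only jackson-databind is reported: lodash 4.17.11 sits above the constructed fixed version, and requests has no advisory in the feed. The design point is that the inventory (the BOM) and the intelligence (the feed) are decoupled, so a new advisory arriving tomorrow produces a new finding against a BOM uploaded today.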

Speakers

Steve Springett

Senior Security Architect, ServiceNow
Steve educates teams on the strategy and specifics of developing secure software. He practices security at every stage of the development lifecycle by leading sessions on threat modeling, secure architecture and design, static/dynamic/component analysis, offensive research, and defensive...



Friday October 12, 2018 11:45am - 12:20pm
California

1:00pm

Project Showcase: Lunch with the Internet of Things Top Ten
Grab your lunch and bring it to the California room: The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies. The project defines a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities. 

Friday October 12, 2018 1:00pm - 1:20pm
California

1:30pm

Project Showcase: Code Pulse and Attack Surface Detector
White hat penetration testers are generally at a disadvantage compared to the malicious attackers they help defend against. They have limited time and resources to secure the entire application, whereas attackers have unlimited time and may only need a single vulnerability. This session will discuss how web application penetration testers can improve the efficiency and comprehensiveness of their white box testing using two new open source OWASP tools. These tools leverage access to application source code and server bytecode to provide an advantage to the penetration tester working with the development team.

The first tool, OWASP Code Pulse, uses glass box testing techniques to instrument the web application server bytecode to provide real-time code coverage while testing the application. This allows the penetration tester to measure how much of the application’s server code their testing has touched, and visually displays gaps in their testing coverage. This real-time feedback helps testers tune their testing to maximize the amount of code covered, compare performance of different testing tools and activities, and communicate useful metrics of testing activity to others.

The second tool, Attack Surface Detector, performs static code analysis to first detect the web application's endpoints, parameters, and parameter datatypes. This information is then pulled into the Burp Suite and OWASP ZAP web application testing suites to allow rapid dynamic testing of the discovered attack surface. The benefit of this approach over traditional spidering is that hidden endpoints are found without brute-force guessing, and optional parameters not seen in the client-side code are discovered. The Attack Surface Detector is continually updated; the most recently added functionality shows endpoint differences between application versions, so penetration testers can focus their testing only on the changes.

Recent features and major releases will be discussed, a brief demonstration of the tools will be given, and a question and answer portion will complete the session. We are particularly interested in feedback from the audience on whether these tools help their specific needs and what future improvements would make them even better.
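To make the static endpoint-detection idea concrete, here is an added example written for this page; it is not the Attack Surface Detector's code, and the framework support of the real tool is documented by the project, not here. The example walks the Python AST of a constructed Flask application, records every `@<app>.route(...)` view with its HTTP methods, collects the `request.<source>.get("x")` and `request.<source>["x"]` reads inside each view as parameters, and diffs two versions of the source to list only the endpoints that are new. The sample application, its routes and parameter names are made up.

```python
"""Added example: static detection of web endpoints and their parameters.
Illustrative code for this page, not the OWASP Attack Surface Detector's
implementation. It handles one pattern only: Flask-style @<app>.route views
that read request.<source>.get("x") or request.<source>["x"]."""
import ast

# Constructed application source. 'debug' is only read from the POST body,
# so a spider that never POSTs would not see it.
SAMPLE_SOURCE_V1 = '''
from flask import Flask, request
app = Flask(__name__)

@app.route("/users/<int:user_id>", methods=["GET", "POST"])
def user(user_id):
    name = request.args.get("name")
    debug = request.form.get("debug", "0")
    return name
'''

# A second version adds an endpoint no client-side code links to; used to show
# the version-to-version difference the abstract describes.
SAMPLE_SOURCE_V2 = SAMPLE_SOURCE_V1 + '''
@app.route("/admin/export")
def export():
    fmt = request.args["format"]
    return fmt
'''

REQUEST_SOURCES = {"args", "form", "values", "json", "cookies", "headers", "files"}


def _const_str(node):
    """Return the string of a literal node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _route_decorator(dec):
    """Return (path, methods) for @something.route("/path", methods=[...]), else None."""
    if not (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
            and dec.func.attr == "route" and dec.args):
        return None
    path = _const_str(dec.args[0])
    if path is None:
        return None  # dynamic path; a fuller tool would resolve the expression
    methods = ["GET"]  # Flask's default when methods= is omitted
    for kw in dec.keywords:
        if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
            methods = [m for m in map(_const_str, kw.value.elts) if m]
    return path, sorted(methods)


def _request_params(func):
    """Collect request.<source>.get("x") and request.<source>["x"] reads inside a view."""
    params = []
    for node in ast.walk(func):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "get" and node.args):
            target, key = node.func.value, node.args[0]
        elif isinstance(node, ast.Subscript):
            target, key = node.value, node.slice
            if type(key).__name__ == "Index":  # Python < 3.9 wraps subscript keys
                key = key.value
        else:
            continue
        if (isinstance(target, ast.Attribute) and isinstance(target.value, ast.Name)
                and target.value.id == "request" and target.attr in REQUEST_SOURCES):
            name = _const_str(key)
            if name:
                params.append({"name": name, "source": target.attr})
    return params


def detect_endpoints(source):
    """Parse application source and return [{path, methods, params}] per routed view."""
    endpoints = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:
            route = _route_decorator(dec)
            if route:
                path, methods = route
                endpoints.append({"path": path, "methods": methods,
                                  "params": _request_params(node)})
    return endpoints


def new_endpoints(old_source, new_source):
    """Endpoints present in new_source but not old_source: where a retest should start."""
    known = {e["path"] for e in detect_endpoints(old_source)}
    return [e for e in detect_endpoints(new_source) if e["path"] not in known]


if __name__ == "__main__":
    for endpoint in detect_endpoints(SAMPLE_SOURCE_V2):
        print(endpoint)
    print("added:", [e["path"] for e in new_endpoints(SAMPLE_SOURCE_V1, SAMPLE_SOURCE_V2)])
```

The output lists `/admin/export` and the POST-only `debug` parameter even though nothing in a browser session would ever reveal them, which is the advantage over spidering the abstract refers to. The detected paths and parameters are exactly what a tester would feed into a proxy's site map or request generator.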

Speakers

Ken Prole

CTO, CodeDx
Ken Prole is the CTO of Code Dx and Principal Investigator for Secure Decisions. He has a passion for helping organizations through the process of building secure applications. He has published several articles on cyber security in peer-reviewed journals and is active in the application...


Friday October 12, 2018 1:30pm - 2:05pm
California

2:15pm

Project Showcase: SEDATED
The SEDATED Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure) focuses on preventing sensitive data such as user credentials and tokens from being pushed to GitHub. Developers are constantly pushing changes to GitHub and may try pushing a commit that contains sensitive information. The SEDATED application will help catch and prevent that.
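As an added example of the kind of check such a tool performs (written for this page; it is not the SEDATED project's code and makes no claim about its rule set or configuration), the Python below scans the added lines of a unified diff against a small set of credential patterns and reports file, new-file line number and rule for each hit. The diff, the file name and the credential values are constructed; the AWS key is the well-known documentation example value, not a live credential. The hook wiring is left to prose below because it depends on the hosting platform.

```python
"""Added example: regex-based secret detection over the added lines of a push.
Illustrative code for this page, not the SEDATED project's implementation.
The diff, the file name and the credential values below are constructed; the
AWS key is the well-known documentation example value, not a live credential."""
import re

# Rules are (name, compiled pattern). The generic assignment rule requires a
# quoted value of 8+ characters so that flags and short placeholders do not trip it.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("assigned-credential", re.compile(
        r"(?i)\w*(password|passwd|secret|token|api_key)\w*\s*[:=]\s*[\"'][^\"']{8,}[\"']")),
]

# Constructed unified diff as 'git diff <old-sha> <new-sha>' would print it for
# one file. The removed '-' line is deliberately not scanned: only what would
# land in the repository matters.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,4 +1,6 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2-but-longer"
+API_TIMEOUT = 30
 ALLOWED_HOSTS = ["example.com"]
"""

# A push that only removes a secret must not be blocked, or nobody can fix a leak.
CLEAN_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,3 @@
 DEBUG = False
-DB_PASSWORD = "hunter2-but-longer"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
 API_TIMEOUT = 30
"""

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text):
    """Walk a unified diff and return findings for added lines that match a rule.
    Line numbers refer to the new version of the file, as a reviewer would expect."""
    findings = []
    current_file = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:]
            current_file = current_file[2:] if current_file.startswith("b/") else current_file
            continue
        header = HUNK_HEADER.match(raw)
        if header:
            new_line = int(header.group(1))  # first line number in the new file
            continue
        if raw.startswith("-") or raw.startswith("diff ") or raw.startswith("index "):
            continue  # removed lines and file headers do not advance the new-file counter
        if raw.startswith("+"):
            content = raw[1:]
            for rule, pattern in RULES:
                if pattern.search(content):
                    findings.append({"file": current_file, "line": new_line,
                                     "rule": rule, "text": content.strip()})
        new_line += 1  # context (' ') and added ('+') lines both exist in the new file
    return findings


def should_reject(diff_text):
    """Policy hook: block the push when any finding exists."""
    return bool(scan_diff(diff_text))


if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(f"{finding['file']}:{finding['line']} [{finding['rule']}] {finding['text']}")
    print("reject:", should_reject(SAMPLE_DIFF), "clean:", should_reject(CLEAN_DIFF))
```

Two practical points the example is built around. First, enforcement belongs in a server-side pre-receive hook that runs `git diff` between the old and new refs of each pushed branch; a client-side pre-commit hook is advisory only, since a developer can skip it. Second, regex rules produce false positives (test fixtures, documentation examples), so whatever tool is deployed needs a reviewed allow-list, or developers will route around it.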


Friday October 12, 2018 2:15pm - 2:50pm
California