OWASP AppSec California 2019 kicks off on the 22nd of January at Annenberg Community Beach House in Southern California. Like previous years, in addition to valuable training opportunities, the conference is stacked with interesting talks by prominent speakers. This provides a great opportunity for information security professionals to catch up with the latest innovation and trends within their industry. So if you aren’t planning to already, we recommend you attend OWASP AppSec Cali this year and to those that have decided on attending, here’s a quick list of talks we believe are a must attend for security professionals.
An Attacker's View of Serverless and GraphQL Apps
Speaker: Abhay Bhargav
Serverless Technology (Functions as a Service) is fast becoming the next "big thing" in the world of distributed applications. Organizations are investing a great deal of resources in this technology as a force-multiplier, cost-saver and ops-simplification cure-all.
This talk presents a red-team perspective of the various ways in which testers can discover and exploit serverless and/or GraphQL driven applications to compromise sensitive information, and gain a deeper foothold into database services, IAM services and other other cloud components. The talk consists of a few demos that will aim at illustrating practical attacks and attack possibilities against Serverless and GraphQL applications.
Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team
Speaker: Izar Tarandach
In today’s agile world product design emerges as it develops. How do we cope with that in Threat Modeling? This talk explores the way Autodesk is moving to a team-based collaborative and continuous Threat Modeling methodology, and how the dialog has moved the dependency away from security SMEs and into the team. PyTM, an Open Source threat-modeling-as-code support system is also presented.
Lightning Talk: Building Cloud-Native Security for Apps and APIs with NGINX
Speaker: Stepan Ilyin
NGINX is a very flexible platform that can be enhanced with strong security capabilities if you know what components you need and how to cook them. With the right set of modules and tricks, everyone can get security visibility and real-time protection against OWASP Top 10 attacks, bots, application abuse and potential data leakage issues. Over the course of this talk, Stepan aims to provide practical methods that Dev, Sec and Ops teams can use whether NGINX is deployed as an ingress controller, an API gateway, a load balancer or an application server.
CISO Panel: Baking Security Into the SDLC
Moderator: Richard Greenberg
Speaker: Coleen Coolidge, Martin Mazor, Bruce Phillips, Shyama Rose
Ever wonder how CISOs are coping with the rapid changes in application development methodologies and the constant resulting updates and pressures to publish? Where, when and how they are incorporate security in the mix? Hear real-world experiences from CISOs themselves on how they are managing this.
Lightning Talk: How to lose a Container in 10 mins
Speaker: Sarah Young
Moving to the cloud and deploying containers? In this talk Sarah will discuss both the mindset shift and tech challenges, with some common mistakes made in real-life deployments along with some real life (albeit redacted) examples. We’ll also look at what happens to a container that’s been left open to the Internet for the duration of the talk.
Game On! Adding Privacy to Threat Modeling
Speaker: Adam Shostack, Mark Vinkovits
Specifically looking at privacy, due to its obvious relevance recently, this presentation will show an extension of the Elevation of Privilege card game that LogMeIn has adopted to meet its privacy by design requirements. It will show the research that helped define the cards of the suit and give a quick overview of the individual cards. By the end of the talk, practitioners will have a new toolset to include in their security and privacy processes. Furthermore interested listeners will hear methods on how to design extensions to already available games, allowing them to incorporate topics they feel necessary for their work practices into fun exercises.
Can Kubernetes Keep a Secret?
Speaker: Omer Levi Hevroni
The first part of this session will cover the challenges faced when using Kubernetes secrets (from a usability and security point of view). The second part will discuss some of the existing solutions (Sealed Secrets, Helm Secrets and others), their pros, and cons, and then feature Kamus: how it works, what problems it solves, how it differs from other solutions, and what threats it can help mitigate (and what threats it can’t).
The talk will cover all that is required to know so you can run Kamus on your own cluster and use it for secret management. Join me for this session to learn how you can build a Kubernetes cluster than can keep a secret ― for real.
Authorization in the Micro Services world with Kubernetes, ISTIO and Open Policy Agent
Speaker: Sitaraman Lakshminarayanan
Micro Services enables developers to break down the monolithic application into smaller and manageable micro services. It is accelerated by Cloud Native platforms such as Kubernetes and ISTIO. However the challenge of enforcing finer grained authorization at API got even more complicated.
In this talk we will explore how Open Policy Agent(OPA) can be used to enforce fine grained authorization programmatically and integrate it with ISTIO. We will also compare how Kubernetes as a platform has made it possible to enforce programmatic finer grained authorization that is external to Kubernetes infrastructure. Attendees can also expect to walk away with knowledge of how one can use OPA to enforce authorization policies for Kubernetes API.
Netflix's Layered Approach to Reducing Risk of Credential Compromise
Speaker: Will Bengtson, Travis McPeak
Building a secure system is like constructing a good pizza – each individual layer adds flavor that ultimately builds to the perfect bite. Netflix has hand-crafted ingredients that by themself are scrumptious, but when placed together strategically on the crust (read: cloud), constructs a pizza so large that any pizza lover (read: attacker) would be challenged to finish. From this session attendees are expected to learn the secret to the sauce that is Netflix Infrastructure Security, and be equipped to start baking pizza in their own kitchen, and leave satisfied.
Lighting Talk: Usable Security Tooling - Creating Accessible Security Testing with ZAP
Speaker: David Scrobonia
Introducing security testing tools to a QA or developer workflow can be difficult when the tools aren't easy or intuitive to use. Even for security professionals, the friction of cumbersome security tooling can prevent them from getting the most from a tool or being effective with their time.
This talks focuses on a new development of the OWASP ZAP project, the Heads Up Display, and how it can enable developers and security professionals alike to get the most out of the attack proxy. By coupling ZAP closer to the browser and presenting a new UI we can enable new ways to interact with and extend ZAP that will make using it more intuitive. The talk will cover the motivation behind the project, the browser technologies that power it, and how you can start using it.