Early next month, OWASP AppSec Day is set to kick off at the Melbourne Convention Exhibition Centre (Goldfields Theatre). Australia’s only conference dedicated entirely to building and deploying secure web and mobile applications is sure to deliver interesting security ideas from prominent speakers across the globe. As it has done since its inception in 2017. So if you haven’t already, we recommend you add AppSec Day, Australia to your conference calendar. And while you’re there be sure to attend the following talks this year:
- Security Learns to Sprint: DevSecOps (Keynote) - Tanya Janca
From the Speaker: This talk will argue that DevOps could be the best thing to happen to application security since OWASP, if developers and operations teams are enabled to make security a part of their everyday work. With a ratio of 100/10/1 for Development, Operations, and Security, security now needs to concentrate on creating tools, processes and opportunities for dev and ops that result in more-secure products, instead of trying to do it all themselves like they did in days past. Security can no longer be a gate or stumbling block, and ‘adding security in’ can no longer be used as a justification for project delays. If developers are sprinting, then we need to sprint too. So put on your running shoes; it’s time for DevSecOps!
- A Purple Team View of Serverless and GraphQL Applications - Abhay Bhargav
From the Speaker: Serverless Technology (Functions as a Service) is fast becoming the next "big thing" in the world of distributed applications. GraphQL (API Query Language) is the natural companion to serverless apps, where traditional REST APIs are replaced with GraphQL to provide greater flexibility, greater query parameterization and speed. The convergence of serverless functions and graphic provides attackers with some unique attack possibilities that can lead to lateral movement across Cloud APIs or financial attacks (DoS) that can literally run organizations out of business.
This talk presents a red-team perspective of the various ways in which testers can discover and exploit serverless and/or GraphQL driven applications to compromise sensitive information, and gain a deeper foothold into database services, IAM services and other cloud components. The talk also features real-world serverless and graphql implementations, specifically to highlight the lack of frameworks, tooling and security mechanisms that makes life much harder for developers to implement, therefore, easier for attackers to compromise
- Keeping up with Open Source Security - An Automated, Developer Focused Approach - Edwin Kwan
From the Speaker: Over 85% of a modern application is built from open source components. There are security issues being discovered regularly in open source components. Staying on top of those security issues is hard, especially when you are moving fast with DevSecOps. This talk will cover our approach to making security an enabler rather than a bottleneck. We created some tools around open source scanners to allow self-service of security and automating time-based waivers.
- The Absolute AppSec Secure Code Review Framework - Seth Law
From the Speaker: Let’s face it, performing a manual review of someone else’s source code is hard. It takes time, effort, expertise, and grit to actually figure out what the application does, how the developer implemented it, and if there should be any changes. From an application security perspective, this becomes even more difficult because of the security nuances of multiple languages that must be understood in order to identify and squash vulnerabilities. On top of that, most security reviews must be performed within a limited amount of time against more lines of code than recommended in standard code review best practices. After performing secure code reviews for over a decade, it becomes easier to identify a pattern and framework to address security concerns within code quickly and efficiently. This talk will introduce the Absolute AppSec Secure Code Review Framework to attendees and discuss lessons learned, code review tips and tricks, and strategies for quickly assessing code that can be used by reviewers immediately.
- Spot the vuln - Identifying security problems in source code - Eldar Marcussen
From the Speaker: Do you know source code? or perhaps you know vulnerabilities? See where they intersect and how most vulnerabilities are created. This talk will present a plethora off *common* vulnerabilities introduced by programming mistakes. Perhaps you have seen a "spot the vulnerability" challenge on social media before? Come along and see if you can spot the vulnerability in the presented code snippets before they are explained. Come participate in this light-hearted "spot the vuln" session. Several languages will be presented, audience participation will be rewarded.