Vulnerable Dependencies - The Toxic Relation

Every code inevitably depends on libraries and other components. They, in turn, have transitive dependencies. Have you wondered, apart from the features, what more do you inherit? What if those libraries are vulnerable? What if they silently inject ways for attackers to misuse your code? How would you ever know if you use vulnerable dependencies? It's not even in your hands! ...Or is it?

How to shift security testing left

Most security efforts today rely on late-cycle reactive techniques such as penetration testing. Late testing means that we often find things after than can easily be fixed and is by its nature always trailing behind the newest efforts of the adversaries. Such actions are a necessary part of a secure software lifecycle but have shown that they aren’t up to the task of creating systems that are “Secure-by-design.” To achieve maximum security, we must shift security efforts left and perform them earlier in the software lifecycle. We’ll explore the various techniques like DAST to begin security testing earlier in the cycle, decouple it from physical constraints, and how to move even further left by preventing the code that is vulnerable to attacks in the first place with static analysis based on secure software engineering standards.

Creating Your Own Hacking Lab

As a cybersecurity professional, it’s important that you establish a “laboratory” for you to practice your skills and test new vulnerabilities. As with any skill, before you do anything in the real world you need to practice, practice, and then practice some more. The time to learn a new tool or “try something out” isn’t on a live network or an engagement. In this session Dale will present you with different ways to create an environment that you can use to enhance your learning while wearing your “hacker hoodie” (sold separately ;-) ) and keeping your production network safe from harm.

Using Pre-Production Observability in QA & DevSecOps to Ship Secure Applications

Security and compliance issues identified after code has been pushed to production are common. Why aren’t these issues caught during pre-production testing or staging? Static code scanning is by no means sufficient. DAST tools haven't changed for 15 years. Observability is the solution. In this session, we will discuss why runtime visibility into your app's security behavior is key, and how to provide seamless ingrained security observability during pre-production testing and DevSecOps using DeepFactor. You’ll leave our discussion armed with the knowledge to immediately leverage pre-production observability with clear, actionable insights to help your dev team consistently deploy secure apps with confidence.

Intro to AppSec

In this session, Tanya Janca will teach you the foundations of application security, which is basically how do you ensure you're creating secure software? This is not going to be a super-duper duper advance talk if you know nothing about it -- that's OK. If you already know some stuff about it, Tanya might teach you a couple of new things. Come find out why AppSec is Tanya's complete and total obsession and how it can help you and your team's security efforts.

Do You Know How to Prioritize Your Open Source Findings?

Listen in and learn how we co-developed “susceptibility analysis”, which allows developers and application security engineers to understand whether a publicly disclosed vulnerability has actually been invoked in your customer code, and more importantly, whether attacker-controlled input reaches that function. No magic, no empty promises, just good research from Sonatype to the patching function and deep dive static analysis from Fortify.

Integrated Software Bill of Materials (SBoM) into DevSecOps

Discover what is Software Bill of Materials (SBoM) and why it's so important as part of your security testing plans.

Learn how to threat model using an interactive board game

The technique of threat modeling is often intimidating to engineers with little or no security experience. Using the open-source board game, I've developed technical and non-technical individuals to explore the concepts of threat modeling without worrying about the detail behind learning the techniques. Players learn about the hacker mindset, gain an understanding of value, and begin to dig into defense in depth using the risk control residual risk methodology. All this before even knowing what threat modeling is. The session ends by looping back over leanings and equating them to the various threat modeling competencies.

Bringing Fuzz Testing to the Mainstream

Fuzz testing is useful for finding flaws that other security and quality testing methods cannot. But it's been challenging to use. See how GitLab is integrating this powerful technology as an automated byproduct of your CI pipeline.

How to build DevSecOps Pipeline as Code!

You've heard the hype and read dozens of blog posts on DevSecOps. Finally, your organization has decided to make this cultural shift to take advantage of automation and the benefits of DevOps. However, making this shift as an engineering team can often be cumbersome because many tech professionals are still unfamiliar with the technologies required to implement a complete DevOps pipeline, let alone one that includes security automation as well. In this talk, I will introduce Microcosm, a miniature, secure DevOps pipeline we developed at the SEI available through infrastructure as code. Microcosm represents a miniature version of a secure DevOps pipeline compared to what you find in a large, enterprise environment. In this talk, I will go through crucial principles DevSecOps pipeline and share our lesson learned examples with the Security community.

Security in your pocket; Android application security for beginners

In this session, we'll be doing a practical example of how we can analyze Android applications for vulnerabilities and the tools that are available to help us. We'll be going beyond vulnerability scanners and looking at how we can manually test for common security issues, including one that won me a not-insignificant amount of money in bug bounties and another that let me see all the user details for an "adult" virtual reality application.

Attacking AI with Adversarial Inputs and How to Defend against It!

AI models are vulnerable to subtle adversarial disturbances applied to the inputs. These adversarial disturbances, though not noticeable to the human eye, can easily mislead the AI. In this talk, we cover this phenomenon and briefly describe Modzy’s unique solution for defending against adversarial attacks.

Teach Yourself Penetration Testing: A hands on walkthrough of the Capsulecorp-pentest environment

A hands-on walkthrough of the Capsulecorp-pentest environment. Discover a quick way to stand up a test environment for conducting an internal network penetration test that you can practice your security testing skills against.

Developing a Security Test Methodology