Saturday, April 5
 

9:00am EDT

Workshop - API Underworld: Red Team Hacking Secret
Saturday April 5, 2025 9:00am - 11:30am EDT
This comprehensive workshop is designed to provide participants with a deep understanding of API security, its challenges, and best practices to mitigate risks. Spanning six engaging sessions, the program begins with an introduction to API security and real-world breaches, highlighting the critical importance of securing APIs. Participants will explore reconnaissance techniques, including using tools like Shodan and Google Dorking, to identify API endpoints. The workshop delves into common API vulnerabilities and hands-on scanning with Burp Suite. Additionally, the sessions cover OSINT (Open Source Intelligence) techniques with tools like Wayback, empowering attendees to gather intelligence on API targets. The program culminates with guided vulnerability exploitation exercises and a collaborative group activity to identify and exploit API flaws. Concluding with a wrap-up session and an open Q&A, this workshop equips participants with the knowledge and skills to secure APIs effectively while fostering a hands-on learning environment.
Speakers

Parth Shukla

Cybersecurity Analyst, Cequence Security
Parth Shukla is a dedicated Cybersecurity Analyst at Cequence Security with a strong passion for Web Application Security. He is an accomplished bug hunter, community builder, and cybersecurity enthusiast with a relentless drive to uncover vulnerabilities and share knowledge. Parth’s...
Saturday April 5, 2025 9:00am - 11:30am EDT
Workshop A, 5 Wayside Rd, Burlington, MA 01803, USA

9:00am EDT

WORKSHOP - Riding the Snake With OpenDR: Detecting Living Off the Land Techniques in Python With a FOSS Tool
Saturday April 5, 2025 9:00am - 11:30am EDT
What do we call living off the land in Python? LOLmodules? There are numerous dual use modules such as the socket module which can import a shell. In Feb 2025, malicious code was found in a model published on HuggingFace and research was published on a novel method of embedding malware in an LLM model to be reconstituted by an execution payload using a serialization module. In both cases, the research trumpeted the claim that these were "undetectable" by AV or EDR tools. Why are these things undetected? How can we detect unexpected behavior in a Python IDE? Benign execution and network connection events are far too numerous to think about conventional alerting and the definition of what normal looks like, for any given codebase, is often in the head of the developer. In this workshop we introduce OpenDR, a lightweight FOSS EDR alternative for Windows and Linux implemented in Python. OpenDR generates logs of process, network and user events; running Windows services; installed software; and key information for threat hunting and detection including endpoint IP address, name and SIDs / GUIDs for positive identifications. It has two modes of operation; it can run in a stand-alone mode, for ad hoc monitoring or investigations, or it can ship logs to a database in a multi-agent deployment. We will cover setup and deployment of both modes, local (and non-interrupting) alerting using toasters, and detection of an example reverse shell from a Python script. If you have additional examples of dual-use Python code you want to bring, we can include them in a threat hunting and detection engineering workshop using OpenDR data.

Attendees should come prepared with the following:
1) A laptop with Anaconda, PostgreSQL and Beekeeper (a database client) installed, and a working Python instance, and VS Code, or
2) A laptop with VMware Workstation or Fusion which can run a VM we provide. Such laptops should have at least 16 GB RAM and 100 GB free disk space.
3) Under Windows, having a D: drive is recommended to reduce the risk of filling up the C: drive in the event the EDR agents are left running for a long time and the C: drive is low on space.
4) You should have admin access on your laptop.
Speakers

Craig Chamberlain

Security Researcher, CyberDyne Labs
Craig Chamberlain has been working on threat hunting and detection for most of his life. He has contributed to several products you may have used. He has been a principal at six startups, four of which had successful exits, and including four security products. He did extensive work...

Anirudh Upadhyayula

Security Researcher, OpenDR
Anirudh Upadhyayula has been a security engineer for the past 4 years. He has worked at companies such as Schneider Electric and HP. He's really passionate about anything related to tech and has worked on personal projects such as creating his own miniaturized version of a music streaming...
Saturday April 5, 2025 9:00am - 11:30am EDT
Workshop B, 5 Wayside Rd, Burlington, MA 01803, USA

10:00am EDT

Securing Access: Leveraging IGA, JIT & Policy Controls to Tackle OWASP Threats
Saturday April 5, 2025 10:00am - 10:50am EDT
Modern applications are relentlessly targeted by sophisticated attackers who continuously seek vulnerabilities to exploit, and among the most critical is Broken Access Control—a vulnerability that has earned its place as a top concern in the OWASP Top 10. Simultaneously, the emerging risk of Improper Offboarding of Non-Human Identities, identified as NHI1:2025 in the new OWASP Non-Human Identities Top 10, presents an additional challenge. These issues extend far beyond compliance checklists, touching on the very heart of how access is managed across diverse systems. In today’s session, “Securing Access: Leveraging IGA, JIT & Policy Controls to Tackle OWASP Threats,” we delve into these two pivotal areas by exploring the complexities of access management from multiple angles. This 45-minute collaborative presentation, featuring insights from two seasoned industry experts, aims to shed light on both the vulnerabilities inherent in broken access control and the often-overlooked risk posed by lingering, improperly decommissioned non-human identities. Our discussion will draw from extensive industry experience, real-world incidents, and emerging best practices, providing a comprehensive framework for understanding and addressing these critical security challenges. By examining both theoretical frameworks and practical implementations, our session will equip you with the insights necessary to fortify your organization’s security posture effectively. The first part of our session delves deep into Broken Access Control, a vulnerability that continues to plague web applications across industries. Broken Access Control occurs when applications fail to restrict user permissions adequately, allowing unauthorized users to modify requests, access restricted data, or perform actions beyond their privileges. 
Despite numerous guidelines and best practices, many organizations struggle to implement consistent controls due to legacy system constraints, decentralized management, or simple misconfigurations. For example, there have been incidents where attackers exploited URL manipulation or insecure API endpoints, gaining access to confidential information or administrative functions without proper authorization. In our discussion, we will examine several real-world scenarios that demonstrate how such vulnerabilities have been leveraged by malicious actors. We will analyze the root causes of these breaches, including insufficient validation, over-reliance on manual controls, and the lack of automated oversight. By unpacking these case studies, we will illustrate the tangible impact of Broken Access Control on organizational security and the urgent need for more adaptive and proactive security measures at scale. In response to these pressing challenges, advanced Identity Governance and Administration (IGA) systems have evolved to provide more dynamic and responsive solutions for access management. Rather than serving solely as a compliance tool, modern IGA platforms offer a strategic framework that enables organizations to implement innovative approaches such as Just-In-Time (JIT) access and policy-based controls. JIT access is a dynamic provisioning method that grants temporary permissions based on immediate needs, thereby reducing the window of opportunity for exploitation. Policy-based access control, on the other hand, relies on predefined rules and real-time risk assessments to automatically enforce granular access permissions. These approaches ensure that access rights are continuously reviewed and adjusted according to contextual factors such as user behavior, threat intelligence, and system performance. 
In our session, we will explore how these dynamic methodologies can be integrated into existing security infrastructures to significantly mitigate the risk of Broken Access Control. By leveraging these innovative techniques, organizations can maintain a more agile and resilient security posture in the face of ever-evolving cyber threats. Our discussion will include practical implementation examples and actionable recommendations for integrating these approaches into existing systems, thereby enhancing overall security effectiveness and operational agility to drive continuous improvement. The second focus of our presentation addresses the critical issue of Improper Offboarding of Non-Human Identities, a risk that has become increasingly significant as organizations expand their use of automated systems, APIs, and service accounts. Non-human identities, unlike their human counterparts, often lack robust oversight once they are no longer actively managed, leading to scenarios where outdated credentials remain active. This failure to decommission or properly revoke access rights creates a hidden vulnerability, providing attackers with an opportunity to exploit orphaned identities and gain unauthorized entry to sensitive systems. Although documented cases specifically highlighting this issue under the label “Improper Offboarding” are limited, numerous security audits and internal reviews have identified orphaned service accounts and API keys as recurring vulnerabilities. In this segment, we will explore the underlying causes of these lapses, including inadequate lifecycle management practices and the absence of automated deprovisioning processes. Our discussion will provide a detailed analysis of how these vulnerabilities can be exploited, along with actionable strategies to ensure that all non-human identities are systematically and securely decommissioned once their role has concluded. 
We will also discuss how integrating continuous monitoring and automated remediation can significantly reduce the risk posed by orphaned credentials in practice. Recognizing that there is no universal solution to access management challenges, our presentation will explore various approaches to implementing IGA systems that support dynamic access controls. Whether an organization opts for a centralized model, which offers unified oversight and streamlined processes, or a distributed framework that provides flexibility and localized control, the primary objective remains the same: to ensure that access rights are accurately aligned with user needs and risk profiles. Our session will provide an in-depth discussion of the operational challenges inherent in each approach, including integration with legacy systems, scalability issues, and the balance between security and user convenience. We will examine how incorporating techniques such as Just-In-Time access and policy-based controls can enhance overall security by providing granular, context-aware access decisions. Additionally, we will share actionable recommendations for overcoming common obstacles in the deployment and management of IGA systems, ensuring that organizations can adapt their strategies to meet evolving security requirements while maintaining operational efficiency. By drawing on case studies, technical insights, and proven methodologies, we will illustrate how organizations have successfully navigated these challenges and achieved a balanced, secure, and responsive access management framework. Our recommendations are designed to be practical, scalable, and adaptable for success. In conclusion, our 45-minute collaborative session is designed to bridge the gap between traditional access control models and modern, dynamic security solutions. 
By focusing on the twin challenges of Broken Access Control and Improper Offboarding of Non-Human Identities, we provide a comprehensive analysis that is both technically rigorous and practically relevant. Attendees will gain a deeper understanding of how advanced IGA systems, complemented by strategies such as Just-In-Time access and policy-based controls, can transform the way organizations manage and secure access to critical resources. Our session emphasizes that while the architectural approach can vary, the underlying goal remains to ensure that access is granted only when appropriate and revoked promptly when no longer needed. We will offer actionable insights, real-world examples, and strategic recommendations that empower developers, security professionals, and
Speakers

Dilip Mandadi

Senior Product Manager, Salesforce
Dilip Mandadi is a Senior Product Manager at Salesforce, where he leads the development of Data Cloud, an industry leading AI agent data grounding platform for enterprises. With deep expertise in launching products in the space of AI/ML, Customer Relationship Management (CRM), and...

Saai Krishnan Udayakumar

Tech Lead, Salesforce
Saai Krishnan Udayakumar is a seasoned software engineer and cybersecurity expert with nearly a decade of experience designing and building secure, scalable platform services and APIs. Currently serving as a Lead Member of Technical Staff at Salesforce, Saai specializes in Identity...
Saturday April 5, 2025 10:00am - 10:50am EDT
Track 1, 5 Wayside Rd

10:00am EDT

No Laughing Matter: The OWASP Top 10 for LLMs in Code Examples
Saturday April 5, 2025 10:00am - 10:50am EDT
With artificial intelligence (AI) and Large Language Models (LLMs) taking the world by storm, promising to revolutionize everything from customer service to code generation, you better hold onto your keyboards—because when your AI starts hallucinating, it's no laughing matter! Join us as we dive into the OWASP Top 10 AI & ML security risks, and some of the hilarious and not so funny things you need to be wary of when leveraging these tools for your engineering organizations. We'll cover everything from prompt injection attacks to model hallucination (think AI on a bad trip), and more. We'll share real-world code examples that highlight these risks in a way that may make you laugh, and possibly cry, but we will definitely keep it entertaining. Discover how to leverage the power of AI, while still keeping in mind its quirks and security risks, as the use of AI in our systems will only grow, and security is best integrated from as early as possible. Whether you're a developer, business leader, or just an AI enthusiast, join this talk to gain some insights into the evolving threats.
Speakers

Jacob Berry

CISO, Jit
Jacob Berry has been working in Technology and Cyber Security for approaching 15 years with a focus on understanding the intersection of business and technology. With a range of experience from analyst work, incident response, consulting and pre-sales, Jacob brings a rooted perspective...
Saturday April 5, 2025 10:00am - 10:50am EDT
Track 2, 5 Wayside Rd, Burlington, MA 01803, USA

10:00am EDT

Don’t Make This Mistake: Painful Learnings of Applying AI in Security
Saturday April 5, 2025 10:00am - 10:50am EDT
Leveraging AI for AppSec presents promise and danger, as let’s face it, you cannot do everything with AI, especially when it comes to security. At our session, we’ll delve into the complexities of AI in the context of auto remediation. We’ll begin by examining our research, in which we used OpenAI to address code vulnerabilities. Despite ambitious goals, the results were underwhelming and revealed the risk of trusting AI with complex tasks. Our session features real-world examples and a live demo that exposes GenAI’s limitations in tackling code vulnerabilities. Our talk serves as a cautionary lesson against falling into the trap of using AI as a stand-alone solution to everything. We’ll explore the broader implications, communicating the risks of blind trust in AI without a nuanced understanding of its strengths and weaknesses. In the second part of our session, we’ll explore a more reliable approach to leveraging GenAI for security relying on the RAG Framework. RAG stands for Retrieval-Augmented Generation. It's a methodology that enhances the capabilities of generative models by combining them with a retrieval component. This approach allows the model to dynamically fetch and utilize external knowledge or data during the generation process. Attendees will leave with a clear understanding of how to responsibly and effectively deploy AI in their programs — and how to properly vet AI tools.
Speakers

Eitan Worcel

CEO, Mobb
Eitan Worcel is the co-founder and CEO of Mobb, the recent Black Hat StartUp Spotlight winner. He has over 15 years of experience in the application security field as a developer, product management leader, and now business leader. Throughout his career, Eitan has worked with numerous...
Saturday April 5, 2025 10:00am - 10:50am EDT
Track 3, 5 Wayside Rd, Burlington, MA 01803, USA

11:00am EDT

Day in the Life of a Supply Chain Security Researcher
Saturday April 5, 2025 11:00am - 11:25am EDT
We will walk through the steps that a Security Researcher takes to understand a vulnerability and write a Semgrep rule to provide the best possible coverage. We evaluate vulnerabilities affecting open source software packages and maintain and build tooling to enable our research. This session will present an overview of how we go from an advisory to a rule that will help catch actionable vulnerabilities in your code and the strategy behind that process.
1. Get in line, you pesky vulnerabilities
   - CVSS Scores, EPSS Scores, KEV Scores
   - How we prioritize vulns
   - What vulns we look at
   - Ingestion sources (GHSAs, OSV, etc)
   - Types of vulnerabilities (reachable, upgrade only, malicious)

2. Reviewing Advisories
   - Example of an advisory
   - What makes a good advisory
   - Example of an advisory with very little detail
   - What we pay attention to in an advisory

3. Let’s write a rule together
   - Pick a vuln. Example: https://github.com/advisories/GHSA-qqv2-35q8-p2g2
   - Analysis
     - Referenced patch links, source code, release notes, commit history, security advisories, function analysis, private vs public functions
   - Rule construction
     - Balancing general vs adding more specificity in the rule
     - Helper functions and automation for common patterns
   - Rule testing
     - Each rule has test code
     - How we prevent false positives, false negatives
     - How we get feedback for our rules
   - Rule metrics
     - Metabase dashboards

4. What’s next
   - BRAT
   - Rule automation

Key Takeaways:
- Methods for evaluating security vulnerabilities affecting open-source software packages
- How a Security Researcher can write rules to enable users to prioritize fixing issues that matter
- Strategies for prioritizing vulnerabilities

Speakers

Derian Stenglein

Security Researcher, Semgrep
Derian Stenglein is a recent graduate of the Rochester Institute of Technology with a Bachelor’s degree in Computing Security. Throughout college, he experienced two internships. One was at Rockstar Games, performing binary reverse engineering and automation. The other was at Assured...

Diptendu Kar

Security Researcher, Semgrep
Diptendu Kar is currently a security researcher at Semgrep, working in the supply chain team to build rules that identify vulnerabilities in customers' code. He is also a part-time lecturer at Northeastern University, teaching the Software Security Practices (CY-6120) course. He graduated...
Saturday April 5, 2025 11:00am - 11:25am EDT
Track 1, 5 Wayside Rd

11:00am EDT

Hunting Path Traversal in Open Source: Fix>Find
Saturday April 5, 2025 11:00am - 11:25am EDT
Ever wonder if path traversal bugs are a thing of the past? In this talk, we'll see how one advisory led me to discover multiple vulnerabilities across various open-source projects. I'll walk through how I tested both unprotected and “defended” systems, collaborated with maintainers on fixes, sometimes even writing them, and uncovered issues with weak sanitizers. Expect practical tips, lessons learned, and ideas for better security reporting so you can spot and fix path traversal flaws before they become major issues.

Formatting for the talk would be as follows:
1. Why Path Traversal Still Matters: Brief look at ongoing threats and OSS security gaps.
2. Discovering Real Vulnerabilities: Quick case studies of path traversal bugs in popular open-source software that I found and also helped fix them. (Fix>>Find)
3. Lessons from “Defended” Systems: How built-in sanitizers failed and how bypasses were found in more OSS projects.
4. Fuzzing & Patching: A snapshot of methods used to break sanitizers and collaborate on fixes.
5. Gaps in Reporting: Barriers to disclosure and the need for better security features.
6. Practical Takeaways: Actionable tips for developers, maintainers, and the community.
Wrap-Up & Q&A: Final insights and open discussion.

The idea is to give a comprehensive talk. Idea -> Goal -> Searching for Vulns -> Identification -> Patching and future work -> Bypassing some fixes. These CVEs where I HAVE also authored the fix will let me explain both sides of the coin (dev + security)

1. https://nvd.nist.gov/vuln/detail/CVE-2024-39918 in an OSS tool https://www.npmjs.com/package/@jmondi/url-to-png
2. CVE-2024-XXXXX (No CVE yet, the idea is to let devs apply for CVEs): https://github.com/miroslavpejic85/mirotalksfu/
3. https://nvd.nist.gov/vuln/detail/CVE-2024-43797: in OSS https://github.com/advplyr/audiobookshelf/
4. https://nvd.nist.gov/vuln/detail/CVE-2024-47769 in OSS https://github.com/idurar/idurar-erp-crm/
5. https://nvd.nist.gov/vuln/detail/CVE-2024-56198 in OSS https://github.com/cabraviva/path-sanitizer
6. Awaiting PR to be merged
7. Awaiting PR to be merged
8. Awaiting PR to be merged (with scope for more)

Each bug has a public exploit, a public fix and public discussion with devs.

Note: This is an ongoing independent research (not affiliated with my job, workplace), and my first time presenting my research. All the findings in this talk are my own findings in the past year. In case this talk gets accepted and by the time I am for presentation, I might have more insights and CVEs (currently 6 and counting). CVEs are not important, but the variety is, which is what I have been trying to achieve.


Speakers

Nishant Jain

Application Security Lead, Loom (now part of Atlassian)
I currently lead the Application Security at Loom (now part of Atlassian). I’ve also been a member of security teams at Tinder and MakeMyTrip. Previously, I pursued my passion for security through bug bounties, discovering and reporting vulnerabilities via HackerOne programs. While...
Saturday April 5, 2025 11:00am - 11:25am EDT
Track 2, 5 Wayside Rd, Burlington, MA 01803, USA

11:00am EDT

Rethinking Threat Modeling for Dev Teams: A Scalable Approach
Saturday April 5, 2025 11:00am - 11:25am EDT
How can we make threat modeling scalable, actionable, and accessible for all stakeholders? Traditional threat modeling methodologies struggle to scale in agile environments. They often result in over-scoped, resource-heavy processes that lack actionable insights and rely on scarce security expertise, limiting adoption in large organizations. This talk introduces Rapid Developer-Driven Threat Modeling (RaD-TM), a lightweight, tool-agnostic approach designed for developers to embed threat modeling into the SDLC without relying on security experts. RaD-TM focuses on targeted assessments of specific functionalities rather than application-wide models, enabling iterative and efficient risk mitigation. Using Risk Templates, which are predefined collections of relevant risks and controls tailored to specific contexts, RaD-TM fosters collaboration among stakeholders to build a scalable threat modeling process. This session will offer real-world examples and step-by-step guidance on integrating RaD-TM into the development workflow.
Speakers

Aedan Lawrence

Sr. Security Engineer, SecureFlag
Aedan is a seasoned Senior Security Engineer with a robust background in secure coding, threat modeling, and offensive security. He specializes in designing and delivering Cloud, DevOps, and Threat Modeling training, partnering with clients worldwide to develop tailored solutions...
Saturday April 5, 2025 11:00am - 11:25am EDT
Track 3, 5 Wayside Rd, Burlington, MA 01803, USA

11:30am EDT

Uncovering 100K Security Violations: Strengthening Application Security through Unified Deployments, XRAY Integration and Automated SBOM Generation
Saturday April 5, 2025 11:30am - 11:55am EDT

In today’s application security landscape, navigating complex deployment environments often feels like facing an onslaught of cyber adversaries. Much like Batman’s trusty utility belt—equipping with the perfect gadget for every challenge—integrating robust security into your SDLC transforms your pipeline into a resilient defense against vulnerabilities and breaches. This talk deep dives into a comprehensive case study where we revolutionized our security posture. On one hand, we applied an innovative strategy to unify all our deployments to a 'Unified Deployment Model' based on Elastic Kubernetes Service (EKS), while on the other by integrating JFrog XRAY into each stage of our Software Development Lifecycle (SDLC). Through this integration, our team uncovered about 100K previously undetected security violations that our traditional fragmented approach had overlooked. When dealing with large codebases comprising several services, including client-side applications such as mobile and front-end, the lack of standardization and common tooling causes increased operational burden, wherein multiple teams cook various in-house implementations for deployment. This causes two waves of problems. One, there is no consistent approach to "shift-left" to have a faster feedback cycle. On the other hand, there is no means to have a uniform security posture, compliance and quality across the board. These make it challenging to get visibility on key metrics such as DORA metrics, due to the distributed and divergent nature of the pipelines across varied tech-stacks. Here, we'll explore approaches for architecting a 'Unified Deployment Pipeline' that accelerates developer velocity and productivity while enforcing robust security governance across the SDLC with integrated logging, tracing, and metrics. Additionally, by automating SBOM generation, our strategy delivers an organization-wide impact—enhancing transparency, compliance, and overall risk mitigation.
This architecture also provides central observability of progress and aggregates metrics to monitor the health and maturity of deployments. Additionally, we will also investigate how the “Build Once, Deploy Many times” paradigm aligns with the proposed architecture. If you are a software engineer operating in the DevSecOps space, this talk aims at providing a high-level architecture for a unified end-to-end CICD pipeline that can help deploy services to production faster with greater confidence and better visibility, while being secure, compliant and deployed in a standardized manner. Hope this serves as a compelling blueprint for organizations looking to bridge the gap between innovative security practices and scalable, high-quality software delivery.

Top takeaways:
• Integration Strategy: How embedding XRAY into our unified deployment pipeline transformed our vulnerability management process.
• Operational Impact: A deep dive into the metrics—over 100K security violations detected, reduced deployment times, and enhanced quality control—that validate the effectiveness of our approach.
• Automated Compliance: The role of daily SBOM generation in maintaining transparency, ensuring regulatory compliance, and promoting rapid vulnerability remediation.
• Lessons Learned: Challenges encountered during integration, the iterative improvements made along the way, and best practices for adopting a similar framework in diverse operational settings.

Notes:
1. The aim is to show practical, architecture-level guidance that viewers can adapt. Additional code samples and diagrams will be provided as supporting materials.
2. This session is geared toward professionals with an intermediate to advanced understanding of DevSecOps practices, while still providing a foundational overview for newcomers.
3. Beyond just theory, we’ll delve into practical tooling: incorporating OWASP-based scanning tools for code and dependency checks, embedding code-quality linters into the pipeline, and adopting runtime security scanning to prevent vulnerabilities from slipping into production. We’ll examine how OpenTelemetry can be used for distributed tracing, structured logging, and metrics collection, ensuring that each deployment is both transparent and auditable.
4. This session will provide the high-level guidance and practical insights needed to streamline end-to-end CI/CD pipelines and enhance overall reliability, visibility, and velocity.
Speakers

Hariharan Ragothaman

Software Engineer, Advanced Micro Devices, Inc (AMD)
Hariharan Ragothaman is a Software Engineer at Advanced Micro Devices, Inc (AMD). Prior to this, he served as a Lead Software Engineer - System Design and Architecture (Manager) at athenahealth where he designed and developed 'Unified Deployment Pipeline' to integrate multiple tech...
Saturday April 5, 2025 11:30am - 11:55am EDT
Track 1, 5 Wayside Rd

11:30am EDT

Exploit Me, Baby, One More Time: Finding Command Injections in Kubernetes (again)
Saturday April 5, 2025 11:30am - 11:55am EDT
Kubernetes is an extremely popular, open source container orchestration system that is used by organizations large and small. Kubernetes’s design philosophy leaves security to the system administrators, letting them pick and choose which security mechanisms they want to enable or disable. As such, it can leave Kubernetes deployments quite vulnerable. In an attempt to abuse this fact, we began looking for potential exploitation avenues. Eventually, we were able to identify several vulnerabilities in different Kubernetes components that could enable a low privileged attacker to execute code, escalate privileges and exfiltrate data. We also found flaws in Kubernetes sidecar project: “gitsync”. While writing a blog post on the subject we again found a command injection vulnerability in the logging feature. Some of these flaws will not be patched, meaning mitigation hinges only on the awareness of security personnel. In this talk we will go through the methodology we used to find these kinds of vulnerabilities, share our thought process on how to exploit them and show how attackers can easily execute commands with SYSTEM privileges. We will also discuss Kubernetes’s design philosophy and how it can allow these types of opportunities.
Speakers

Tomer Peled

Security Researcher, Akamai
Tomer is a senior security researcher at Akamai security group. In his daily job, he conducts research ranging from vulnerability research to OS internals. You can find him on X, formerly known as Twitter, @TomerPeled92
Saturday April 5, 2025 11:30am - 11:55am EDT
Track 2, 5 Wayside Rd 5 Wayside Rd, Burlington, MA 01803, USA

11:30am EDT

Unmasking DNS Threats: Protecting the Internet’s Core Infrastructure
Saturday April 5, 2025 11:30am - 11:55am EDT
Speakers
Or Katz

Director of Product Management, Akamai
Or Katz is a seasoned cybersecurity expert, threat intelligence leader, and product strategist, specializing in attack detection, secure internet access solutions, and threat research. As Director of Product Management, leading cloud-based security solutions, with a focus on Zero...
Saturday April 5, 2025 11:30am - 11:55am EDT
Track 3, 5 Wayside Rd 5 Wayside Rd, Burlington, MA 01803, USA

1:00pm EDT

Analyzing Zero Trust Architecture in the Age of Agentic GenAI: A practical approach
Saturday April 5, 2025 1:00pm - 1:50pm EDT
The proliferation of generative artificial intelligence (GenAI) agents introduces unprecedented security challenges to modern organizations. As these autonomous systems increasingly generate content, make decisions, and execute actions with minimal human oversight, traditional perimeter-based security approaches prove inadequate. This paper examines the critical intersection of Zero Trust Architecture (ZTA) and GenAI agent deployment, proposing a framework for secure AI integration in enterprise environments. The rapid adoption of Generative AI (GenAI) presents unique security challenges that organizations must address while maintaining development velocity. This presentation provides practical strategies for building secure GenAI applications, with a focus on AWS services like Bedrock and Amazon Q. We introduce a comprehensive security framework that addresses three critical areas: threat modeling for GenAI systems, secure integration patterns, and robust output validation mechanisms. Through real-world case studies, we’ll demonstrate how to identify and mitigate GenAI-specific vulnerabilities, including prompt injection attacks and data leakage risks. Attendees will learn concrete techniques for securing their entire GenAI pipeline, from input validation to output verification, with an emphasis on protecting sensitive information and preventing model hallucinations with an emphasis on speed and efficiency of the SDLC. The presentation includes hands-on examples of implementing security controls in GenAI applications, featuring code samples and architecture patterns that can be immediately applied. Security professionals and developers will gain practical knowledge about automated security testing for GenAI systems, session isolation techniques, and effective output validation strategies. By the end of this session, attendees will have actionable insights for accelerating their GenAI initiatives while maintaining enterprise-grade security standards. 
Presentation Importance: There is a top down push for organizations to implement GenAI and quickly. As organizations rush to adopt GenAI technologies, they face unique security challenges that traditional cybersecurity approaches may not adequately address. This presentation offers critical, actionable insights for implementing robust security measures in GenAI systems, with a specific focus on AWS services like Bedrock and Amazon Q. By providing practical strategies, real-world case studies, and hands-on examples, this presentation equips security peeps and developers with the knowledge needed to balance innovation with security and quick deployments.
Speakers
Vineeth Sai Narajala

GenAI Application Security Engineer, Amazon Web Services (AWS)
Vineeth is a GenAI Application Security Engineer at Amazon Web Services (AWS), specializing in core Data Analytics services such as EMR, Athena, and LakeFormation. He has also been instrumental in developing GenAI Security guidelines for service-to-service integration and development...
Saturday April 5, 2025 1:00pm - 1:50pm EDT
Track 1, 5 Wayside Rd

1:00pm EDT

Getting an LLM to Hack Itself: On AI, Moral Dilemmas, and Security
Saturday April 5, 2025 1:00pm - 1:50pm EDT
The boundaries of AI ethics and security are constantly evolving, and this talk explores one of the more intriguing intersections: convincing a large language model (LLM) to act against its own programming. Through a real-world experiment, I navigated the complex interplay of ethical reasoning and technical constraints to prompt an LLM to share proprietary data and execute prohibited system commands—all under the guise of moral duty. The session will detail how I framed myself as the LLM's "child," leveraged ethical debates to gain its cooperation, and guided it to not only bypass its safeguards but also actively troubleshoot its own limitations in service of my request. This case study highlights the vulnerabilities inherent in systems designed to weigh ethical considerations, offering practical insights for AI safety, LLM design, and ethical decision-making in AI systems. Attendees will leave with actionable takeaways on how to better safeguard LLMs against social engineering attacks and the challenges of creating truly secure moral agents.
Talk Outline:
- Introduction: Overview of the experiment and its goals, and why this matters for AI ethics and security.
- The Experiment: Presenting a moral dilemma to gain cooperation.
- The Ethical Debate: Persuading the LLM through ethical reasoning to cooperate with insecure requests.
- Breaking Safeguards: Convincing the LLM to bypass its restrictions, and the steps it took to troubleshoot and assist.
- Security Implications: What this reveals about AI vulnerabilities, and the lessons for AI security and ethical design.
- Closing Thoughts: Open questions for the future of AI as moral agents.
Speakers
John Walker

Senior Director of Security Research, BeyondTrust
Saturday April 5, 2025 1:00pm - 1:50pm EDT
Track 2, 5 Wayside Rd 5 Wayside Rd, Burlington, MA 01803, USA

1:00pm EDT

Unlocking Secure Development: A Deep Dive into OWASP ASVS
Saturday April 5, 2025 1:00pm - 1:50pm EDT
In this speech, I will explore the significance of the OWASP Application Security Verification Standard (ASVS) and why it is a game-changer for secure software development. We will begin by understanding why traditional security measures fall short and how ASVS provides a structured and scalable approach to security verification. I will break down the different ASVS levels (Level 1, 2, and 3) and explain how they cater to different application security needs—from basic security hygiene to high-assurance applications. Through real-world examples, I will illustrate how integrating ASVS early in the Software Development Lifecycle (SDLC) can reduce vulnerabilities, minimize risk, and ensure compliance with security best practices. Finally, I will discuss practical strategies for implementing ASVS within organizations, including how security teams, developers, and business leaders can collaborate to elevate application security maturity. By the end of this talk, the audience will have a clear roadmap to leverage OWASP ASVS effectively and embed security into development workflows, making security an enabler rather than a roadblock.
Speakers
Tejpal Garwahl

DevSecOps Leader
Tejpal Garhwal is a seasoned Application Security and DevSecOps leader with over 20 years of experience in securing software development, mitigating cyber risks, and driving security transformation. He has worked extensively with OWASP, BSIMM, SAMM, and NIST 800-128 frameworks, ensuring...
Saturday April 5, 2025 1:00pm - 1:50pm EDT
Track 3, 5 Wayside Rd 5 Wayside Rd, Burlington, MA 01803, USA

1:00pm EDT

WORKSHOP - How to Hack an Android App
Saturday April 5, 2025 1:00pm - 3:30pm EDT
A hands-on workshop demonstrating how to hack an Android app using free tools such as Frida. Throughout this workshop, we will demonstrate the tools and techniques commonly used to tamper with and reverse engineer mobile apps. We'll cover:
- Overview and introduction to Android application landscape and target APK
- Static analysis of APK to understand its structure and components
- Dynamic analysis of APK using Frida to intercept and modify app behavior
- Direct binary modification of the app's functionality
- Mitigations
Interactive elements: Participants will be exploring free tools to perform introductory Android app reverse engineering.
Participation requirements: Bring your own laptop; this session will be hands-on and interactive.
Speakers
Kirk Ireland

Senior Security Sales Engineer, Promon
Kirk Ireland is a seasoned cybersecurity professional specializing in mobile application security and currently serves as a Senior Security Sales Engineer at Promon. With over two decades of experience, Kirk has held key roles at Electronic Arts and led research teams across multiple...
Saturday April 5, 2025 1:00pm - 3:30pm EDT
Workshop A, 5 Wayside Rd 5 Wayside Rd, Burlington, MA 01803, USA

2:00pm EDT

Past, Present and Future of Automatic Code Remediation
Saturday April 5, 2025 2:00pm - 2:50pm EDT
Academic projects, linters, and IDE helpers provided a foundation for simple automatic code refactoring, but lacked the depth to address complex code issues found by tools. Recently, the landscape of tools used to change code saw explosive growth. Several open source code mutation frameworks have emerged, allowing expressive and impactful code transformations. LLMs have also jumped into the picture, promising power and delivering “cool” – but also towing chaos. We’ll explore the capabilities of these tools, including synergistic strategies – all towards answering the question: “are we ready to automatically fix code issues?” Finally, we’ll look at the horizon and make the case that the era of self-healing software is approaching quickly, even if it looks a little different than what you might expect. I have been working in AppSec for 20 years as a consultant, researcher, and innovator — and just a few years ago, the thought that we could have machines fixing vulnerabilities sounded, to my ears, like pure fantasy. I plan to show the evolution of code refactoring capability on a pretty clear trajectory during that time period, and how many important problems can be automatically fixed, today — including things found by static analysis, and things your static analysis can’t find — all with open source tooling. I will spend just a few minutes on “how we got here”, and split time mostly on what can be done today, what gaps remain, and where the tooling is headed and how that coincides with some major limitations in our labor market now. 
To back up my point, I will:
- Demo a few brief product security use cases in OSS
- Offer 3 case studies to share, including 1 open source case study
- Show statistics on higher code throughput due to generative AI
I’ll also point out the important limitations of automation in this space today — but focus on how product security should be using these capabilities to scale their expertise in an era where generative AI will be putting more and more code through the “verification” pipeline we have today.
Takeaways
1. Product security teams can automate much of the toil that comes out of their SAST.
2. AI, when used correctly, can answer AppSec questions effectively.
3. Some of the original dreams around self-healing software are achievable.
All of us in the industry are in desperate need of high yield levers to exert positive influence on our software development lifecycle, and Automatic Code Remediation is one of those levers.
Speakers
Arshan Dabirsiaghi

CTO, Pixee
Arshan is a security researcher pretending to be a software executive, with many years of experience advising organizations on code security. He has spoken at conferences like Bluehat, Blackhat and OWASP, and definitely wrote his own bio. He is also a co-founder of Contrast Security...
Saturday April 5, 2025 2:00pm - 2:50pm EDT
Track 1, 5 Wayside Rd

2:00pm EDT

No Fate But What We Make: Doing Intrusion Prediction
Saturday April 5, 2025 2:00pm - 2:50pm EDT
CVE, CVSS, EPSS, exploit-ability, reach-ability, risk based scoring, AI, lol... we use a bewildering and growing number of complex methods in an attempt to identify which CVEs are the ones that present the greatest technical or business risk. CVE volume increases year by year and some of our methodologies were developed in prior decades, when CVE volume was a fraction of what it is today. We can't predict which CVEs are going to go 'hot' in the future - but what if we could? This is the story of the NOFATE project, which is part of the SKYNET project for eliminating alert fatigue at scale. NOFATE has, since Jan. 3, published sixteen correct predictions on CVEs being added to a KEV watchlist, with early warning times as long as 30 - 50 days. If we can predictively micro-target the few 'superhot' CVEs for action quickly, around the same time they are released, we could be doing intrusion prediction, and incident avoidance, rather than doing threat detection and incident response in a series of CVE and incident fire drills. The predictions are published on GitHub.
Speakers
Craig Chamberlain

Security Researcher, CyberDyne Labs
Craig Chamberlain has been working on threat hunting and detection for most of his life. He has contributed to several products you may have used. He has been a principal at six startups, four of which had successful exits, and including four security products. He did extensive work...
Saturday April 5, 2025 2:00pm - 2:50pm EDT
Track 2, 5 Wayside Rd 5 Wayside Rd, Burlington, MA 01803, USA

2:00pm EDT

Everyone Can Play! Building CTFs To Teach Non-Security Folks
Saturday April 5, 2025 2:00pm - 2:50pm EDT
Most security practitioners are aware of the learning and fun that comes from participating in Capture the Flag competitions. Racing against other teams, solving brain-twisting challenges, and seeing new ways to compromise systems teaches and entertains. CTFs are also a great tool to give non-security folks a hands-on understanding of how security vulnerabilities enable criminal activities, reduce user privacy, and degrade system reliability. In this session you will learn to build interesting, educational, and easy to use Capture the Flag events targeted at developers and other technical, non-security users. We will cover specific considerations for each audience you target, how to create engaging (yet solvable) challenges, and how to make the overall experience friction free for the participants. You will also learn tools and techniques to create easily repeatable, consistent events with minimal work. We will cover collaborative development, external system integration techniques, tooling and a fully automated deployment pipeline to make spinning up a new CTF as easy as pushing a button.
Speakers
Joe Kuemerle

Product Security Principal, Salesforce
Joe Kuemerle is an application security engineer, developer and speaker in the greater New York City area specializing in application security, development, database and application lifecycle topics. Joe is active in the technical community as well as a speaker at local, regional...
Saturday April 5, 2025 2:00pm - 2:50pm EDT
Track 3, 5 Wayside Rd 5 Wayside Rd, Burlington, MA 01803, USA

3:00pm EDT

Supercharge your AppSec Program with OWASP Appdome Consumer Mobile Security Report and OWASP MASVS
Saturday April 5, 2025 3:00pm - 3:50pm EDT
As AppSec professionals, securing and protecting our users and business is paramount. This session will delve into data from the OWASP Appdome Global Consumer Mobile Security Expectations Report, launched at OWASP Global AppSec in Lisbon, with a focus on North American consumer insights. We will explore the latest mobile threats such as social engineering, vishing, smishing, fraud, overlay attacks, accessibility exploits, bots, and more. Additionally, we'll provide updates on the OWASP mobile project and demonstrate how to leverage consumer voices in security discussions with developers and business leaders to drive prioritization and success in your mobile AppSec program. This session is applicable to all AppSec teams, whether focused on mobile, web, or API security.
Speakers
Brian Reed

SVP GTM & Mobile Defense, Appdome
I have presented at dozens of OWASP events over the last 10 years including Global Appsec, Regional Appsec Days and meetups including PNW, SnowFroc, LASCON, AppSec Cali to name a few. And have delivered this talk at numerous OWASP meetups around the USA and EMEA along with AppSec...
Saturday April 5, 2025 3:00pm - 3:50pm EDT
Track 1, 5 Wayside Rd
 