Saturday, April 5
 

10:00am EDT

Securing Access: Leveraging IGA, JIT & Policy Controls to Tackle OWASP Threats
Saturday April 5, 2025 10:00am - 10:50am EDT
Modern applications are relentlessly targeted by sophisticated attackers who continuously seek vulnerabilities to exploit, and among the most critical is Broken Access Control, a vulnerability that has earned its place as a top concern in the OWASP Top 10. Simultaneously, the emerging risk of Improper Offboarding of Non-Human Identities, identified as NHI1:2025 in the new OWASP Non-Human Identities Top 10, presents an additional challenge. These issues extend far beyond compliance checklists, touching the very heart of how access is managed across diverse systems.

In this session, “Securing Access: Leveraging IGA, JIT & Policy Controls to Tackle OWASP Threats,” we delve into these two pivotal areas by exploring the complexities of access management from multiple angles. This 45-minute collaborative presentation, featuring insights from two seasoned industry experts, aims to shed light on both the vulnerabilities inherent in broken access control and the often-overlooked risk posed by lingering, improperly decommissioned non-human identities. Our discussion draws on extensive industry experience, real-world incidents, and emerging best practices to provide a comprehensive framework for understanding and addressing these security challenges. By examining both theoretical frameworks and practical implementations, the session will equip you with the insights necessary to fortify your organization’s security posture.

The first part of the session examines Broken Access Control, a vulnerability that continues to plague web applications across industries. Broken Access Control occurs when applications fail to restrict user permissions adequately, allowing unauthorized users to modify requests, access restricted data, or perform actions beyond their privileges. Despite numerous guidelines and best practices, many organizations struggle to implement consistent controls due to legacy system constraints, decentralized management, or simple misconfigurations. For example, there have been incidents where attackers exploited URL manipulation or insecure API endpoints to gain access to confidential information or administrative functions without proper authorization. We will examine several real-world scenarios that demonstrate how such vulnerabilities have been leveraged by malicious actors and analyze the root causes of these breaches, including insufficient validation, over-reliance on manual controls, and the lack of automated oversight. By unpacking these case studies, we will illustrate the tangible impact of Broken Access Control on organizational security and the urgent need for more adaptive and proactive security measures.

In response to these challenges, Identity Governance and Administration (IGA) systems have evolved to provide more dynamic and responsive solutions for access management. Rather than serving solely as a compliance tool, modern IGA platforms offer a strategic framework for implementing approaches such as Just-In-Time (JIT) access and policy-based controls. JIT access is a dynamic provisioning method that grants temporary permissions based on immediate need, reducing the window of opportunity for exploitation. Policy-based access control relies on predefined rules and real-time risk assessments to automatically enforce granular access permissions. Together, these approaches ensure that access rights are continuously reviewed and adjusted according to contextual factors such as user behavior, threat intelligence, and system performance. We will explore how these methodologies can be integrated into existing security infrastructures to significantly mitigate the risk of Broken Access Control, helping organizations maintain a more agile and resilient security posture in the face of evolving threats. The discussion will include practical implementation examples and actionable recommendations for integrating these approaches into existing systems.

The second focus of the presentation is Improper Offboarding of Non-Human Identities, a risk that has become increasingly significant as organizations expand their use of automated systems, APIs, and service accounts. Non-human identities, unlike their human counterparts, often lack robust oversight once they are no longer actively managed, leaving outdated credentials active. This failure to decommission or revoke access rights creates a hidden vulnerability, giving attackers an opportunity to exploit orphaned identities and gain unauthorized entry to sensitive systems. Although documented cases specifically labeled “Improper Offboarding” are limited, numerous security audits and internal reviews have identified orphaned service accounts and API keys as recurring vulnerabilities. In this segment, we will explore the underlying causes of these lapses, including inadequate lifecycle management and the absence of automated deprovisioning, analyze how these vulnerabilities can be exploited, and offer actionable strategies to ensure that all non-human identities are systematically and securely decommissioned once their role has concluded. We will also discuss how continuous monitoring and automated remediation can significantly reduce the risk posed by orphaned credentials in practice.

Recognizing that there is no universal solution to access management challenges, the presentation will explore various approaches to implementing IGA systems that support dynamic access controls. Whether an organization opts for a centralized model, which offers unified oversight and streamlined processes, or a distributed framework that provides flexibility and localized control, the primary objective remains the same: to ensure that access rights are accurately aligned with user needs and risk profiles. We will discuss the operational challenges inherent in each approach, including integration with legacy systems, scalability, and the balance between security and user convenience, and examine how Just-In-Time access and policy-based controls provide granular, context-aware access decisions. We will also share actionable recommendations for overcoming common obstacles in deploying and managing IGA systems, so that organizations can adapt their strategies to evolving security requirements while maintaining operational efficiency. Drawing on case studies, technical insights, and proven methodologies, we will illustrate how organizations have successfully navigated these challenges and achieved a balanced, secure, and responsive access management framework. Our recommendations are designed to be practical, scalable, and adaptable.

In conclusion, this 45-minute collaborative session is designed to bridge the gap between traditional access control models and modern, dynamic security solutions. By focusing on the twin challenges of Broken Access Control and Improper Offboarding of Non-Human Identities, we provide an analysis that is both technically rigorous and practically relevant. Attendees will gain a deeper understanding of how advanced IGA systems, complemented by strategies such as Just-In-Time access and policy-based controls, can transform the way organizations manage and secure access to critical resources. While the architectural approach can vary, the underlying goal remains to ensure that access is granted only when appropriate and revoked promptly when no longer needed. We will offer actionable insights, real-world examples, and strategic recommendations that empower developers, security professionals, and
Speakers
Dilip Mandadi

Senior Product Manager, Salesforce
Dilip Mandadi is a Senior Product Manager at Salesforce, where he leads the development of Data Cloud, an industry-leading AI agent data grounding platform for enterprises. With deep expertise in launching products in the space of AI/ML, Customer Relationship Management (CRM), and...
Saai Krishnan Udayakumar

Tech Lead, Salesforce
Saai Krishnan Udayakumar is a seasoned software engineer and cybersecurity expert with nearly a decade of experience designing and building secure, scalable platform services and APIs. Currently serving as a Lead Member of Technical Staff at Salesforce, Saai specializes in Identity...
Track 1, 5 Wayside Rd

11:00am EDT

Day in the Life of a Supply Chain Security Researcher
Saturday April 5, 2025 11:00am - 11:25am EDT
We will walk through the steps that a Security Researcher takes to understand a vulnerability and write a Semgrep rule to provide the best possible coverage. We evaluate vulnerabilities affecting open source software packages and maintain and build tooling to enable our research. This session will present an overview of how we go from an advisory to a rule that will help catch actionable vulnerabilities in your code and the strategy behind that process.
1. Get in line, you pesky vulnerabilities
- CVSS scores, EPSS scores, KEV scores
- How we prioritize vulns
- What vulns we look at
- Ingestion sources (GHSAs, OSV, etc.)
- Types of vulnerabilities (reachable, upgrade only, malicious)

2. Reviewing advisories
- Example of an advisory
- What makes a good advisory
- Example of an advisory with very little detail
- What we pay attention to in an advisory

3. Let’s write a rule together
- Pick a vuln. Example: https://github.com/advisories/GHSA-qqv2-35q8-p2g2
- Analysis: referenced patch links, source code, release notes, commit history, security advisories, function analysis, private vs. public functions
- Rule construction: balancing generality against adding more specificity to the rule; helper functions and automation for common patterns
- Rule testing: each rule has test code; how we prevent false positives and false negatives; how we get feedback on our rules
- Rule metrics: Metabase dashboards

4. What’s next
- BRAT
- Rule automation

Key Takeaways:
- Methods for evaluating security vulnerabilities affecting open-source software packages
- How a Security Researcher can write rules to enable users to prioritize fixing the issues that matter
- Strategies for prioritizing vulnerabilities

Speakers
Derian Stenglein

Security Researcher, Semgrep
Derian Stenglein is a recent graduate of the Rochester Institute of Technology with a Bachelor’s degree in Computing Security. Throughout college, he completed two internships. One was at Rockstar Games, performing binary reverse engineering and automation. The other was at Assured...
Diptendu Kar

Security Researcher, Semgrep
Diptendu Kar is currently a security researcher at Semgrep, working in the supply chain team to build rules that identify vulnerabilities in customers’ code. He is also a part-time lecturer at Northeastern University, teaching the Software Security Practices (CY-6120) course. He graduated...
Track 1, 5 Wayside Rd

11:30am EDT

Uncovering 100K Security Violations: Strengthening Application Security through Unified Deployments, XRAY Integration and Automated SBOM Generation
Saturday April 5, 2025 11:30am - 11:55am EDT

In today’s application security landscape, navigating complex deployment environments often feels like facing an onslaught of cyber adversaries. Much like Batman’s trusty utility belt, which equips him with the perfect gadget for every challenge, integrating robust security into your SDLC transforms your pipeline into a resilient defense against vulnerabilities and breaches.

This talk is a deep dive into a comprehensive case study in which we revolutionized our security posture. On one hand, we applied an innovative strategy to move all our deployments to a 'Unified Deployment Model' based on Elastic Kubernetes Service (EKS); on the other, we integrated JFrog XRAY into each stage of our Software Development Lifecycle (SDLC). Through this integration, our team uncovered about 100K previously undetected security violations that our traditional, fragmented approach had overlooked.

When dealing with large codebases comprising several services, including client-side applications such as mobile and front-end, the lack of standardization and common tooling increases the operational burden, as multiple teams cook up their own in-house deployment implementations. This causes two waves of problems. First, there is no consistent way to "shift left" and get a faster feedback cycle. Second, there is no means to maintain a uniform security posture, compliance, and quality across the board. Both make it challenging to get visibility into key metrics such as DORA metrics, due to the distributed and divergent nature of the pipelines across varied tech stacks.

Here, we'll explore approaches for architecting a 'Unified Deployment Pipeline' that accelerates developer velocity and productivity while enforcing robust security governance across the SDLC with integrated logging, tracing, and metrics. By automating SBOM generation, our strategy delivers organization-wide impact, enhancing transparency, compliance, and overall risk mitigation. The architecture also provides central observability of progress and aggregates metrics to monitor the health and maturity of deployments. We will also investigate how the “Build Once, Deploy Many Times” paradigm aligns with the proposed architecture.

If you are a software engineer operating in the DevSecOps space, this talk provides a high-level architecture for a unified end-to-end CI/CD pipeline that can help deploy services to production faster, with greater confidence and better visibility, while remaining secure, compliant, and standardized. We hope it serves as a compelling blueprint for organizations looking to bridge the gap between innovative security practices and scalable, high-quality software delivery.

Top takeaways:
• Integration Strategy: How embedding XRAY into our unified deployment pipeline transformed our vulnerability management process.
• Operational Impact: A deep dive into the metrics (over 100K security violations detected, reduced deployment times, and enhanced quality control) that validate the effectiveness of our approach.
• Automated Compliance: The role of daily SBOM generation in maintaining transparency, ensuring regulatory compliance, and promoting rapid vulnerability remediation.
• Lessons Learned: Challenges encountered during integration, the iterative improvements made along the way, and best practices for adopting a similar framework in diverse operational settings.

Notes:
1. The aim is to show practical, architecture-level guidance that viewers can adapt. Additional code samples and diagrams will be provided as supporting materials.
2. This session is geared toward professionals with an intermediate to advanced understanding of DevSecOps practices, while still providing a foundational overview for newcomers.
3. Beyond theory, we’ll delve into practical tooling: incorporating OWASP-based scanning tools for code and dependency checks, embedding code-quality linters into the pipeline, and adopting runtime security scanning to prevent vulnerabilities from slipping into production. We’ll examine how OpenTelemetry can be used for distributed tracing, structured logging, and metrics collection, ensuring that each deployment is both transparent and auditable.
4. This session will provide the high-level guidance and practical insights needed to streamline end-to-end CI/CD pipelines and enhance overall reliability, visibility, and velocity.
Speakers
Hariharan Ragothaman

Software Engineer, Advanced Micro Devices, Inc (AMD)
Hariharan Ragothaman is a Software Engineer at Advanced Micro Devices, Inc (AMD). Prior to this, he served as a Lead Software Engineer - System Design and Architecture (Manager) at athenahealth, where he designed and developed the 'Unified Deployment Pipeline' to integrate multiple tech...
Track 1, 5 Wayside Rd

1:00pm EDT

Analyzing Zero Trust Architecture in the Age of Agentic GenAI: A practical approach
Saturday April 5, 2025 1:00pm - 1:50pm EDT
The proliferation of generative artificial intelligence (GenAI) agents introduces unprecedented security challenges to modern organizations. As these autonomous systems increasingly generate content, make decisions, and execute actions with minimal human oversight, traditional perimeter-based security approaches prove inadequate. This talk examines the critical intersection of Zero Trust Architecture (ZTA) and GenAI agent deployment, proposing a framework for secure AI integration in enterprise environments.

The rapid adoption of GenAI presents unique security challenges that organizations must address while maintaining development velocity. This presentation provides practical strategies for building secure GenAI applications, with a focus on AWS services like Bedrock and Amazon Q. We introduce a comprehensive security framework that addresses three critical areas: threat modeling for GenAI systems, secure integration patterns, and robust output validation mechanisms. Through real-world case studies, we’ll demonstrate how to identify and mitigate GenAI-specific vulnerabilities, including prompt injection attacks and data leakage risks. Attendees will learn concrete techniques for securing the entire GenAI pipeline, from input validation to output verification, with an emphasis on protecting sensitive information and preventing model hallucinations while keeping the SDLC fast and efficient. The presentation includes hands-on examples of implementing security controls in GenAI applications, featuring code samples and architecture patterns that can be applied immediately. Security professionals and developers will gain practical knowledge about automated security testing for GenAI systems, session isolation techniques, and effective output validation strategies. By the end of this session, attendees will have actionable insights for accelerating their GenAI initiatives while maintaining enterprise-grade security standards.

Presentation importance: There is a top-down push for organizations to implement GenAI, and quickly. As organizations rush to adopt GenAI technologies, they face unique security challenges that traditional cybersecurity approaches may not adequately address. This presentation offers critical, actionable insights for implementing robust security measures in GenAI systems, with a specific focus on AWS services like Bedrock and Amazon Q. By providing practical strategies, real-world case studies, and hands-on examples, it equips security professionals and developers with the knowledge needed to balance innovation with security and quick deployments.
Speakers
Vineeth Sai Narajala

GenAI Application Security Engineer, Amazon Web Services (AWS)
Vineeth is a GenAI Application Security Engineer at Amazon Web Services (AWS), specializing in core Data Analytics services such as EMR, Athena, and LakeFormation. He has also been instrumental in developing GenAI Security guidelines for service-to-service integration and development...
Track 1, 5 Wayside Rd

2:00pm EDT

Past, Present and Future of Automatic Code Remediation
Saturday April 5, 2025 2:00pm - 2:50pm EDT
Academic projects, linters, and IDE helpers provided a foundation for simple automatic code refactoring, but lacked the depth to address the complex code issues found by tools. Recently, the landscape of tools used to change code has seen explosive growth. Several open source code mutation frameworks have emerged, allowing expressive and impactful code transformations. LLMs have also jumped into the picture, promising power and delivering “cool” – but also towing chaos. We’ll explore the capabilities of these tools, including synergistic strategies – all towards answering the question: “are we ready to automatically fix code issues?” Finally, we’ll look at the horizon and make the case that the era of self-healing software is approaching quickly, even if it looks a little different than what you might expect.

I have been working in AppSec for 20 years as a consultant, researcher, and innovator — and just a few years ago, the thought that we could have machines fixing vulnerabilities sounded, to my ears, like pure fantasy. I plan to show the evolution of code refactoring capability on a pretty clear trajectory during that time period, and how many important problems can be automatically fixed today — including things found by static analysis, and things your static analysis can’t find — all with open source tooling. I will spend just a few minutes on “how we got here”, and split the rest of the time between what can be done today, what gaps remain, where the tooling is headed, and how that coincides with some major limitations in our labor market now.

To back up my point, I will:
- Demo a few brief product security use cases in OSS
- Offer 3 case studies, including 1 open source case study
- Show statistics on higher code throughput due to generative AI

I’ll also point out the important limitations of automation in this space today — but focus on how product security should be using these capabilities to scale their expertise in an era where generative AI will be putting more and more code through the “verification” pipeline we have today.

Takeaways
1. Product security teams can automate much of the toil that comes out of their SAST.
2. AI, when used correctly, can answer AppSec questions effectively.
3. Some of the original dreams around self-healing software are achievable.

All of us in the industry are in desperate need of high-yield levers to exert positive influence on our software development lifecycle, and Automatic Code Remediation is one of those levers.
Speakers
Arshan Dabirsiaghi

CTO, Pixee
Arshan is a security researcher pretending to be a software executive, with many years of experience advising organizations on code security. He has spoken at conferences like Bluehat, Blackhat and OWASP, and definitely wrote his own bio. He is also a co-founder of Contrast Security...
Track 1, 5 Wayside Rd

3:00pm EDT

Supercharge your AppSec Program with OWASP Appdome Consumer Mobile Security Report and OWASP MASVS
Saturday April 5, 2025 3:00pm - 3:50pm EDT
As AppSec professionals, securing and protecting our users and business is paramount. This session will delve into data from the OWASP Appdome Global Consumer Mobile Security Expectations Report, launched at OWASP Global AppSec in Lisbon, with a focus on North American consumer insights. We will explore the latest mobile threats such as social engineering, vishing, smishing, fraud, overlay attacks, accessibility exploits, bots, and more. Additionally, we'll provide updates on the OWASP mobile project and demonstrate how to leverage consumer voices in security discussions with developers and business leaders to drive prioritization and success in your mobile AppSec program. This session is applicable to all AppSec teams, whether focused on mobile, web, or API security.
Speakers
Brian Reed

SVP GTM & Mobile Defense, Appdome
I have presented at dozens of OWASP events over the last 10 years, including Global AppSec, Regional AppSec Days, and meetups including PNW, SnowFroc, LASCON, and AppSec Cali, to name a few. I have also delivered this talk at numerous OWASP meetups around the USA and EMEA along with AppSec...
Track 1, 5 Wayside Rd