We doing security wrong. We’re living in a construct where we chase vulnerabilities, patch-levels, configurations, etc. We chase around the unimportant because it’s what we’ve always done. It wasn’t wrong then, but times have changed. What if I told you there was another way, a way out of the chaos, a way to clear (most) of the alert-fatigue and focus on what is important. Today we need to be data-centric as that’s what attackers are after, and losing control of it gets CISOs fired – be it data-leaks, ransom-ware, or breaches of compliance/privacy. But we’re losing this battle because data is everywhere, so how does one decide what is or isn’t important? SPEAKER BIO Mike Andrews(@ma) Mike Andrews is head of engineering and product at Open Raven – a VC funded startup in the data security space (and promises that this talk, in no way, is a product pitch!). He’s previously held leadership roles at Oracle and Microsoft, joining security, engineering, and DevOps/SRE, but started out in academia researching programmer psychology and productivity, and “fell into” security via a strange convergence of bug reporting, government contracts, and early days of OWASP. He’s the author of “How to break web software” – one of the first WebAppSec books way back in early 2000’s, and is still surprised that he’s receiving royalties off it. This talk was presented at the OWASP London Chapter Meetup on February 28thth, 2023 at Monzo Bank London offices #OWASPLondon ... https://www.youtube.com/watch?v=NPImSK42uSU

This talk was presented at the OWASP London Chapter [ONLINE] Meeting on 04 March 2021 GraphQL is becoming the next big API technology for developers, but with new technology comes new risk, and for us that means bug bounties! In this talk you will learn everything GraphQL, from how it works to what kind of bugs are common. Speaker Bio: KATIE PAXTON-FEAR (@InsiderPhD) Katie is a Lecturer in Cyber Security at Manchester Metropolitan University, however, in her free time, she's a bug bounty hunter and an educational YouTuber. She started out hacking in June 2019 during a HackerOne mentorship program and now hopes to be a mentor to others, creating educational cyber security videos on YouTube. In her videos, she attempts to bridge the gap between "I know what bug bounties are" and "bug bounty hunter" giving advice specifically tailored to bug hunting. She's now produced over 50 videos on bug bounty hunting for an audience of over 25,000 YouTube subscribers. Aimed at a beginner audience these go from finding your first bug, to how to use specific tools, to how to find specific bug classes. Katie has discovered and responsibly reported security vulnerabilities to several large organisations such as Verizon Media and the US Department of Defense Index: 00:00 OWASP Introduction and Member Benefits 01:31 Katie's talk start - About Katie 05:31 What is GraphQL? 09:21 Where to Find GraphQL 12:19 Queries 15:10 Mutations 18:01 Why is it important to learn GraphQL syntax? 19:32 Introspection 17:15 GraphQL IDE 27:55 InQL Burp add-on and scanner 28:40 GraphQL Map 19:43 Common GraphQL Bugs 32:47 How To Hack GraphQL APIs 41:15 Q&A session Presentation Slides can be downloaded from the OWASP London GitHub repo here: https://github.com/OWASP/www-chapter-london/raw/master/assets/slides/GraphQL_Hacking-Katie_Paxton_Fear_OWASPLondon.pdf #BugBounty #OWASP #GraphQL #InsiderPhD ... https://www.youtube.com/watch?v=GlvNwhq-uBg