OWASP Security RAT ("Requirement Automation Tool") Project
Live stream recording of the OWASP SecurityRAT ("Requirement Automation Tool") Project Showcase at the Global AppSec Amsterdam Conference. OWASP Security RAT (Requirement Automation Tool) is a tool intended to assist with the problem of addressing security requirements during application development.
The minimum viable security (MVS) approach enables us to easily bake security into our config files, apps, and CI/CD processes with a few simple controls - and the great part? It’s easily achievable through open-source tooling. In this talk we will focus on five critical security controls that will be integrated as part of the CI/CD pipeline by leveraging some excellent open source tools, in addition to custom controls to ensure proper enforcement of MFA via GitHub Security. These controls will provide a foundational framework for securing your applications from the first line of code, which will make it possible to continuously iterate and evolve your security maturity all the way through the advanced layers of security that come with time, as well as with increased experience with your deployments, stacks, and security posture. Code examples & demos will be showcased as part of this session.
SPEAKER:
Raz Probstein (@RazProbstein)
Raz comes with years of experience in both leadership and technology, having served as Young Ambassador to the state of Israel and having been headhunted and selected as Young Researcher at the prestigious Weizmann Institute for multi-disciplinary scientific research. Today she serves as a Solution Engineer at Jit, coming to the role with years of experience as a FullStack Engineer and years of experience in a diversity of programming languages from Python, to Javascript and C/C#, from the elite IDF unit 81 - where she was not only one of a handful of women serving in a cybersecurity role, but also mentored women to help drive more gender diversity in the unit. Today she is studying Biotechnology at the Open University, and is passionate about building cloud native security tooling developers will love.
This talk was presented at the OWASP London Chapter meetup on December 5th, 2003, kindly hosted by Thought Machine.
...
https://www.youtube.com/watch?v=xh6fyce_bNk
This talk was presented at OWASP London Chapter meeting on 29th September 2016.
Following the PoC of thermostat ransomware that Ken Munro and Andrew Tierney performed at DefCon 24, this presentation digs even deeper into IoT devices and their apps. Staying with the thermostat, Ken and Andrew will walk through the ransomware attack and then move onto general malware - which has no easy method for detection. Even when firewalled, these devices are still vulnerable to local attacks, so we’ll show you how you can achieve a compromise. We’ll also take a look at CSRF spraying, IoT gear in public areas, supply chain tampering, and malicious firmware updates.
...
https://www.youtube.com/watch?v=sg-TnUUXdsA
"SBOMS and why they can help make your software more secure" - Anthony Harrison
With a growing interest (or maybe it is just awareness) in Software Bill of Materials (SBOM) raised by various initiatives from governments (US, EU and now the UK with the recently announced consultation on software security and resilience), SBOMs are starting (in certain markets) to form part of the development landscape. As software systems become increasingly complex, relying on an extensive (and often unknown) software supply chain, it is essential to have a full understanding of all of the components which are used in a solution. This applies at all stages of the life cycle, and an SBOM is considered to be a key artefact in providing the necessary information to support a vulnerability management process. This talk will explain what an SBOM is, how and when they should be produced (and some of the challenges that need to be overcome) and demonstrate how they should form part of a DevSecOps lifecycle. I will try to supplement the talk with some demonstrations using a number of open source applications.
SPEAKER BIO:
Anthony Harrison
Anthony is an independent systems/software/cyber consultant. Anthony is a member of the OpenSSF SBOM Everywhere working group and SBOM Forum. Anthony has presented on SBOMs at FOSDEM (2002 and 2023), EuroPython 2022 and at PyCascades (Vancouver). In his spare time Anthony teaches Python at Manchester CoderDojo and acts as a mentor for Google Summer of Code (GSOC) projects supported by the Python Software Foundation.
----
This talk was presented at the @OWASPLondon on April 18th, 2024, kindly hosted by ThoughtMachine and sponsored by @CheckmarxOfficial.
--
Do you want to attend OWASP London meetups in person? Follow OWASPLondon on LinkedIn/Meetup/EventBrite/Facebook/Twitter.
Please SUBSCRIBE to this channel so you get notified when new videos are published.
#OWASP #OWASPLondon #SCA #AppSec
...
https://www.youtube.com/watch?v=kAn4yjg3pqY
OWASP ZAP is a great tool, but it's not magic! When used in a CI/CD pipeline, ZAP needs some help to discover the routes through a web application. Basic authentication, user logins and form validation can all stop ZAP in its tracks. I show how to drive ZAP using Selenium scripts and increase the security coverage of a web application.
Speaker Bio: Mark Torrens works for Kainos as a Security Architect and this year is completing an MSc in Cyber Security at the University of York.
This lightning talk was presented at OWASP London Chapter Meeting on 30-Aug-2018 at Microsoft Reactor.
Presentation slides can be downloaded here: https://www.owasp.org/images/2/27/OWASPLondon-OWASP-ZAP-Selenium-20180830-PDF.pdf
...
https://www.youtube.com/watch?v=jFBNCM61DbA
Decoding Software Composition Analysis (SCA): Unveiling Pain Points in SCA - Kaiwen Jiang
An overview of Software Composition Analysis (SCA) and its significance in bolstering software security. It includes discussions on SCA tools and key steps for implementation, and addresses challenges associated with SCA adoption.
SPEAKER BIO:
Kaiwen Jiang is an Application Security Engineer at Wise, with expertise in threat modeling, secure code scanning, and bug bounty initiatives. She extends her insights beyond work with a captivating AppSec learning blog at https://appseckiki.medium.com.
Kaiwen also shares her personal world with the lovely cat Joe Maroon 11, and is passionately devoted to Taylor Swift.
----
This talk was presented at the @OWASPLondon Chapter Meetup on April 18th, 2024, kindly hosted by ThoughtMachine and sponsored by @CheckmarxOfficial.
--
Do you want to attend @OWASPLondon meetups in person? Follow OWASPLondon on LinkedIn/Meetup/EventBrite/Facebook/Twitter.
Please SUBSCRIBE to this channel so you get notified when new videos are published.
#OWASP #OWASPLondon #SCA #AppSec
...
https://www.youtube.com/watch?v=QhrsMRi5QkE
OWASP London Chapter Meeting 26th-Jan-2017. Talks presented by @DinisCruz:
Introducing OWASP Summit 2017
Dinis will talk us through the open source tool he has been building for some time - the tool to perform and visualise assessments using the OWASP Software Assurance Maturity Model (SAMM) and the Building Security In Maturity Model (BSIMM).
Speaker Profiles:
Dinis Cruz
Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to 'Automate Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform.
Francois Raynaud
Francois is the founder of DevSecCon, a conference dedicated to DevSecOps, the fusion of DevOps and SecOps. He is actively involved in security automation projects supporting continuous delivery and is currently working as the enterprise security architect for a global retailer, preceded by 17 years at ASOS, Betfair, Verizon Business, HSBC and RSA, where his consulting engagements spanned implementing CERT teams, incident response strategy, security architecture design, IT security management and penetration testing.
...
https://www.youtube.com/watch?v=n6R_pJh3l0w
Mark Curphey, founder of OWASP, recently wrote an article called The Security Tools Crash is Coming that received a lot of praise from security practitioners and, unsurprisingly, met with some disdain from some security startup founders and venture capitalists. In this talk Mark will run through the key points of the article and then talk about what he believes the next generation of tools will look like, merging AppSec and CloudSec into interoperable cloud native platforms.
SPEAKER BIO
Mark Curphey (@crashappsec)
Mark is the founder of OWASP; he is also founder and CEO of SourceClear (acquired by Veracode in 2018) and the co-founder of Open Raven (https://www.openraven.com), a data security company. Mark moved to the U.S. in 2000 to join Internet Security Systems (now a part of IBM); he also held roles including director of application security at Charles Schwab and VP of Professional Services at Foundstone/McAfee, and led the security tools team at Microsoft. Mark holds a Masters of Information Security from Royal Holloway University. After having lived for many years in Seattle and San Francisco, Mark makes his return to Great Britain, where he continues to work on his next big project. Mark is also an avid cyclist.
----
This talk was presented at the OWASP London Chapter Meeting on December 15th, 2022, kindly hosted by Thought Machine @thoughtmachine6830.
#OWASP #DevSecOps #OWASPLondon
...
https://www.youtube.com/watch?v=0E61QBVnCNo
"Twenty Years - So we've solved AppSec issues right?"
The Evolution of Application Security - Daniel Cuthbert
SPEAKER BIO:
Daniel Cuthbert loves doing security research. With a career spanning over 20 years on both the offensive and defensive side, he's seen the evolution of hacking from small groups of curious minds to the organised criminal networks and nation states we see today. He is the original co-author of the OWASP Testing Guide, released in 2003, and now the co-author of the OWASP Application Security Verification Standard (ASVS), and sits on the UK Government Cybersecurity Advisory Board.
Daniel is also one of the first 3 individuals who started the OWASP London Chapter back in 2004!
--
This talk was presented at the OWASP London 20th Anniversary Meetup on 22nd February 2024, kindly hosted by Google and sponsored by Apiiro, Sage, Phoenix Security and Licel.
...
https://www.youtube.com/watch?v=CmTD5XIWnuQ
- live stream recording at the OWASP Global AppSec Amsterdam 2019 Conference - apologies for the low-resolution video (there is a 480p version on the OWASP London Chapter Facebook page).
This presentation was from the Project Showcase Track which was not officially recorded by the conference organisers.
Presented by Erez Yalon and Inon Shkedy - OWASP API Security Project Leader
OWASP API Security Project:
How are API-based apps different from traditional apps?
Why do these apps deserve their own OWASP security project?
Roadmap of the project
Introducing API Security Top 10 - V1.0 in depth
Next steps:
Join the mailing list:
https://groups.google.com/a/owasp.org/d/forum/api-security-project
Join the effort:
https://github.com/OWASP/API-Security/tree/develop/
https://github.com/OWASP/API-Security/issues
...
https://www.youtube.com/watch?v=Jmyl6GoTaao