OWASP Foundation
  • 1 300
  • 3 373 335
OWASP 2024 Global AppSec Lisbon -- Promo
Learn more and register: lisbon.globalappsec.org/
-
Managed by the OWASP® Foundation
owasp.org/
Views: 304

Videos

Security for Citizen Developers: Low-Code/No-Code Cybersecurity Threats
460 views · 21 days ago
Read more: owasp.org/www-project-top-10-low-code-no-code-security-risks/ dev.to/owasp/security-for-citizen-developers-low-codeno-code-cybersecurity-threats-1f6f czcams.com/video/yh9JdLl4NhY/video.html - Managed by the OWASP® Foundation owasp.org/
AI and API Security Panel
971 views · 1 month ago
AI is changing everything... including the API security landscape! What problems can developers and security professionals expect? Panelists: Aubrey King (PR Lead, OWASP Top 10 for LLM Apps; Community Evangelist, F5 DevCentral); Cameron Delano (Security Solutions Architect, F5); Corey Ball (author of "Hacking APIs"); Dan Barahona (Co-Founder, APISec University). OWASP Top 10 for LLMs: owasp.org/www-project...
OWASP Spot
601 views · 2 months ago
- Managed by the OWASP® Foundation owasp.org/
The State of Secure DevOps - Security enables Velocity
589 views · 3 months ago
Slides: static.sched.com/hosted_files/owasp2023globalappsecwashin/4b/Final_The State of DevOps - Security Enables Velocity - AppsecUS.pdf As technology teams continue to accelerate and evolve, so do the quantity and sophistication of security threats. It's easy to emphasize the importance of security and suggest that teams need to prioritize it, but doing so becomes an extensive change manageme...
OpenCRE.org - Universal Translator for Security
221 views · 3 months ago
Slides: static.sched.com/hosted_files/owasp2023globalappsecwashin/7c/2023OpenCRE-at-WashingtonDC.pdf In security, it is important to understand the whole chain: from regulation to business risk, to requirement, to code example, to vulnerability, to test method, to tool configurations. However, so far there hasn’t been a solid way to interconnect standards, documentation, and tooling. Standards ...
Level Up Your Security Champions (and Your Program)
191 views · 3 months ago
Slides: static.sched.com/hosted_files/owasp2023globalappsecwashin/d9/Chuck Willis - 2023 OWASP AppSec DC - Level Up Your Security Champions (and Your Program).pdf Security Champions are a mainstay of current application security programs. A number of great documents and presentations are available to help you get a program started. Datadog security engineers had used those resources to build an...
How to Avoid Potholes When Scaling Your Application Security Program
128 views · 3 months ago
Slides: static.sched.com/hosted_files/owasp2023globalappsecwashin/92/2023-10 - Global AppSec - Building a Scaled Application Security Program.pdf Have you ever wondered what it is like to build an Application Security program at a very large organization? Or an organization that had experienced hyper-growth and the security team’s growth was not at the same pace as Engineering? What about an or...
Bootstrap Your Software Security with OWASP SAMM 2.1
164 views · 3 months ago
Zip file containing slides and other files: static.sched.com/hosted_files/owasp2023globalappsecwashin/c4/global appsec dc 2023.zip This presentation will provide an overview of the OWASP SAMM 2.1 framework. SAMM stands for Software Assurance Maturity Model. Our mission is to provide an effective and measurable way for you to analyze and improve your secure development lifecycle. SAMM supports t...
“Shift Left” Isn’t What You Expected
291 views · 3 months ago
Let’s address the elephant in the room - “Shift left” hasn’t had the impact on our software security as many of us expected it to have. While it has influenced security in an indispensable way, I argue that “shift left” should be viewed as a tactic in a larger management strategy rather than a solution to solve appsec woes. I will review the success and limitations of “shift left” and how we ca...
Moving Forward By Looking Back: Data Collection and Analysis at OWASP
135 views · 3 months ago
Slides: static.sched.com/hosted_files/owasp2023globalappsecwashin/1c/Global_AppSec_DC_BGlas_MovingForwardByLookingBack.pdf We are eternally searching for answers to the questions "How are we doing?", "How do we compare?", "What should we do next?", "Are we improving?". To help answer these questions and move forward, we can leverage data to learn from the past. We will discuss lessons learned f...
Influencing Without Authority: The Foundations of a Successful Security Department of Yes
224 views · 3 months ago
Slides: static.sched.com/hosted_files/owasp2023globalappsecwashin/ad/Influencing Without Authority - The Foundations of a Successful Security Department of Yes.pdf In today’s technology and business landscape, security is a critical component of any successful organization. However, driving the goals of a security organization can be challenging, particularly when that organization resides in a...
Better Protect Sensitive Data in the Cloud with Client-Side Application Layer Encryption
380 views · 3 months ago
Cloud providers have made significant progress in securing their infrastructure and data centers. However, application owners are still responsible for securing their own data. In this talk, we will discuss the benefits of using client-side application layer encryption to bring your own encryption and protect sensitive data in the cloud. We will explain how to use this technique to provide encr...
Cutting to the chase: Security Design and Guidance at scale
1.1K views · 3 months ago
In 2021, OWASP added A04:2021 - Insecure Design as a new category focusing on risks related to design and architectural flaws, with a call for more use of threat modeling, secure design patterns, and reference architectures. In a cloud-native, agile environment with hundreds of services operating at scale for products, security needs to be proactive, comprehensive, context and data driven with ...
From SBOMs to F-Bombs: Vulnerability Analysis, SCA Tools, and False Positives & Negatives
343 views · 3 months ago
Using WebAssembly to run, extend, and secure your application!
153 views · 3 months ago
OWASP Low-Code No-Code Top 10
252 views · 3 months ago
No Code you shall use, malware you shall get
185 views · 3 months ago
AppSec Threats Deserve Their Own Incident Response Plan
101 views · 3 months ago
Credential Sharing as a Service: the Dark Side of No Code
171 views · 3 months ago
DevSecOps Worst Practices
243 views · 3 months ago
Fixing Broken Access Control
216 views · 3 months ago
Everything-as-Code: Pushing the boundaries of SAST
177 views · 3 months ago
Automated Security Testing with OWASP Nettacker
247 views · 4 months ago
AI Red Teaming LLM: Past, Present, and Future
858 views · 4 months ago
Refactoring Mobile App Security
97 views · 4 months ago
Could Passwordless be Worse than Passwords?
141 views · 4 months ago
Hacking & Securing Android Applications
163 views · 4 months ago
Metrics, metrics everywhere - from which ones I should be scared?
184 views · 4 months ago
Discovering Shadow Vulnerabilities in Popular Open-Source Projects: A Journey Through Reverse-Fuzzing
199 views · 4 months ago

Comments

  • @greasydave1318 · 3 days ago

    Thank you for all of your hard work, JC.

  • @Matt-cd7zu · 3 days ago

    I just discovered this video and the content is amazing. I see it’s from a few months ago; do you have any more recent videos or articles you suggest on this topic?

  • @grbknt · 15 days ago

    Thank you.

  • @brs2379 · 18 days ago

    Can't see the slides.

  • @ethioafrican · 1 month ago

    Okay, thanks.

  • @gabrielborges7909 · 1 month ago

    The part where he talks about spoofing a ship's GPS signal really made me think of the Key Bridge incident. I'm not saying it was hacked, but the fact that it's possible is mind-boggling.

  • @DominusEstOK · 1 month ago

    Great talk by 4 great people. I've been fortunate to know Aubrey for years and have met Cameron and Dan, and I'm looking forward to meeting Corey some day. Thanks for putting this content out; well worth my time.

  • @shanescad2384 · 1 month ago

    Thanks for sharing! However, do you have a tutorial which implements the Backend For Frontend (BFF) framework with Authorization Code with PKCE in addition to this tutorial? It is unsafe to store an access token in the browser.

  • @JangapallyPavani-ri9wp · 1 month ago

    Actually, you've been publishing videos for the past 9 years, and you're still posting them today. You don't have many subscribers, but you're incredibly strong and patient.

  • @MayKongphrom · 1 month ago

    That's the reason why a WAF and an API Gateway are never enough.....

  • @advanology1944 · 1 month ago

    How to log in, and the OWASP mail password?

  • @shikida · 1 month ago

    Excellent insights in this presentation, thanks for sharing.

  • @tombalabomba3084 · 2 months ago

    I don't agree with the conclusion of this talk. The whole point of BFF and HttpOnly auth cookies is to prevent an attacker that has gained access to execute JS code through an XSS attack from stealing the auth token from your storage and thereby executing requests on your behalf. If an attacker has managed to successfully gain access, he can execute API calls directly from the client's browser with or without BFF.

  • @MrMaefiu · 2 months ago

    Superb! You guys are awesome! Keep up the good work!

  • @light9017 · 2 months ago

    One question: does anyone know the webuy0day website or something? (Relax, I'm just asking 😅😅😅)

  • @jamescheng1216 · 2 months ago

    One of the worst presentations I've ever seen!

  • @jamescheng1216 · 2 months ago

    Couldn't read anything on the screen. You should present it in full-screen mode, because that's the important part.

  • @user-xy3pr3ee5s · 2 months ago

    Awesome. But it's been almost 4.5 years; when can we expect this as open source? :(

  • @shubham_srt · 2 months ago

    Thanks :)

  • @norsie45 · 2 months ago

    How did you find that password?

  • @Douglas_Gillette · 3 months ago

    Great conversation.

  • @btdoe3259 · 3 months ago

    FIDO2 with keys and credentials generated by the user himself/herself is more private, and you don't need to give up your face, phone number, email, etc. Great!

  • @neilfpv · 3 months ago

    In a non-cloud setup, like a dedicated nginx server, can we integrate Coraza?

    • @zufar_dhiyaulhaq · 2 months ago

      I suggest replacing nginx with envoy, it’s much easier to integrate

  • @jbodden6977 · 3 months ago

    I JUST WANT TO GET INTO MY DAMN CAR WITHOUT PAYING 500 BUCKS FOR A KEY!!!

  • @haythamkt5607 · 3 months ago

    The more I watch this man’s videos the more I respect him.

  • @JohnWalker-256 · 3 months ago

    Legends without cars are watching ❤❤

  • @xperseai · 3 months ago

    But most of all, Samy is my hero.

  • @rapha5586 · 3 months ago

    Super clean and to the point. Thanks!

  • @michelians1148 · 4 months ago

    👀

  • @Pem7 · 4 months ago

    Still rocks🤞

  • @osematouati2430 · 4 months ago

    Thanks a lot, great explanation.

  • @shubham_srt · 4 months ago

    What if cookies are set to Lax but Access-Control-Allow-Credentials is being sent as true? As Lax does not allow cookies to be set in XHR requests, how will the cookies be sent?

    • @somebody3014 · 2 months ago

      Wondering about the same thing; did you find the answer?

    • @shubham_srt · 2 months ago

      @somebody3014 Hey man, Lax settings are prioritised. Even if one condition is false, the cookies are not sent. So in my question the cookies will not be sent: even though Allow-Credentials is true, the cookies are Lax (one true condition and one false), so no cookies will be sent. Hope that clears the doubt.

  • @kaybuellmann1293 · 4 months ago

    Promo_SM

  • @evapaz6310 · 5 months ago

    Blessing

  • @KLWCOMM · 5 months ago

    All well said; how about some suggestions on how to protect yourself from key fob attacks? A simple one is to shield the key fob with a simple Faraday cage, such as aluminum foil, while at home or in the parking lot, if it comes to that.

  • @luispereira628 · 5 months ago

    Excellent keynote!

  • @diffiller · 5 months ago

    Can you please provide the link to the mentioned web series?

  • @digitechwebsource · 5 months ago

    Super

  • @venkatraohyd · 5 months ago

    Nice and great explanation ❤

  • @doesitmatter9085 · 6 months ago

    Your keynote speaker, Jackie Singh, was fired from the Biden Administration for her history of racist and homophobic troll posts made while a member of the White supremacist group GNAA. She was also alleged to have engaged in sexual activity with minors and sent them nudes in exchange for help in her "hacking", she doxxed the identity and location of a 13 year old girl ( Loli Chan) putting her in danger from predators because she was jealous of the attention she was getting, and she is currently living in Puerto Rico, where she is hiding from her hundreds of thousands of dollars in debt to the IRS and other creditors.

  • @Amfortas · 6 months ago

    Explain why you hosted Jackie Singh please, a literal known troll and racist debt fraudster? Oh I'm sure she'll just tell you we're "trolls". Quite convenient. Do your research.

  • @cp_200 · 6 months ago

    He is high, pretty sure.

  • @AAA-rk2fj · 6 months ago

    Thank you.

  • @nurmuhammetallanov9180 · 6 months ago

    Can you please show a full video of setting up Coraza with the Core Rule Set on a Go web app?

    • @zufardhiyaulhaq146 · 4 months ago

      I guess it's all in the video; what more do you need?

    • @nurmuhammetallanov9180 · 4 months ago

      @zufardhiyaulhaq146, well, try to set it up, then you'll understand my kind request.

  • @arkhantheblack4426 · 6 months ago

    NO OWASP LITTLE BABY CHILD!!! YOU WILL LET ME COMMENT ON THE JACKIE VIDEO CHILD OR YOU WILL GO TO PRISON FOR THE CYBERCRIME OF STALKING! ENJOY PRISON STALKER!

  • @n0pe578 · 6 months ago

    You guys really didn't even do an ounce of research on old Jackie before giving her a spot at the conference, huh? Pretty ironic.

  • @jonnygiantrobot · 6 months ago

    This video is from 9 years ago; do you have an updated video? Maybe something more recent, like 2023?

  • @jonnygiantrobot · 6 months ago

    You talked about Android and iPhone; what about a phone that has GrapheneOS installed on it?