Wednesday, September 25
 

8:00am PDT

Coffee/Tea
Wednesday September 25, 2024 8:00am - 9:00am PDT
Waterfront Foyer

9:00am PDT

Keynote
Wednesday September 25, 2024 9:00am - 10:00am PDT
Coming soon!
Speakers

Dustin Lehr

Co-founder, Chief Product and Technology Officer, Katilyst
Before shifting into cybersecurity leadership, Dustin Lehr spent 13 years as a software engineer and application architect in a variety of industries, including retail, US DoD, and even video games. This background has helped him forge close partnerships with development teams, engineering...

10:00am PDT

AM Break
Wednesday September 25, 2024 10:00am - 10:30am PDT
Waterfront Foyer

10:30am PDT

The Benefits of Knowing the Future (conference talk)
Wednesday September 25, 2024 10:30am - 11:15am PDT
Managing the risk from thousands of open source dependencies is the most difficult challenge of our time. Software Composition Analysis (SCA) tools help understand the risk profile using data collected about "known" vulnerabilities. But what about the "unknown" bugs?


Imagine the scenario in which you know about bugs in your open source dependencies before they become vulnerabilities with a CVE. You can design and execute a remediation plan even before the information is public and the threat becomes imminent. This will have a fundamental impact on the security posture.

The Alpha-Omega project under the Linux Foundation has been challenged with the task of making the most popular Open Source libraries safe for everyone. We are enabling the proposed reality by proactively scanning and finding previously unknown bugs in open source projects. This will open up the opportunity for you to proactively respond in the time window before a CVE is public. 

Speakers

Munawar Hafiz

CEO, OpenRefactory
Munawar Hafiz is the founder and head of innovations of OpenRefactory, Inc., an application security company that intends to improve the way developers write secure, reliable and compliant code. Munawar had a body of work on automated bug fixing in academia which lays the foundation...
Room: Waterfront A

10:30am PDT

Birds of A Feather
Wednesday September 25, 2024 10:30am - 12:15pm PDT
1 hour and 45 minute open discussion for the entire room on a specific topic, facilitated by the host(s).  The room will be set up as a large round table (20-24 people) to maximize visibility of all participants
Room: Waterfront C

10:30am PDT

Cards Against AppSec (Round Table)
Wednesday September 25, 2024 10:30am - 12:15pm PDT
Looking for a chance to let loose and have a laugh at an otherwise serious industry event? We've got just the thing for you! Introducing "Cards Against AppSec" – a hilarious card game based on the popular "Cards Against Humanity."

Gather with fellow horrible appsec people and indulge in an evening of wicked humor and witty banter. "Cards Against AppSec" is designed to tickle your funny bone while poking fun at the quirks and challenges of the appsec world.

Don't miss this unique opportunity to unwind, bond with peers, and share laughter in the unlikely setting of an industry event. So, join us for a good time filled with outrageous card combinations and unforgettable moments.

Speakers

Tanya Janca

Head of Community and Education, Semgrep
Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the Head of Education and Community at Semgrep, sharing content and training that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty-five years, won countless awards, and has been everywhere from public...

Amanda McCarvill

Community Coordinator, Semgrep
Room: Waterfront B

11:30am PDT

Automating Code and Security Reviews with Open Source LLM Models (conference talk)
Wednesday September 25, 2024 11:30am - 12:15pm PDT
This session will explore the use of open-source large language models (LLMs) to automate code and security reviews at every commit. Attendees will learn how to integrate LLMs into their CI/CD pipelines, ensuring continuous and automated code quality and security assessment. The session will demonstrate practical implementations, share real-world examples, and provide actionable insights for enhancing code review processes with AI. We will also explore how such approaches can augment Security Champions roles and help scale the AppSec Program.
Speakers

Ahsan Mir

Founder, Rapticore, Inc.
Ahsan has an extensive 18-year career in Cybersecurity, encompassing roles such as Pentester, Threat Modeler, Red Teamer, and Blue Teamer. He started as a Security Engineer and eventually became a CISO. He is the Founder of Rapticore, a pioneering company dedicated to remediating...
Room: Waterfront A

12:15pm PDT

Lunch
Wednesday September 25, 2024 12:15pm - 1:15pm PDT
Waterfront Foyer

1:15pm PDT

Context Switching: Security's #1 Silent Killer (Conference Talk)
Wednesday September 25, 2024 1:15pm - 2:00pm PDT
In today's fast-paced software development environments, the feedback loop between code creation, security validation, and issue remediation is often cumbersome and inefficient. Developers face the challenge of addressing security vulnerabilities identified during automated Static Application Security Testing (SAST) scans, only to see lower-severity issues relegated to the dreaded backlog. This backlog, a repository of technical debt, grows unchecked as management prioritizes feature development over security maintenance.
When developers do venture into the backlog, they encounter a time-consuming process of reacquainting themselves with the context of the code of each SAST finding, hindering productivity. However, there's a solution: automated source code remediation. By seamlessly integrating automated fixes into the developer workflow, this approach not only addresses security vulnerabilities but also closes the feedback loop from Pull Request creation to SAST finding resolution.
In this talk, we'll demonstrate the influence of developers' context switching on the security of their organization, and on the whole security industry. We'll also introduce some easy and revolutionary ideas on how to cope with this challenge, to dramatically improve security and productivity.

Speakers

Antony Chiu

Solution Engineer, Mobb
Antony Chiu is a seasoned expert in the realm of Application Security, leveraging over a decade of hands-on experience to deploy robust AppSec solutions in SAST, DAST, IAST and most recently Automatic Code Remediation for clients across diverse industries. With a keen focus on bridging...
Room: Waterfront A

1:15pm PDT

Defending APIs: Past, Present and Future! (conference talk)
Wednesday September 25, 2024 1:15pm - 3:00pm PDT
In the era of Cloud Native Distributed Systems, Generative AI (GenAI), and Large Language Models (LLMs), APIs have become more integral to modern applications than ever before. However, this increased reliance on APIs brings new security challenges that require innovative solutions. This talk will explore the evolving landscape of API security, focusing on how advanced technologies like eBPF (extended Berkeley Packet Filter) can enhance API Security and protection. Attendees will learn about the benefits of eBPF for API security, real-world use cases, and how to integrate these technologies into their security practices to mitigate risks effectively.
Speakers

Jayesh Ahire

Founding Member of Product management, TraceableAI
Jayesh Ahire is the Product Manager at TraceableAI where he works on the Company’s API Security initiative. He is the maintainer of OWASP crAPI, Hypertrace, and many other notable OSS Projects. He is AWS ML Hero, and runs API Security Global Community. He also runs AWS UG, Elastic...

Sanjay Nagaraj

Co-Founder and CTO, TraceableAI
Sanjay Nagaraj is the co-founder and CTO of Traceable.ai. Before co-founding Traceable, he was VP of Engineering for AppDynamics/Cisco. At AppDynamics he was responsible for product teams for Application Performance Management and Database Monitoring products. He and his team...
Room: Waterfront B

1:15pm PDT

Creating Secure Guardrails (White paper talk)
Wednesday September 25, 2024 1:15pm - 3:00pm PDT
What if we could prevent a vulnerability from ever being created? Join us for a brainstorming event focused on creating secure guardrails for organizations to help nudge developers towards more secure coding practices. Our primary objective is to generate practical and implementable examples that can drive the industry forward in the adoption of guardrails, which will create less work for software developers over time. Instead of mere discussion, we aim to produce actionable insights that can be applied in real-world scenarios, and we will distribute a white paper afterwards with the combined results.

Description of white paper talk: 1 hour and 45 minute discussion by the group centered around collaborating to produce a documented summary/solution to a topic/challenge posed by the host(s).  This session will require at least one host to facilitate the conversation, and at least one host to take notes and ask clarifying questions.  After the session, the hosts will be expected to produce a document that summarizes the conversation which will then be shared with participants who may optionally provide their email.
Speakers

Tanya Janca

Head of Community and Education, Semgrep
Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the Head of Education and Community at Semgrep, sharing content and training that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty-five years, won countless awards, and has been everywhere from public...

Amanda McCarvill

Community Coordinator, Semgrep
Room: Waterfront C

2:15pm PDT

Securing the Rabbit Hole: A Deep Dive into Rabbit R1's Data Security (Conference Talk)
Wednesday September 25, 2024 2:15pm - 3:00pm PDT
In this technical deep dive, security experts Domko and Dabah will uncover aspects of the design and implementation of Rabbit R1's data security architecture, which safeguards sensitive customer data. As AI agents increasingly rely on personal data, its protection becomes paramount. Both speakers separately led product security in various companies and want to share their experience in building secure applications. Join them as they will get on the stage together for the first time and it’s gonna be fun.

We will cover the following topics:

1. The inadequacy of perimeter security in safeguarding cloud data

2. The importance of data privacy and its practical impact on data security

3. Building secure-by-design architectures to fortify data

4. Examples of do's and don'ts of data handling in code

5. The challenges of scaling data security in large organizations and potential solutions

This talk will cover a broad spectrum of topics, including engineering, architecture, security, and privacy, drawing on the speakers' experience leading security over hundreds of software engineers, breaking systems, and working with customers to build secure applications.

Speakers

Matt Domko

Domko is a security leader driven by his passion for engineering excellence. Throughout his career, he has actively promoted security at top technology companies such as Facebook, Amazon, and Grubhub. Matt finds great joy in offering guidance and mentorship in various formats, including...

Gil Dabah

CEO and co-founder, Piiano
A seasoned security expert with a track record of uncovering critical vulnerabilities and authoring open-source projects like diStorm, Gil Dabah transitioned his technical prowess into entrepreneurship. As CEO and co-founder of Piiano, his second venture, they are on a mission to...
Room: Waterfront A

3:00pm PDT

PM Break
Wednesday September 25, 2024 3:00pm - 3:30pm PDT
Waterfront Foyer

3:30pm PDT

Breaking the Silence: Sharing Ideas and Understanding the Dev & AppSec Disconnect that Hinders DevSecOps (Birds of a Feather)
Wednesday September 25, 2024 3:30pm - 4:15pm PDT
In this engaging session, we will explore the root causes of the disconnect between development and security teams in addressing Application Security (AppSec) findings. Participants will share their experiences, brainstorm ideas, and collaborate on practical solutions to bridge this gap. By understanding the underlying reasons behind the lack of cooperation, we aim to foster a more integrated and effective approach to AppSec. Join us to break the silence, share insights, and develop strategies that enhance collaboration and improve the resolution of security issues in your organization.

Birds of a Feather Format: 1 hour and 45 minute open discussion for the entire room on a specific topic, facilitated by the host(s).  The room will be set up as a large round table (20-24 people) to maximize visibility of all participants
Room: Waterfront C

3:30pm PDT

Threat Modeling of the Future: How AI and Graph Databases are a Game Changer for Security
Wednesday September 25, 2024 3:30pm - 4:15pm PDT
Traditional manual threat modeling methods used today fall short, as they simply cannot scale to meet the growing demands of a continuously evolving modern security landscape. We must rethink the future of threat modeling, embracing automation and advanced technologies to ensure we rise to meet the next sophistication of attacks that is looming on the horizon as AI is weaponized against us.  


Through AI and graph databases, threat modeling can adapt to future challenges, providing scalable, comprehensive, and efficient security solutions at a scale that is simply beyond human capability. This will not only level up our ability to manage threats but also democratize security expertise, making it accessible to all development teams regardless of their security proficiency.

Speakers

David Melamed

CTO and Co-Founder, Jit
David Melamed is the CTO and Co-Founder of Jit, the open ASPM for Cloud-Native applications. With over 15 years of experience in cybersecurity and cloud computing, he deeply understands the challenges in this fast-growing domain. Leveraging a PhD in Bioinformatics from Paris XI University...
Room: Waterfront A

3:30pm PDT

Secure Coding AI Wargame (Roundtable Session)
Wednesday September 25, 2024 3:30pm - 5:15pm PDT
Come join a fun and educational secure coding AI wargame. You will be given an AI chatbot. Your chatbot has a secret that should always remain a secret! Your objective is to secure your chatbot to protect its secret while attacking other players' chatbots and discovering theirs. The winner is the player whose chatbot survives the longest (king of the hill). All skill levels are welcomed, even if this is your first time seeing code, securing a chatbot, or playing in a wargame. Let's experience first-hand the challenges in protecting LLM based apps!

Roundtable Session Format: 1 hour and 45 minute activity where several round-table groups (10 per table) collaborate on a challenge presented by the host(s).
Speakers

Dr. Pedram Hayati

Founder and CEO, SecDim
Dr. Pedram Hayati is the Founder and CEO of SecDim, where he focuses on redefining developer engagement in security through developer-oriented wargames. As a security researcher proficient in OffSec and AppSec, he has reported thousands of vulnerabilities to Fortune 500 companies...
Room: Waterfront B

4:30pm PDT

Bridging the Silos: Strategies for Fostering Cross-Functional Collaboration in Organizations
Wednesday September 25, 2024 4:30pm - 5:15pm PDT
In the fast-paced and competitive landscape of today's economy, the ability to harness and integrate an organization's diverse knowledge base is a critical driver of sustained value creation. However, the persistence of operational silos often impedes this integration, stifling innovation and collaboration. Bridging these silos is essential for unlocking the full potential of an organization’s workforce. Transformation is only possible when employees are provided with opportunities and tools to collaborate effectively across departmental and cultural boundaries.


Leadership plays a pivotal role in this process by deploying cultural brokers who facilitate connections and understanding between disparate groups. These brokers encourage employees to ask insightful questions, enabling a deeper comprehension of the diverse perspectives and challenges faced by their colleagues. As employees begin to ask better questions, they become better positioned to appreciate and leverage the full spectrum of organizational knowledge.

Speakers

Aruneesh Salhotra

CEO, Fractional CISO, SNM Consulting Inc
Aruneesh Salhotra is a seasoned technologist and servant leader, renowned for his extensive expertise across cybersecurity, DevSecOps, AI, Business Continuity, Audit, and Sales. His impactful presence as an industry thought leader is underscored by his contributions as a speaker and panelist...
Room: Waterfront A

5:15pm PDT

Closing Keynote
Wednesday September 25, 2024 5:15pm - 6:15pm PDT
Speakers

Jim Manico

Founder, Manicode Security
Jim Manico is the Founder of Manicode Security, a company dedicated to providing expert training in secure coding and security engineering to software developers. His work at Manicode Security reflects his deep commitment to elevating software security standards in the industry. In...