Wednesday, September 25

10:30am PDT

The Benefits of Knowing the Future (conference talk)
Wednesday September 25, 2024 10:30am - 11:15am PDT
Managing the risk from thousands of open source dependencies is the most difficult challenge of our time. Software Composition Analysis (SCA) tools help understand the risk profile using data collected about "known" vulnerabilities. But what about the "unknown" bugs?


Imagine a scenario in which you know about bugs in your open source dependencies before they become vulnerabilities with a CVE. You can design and execute a remediation plan even before the information is public and the threat becomes imminent. This will have a fundamental impact on the security posture.

The Alpha-Omega project under the Linux Foundation has been challenged with the task of making the most popular Open Source libraries safe for everyone. We are enabling the proposed reality by proactively scanning and finding previously unknown bugs in open source projects. This will open up the opportunity for you to proactively respond in the time window before a CVE is public. 

Speakers
Munawar Hafiz

CEO, OpenRefactory
Munawar Hafiz is the founder and head of innovations of OpenRefactory, Inc., an application security company that intends to improve the way developers write secure, reliable and compliant code. Munawar had a body of work on automated bug fixing in academia which lays the foundation...
Room: Waterfront A

10:30am PDT

Cards Against AppSec (Round Table)
Wednesday September 25, 2024 10:30am - 12:15pm PDT
Looking for a chance to let loose and have a laugh at an otherwise serious industry event? We've got just the thing for you! Introducing "Cards Against AppSec" – a hilarious card game based on the popular "Cards Against Humanity."

Gather with fellow horrible appsec people and indulge in an evening of wicked humor and witty banter. "Cards Against AppSec" is designed to tickle your funny bone while poking fun at the quirks and challenges of the appsec world.

Don't miss this unique opportunity to unwind, bond with peers, and share laughter in the unlikely setting of an industry event. So, join us for a good time filled with outrageous card combinations and unforgettable moments.

Speakers
Tanya Janca

Head of Community and Education, Semgrep
Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the Head of Education and Community at Semgrep, sharing content and training that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty-five years, won countless awards, and has been everywhere from public...
Amanda McCarvill

Community Coordinator, Semgrep
Room: Waterfront B

1:15pm PDT

Context Switching: The Security #1 Silent Killer (Conference Talk)
Wednesday September 25, 2024 1:15pm - 2:00pm PDT
In today's fast-paced software development environments, the feedback loop between code creation, security validation, and issue remediation is often cumbersome and inefficient. Developers face the challenge of addressing security vulnerabilities identified during automated Static Application Security Testing (SAST) scans, only to see lower-severity issues relegated to the dreaded backlog. This backlog, a repository of technical debt, grows unchecked as management prioritizes feature development over security maintenance.

When developers do venture into the backlog, they encounter a time-consuming process of reacquainting themselves with the context of the code of each SAST finding, hindering productivity. However, there's a solution: automated source code remediation. By seamlessly integrating automated fixes into the developer workflow, this approach not only addresses security vulnerabilities but also closes the feedback loop from Pull Request creation to SAST finding resolution.

In this talk, we'll demonstrate the influence of developers' context switching on the security of their organization, and on the whole security industry. We'll also introduce some easy and revolutionary ideas on how to cope with this challenge, to dramatically improve security and productivity.

Speakers
Antony Chiu

Solution Engineer, Mobb
Antony Chiu is a seasoned expert in the realm of Application Security, leveraging over a decade of hands-on experience to deploy robust AppSec solutions in SAST, DAST, IAST and most recently Automatic Code Remediation for clients across diverse industries. With a keen focus on bridging...
Room: Waterfront A

2:15pm PDT

Securing the Rabbit Hole: A Deep Dive into Rabbit R1's Data Security (Conference Talk)
Wednesday September 25, 2024 2:15pm - 3:00pm PDT
In this technical deep dive, security experts Domko and Dabah will uncover aspects of the design and implementation of Rabbit R1's data security architecture, which safeguards sensitive customer data. As AI agents increasingly rely on personal data, its protection becomes paramount. Both speakers separately led product security in various companies and want to share their experience in building secure applications. Join them as they get on the stage together for the first time; it's gonna be fun.

We will cover the following topics:

1. The inadequacy of perimeter security in safeguarding cloud data
2. The importance of data privacy and its practical impact on data security
3. Building secure-by-design architectures to fortify data
4. Examples of do's and don'ts of data handling in code
5. The challenges of scaling data security in large organizations and potential solutions

This talk will cover a broad spectrum of topics, including engineering, architecture, security, and privacy, drawing on my experience leading security over hundreds of software engineers, breaking systems, and working with customers to build secure applications.

Speakers
Matt Domko

Domko is a security leader driven by his passion for engineering excellence. Throughout his career, he has actively promoted security at top technology companies such as Facebook, Amazon, and Grubhub. Matt finds great joy in offering guidance and mentorship in various formats, including...
Gil Dabah

CEO and co-founder, Piiano
A seasoned security expert with a track record of uncovering critical vulnerabilities and authoring open-source projects like diStorm, Gil Dabah transitioned his technical prowess into entrepreneurship. As CEO and co-founder of Piiano, his second venture, they are on a mission to...
Room: Waterfront A

3:30pm PDT

Threat Modeling of the Future: How AI and Graph Databases are a Game Changer for Security
Wednesday September 25, 2024 3:30pm - 4:15pm PDT
Traditional manual threat modeling methods used today fall short, as they simply cannot scale to meet the growing demands of a continuously evolving modern security landscape. We must rethink the future of threat modeling, embracing automation and advanced technologies to ensure we rise to meet the next sophistication of attacks that is looming on the horizon as AI is weaponized against us.

Through AI and graph databases, threat modeling can adapt to future challenges, providing scalable, comprehensive, and efficient security solutions at a scale that is simply beyond human capability. This will not only level up our ability to manage threats but also democratize security expertise, making it accessible to all development teams regardless of their security proficiency.

Speakers
David Melamed

CTO and Co-Founder, Jit
David Melamed is the CTO and Co-Founder of Jit, the open ASPM for Cloud-Native applications. With over 15 years of experience in cybersecurity and cloud computing, he deeply understands the challenges in this fast-growing domain. Leveraging a PhD in Bioinformatics from Paris XI University...
Room: Waterfront A

3:30pm PDT

Secure Coding AI Wargame (Roundtable Session)
Wednesday September 25, 2024 3:30pm - 5:15pm PDT
Come join a fun and educational secure coding AI wargame. You will be given an AI chatbot. Your chatbot has a secret that should always remain a secret! Your objective is to secure your chatbot to protect its secret while attacking other players' chatbots and discovering theirs. The winner is the player whose chatbot survives the longest (king of the hill). All skill levels are welcome, even if this is your first time seeing code, securing a chatbot, or playing in a wargame. Let's experience first-hand the challenges in protecting LLM-based apps!

Roundtable Session Format: 1 hour and 45 minute activity where several round-table groups (10 per table) collaborate on a challenge presented by the host(s).
Speakers
Dr. Pedram Hayati

Founder and CEO, SecDim
Dr. Pedram Hayati is the Founder and CEO of SecDim, where he focuses on redefining developer engagement in security through developer-oriented wargames. As a security researcher proficient in OffSec and AppSec, he has reported thousands of vulnerabilities to Fortune 500 companies...
Room: Waterfront B