OWASP AppSec Days Singapore 2024

In an era where digital transformation is accelerating, our future is being written, "coded", by the decisions we make today. But securing this future requires more than just traditional security measures; it demands the ingenuity of hackers and the power of community-driven collaboration. This keynote explores how the hacker mindset and community innovation are key to embedding security into the very DNA of our digital infrastructure. By leveraging the creativity, curiosity, and collaborative spirit of the hacking community, we can craft a resilient digital future where security is not an afterthought but a fundamental element. This talk will challenge you to rethink how we approach security, empowering hackers and communities to shape a safer, more secure digital world—one line of code at a time.

The Open Web Application Security Project (OWASP) boasts over 200 Projects, whose volunteers have developed tools and resources covering nearly every aspect of application security and software assurance. The challenge lies in knowing what they are, where to find them, and how they can help.

In this talk, we'll present brief glimpses of more than 30 interesting and useful OWASP Projects - including the current Flagship and Production Projects. We'll provide insights into how each can be used to build and improve your AppSec program, in every phase of the development lifecycle.

As AppSec professionals, securing and protecting our users and business is paramount. This session will delve into data from the OWASP Appdome Global Consumer Mobile Security Expectations Report, launched at OWASP Global AppSec in Lisbon, with a focus on Singapore and APAC consumer insights. We will explore the latest mobile threats such as social engineering, vishing, smishing, fraud, overlay attacks, accessibility exploits, bots, and more. Additionally, we'll provide updates on the OWASP mobile project and demonstrate how to leverage consumer voices in security discussions with developers and business leaders to drive prioritization and success in your mobile AppSec program. This session is applicable to all AppSec teams, whether focused on mobile, web, or API security.

Real examples of API security breaches, how they map to the OWASP API Security Top 10, and what you can do about it in your own projects. This presentation will dive deep into recent API security incidents, illustrating the vulnerabilities outlined in the OWASP API Security Top 10 – 2023. We will explore practical mitigation strategies to enhance the security of your APIs and protect your data from similar threats.

This presentation captures findings from a public AI security challenge designed to evaluate the resilience of Large Language Models (LLMs) against prompt injection attacks. The experiment involved an Attack & Defence wargame where participants were tasked with securing their LLMs, specifically preventing secret phrase disclosure. They were given access to the source code of the app that interfaced with OpenAI API. Simultaneously, participants were to attack other LLMs in an attempt to exfiltrate the secret phrase. A notable aspect of this experiment was the real-time evolution of defensive strategies and offensive tactics by participants. The results indicated that all LLMs were exploited at least once. This underscores how there is no silver bullet for securing against prompt injection and that it remains as an open problem.