Tuesday, October 1

9:00am GMT+08

1-Day Training: Red Teaming the Software Supply Chain
Tuesday October 1, 2024 9:00am - 5:00pm GMT+08
***Training tickets require a separate ticket purchase from the conference***


The software supply chain is under increasing threat. New attacks and threats have popped up that we couldn't have imagined even two years ago. Total attacks on the software supply chain are increasing by more than 730% year on year since 2019. One way for organizations to combat this growing threat is to empower their offensive security teams to test the software supply chains for that organization. But many offensive security teams are ill-prepared to tackle this new attack surface, so that's why I created this training curriculum.


The purpose of this training is to help security practitioners learn how to expand the scope of their knowledge and toolkit to address the security posture of a specific software supply chain (SSC). I will show them a framework (TVPO) for assessing and testing existing supply chains via focused red-teaming activities.


This framework helps red-teamers learn how software is created by identifying how a target writes, builds and deploys its applications. Not all existing red-teamers will know how this process works, so we will use a typical CI/CD workflow as an example. Are malicious actors targeting your customers? Are they targeting your tech stack, or are they targeting you for political reasons? Do they want your source code? Do they want access to the data you have? These are important questions to ask and talk about with your red team, because they help the team identify and assess risk for their organization's specific circumstances, which then allows them to prioritize their operations.


This presentation will rely heavily on the Visualizing Software Supply Chain document and its in-depth description of the ten stages of the software supply chain: people, local requirements, source code, integration, deployment, runtime, hardware, DNS, services and cloud.


We will go through the different stages of the SSC and talk about the different security controls that exist at each stage. We will reference the OSC&R framework to identify specific attack vectors and security controls for a target software supply chain. From that insight will come an understanding of the weaknesses and attack vectors available against that target.

Finally, in the second half of the day we will get very hands-on and learn how to craft attacks for different stages of the software supply chain.


This 8-hour training session will have 4 main takeaways:

  1. How broad the software supply chain is. There is a LOT of attack surface across the whole of the software supply chain.
  2. How to use the TVPO methodology to threat model a specific software supply chain. What are attackers looking for?
  3. The participants will learn a framework to build their red team infrastructure and functions, so they can run offensive operations against different types of software supply chains.
  4. Finally, we will work with a custom-built interactive CTF that I built just for this training session. The audience will be able to enjoy an interactive red team engagement against a real open-source project.
Speakers

Paul McCarty

Founder, SourceCodeRED
Paul is a DevSecOps OG and has built a reputation for delivering offensive security functions for (and against!) the software supply chain. He founded SecureStack, a pioneering cloud-native software supply chain security startup, in 2017. More recently, he's founded SourceCodeRED a...
Tuesday October 1, 2024 9:00am - 5:00pm GMT+08
Room: Level 3 Jasmine Ballroom 3805 Marina Bay Sands Singapore

9:00am GMT+08

1-Day Training: Threat Modelling: From none to done
Tuesday October 1, 2024 9:00am - 5:00pm GMT+08
This session offers participants an interactive introduction to application Threat Modelling and its use as a technique for identifying consequential ("Yes, and...") security requirements. A key focus of this course is applying Threat Modelling as a daily practice within your organization's software development processes, to improve the overall quality and security of the applications you build.


In addition to addressing key questions around the "Five Ws," the presentation will cover the instructor's "Seven Questions" approach (adapted from Adam Shostack's "Four Questions") to developing a model, and include several interactive exercises to provide direct experience.


We'll wrap up the day with a brief review of available modelling tools - including a hands-on look at a few free/freemium tools - along with a discussion of the opportunities and challenges for introducing Threat Modelling into your SDLC.

Speakers

John DiLeo

Application Security Lead, OWASP New Zealand
Dr. John DiLeo leads the OWASP New Zealand Chapter. In his day job, John is the Application Security Lead at Gallagher Security in Hamilton. Before joining Gallagher, John led the Application Security Services team at Datacom NZ, providing support and guidance to clients in launching...
Tuesday October 1, 2024 9:00am - 5:00pm GMT+08

10:30am GMT+08

AM Coffee Break
Tuesday October 1, 2024 10:30am - 11:00am GMT+08
Room: Level 3 Jasmine Ballroom Foyer Marina Bay Sands Singapore

3:00pm GMT+08

PM Coffee Break
Tuesday October 1, 2024 3:00pm - 3:30pm GMT+08
Room: Level 3 Jasmine Ballroom Foyer Marina Bay Sands Singapore

Wednesday, October 2

8:00am GMT+08

Expo Hall
Wednesday October 2, 2024 8:00am - 5:00pm GMT+08
Room: Level 3 Jasmine Ballroom 3801AB-3 & 3901AB-3 Marina Bay Sands Singapore

8:50am GMT+08

Opening Note
Wednesday October 2, 2024 8:50am - 9:00am GMT+08
Room: Jasmine Ballroom Marina Bay Sands Convention Center

9:05am GMT+08

Future as Code: Hackers, Community, and the Fabric of Our Digital World (Keynote)
Wednesday October 2, 2024 9:05am - 9:45am GMT+08
In an era where digital transformation is accelerating, our future is being written, "coded", by the decisions we make today. But securing this future requires more than just traditional security measures; it demands the ingenuity of hackers and the power of community-driven collaboration. This keynote explores how the hacker mindset and community innovation are key to embedding security into the very DNA of our digital infrastructure. By leveraging the creativity, curiosity, and collaborative spirit of the hacking community, we can craft a resilient digital future where security is not an afterthought but a fundamental element. This talk will challenge you to rethink how we approach security, empowering hackers and communities to shape a safer, more secure digital world—one line of code at a time.
Speakers

Emil Tan

Head Crew & Co-Founder, Division Zero (Div0), Singapore Cybersecurity Community Group
Emil Tan is currently serving the role of Cyber Strategist and Market Lead in Critical Infrastructure at Booz Allen Hamilton. He is also the Chief Community Officer (CCO) at Red Alpha Cybersecurity, a leading cybersecurity talent development company, and the Chair of the CREST Asia...
Wednesday October 2, 2024 9:05am - 9:45am GMT+08
Room: Jasmine Ballroom Marina Bay Sands Convention Center
  Keynote

9:30am GMT+08

Ready Set Hack CTF (separate ticket purchase): THE AppSec Arena Showdown Challenges
Wednesday October 2, 2024 9:30am - 12:30pm GMT+08
OWASP AppSec Days Singapore brings you an exciting, offensive, jeopardy-style Capture the Flag (CTF) event on October 2, 2024. We have collaborated with Cybercohesion and WARZONE (one platform, all CYBER) to bring this thrilling competition to the OWASP AppSec Days Singapore Conference, happening at the iconic Marina Bay Sands Singapore.

This CTF offers participants the opportunity to test their offensive application security skills in a competitive and engaging environment. Join us for a full day of challenging scenarios and the chance to showcase your experience alongside fellow security professionals.

Ready Set Hack: THE AppSec Arena Showdown Challenges:

Morning Session: Cryptography Challenges | Time: 9:30 AM - 12:30 PM (players need to be at the venue by 9 AM for the event briefing)
Challenges: BLOWFISH | CUSTOM | S33DER
Afternoon Session: Web Security Challenges | Time: 1:30 PM - 4:00 PM
Challenges: CCTV | KAER MORHEN COIN | REVIEW

Scoring Details:
  • Speed: The first player to solve a challenge gets 100% of its points, with subsequent solvers receiving progressively lower scores.
  • Accuracy: Points are awarded based on the accuracy of the solutions. There is no negative scoring for wrong attempts.

Wednesday October 2, 2024 9:30am - 12:30pm GMT+08
Room: Jasmine Ballroom Marina Bay Sands Convention Center

9:50am GMT+08

Leveraging OWASP Projects and Tools in Your AppSec Program
Wednesday October 2, 2024 9:50am - 10:30am GMT+08
The Open Web Application Security Project (OWASP) boasts over 200 Projects, whose volunteers have developed tools and resources covering nearly every aspect of application security and software assurance. The challenge lies in knowing what they are, where to find them, and how they can help.

In this talk, we'll present brief glimpses of more than 30 interesting and useful OWASP Projects - including the current Flagship and Production Projects. We'll provide insights into how each can be used to build and improve your AppSec program, in every phase of the development lifecycle.
Speakers

John DiLeo

Application Security Lead, OWASP New Zealand
Dr. John DiLeo leads the OWASP New Zealand Chapter. In his day job, John is the Application Security Lead at Gallagher Security in Hamilton. Before joining Gallagher, John led the Application Security Services team at Datacom NZ, providing support and guidance to clients in launching...
Wednesday October 2, 2024 9:50am - 10:30am GMT+08
Room: Jasmine Ballroom Marina Bay Sands Convention Center

10:30am GMT+08

AM Coffee Break
Wednesday October 2, 2024 10:30am - 10:45am GMT+08
Room: Level 3 Jasmine Ballroom Foyer Marina Bay Sands Singapore

10:45am GMT+08

Enhancing Kubernetes Security: File Integrity Monitoring with eBPF
Wednesday October 2, 2024 10:45am - 11:25am GMT+08
In this session we will leverage Extended Berkeley Packet Filter (eBPF) technology to build an enhanced File Integrity Monitoring (FIM) solution for Kubernetes. This talk will cover the basics of eBPF, its advantages over traditional FIM methods, and practical implementation techniques. We will showcase OWASP KubeFIM, an open source FIM solution for Kubernetes, and discuss future prospects for eBPF in security applications. Attendees will gain practical knowledge on setting up eBPF for FIM, understanding its benefits, and navigating potential challenges.
Speakers

Abhijit Chatterjee

Independent Consultant
As an independent infrastructure and security consultant, I specialize in helping organizations optimize their development operations and fortify their security posture.
Wednesday October 2, 2024 10:45am - 11:25am GMT+08
Room: Jasmine Ballroom Marina Bay Sands Convention Center

11:30am GMT+08

Supercharge your AppSec Program with OWASP Appdome Consumer Mobile Security Report 2024 and OWASP MASVS
Wednesday October 2, 2024 11:30am - 12:10pm GMT+08
As AppSec professionals, securing and protecting our users and business is paramount. This session will delve into data from the OWASP Appdome Global Consumer Mobile Security Expectations Report, launched at OWASP Global AppSec in Lisbon, with a focus on Singapore and APAC consumer insights. We will explore the latest mobile threats such as social engineering, vishing, smishing, fraud, overlay attacks, accessibility exploits, bots, and more. Additionally, we'll provide updates on the OWASP mobile project and demonstrate how to leverage consumer voices in security discussions with developers and business leaders to drive prioritization and success in your mobile AppSec program. This session is applicable to all AppSec teams, whether focused on mobile, web, or API security.
Speakers

Brian Reed

Appdome
Brian has been working with the OWASP mobile project for 9 years, serving as an OWASP MAS Advocate, contributor and speaker at dozens and dozens of OWASP global, regional and local meetups and other cyber and mobile communities. With nearly 20 years in mobile security, he's a recognized...
Wednesday October 2, 2024 11:30am - 12:10pm GMT+08
Room: Jasmine Ballroom Marina Bay Sands Convention Center

12:10pm GMT+08

Lunch with Exhibitors
Wednesday October 2, 2024 12:10pm - 1:10pm GMT+08

1:10pm GMT+08

Unlocking the Gates - Understanding Authentication Bypass Vulnerabilities
Wednesday October 2, 2024 1:10pm - 2:00pm GMT+08
During the session, I will present an extensive array of over 15 distinct techniques and vulnerabilities that can be exploited for authentication bypass or account takeover. Some of the vulnerabilities I will cover include Session Puzzling, Session Fixation, Rate Limit Bypasses, Broken Brute-Force Protection, 2FA/OTP Misconfigurations, HTTP-Parameter Pollution, PHP Type Juggling, and many more. These insights will provide attendees with a comprehensive understanding of the various methods used by attackers to compromise authentication mechanisms and take control of user accounts.
Speakers

Vikas Khanna

Technical Specialist, Privasec
I specialize in Web Application and API Security Assessments, with extensive experience across various industries including Finance, E-Commerce, Employee Management, Food, Beverages, and Fitness. My successful bug bounty hunting endeavours have led to the discovery of security...
Wednesday October 2, 2024 1:10pm - 2:00pm GMT+08
Room: Jasmine Ballroom Marina Bay Sands Convention Center

1:30pm GMT+08

Ready Set Hack CTF (separate ticket purchase): THE AppSec Arena Showdown Challenges
Wednesday October 2, 2024 1:30pm - 4:00pm GMT+08
OWASP AppSec Days Singapore brings you an exciting, offensive, jeopardy-style Capture the Flag (CTF) event on October 2, 2024. We have collaborated with Cybercohesion and WARZONE (one platform, all CYBER) to bring this thrilling competition to the OWASP AppSec Days Singapore Conference, happening at the iconic Marina Bay Sands Singapore.

This CTF offers participants the opportunity to test their offensive application security skills in a competitive and engaging environment. Join us for a full day of challenging scenarios and the chance to showcase your experience alongside fellow security professionals.

Ready Set Hack: THE AppSec Arena Showdown Challenges:

Morning Session: Cryptography Challenges | Time: 9:30 AM - 12:30 PM (players need to be at the venue by 9 AM for the event briefing)
Challenges: BLOWFISH | CUSTOM | S33DER
Afternoon Session: Web Security Challenges | Time: 1:30 PM - 4:00 PM
Challenges: CCTV | KAER MORHEN COIN | REVIEW

Scoring Details:
  • Speed: The first player to solve a challenge gets 100% of its points, with subsequent solvers receiving progressively lower scores.
  • Accuracy: Points are awarded based on the accuracy of the solutions. There is no negative scoring for wrong attempts.

Wednesday October 2, 2024 1:30pm - 4:00pm GMT+08
Room: Jasmine Ballroom Marina Bay Sands Convention Center

2:05pm GMT+08

Hunting for 0 & 1days by tracking Out of Bound Requests
Wednesday October 2, 2024 2:05pm - 2:40pm GMT+08
Out-of-band (OOB) tools (such as Interact.sh, Burp Collaborator, etc.) are powerful tools for penetration testers who want to find and exploit blind vulnerabilities. Blind vulnerabilities are those that do not show any output in the response, making them hard to detect; OOB tools make the vulnerable server send a request to a server the tester controls, where the tool captures the request and reveals the vulnerability. OOB tools are especially useful for finding SSRF, SQLi, XXE and RCE vulnerabilities, and can also be used to exfiltrate data from the target. They are often used in manual penetration testing, where pentesters or attackers send requests to the web server using these tools to identify the presence of a vulnerability. The same happened during the Log4J and Text4shell exploitation waves, where mass scanning took place. In this talk, we will discuss how to effectively leverage this known concept of out-of-band testing to identify security vulnerabilities that are actively being tested for or exploited, using techniques such as process hierarchy validation, request baselining, etc. We will also discuss how to identify and hunt for OOB adversarial infrastructure using techniques such as response fingerprinting, network analysis, and process execution logs. This will help defenders identify known or unknown attacks against web applications. The talk will also cover some case studies of real-world attacks where OOB tools were used or detected. This talk will give you a comprehensive overview of the various techniques that defenders can use to detect unusual out-of-band requests originating from web applications.
Speakers

Surya Subhash

Security Researcher, Microsoft
Subhash is a Security Engineer with Microsoft. Previously, he was a Red Teamer with EY & PwC (India practices). He's a blue teamer by day and a security researcher & red teamer by night. He is passionate about security research and creating new tools. He was a bug bounty hunter...
Wednesday October 2, 2024 2:05pm - 2:40pm GMT+08
Room: Jasmine Ballroom Marina Bay Sands Convention Center

2:50pm GMT+08

API Security Top 10 for Real
Wednesday October 2, 2024 2:50pm - 3:30pm GMT+08
Real examples of API security breaches, how they map to the OWASP API Security Top 10, and what you can do about it in your own projects. This presentation will dive deep into recent API security incidents, illustrating the vulnerabilities outlined in the OWASP API Security Top 10 – 2023. We will explore practical mitigation strategies to enhance the security of your APIs and protect your data from similar threats.
Speakers

Jon Scheele

Founder and CEO, Blue Connector
Jon Scheele has over 20 years of experience in leading technology strategy, data analytics, security, and interoperability initiatives in financial services and telecommunications. Jon leads training and projects for clients to define digital product strategies and roadmaps aligned with their business objectives. Jon excels in assembling multi-disciplinary teams to identify customer needs, develop, launch, and govern digital products, and cultivate vibrant de...
Wednesday October 2, 2024 2:50pm - 3:30pm GMT+08
Room: Jasmine Ballroom Marina Bay Sands Convention Center

3:30pm GMT+08

PM Coffee Break
Wednesday October 2, 2024 3:30pm - 3:45pm GMT+08
Room: Level 3 Jasmine Ballroom Foyer Marina Bay Sands Singapore

3:45pm GMT+08

LLM Security Is Broken: Data Collected From An AI Wargame
Wednesday October 2, 2024 3:45pm - 4:25pm GMT+08
This presentation captures findings from a public AI security challenge designed to evaluate the resilience of Large Language Models (LLMs) against prompt injection attacks. The experiment involved an Attack & Defence wargame where participants were tasked with securing their LLMs, specifically preventing secret phrase disclosure. They were given access to the source code of the app that interfaced with the OpenAI API. Simultaneously, participants were to attack other LLMs in an attempt to exfiltrate the secret phrase. A notable aspect of this experiment was the real-time evolution of defensive strategies and offensive tactics by participants. The results indicated that all LLMs were exploited at least once. This underscores that there is no silver bullet for securing against prompt injection and that it remains an open problem.
Speakers

Dr. Pedram Hayati

Founder and CEO, SecDim
Dr. Pedram Hayati is the Founder and CEO of SecDim, where he focuses on redefining developer engagement in security through developer-oriented wargames. As a security researcher proficient in OffSec and AppSec, he has reported thousands of vulnerabilities to Fortune 500 companies...
Wednesday October 2, 2024 3:45pm - 4:25pm GMT+08
Room: Jasmine Ballroom Marina Bay Sands Convention Center

4:30pm GMT+08

The Dark Side of AI: Exploring Adversarial Threats
Wednesday October 2, 2024 4:30pm - 5:10pm GMT+08
As artificial intelligence (AI) becomes an integral part of our digital landscape, the looming threat of adversarial attacks casts a shadow over its immense potential. This presentation takes a technical deep dive into the evolving landscape of AI security and the relentless tactics employed by adversaries to exploit vulnerabilities. Attendees will gain insights into various attacker strategies, including the OWASP LLM Top 10 and exploitable security flaws in LLM frameworks. Moreover, there will be demos of adversarial AI attacks on POC applications. Demos covered include the Fast Gradient Sign Method (FGSM), prompt injection to code execution, poisoning training data, model serialization attacks, and SQL injection in LLM applications. The session aims to equip attendees with a comprehensive understanding of the adversarial tactics prevalent in AI security and empower them to guard against the shadows that threaten AI systems.
Speakers

Alex Devassy

Security Engineer, AppViewX India
Alex is a senior security engineer at AppViewX India, specializing in penetration testing to enhance application security. He's passionate about researching new attack vectors in focused technology domains. Among his achievements, he co-authored the chapter "Safeguarding Blockchains...
Wednesday October 2, 2024 4:30pm - 5:10pm GMT+08
Room: Jasmine Ballroom Marina Bay Sands Convention Center

5:15pm GMT+08

Unlocking the Power of Security Culture: A Journey Beyond Shifting Left
Wednesday October 2, 2024 5:15pm - 5:55pm GMT+08
In this talk, I will discuss various initiatives that security teams can adopt to build strong relationships with engineers and foster a behavioral change. Attendees will gain insights into the holistic approach needed to integrate security seamlessly into the development process.
Speakers

Gowtham Sundar

I am a cybersecurity professional with extensive experience in application security. My expertise includes leading teams, developing strategies and implementing initiatives to strengthen the security posture of organizations. I'm always eager to share my knowledge and insights with...
Wednesday October 2, 2024 5:15pm - 5:55pm GMT+08
Room: Jasmine Ballroom Marina Bay Sands Convention Center

6:00pm GMT+08

The Final Frontier of Web Security: Moving Beyond Secure Web Gateways (Keynote)
Wednesday October 2, 2024 6:00pm - 6:40pm GMT+08
The web browser is the most used enterprise application, but the least protected. For almost two decades, Secure Web Gateways, as part of the SASE/SSE framework, served as the primary defence against web threats by monitoring the network layer. However, as browsers have evolved into complex, OS-like environments and web applications have grown in intricacy, Secure Web Gateways have become outdated and ineffective. In this keynote, we will expose the inherent architectural flaws of Secure Web Gateways, particularly their inability to defend against modern web attacks like 'Last Mile Reassembly attacks.' The argument is clear: Secure Web Gateways are no longer viable as the guardian of the web. The future of web security lies in browser-native solutions that operate directly within the browser, leveraging rich browser data to drive advanced web attack detection algorithms.
Speakers

Vivek Ramachandran

Founder, SquareX
Vivek Ramachandran is a security researcher, book author, speaker-trainer, and serial entrepreneur with over two decades of experience in offensive cybersecurity. He is currently the founder of SquareX, building a browser-native security product focused on detecting, mitigating, and...
Wednesday October 2, 2024 6:00pm - 6:40pm GMT+08
Room: Jasmine Ballroom Marina Bay Sands Convention Center