Preventing Mobile App and API Abuse

An overview of the mobile and API security cat and mouse game (securely storing secrets, TLS, cert pinning, bypassing protections via decompiling apps and hooking key functionality, OAuth2, etc.), described through an example back and forth between a package delivery service company and an attacker-run website trying to exploit it.

Securing Third Party Applications at Scale

This talk describes each step of a methodology to secure third-party apps in general, and then how they do it at Salesforce. A nice combination of both principles and implementation.

Slack App Security: Securing your Workspaces from a Bot Uprising

Kelly and Nikki discuss the fundamental challenges in securing Slack apps and the App Directory, the steps Slack is taking now, and what Slack is planning to do in the future.

Startup Security: Starting a Security Program at a Startup

The Call is Coming From Inside the House: Lessons in Securing Internal Apps

The Unabridged History of Application Security

Jim gives a fun and engaging history of computer security, with an overall encouraging message

The White Hat’s Advantage: Open-source OWASP tools to aid in penetration testing coverage

Vincent describes how two OWASP tools, Attack Surface Detector and Code Pulse, can make penetration testers more effective and demos using them.

Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team

Izar describes the attributes required by threat modelling approaches in order to succeed in Agile dev environments, how to build an organization that continuously threat models new stories, how to educate devs and raise security awareness, and PyTM, a tool that lets you express TMs via Python code and output data flow diagrams, sequence diagras, and reports.

Usable Security Tooling - Creating Accessible Security Testing with ZAP

In this talk, David gives an overview and demo of ZAP’s new heads-up display (HUD), an intuitive and awesome way to view OWASP ZAP info and use ZAP functionality from within your browser on the page you’re testing.

Working with Developers for Fun and Progress

A​ Pragmatic Approach for Internal Security Partnerships

Cloud Forensics: Putting The Bits Back Together

Brandon describes an experiment he did in AWS forensics (e.g. Does the EBS volume type or instance type matter when recovering data?) and gives some advice on chain of custody and cloud security best practices.