In 2020 Google changed the default SameSite behaviour for cookies to Lax and Safari enabled full 3rd party cookie blocking. These changes required updates to a vast range of sites. In 2022 Firefox introduced a unique concept of cookie buckets to improve privacy, while still trying to not break single sign on and other valid solutions.

Using cookies and making sure they work across different browsers is harder than ever. And there is more to come...

Talk (60 min)

The Future of Cookies

Security

But don't sit back and relax just yet; there's more to security than setting up a firewall! During development, you still need to keep many other security considerations in mind to ensure your application is protected against attacks executed by cybercriminals. Join me in this session and learn what kind of attacks Azure WAF can block for you automatically and what is left for you to consider to ensure a secure Azure PaaS web app as a developer.

Hacker vs Azure Web Application Firewall

Cloud Security

Application Security

Hacking

In this demo heavy session you'll learn about commonly seen pitfalls, how to avoid them and how to monitor escalation paths in Entra ID over time.

Surprising ways to escalate privileges in Entra ID

Security Tooling

The session includes:
- Containers 101
- Backdooring Docker containers images
- Poisoning images on Azure Container Registry
- Compromise containers on Azure Container Instance
- Compromise containers on Azure Kubernetes Services
- Vulnerability Assessment

Pentesting Azure Container Services

Containers

Kubernetes

This makes the process of building great software easier and faster, but what about more secure? In this session, we’ll demonstrate how GitHub Copilot and ChatGPT can help developers write more secure code through real-world use cases. The audience will come away with tips and best practices from the lessons we learned from experimenting with the tools.

Human vs AI: How to ship secure code

Machine Learning

Programming

SDLC

Tools

Sarah has been leading Microsoft's internal efforts to create AI security best practices and - in this talk - will share aspects of the journey to do this, a history of AI attacks and what the best practices are to keep an AI implementation secure (spoiler: there's no secret sauce) and how you should be thinking about this in your organisation, no matter what cloud or AI platform you're using.

Panda to gibbon is the least of your worries: why securing AI is not what you think

But this session isn't just about the triumph of the red team; it serves as a powerful wake-up call for organizations to bolster their defenses and adopt a proactive approach to cybersecurity. Discover the invaluable insights gained from this red team engagement, and learn how to elevate your company's security posture, shoring up weak points and staying one step ahead of potential adversaries.

Hacked in Hours: A red team assessment that doomed a corporation

Experience report

Come join 15-year Microsoft MVP & RD Maarten Goet and learn how Microsoft Defender 365 and Microsoft Sentinel can help detect command-and-control platform Cobalt Strike, nasty exploits and much more, in this real-world case where an attacker went from Zero to Ransomware in just 52 minutes. This is a session no security admin should miss!

52 mins from initial access to ransomware -- is your defensive team ready?

Representing a leading bank, we will share our first-hand experience of navigating these challenges and fortifying the protection of our customers' invaluable data and assets. Delve into the organizational hurdles we confronted from a cybersecurity perspective and gain insights into the measures we have implemented to safeguard privacy and ensure financial safety.

During our session, we will showcase a live demo, unveiling the impact of DeepFake on fraud. Discover the risks it poses to the banking sector and beyond, explore future implications, and learn about our proactive steps to mitigate these risks. Gain invaluable insights, practical advice, and stay ahead in the ever-evolving cybersecurity landscape. Don't miss this opportunity to safeguard your data and assets.

Banking Cybersecurity: Battling DeepFakes & AI-powered Scammers

Privacy

This talk would be focusing on the What, Why, and How of this. Talking about the impact of the supply chain attacks as the weakest link in the chain and how to prevent them.

It would include Extensive internet scanning of NPM packages to find ones prone to account takeover [+ impact identification and defense]

This briefing is focused on the dangers of NPM package hacking and account takeover. As many of you know, NPM packages are crucial dependencies for the widely-used Javascript programming language. Unfortunately, in recent times there have been numerous instances of NPM package hacking, including confusion attacks and account takeovers, putting developers at risk without their knowledge.

Supply Chain Attacks:- Focused on NPM attacks. (Includes, demonstrations of research and prevention

AWS SRA describes and demonstrates how security services should be deployed and managed, the security objectives they serve, and how they interact with one another. In this session, learn about these assets, the AWS SRA team’s design decisions, and guidelines for how to use AWS SRA for your security designs. Discover an authoritative reference to help you design and implement your own security architecture on AWS.

AWS Security Reference Architecture: Visualize your security

The Top 10 will help organizations prioritize their security efforts and focus on the most significant security risks that they may face. By understanding and addressing these risks, organizations can better protect against malicious attacks, data breaches, and other security incidents.

In this talk we'll cover what's in the list, the selection criteria for it, and discuss strategies organizations should take to mitigate these critical risks to cloud native computing security.

The Top 10 List of Istio Security Risks and Mitigation Strategies

CDR strategies combine cloud threat detection and incident response by employing several techniques, including active monitoring, log analytics, threat intelligence, incident response, forensic analysis, and threat analysis. This is advantageous since security teams are enabled to be agile and more productive; hence CDRs are rapidly becoming essential tools for security teams focused on protecting cloud-native infrastructure, including detection engineers, cloud security engineers, cloud incident responders, and SOC teams.

However, enabling efficient CDR strategies is challenging for several reasons, including cloud complexities, insufficient expertise, and cloud misconfiguration. These challenges often lead to blindspots; some cloud attacks are not detected, leading to successful compromises. Furthermore, the ephemerality of cloud resources requires continuous assessment, validation, and configuration of CDR to align with the evolving threat landscape. This level of security validation is challenging for most teams, and there are hardly solutions that can be easily leveraged.

Security Chaos Engineering (SCE) is an evolving approach to cyber security that employs empirical evaluation of security controls to proactively gain evidence about their effectiveness via quick feedback loops. These feedback loops, a core of system thinking, allow for quick analysis and adaption of security systems to stay ahead of cyber attacks. SCE is aligned with cloud-native infrastructure, given its roots are chaos engineering, a discipline Netflix formulated as part of its digital transformation process over a decade ago. Consequently, SCE empowers cloud security teams to quickly and continuously evaluate CDR efficiently in a variety of ways.

This talk provides practical steps and examples based on a hybrid CDR system consisting of AWS GuardDuty, AWS Detective, and Datadog Cloud SIEM. Security chaos engineering experiments are conducted using the Mitigant Cloud Immunity platform, which is the first of its kind. Using the examples, we are able to demonstrate how CDR systems can miss malicious patterns, including those defined in the MITRE ATT&CK library. The talk provides recommendations on how to remediate these blindspots to enhance CDR systems' efficiency.


Optimizing Cloud Detection & Response With Security Chaos Engineering

Testing

At the end of this conversation, it will be clear to everyone how Dev/ Research should look better at their cloud environment, in addition to providing clear guidance on how people can seek more basic knowledge, with file structures, software architecture and language. schedule.

Effects Malware hunting in Cloud environment

We will look at how so-called "prompt injection" attacks occur, why they work, different variations like direct and indirect injections, and then see if we can find good solutions on how to mitigate those risks. We'll also learn how LLMs are "jailbroken" to ignore their alignment and produce dangerous content.

LLMs are not brand new, but we know that their use will increase drastically in the next few years, and therefore it is important to take security seriously by considering the risks involved before using AI for sensitive operations.

Prompt Injection: When Hackers Befriend Your AI

Attend this session to go on a deep dive for Microsoft Security Copilot. Learn how it can assist security operations teams to prioritise workloads, facilitate incident response and remediation, understand how it can assist on understanding best practice to manage environments in ways to reduce the likelihood of repeat successful attacks.

Microsoft Security Copilot - your new best friend!

Dark Arts

These attacks include serialization exploits of platforms that don't use well-known .NET serializers, "mutation" attacks that can exploit deserialization even when the serialized data cannot be tampered with, and techniques for bypassing serialization binders. New remote code execution vulnerabilities in MongoDB, LiteDB, ServiceStack.Redis, RavenDB, MartenDB, JSON.Net and the .NET JavaScriptSerializer are all demonstrated.

Because these attacks violate typical assumptions regarding serializer security, applications that use these platforms and technologies are very likely to be vulnerable. Mitigations made to the vulnerable platforms discussed in this talk are limited, and application-level fixes will still be required in many cases. This talk describes techniques to detect and mitigate these vulnerabilities, along with best practices for avoiding them.

Second Breakfast: Implicit and Mutation-Based Serialization Vulnerabilities in .NET

The Hidden Risk in Undocumented API Behavior

This talk provides an in-depth look into red-teaming LLMs as an evaluation methodology to expose these vulnerabilities. By focusing on case studies and practical examples, we will differentiate between structured red team exercises and isolated adversarial attacks, such as model jailbreaks. Attendees will gain insights into the types of vulnerabilities that red teaming can reveal in LLMs, as well as potential strategies for mitigating these risks. The session aims to equip professionals with the knowledge to better evaluate the security and ethical dimensions of deploying Large Language Models in their organizations.

Red Teaming Large Language Models

Understanding how these systems arrive at conclusions, evaluating their behaviour, and ensuring consistency across a large input space can be elusive. At Equinor, we have started adopting Threat Modelling practices to identify potential risks in the use of ML/AI systems. Threat Modelling is recognised as one of the most effective practices in improving security in software solutions. In this talk, we'll explore how to adapt Threat Modelling methodologies to the unique challenges posed by ML/AI. Additionally, we will share outcomes and experiences from applying this approach to selected ML/AI applications within our organisation.

Threat Modelling for ML/AI systems

Process

Furthermore, take your Security Operations one step further by reducing noise and responding to findings such as data exfiltration, compromised identities, and cryptocurrency mining.

Workshop (60 min)

Detect threats and misconfigurations in your GCP environment and operationalize on findings

Workshop

- CVE-2023-35078: authentication bypass in Ivanti EPMM, CVSS 9.8
- CVE-2023-35081: path traversal / arbitrary file write in Ivanti EPMM, CVSS 7.2
- CVE-2023-38035: authentication bypass in Ivanti Sentry, CVSS 9.8, allowing command execution as root.

All three vulnerabilities are listed in CISA's Known Exploited Vulnerabilities catalog, as they are known to have been exploited by threat actors in the wild. Ivanti has also confirmed that the vulnerabilities can be combined in an exploit chain.

In this talk we'll take a closer look at what actually happened.

Finding a three 0-day exploit chain in Ivanti EPMM and Ivanti Sentry

By combining some of our favorite graph, AI, and GPU techniques into a single pipeline, we were able reduce alert volumes in a fusion center covering ISPs and universities by 97% and create more useful situational awareness views for prioritization and interactive investigations. We will also touch on how we have been using LLMs & AI to further automate our graph workflows in more recent projects such as in zero-trust identity monitoring & investigations.

Start thinking differently in how events can be used for investigations and detections

Learn how modern graph AI techniques like hypergraphs, UMAP, graph neural networks, GPU ETL, and GPU feature engineering fit together

Free & OSS: Get a feel for how tools like Jupyter Notebooks, Nvidia RAPIDS, PyGraphistry[AI], DGL/PyG, and cu_cat can boost your own workflows

Leveraging graph AI and GPUs to win the US Cyber Command AI challenge

Architecture

Platforms

Opening Keynote

Pushed Authorize Requests (PAR) is a new specification from the OAuth protocol family that solves those problems by adding client authentication to the initial request, and removing the request parameters from the URL altogether.

Learn how PAR works, why we think it should be the default going forward, and which additional scenarios it enables.

PAR: Securing the OAuth and OpenID Connect Front-Channel

This a panel discussion between 2 Security Experts in the Cloud Security and Application Security industry. You can ask your spicy application security or cloud security questions to our expert panelists. Shilpi (from Cloud Security Podcast) will be moderating the panel and perhaps the temperature of the discussions incase things get too hot.

See you at the session.

Panel: Will Application Security eat Cloud Security for lunch?

DevOps

Most of us will know the names of the most commonly used asymmetric encryption algorithms, RSA and ECDSA. But how many of us know how they actually work? What are their drawbacks and limitations, and where are they vulnerable?

Join me for a mathematical deep dive into one of the most fundamental underpinnings of our security infrastructure, journeying from the inception of these algorithms and their algebraic foundations to their modern day usage. We'll talk about why ECDSA has superseded RSA, why it's still not good enough in a post-quantum world, and what's next for asymmetric encryption.

Asymmetric Encryption: A Deep Dive

Today, it is not enough that the application works according to the functional requirements; we should also heavily protect it against cybercriminals. This session will demonstrate how to leverage the GitHub platform to create automated security checks such as static application security testing and software composition analysis to get you well on your way to securing your application with minimal effort. In addition, you'll learn what different tools we have available for spotting security issues and how to analyze and act on the potential vulnerabilities to improve the security posture of your source code repository.

Developing secure software with GitHub

Specifically, I will cover topics such as few-shot learning, code generation and retrieval augmentation and provide basic examples and experiments to illustrate these concepts. Whether you're new to GPT models or have experience working with them, this talk aims to provide a fresh perspective on how they can be leveraged to empower security teams and spark new ideas for research.

Empowering Security Teams with Generative AI: Fundamentals and Applications of GPT models

Of course, it's always a good idea to get updates of libraries in case of a bug fix related to a functional and/or security issue found. But will that be enough? What about packages that have malicious code inside? Even related to your own supply-chain security, any problem in the package its supply-chain implicitly means your supply-chain is compromised as well!


Would it not be nice if there is a better way to review NuGet packages for security? An easier way to perform an assessment based on certain aspects of the package that will tell you more about the package its software security. With the introduction of Scorecards the Open Source Security Foundation (OpenSSF) exactly tries to achieve that. You could consider a Scorecard being the equivalent of a nutrition labels put on food you buy in a supermarket. It will allow you to see what's inside and determine if you want to eat it or not.


In this session we start out with different area's covered by of OpenSSF Scorecards, like how well it's maintained, does the build have dangerous workflows, and does the project use other security tools to check for problems? We're also going to identify additional area's for NuGet packages in which we could add additional information related to reproducibility, insights on what .NET APIs are used, and security review of the codebase. All combined will give us the ability to assess a NuGet package its security posture more easily and improve our own application security.

Assessing NuGet Packages more easily with Security Scorecards

Supply Chain

In this presentation, we will explore how we can make security monitoring more efficient by automating as much of the incident handling as possible.

Automating security monitoring

Challenge stereotypes and biases: Break down societal barriers that hinder women's representation and advancement in the technology industry.

Brainstorm innovative solutions: Explore fresh and creative ideas to attract and retain more women in the field of Cyber Security.

Foster a supportive network: Build a community that provides networking opportunities, mentorship, and collaboration to empower women in their professional journey.

Promote equal opportunities: Advocate for equal access to education, training, and career advancement, ensuring a level playing field for all.

Drive industry-wide change: Be part of a game-changing movement that revolutionizes the Cyber Security landscape, making it more inclusive, diverse, and representative.

Don't miss this exciting opportunity to contribute to a future where women excel and lead in Cyber Security. Sign up now and help shape a more equitable and thriving industry. Together, we can break barriers and pave the way for a transformative future.

Breaking Barriers: Empowering Women to Thrive in Cyber Security

Culture


This talk will walk through the various phases of our research culminating in a demonstration of an attack leverage a number of different tools and techniques within MS-SQL. The high level overview of the presentation;

The problem we faced initially when attempting to detect attack tools and techniques being used within MS-SQL databases

The configuration and documentation that we built out as part of our research.

The detections we crafted as a baseline to detect a number of tools and techniques.

An attack demonstration chaining a number of tools and techniques together

Some of the challenges faced across the entire process

Future items to work on as separate research pieces.


Detecting Malicious Activity: Unveiling the Secrets of MS-SQL Logging

Join in as we demystify this directive, and see how it's changing the game, what it means for businesses, individuals, and yes, even the humble smart devices in our homes. Walk away with insights that'll make you the star of your next virtual hangout, and have your smart toaster nodding in approval (well, metaphorically).

The NIS2 Directive: Europe's Response to Cyber Shenanigans

The only disadvantage: to utilise this framework, application developers have to explicitly add sandboxing code to their projects and developers usually either delay this or omit completely as their main focus is mostly on the functionality of the code rather than security. Moreover, the seccomp security model is based around system calls, but many developers, writing their code in high-level programming languages and frameworks, either have little knowledge to no experience with syscalls or just don’t have easy-to-use seccomp abstractions or libraries for their frameworks.

All this makes seccomp not widely adopted—but what if there was a way to easily sandbox any application in any programming language without writing a single line of code? This presentation discusses potential approaches with their pros and cons.

Sandboxing in Linux with zero lines of code

What started as a personal pet project with two dozen hacking challenges, became an OWASP Flagship project shortly after and grew in size, scope and use case coverage significantly over the years. Join Björn Kimminich on a tour through the origins, history and evolution of OWASP Juice Shop from 2014 to 2024, closing with a peek into the future of this juicy hacking delicacy for its 10th anniversary.

OWASP Juice Shop - An Open Source Software and security Fairytale

Passkeys are a new authentication technology that uses cryptography within the web browser to securely identify and authenticate users, automatically syncing across devices, to entirely eliminate the need for passwords. It's like magic! We'll learn what they are, how they work, and why they are (virtually) unhackable. Your users will love a simplified login flow, and you'll stop worrying about account takeovers.

Passwords are Dead, Long live Passkeys!

If you are involved in using automated scanners, such as SAST, DAST or SCA tools, in your organization, these may be familiar feelings to you.

In this talk, I will give you ideas on how to streamline your implementation and automation to focus on what matters most. We’ll also discuss what to consider when designing the manual processes and tasks around the automation so that you get more value in less time.

You will leave with a much better understanding of these security tools as well as ideas for improving processes and adding value that you can take and apply at your own organizations.


Tune your Toolbox for Velocity and Value

Based on our experiences performing penetration tests and security reviews, this presentation will show common OAuth2/OIDC security weaknesses and pitfalls.

In particular concerning the BFF-pattern and why it is bad practice to use reverse proxy catch-all routing, an OAuth2 client with access to many scopes, together with APIs that do authorization based on just a valid token and scopes. Does your BFF enable authenticated SSRF as a Service?

During the presentation, we will demonstrate both attacks and defences for an OAuth2/OIDC application running locally.

OAuth2/OIDC security weaknesses and pitfalls

“Why do I need a password that has at least 1 uppercase, 1 lowercase, 1 digit and 1 symbol?”
“Why does it say my email address isn’t valid?”
“Why doesn’t my password manager work with this website?”
“Why did my password manager generate a password that doesn’t even work?”
“How do I change or reset my password?”
“How do I enable 2FA/MFA for this website?”
“Why does this have to be so hard?!”

Have you been as frustrated as me and asked yourself these questions more often that you’d want? Want to spare your own users from thinking the same about your website?

Let’s have a little talk and some demos on how you can design your website registration, login and password management to make it easier and more friendly for your users, while making it more secure at the same time! It’s really not that hard, I promise! :)

We’ll also take a look at how website security and password management is changing in the future and how we can stay up to date!

Passwords don't have to be so hard!

People

We all use generic tools such as SAST and DAST, but they miss out on security issues that are unique to our business logic, don’t recognize our custom security mechanisms, and might miss vulnerabilities if the exploitation flow is too complex.

Is it possible to have a security solution that is both tailored to our application and doesn’t require enormous effort?

(If the answer was no that would be a pretty short and boring talk!)

In this session we’ll see how with simple syntax and just a few lines of rule code we can create custom security tests that achieve our goals of being specific and efficient.

The customization approach offers a precise solution by placing control in the engineer’s hands. It empowers them to:

1.	Focus on App-Specific Vulnerabilities: Crafting custom security rules specifically designed for the application's unique architecture and functionalities. For instance, looking for unique issues that stem from the application’s business logic, such as flows involving payment or booking.
2.	Verify custom security mechanisms: When unique sanitization or authorization flows are needed in the application, and we want to verify their implementation across the app.
3.	Find generic, but hard to discover, vulnerabilities: Sometimes generic scanning tools miss out on complex, although generic, vulnerabilities. For instance, a complex SSRF flow, or a verification of key rotation. With customized tests we can check for those issues that generic tools might miss.

Most importantly, we can take care of continuous verification and regression testing of the issues mentioned above by integrating those scans into the CI/CD process, so they’ll be checked on an ongoing basis with a simple one-time effort.

The demonstrations in this talk will utilize the simple rule syntax provided by the free, open-source, tools: Semgrep and Nuclei.

Through hands-on examples and practical demonstrations, we will illustrate how these tools put control back into the hands of security experts, enabling us to enhance application security effectively and efficiently.

This talk caters to anyone involved in application security, including software engineers, and provides insights into the advantages of taking a customized approach to addressing application security challenges.

No Size Fits All: Empowering Engineers with Custom Application Security tests

The critical theme of container security is explored, covering image scanning, vulnerability assessments, and the role of secure base images in safeguarding containerized applications. Attendees are enlightened on how to incorporate security checks seamlessly into their pipelines, thereby preventing vulnerabilities from permeating into production.

Kubernetes Security in Cloud-Native DevOps Pipelines

This talk uses three case studies – incidents in Costa Rica, India, and Greece – to present a framework for evaluating the impact on critical services. Additionally, this talk will outline the shortcomings in ICS incident response capacity and leverage methodologies for cyber risk quantification, as well as draw lessons from wildfire response and cognitive psychology. Attendees will leave this talk with an effective rubric for assessing and measuring cyber incidents affecting critical services, enabling prioritization of investment and precious resources.

Measuring the Wrong Metric – Lessons from Attacks on Critical Services

In this session, you’ll learn how to use Sealed Secrets, a Kubernetes custom resource to manage secrets when using GitOps with Kubernetes while managing the RSA certificate internally, making the process simpler for you and your organization.

Securing GitOps with Sealed Secrets

This workshop provides a hands-on experience working through the key components the Graphistry team used to win the 2022 US Cyber Command AI alert challenge around event correlation. We will take participants through a notebook-based workflow of GPU ETL, automatic GPU feature engineering, GPU graph analytics & graph AI (UMAP + graph neural networks), and graph visualization. Amazingly, every single step can now be done with high-level and automated Python: we only require light Python Pandas experience.

Time pending, we will also share going to real-time always-on GPU workflows with dask_cudf (batch) and Nvidia Morpheus (streaming). Finally, we will cover automating some of these steps all the way to natural language with LLMs and Louie.AI.

Most of the tools and techniques are easily available as free services and OSS. Attendees will gain hands-on experience with data science notebooks, GPU graph AI and visualization libraries and methods, and how they can be used for core security analytics workflows. Theoretical knowledge can be applied towards new use cases and architectures.

Prerequisites: Python with minimal Pandas

Preconfigured GPU notebook environment will be provided

Tools covered: Jupyter Notebooks, RAPIDS AI (pandas->cudf, scikit->cuml, networkx->cugraph), PyGraphistry[AI], cu_cat, DGL/PyTorch Geometric, Louie.AI (LLM), Nvidia Morpheus

Datasets covered: Honeypot logs, Windows event logs, endpoint/network alerts


Part 1/2: Hands-on grand tour of GPU Graph AI for security event correlation

In this session, we explore the past, present, and future of Cross-Site and Cross-Origin Request Forgery attacks. We identify the attack pattern and the impact on the application. We explore how typical defenses mitigate the attacks, but also how their shortcomings often fail to stop all attack vectors. We also identify how API-based applications become vulnerable to CSRF attacks, along with best practice defenses for APIs. You will walk away from this session with a solid understanding of CSRF attacks, the necessary prerequisites to become vulnerable to such attacks, and best practice defenses to stop CSRF once and for all.

The Past, Present, and Future of Cross-Site/Cross-Origin Request Forgery

TBA - Einar Otto Stangvik

TBA - Victoria Almazova

Incidents and incident handing @ VG.no

TBA - Scott Helme

TBA - Martin Ertsås

TBA - Patricia Aas

Over the years, pentesting humans leveraging social engineering techniques have become increasingly important to many organizations, and rightfully so. While many focus on the performance of a social engineering engagement, fewer deal with the post-engagement process. How do we deal with the results of a social engineering engagement? How does a target feel afterward knowing they have been duped, and who is helping them?

Taking care of those affected by social engineering engagements is pivotal in making an engagement a positive learning experience, and avoiding negative outcomes. If the post-engagement process were poor, and it turned into a blame-game, one could argue that the pentest itself was futile, as there would be no room for creating a learning environment.

A social engineering pentest puts humans (and not systems as seen in technical pentests), to the test. By doing so, the people affected can feel they have failed as humans and not just failed professionally. Distress, psychological strain, and self-blame are just some of the factors that can affect a human not being treated correctly in the aftermath of a pentest.

Together, we will take a deep dive into the processes of how a physical social engineering test is carried out by walking through a previous test and reviewing the tools that were used and what you have to think about before and after a social engineering test.

When we want to test the human element, it is easy to make mistakes and end up with dissatisfied employees or with a test where the results are not useful for the company. It is, therefore, important to evaluate what the desired value is from performing a social engineering test and to think about how it should be carried out.

This presentation seeks to highlight the possible pitfalls in handling the aftermath of social engineering engagements and explores various challenges and proposed solutions to problems that may arise. This will hopefully help companies make the right choices and ask the right questions before ordering a cyber security test of their employees.

Social engineering pentesting. - How it is done, and what you should think about

Talk 1: Trapping a Scammer - Stephen Rees-Carter


One day I received an email asking me if I would like to purchase the “.com” variant of a domain name I owned the “.net” variant of. I knew it was a scam, but decided to play along…
One week and a couple of emails later, and the scammer transferred the domain to me, completely free and unpromoted, saying: “I did not know it is a trap.”
Let me you what happened…

Talk 2: External Identities is the new Guest! - Jan Vidar Elven


Or is it something completly different? Organizations are well known with the B2B and Guest concept, but now more than ever you need to know the difference (or similarities) between internal & external members, guests, and what options there are for collaboration between multiple tenants. The answer is Microsoft Entra External ID, but what is really the question??

Talk 3: Code as Logistics: Lexical Lessons from Supply Chain - Munish Walther-Puri


Open source software code runs on virtually every computer and sustains critical infrastructure. How can we develop trust for it? Where did it come from? Do we understand all its dependencies? Code developed outside enterprise boundaries is subject to opaque security criteria, and there are dangerous discontinuities between the emergence of risk in the software supply chain, the customer’s awareness of those vulnerabilities and supplier provision of remediated updates. To get a handle on the complexity and opportunity, this talk will introduce the origins of "code as logistics" and an actionable framework for mitigating software supply chain risks.

Talk 4: Ambitious S-SDLC at Norway’s biggest home construction company - Hans Ove Ringstad


Yes, even a home construction company can have an ambitious S-SDLC, so you should too!

Construction companies are not widely known for their IT security prowess. Instead, we are known for having a lot of money, and that is a scary combination. This is why the IT security team at OBOS, Norway’s biggest home construction company, decided to implement an S-SDLC to sleep better at night. OBOS has a bunch of in-house teams developing custom software, and they all must stick to this now.

This short talk explains the content of the S-SDLC, and how it is working out for us.

Talk 5: Discover your inner security engineer with this one weird trick (hackers hate it!) - Josh Grossman


When it comes to security, we are all trying to figure out how to do more, in less time and less budget.

How would you like to have:
• A simple outline to get you started in software security.
• Comprehensive requirements to use as a security baseline.
• Detailed guides on how to write secure code in various languages and situations.
• Sample vulnerable applications you can use to challenge your security knowledge.
• A community of security experts who are usually happy to answer questions and help out.

…and all for the low, low price of FREE!

OWASP, the Open Web (and) Application Security Project can bring you this and more. However, with over 200 different projects and no easy way for someone outside the ecosystem to know where to start, some of the best resources might be the least known.

In this talk, I will use my experience working with OWASP in a variety of areas to walk you through the key projects that can help you at different stages of your software security journey such as those noted above. I will also highlight the less obvious benefits that it offers you which could potentially save you time and money.

You will leave with ideas and tricks which you can immediately adopt in your day job to level up your security knowledge, impress your peers, and maybe have some fun along the way!

Lightning Talks

Part 2/2: Hands-on grand tour of GPU Graph AI for security event correlation

Our idolization of hackers, penetration testing and ‘breaking’ has not resulted in secure software for our industry, only egos, stereotypes and unaffordable security models. Modern application security approaches are needed for new technologies, and this talk will outline several strategies for new tech, one by one. The future of security is PURPLE.

Purple is the New Black: Modern Approaches to Application Security

Åge and Sindre talk about their experience working in the national police investigating hackers.

NDC { Security }

Agenda

09:00 - 10:00 (UTC+01)

Opening Keynote

Troy Hunt

10:20 - 11:20 (UTC+01)

Leveraging graph AI and GPUs to win the US Cyber Command AI challenge

Leo Meyerovich

52 mins from initial access to ransomware -- is your defensive team ready?

Maarten Goet

Finding a three 0-day exploit chain in Ivanti EPMM and Ivanti Sentry

Tor E. Bjørstad

Pentesting Azure Container Services

Sergey Chubarov

11:40 - 12:40 (UTC+01)

Panda to gibbon is the least of your worries: why securing AI is not what you think

Sarah Young

Microsoft Security Copilot - your new best friend!

George Coldham

The Future of Cookies

Anders Abel

Supply Chain Attacks:- Focused on NPM attacks. (Includes, demonstrations of research and prevention

Danish Tariq

Detect threats and misconfigurations in your GCP environment and operationalize on findings

Brian Jung

13:40 - 14:40 (UTC+01)

PAR: Securing the OAuth and OpenID Connect Front-Channel

Dominick Baier

AWS Security Reference Architecture: Visualize your security

Mohamed Wali

Prompt Injection: When Hackers Befriend Your AI

Vetle Hjelle

Second Breakfast: Implicit and Mutation-Based Serialization Vulnerabilities in .NET

Jonathan Birch

15:00 - 16:00 (UTC+01)

Threat Modelling for ML/AI systems

Andrea Brambilla

Benjamin Løkling

Optimizing Cloud Detection & Response With Security Chaos Engineering

Kennedy Torkura

Banking Cybersecurity: Battling DeepFakes & AI-powered Scammers

George Proorocu

Hacker vs Azure Web Application Firewall

Laura Kokkarinen

16:20 - 17:20 (UTC+01)

Red Teaming Large Language Models

Armin Buescher

Surprising ways to escalate privileges in Entra ID

Marius Solbakken Mellum

Human vs AI: How to ship secure code

Joseph Katsioloudes

Hacked in Hours: A red team assessment that doomed a corporation

Rico Komenda

17:40 - 18:40 (UTC+01)

Panel: Will Application Security eat Cloud Security for lunch?

Shilpi Bhattacharjee

Tanya Janca

Ashish Rajan

The Top 10 List of Istio Security Risks and Mitigation Strategies

José Carlos Chávez

The Hidden Risk in Undocumented API Behavior

Bahaa Naamneh

Effects Malware hunting in Cloud environment

Filipi Pires