In favor of simplicity, only the Bearer token type was specified with the firm plan to add proof of possession at a later point. Turns out the problem was harder than expected and for the better part of the following decade there was no solution. Today multiple industries and verticals require that extra security feature and there are now two fundamental ways how to achieve sender constraining. This talk looks at the history of proof of possession and the ways to implement it today.

Talk (60 min)

OAuth and the long way to Proof of Possession

Security

Applications can securely store and share credentials, secrets and cryptographic keys, sign and encrypt data, negotiate a common encryption key - all this by never touching a single byte of the underlying cryptographic material.

This is especially useful in the post-heartbleed and cloud-native environments, where services authenticate and securely talk to each other using some kind of credentials. But if a network-facing service also has some secret in its process address space, it sets itself up for a security failure as any potential out-of-bounds memory access vulnerability may allow the secret to be leaked. Imagine a world where you don’t have to run an SSH agent just to protect your SSH keys.

On top of keeping your secrets secret Linux keystore nicely integrates with specialized security hardware, like TPMs and HSMs and may provide a single entry point on the system for applications to obtain their secrets. Thus Linux keystore is a very useful building block for a corporate key management system.

What is Linux kernel keystore and why you should use it in your next application

Platforms

Although developers are making great progress in using these technologies to implement new passwordless architectures for the users of their products, we are years behind in doing the same for our own internal infrastructure. Tokens, passwords, and other secrets that are shared internally among developers are a major security risk, yet are extremely common among companies of all sizes.

This talk gives an overview of the current situation and associated security risks, a review of FIDO and FIDO2 standards, the options we have to improve our designs, and a case study of a sample passwordless infrastructure stack. We'll also discuss things to look for and avoid when selecting vendors and development tools to greatly improve security posture.

Learn how your team, regardless of size, can put all of the pieces together to implement a more secure, passwordless infrastructure.

NOPASSWD: Building a Passwordless Cloud Infrastructure

Architecture

Cloud Security

DevOps

In this session, Rouan will equip you to find common security issues before they're shipped to production. He’ll cover eight questions you should ask yourself whenever you’re reviewing code. We’ll look at an example pull request together and spot some big security issues that could easily have gone unnoticed.

Is this okay!? How to review code for security issues.

Application Security

Programming

In 2019, GitHub released its own CI tool called GitHub Actions. According to GitHub, GitHub Actions help you automate tasks within your software development life cycle, and it has been gaining a lot of adoption from developers.

This talk plans to demonstrate how GitHub Actions work and show security measures to protect your Actions from misuse by attackers. First, we'll do a deep dive into the Runners, the servers provided by GitHub to run your Actions, and the risks of using them. Then, we'll show how attackers can leverage these runners to mine cryptocurrencies, pivot into other targets, and more. Lastly, we'll demonstrate how to maliciously distribute backdoors into different repositories via the GitHub Actions Marketplace.

This presentation results from detailed research published earlier this year on the topic where the author investigated abuse case scenarios such as how attackers were leveraging this free service to mine cryptocurrencies on their behalf and behalf of other users, among other attack vectors. We'll also demonstrate how to perform interactive commands to the Runner servers via reverse shell, which are technically not allowed via traditional means. In the end, we'll show the problem of third-party dependencies via the GitHub Actions Marketplace. By demonstrating how easy it is to create a fake GitHub Action that, if used unwillingly by other projects, can make their runners act as bots to target other victims and even be used in supply-chain attacks by tampering with the result of the pipeline.

Full research article:
https://research.trendmicro.com/GitHubActions

Research repositories:
https://github.com/magnologan/gha-test
https://github.com/magnologan/fake-gha


GitHub Actions: Vulnerabilities, Attacks, and Counter-measures

A walk through of our guiding principles, what we prioritised first, which solutions we went for and what training we provided to developers. This talk is a combined talk of process and technical solutions.

Defendable Products: How we try to improve security in our products

This requires a flexible policy engine capable of making decisions on any type of data, but just as much, it needs to operate in any type of environment — from embedded to the cloud. In this presentation, we’ll explore compiling Rego into the new, low-level Intermediate Representation (IR) format, and the opportunities (and challenges!) provided by moving the policy decision point from an external component, and into our applications. We’ll take a closer look at the format of an evaluation plan, and what a simple evaluator implementation might look like. Can we run OPA anywhere and everywhere? Let’s find out!

OPA everywhere! Exploring new opportunities in policy evaluation

Security Tooling

In this talk we will briefly explore this problem and present one potential solution that could work for some teams.

Running system tests with active authn/z

Containers

SDLC

Testing

Let us venture on a journey into the wonderful world that is software exploitation and learn how to use gamified safe environments to build skillsets to help us write better and safer software. Because once you learn how to hack, you never go back.

How hacking works

Dark Arts

Hacking

So I want to take you on a journey from the early days of PHP through to now, looking at different frameworks that have come and gone and where the current state of security is in PHP. I may even defend modern WordPress… maybe…

In Defence of PHP

In this talk, I will show why this vulnerability type is commonly overlooked, what happens when it's found using real world examples, how you can prevent such issues and most importantly how you can test for it efficiently.

What happens if I change this URI… oooooh

People

Tools

The OWASP Juice Shop is a site that you can set up and use for this. It has a great Tutorial mode for beginners and a lot of challenges at all different levels as well as a scoreboard where you can track your progress. You can also set up a scoring-server for competitions, like getting the highest score or doing it jeopardy-style.
In this session, you will learn how to set it up, and how it works, and get a kickstart on the hacking. After this session, you will have the knowledge to host your own CFT event.

Hacking the Juice Shop

In addition to being able to generate text, answer questions, classify sentiment expressed in text and so forth, these models are now making advances in understanding and generating source code - an area of a special interest to security professionals.

As more and more developers are using assisted code generation tools like GitHub’s Copilot, new security risks will be emerging: how do we make sure the code generated is secure? How do we audit these models? In addition to code generation, large language models are making advances in the field of intelligent code search, understanding of large code bases - something that will contribute both to security auditing of code bases as well as to finding exploits.

Finally, an interesting new avenue is emerging: what if techniques from neural machine translation could also be applied to creating new kinds of tools for reverse engineering code? In the final part of the talk, we will take a look at recent advances in applying neural machine translation techniques and large language models to the tasks of decompilation and deobfuscation - both of which are useful in analyzing malware.

This talk will serve the following purposes: to introduce the security community briefly to the natural language processing tools, various large language models, how they are constructed and what big techniques enabled the fast-paced advances that we are seeing now and then build upon this foundation to see how natural language processing techniques and in-particular sequence-to-sequence models can do for reverse engineering applications. The audience will learn about the transformer architecture, the difference between encoder, decoder and encoder-decoder models and what it means to fine tune a model.

Finally, we will take a closer look at applying natural language processing models to the task of decompilation - recovering higher level source code from lower level compiled code and deobfuscation. By the end of this talk, the audience should have a good understanding of natural language processing techniques, how large language models are trained, how they can be applied to the realm of source code in the form of code generation, semantic code search, decompilation and deobfuscation.


Lost and Found in Translation: An intro to ML assisted decompilation and deobfuscation

AI/ML

From a forensic point of view, I focus on finding if there are any traces left leave behind when using VPNs for mobile phone. And if the gaps in timelines can help investigators and incident responders see the whole picture?

This is an independent research on iOS and Android devices.

Can VPNs tell the whole story?

Mobile Application Security

Process

In this talk you will learn how it works, and we will go through some examples to show how it can be used to execute code in contexts where the stack is not executable.

Return Oriented Programming, an introduction

This talk tells the story of how Stacc, a leading software provider to the financial services sector extended devops to prepare for ISO27001 security certification.

Stacc has been around since 2016, and grown over the years through new product lines, and mergers and acquisitions. We have been early adopters of devops principles, and moved with the times when it comes to software development. Recently we made a company commitment to achieving ISO27001 security certifications.

This talk describes our journey through the process of getting an ensemble of companies, teams and tech stacks together to meet the same standard. With the help of devops, it will show how we avoided the “one-platform-to-rule-them-all”, what we learned along the way, and what we still have to solve.

Turbo Eureka

This OSS project is a community-curated list of the most common Kubernetes risks backed by data collected from organizations varying in maturity and complexity. This session will discuss the project in detail, examples for each of the risks in the list, and how you can get involved.

Introducing the OWASP Top 10 for Kubernetes 

TBA - Victoria

This session will first go back in time to help attendees understand exactly how RBAC works under the hood and explore some lesser-known RBAC gotchas. We will then cover the essential pillars of designing an effective RBAC strategy for the enterprise including automation and observability opportunities. After this session, attendees can expect to have a better understanding on how to build and monitor least privilege RBAC configurations within Kubernetes.

 RBAC to the Future: Untangling Authorization in Kubernetes

These modern applications typically also need authentication and single-sign-on as well as token-based security for calling APIs – in other words OpenID Connect and OAuth 2. There are different patterns for securing such applications and this session covers some of the pitfalls of the various approaches, especially given the ever-changing browser landscape. We will conclude with the “backend for frontend” (or BFF) pattern which has become the most secure and stable of these approaches.

Securing SPAs and Blazor Applications using the BFF (Backend for Frontend) Pattern

This talk looks at the essentials you should know about, if you would enter the OAuth ecosystem today. Which protocol flows and extensions should you study, which “dialects” like OpenID Connect are important, and if you decide to dive deeper, what would that “recommended reading” list look like?

OAuth – the good Parts

However, Privacy Engineering is a nascent and relatively new field with many of the same goals and objectives. From Threat Modeling to Cryptography, our knowledge and experience can help accelerate Privacy.

Fundamentals of Privacy Engineering

Privacy

Right prioritisation is key! But how to prioritise security when there are so many other priorities? You will learn what hinders and facilitates teams’ work on security and which strategies are working and not working so well in more than 300 software teams.

Improving the Chances of Success in Secure Software Development

This is a problem that will impact most organisations globally as they struggle to find qualified talent to manage their daily cyber security operations as well as engage in projects and product development.

Cyber Security can be often delegated as 'someone else's problem' much like you don't think it will be your house broken into or your belongings being stolen, sadly this being a priority often too late, usually after an incident occurs and remediation after the activity is needed.

To combat this, I wanted to investigate what an organisation can do to automate as many security functions as possible to supplement staff, not replace and lighten the workload of already beleaguered security teams. This session will describe what I have found, what is working, and where the short falls are. The session will cover as many broad aspects as possible of an organisations IT operations and projects life cycles including systems and application development. Building and managing infrastructure as well as the humans that rely on these systems.

This session won't be a deep dive in any one area, it will be a bird's eye view of end-to-end cyber security for a business.

What I learnt about automating security

This presentation will demonstrate a test-driven approach to application security and show how we can write automated tests to prove that our defenses work as expected.

Demos will be in C#, for an API in ASP.NET Core 6.

Test Driven Application Security

Now, WASM is expanding beyond the browser to run in a server-based context. With the introduction of WebAssembly System Interface (WASI), the technology leverages a standardised API that allows it to run on any system that supports it, for example to support cloud-based workloads.
Had WASM and WASI been around in 2009, Docker would not have existed according to one of its founders, Solomon Hykes. WASM has a strong security posture given how it works with linear memory space and how it supports a sandboxed-based environment called “nano-process”, which uses a capabilities-based security model. Users can even take .NET and, with the help of WASI, run it on a Trusted Execution Environment (TEE) to add an additional layer of security.
In this session we'll start out with going through some of the basic security features of WASM and then move to running and extending an .NET application it with WASM. After that we'll focus on the security features and run .NET on a TEE and use the sandbox and the capabilities based security model to limit what it's allowed to do.

Using WebAssembly to run, extend, and secure your .NET application

In the first part, we will present a 360-degree view of the attack surface. There will be plenty of real-world examples, including exploit details, to illustrate the different angles that attackers can exploit. Some in commercial applications, like SolarWinds or the MeDoc accounting software that led to the infamous NotPetya spread. Other examples are from open-source components, like UAParser.js or PHP. Dormant vulnerabilities like Log4j or Python’s tarfile illustrate how we can be unknowingly exposed for years. In addition to the real-world examples, we will cover categories of attacks like Dependency Confusion, Typo Squatting, and Brandjacking.

The message of the first part is that the full breadth of Supply Chain Attacks can seem overwhelming. By engaging with the audience, we will show that Supply Chain Attacks are a problem that concerns all of us.

In the second part, we present solutions. How can organizations handle the complexity and minimize the attack surface? We will discuss different frameworks and guidelines. Some of these are very hands-on while others approach the challenge from a compliance angle. Everyone from a down-in-the-dirt developer to a compliance oriented CISO will find their set of tools.


Attacking through the Software Supply Chain

Supply Chain

In this talk, we take an in-depth look at the consequences of XSS in frontend OAuth 2.0 clients. We explore real-world attacker capabilities and map them against a concrete threat model. We also explore how structural solutions like the Backend-for-Frontend pattern effectively increase the security of frontend applications. By the end of this session, you will have the necessary knowledge to assess the security of your frontends and choose the appropriate defense strategy.

The insecurity of OAuth 2.0 in frontends

In this session I will share our journey on this topic in Equinor. Starting with the problem of information overload from multiple sources, we move on to how we now collect, aggregate, join and analyze the data and shape them into actionable insights, both on a team level and company level.

A data driven approach to application security

But how do we do that? Not everyone can think up security requirements on demand and we need to do this constantly for each new feature or development.

As a project lead for the OWASP Application Security Verification Standard (ASVS), a list of requirements for building secure software, this is something I have spent time working on as well as discussing with a variety of development teams. In this talk I want to show you what we came up with.

After a brief overview of what the ASVS is, we will then talk about how to:

- Get buy-in for security at this stage
- Balance trade-offs and prioritize different security requirements
- Trim the ASVS to focus on your current context
- Make the process repeatable and maintain a view of security state

You should leave the talk with not only a better understanding of the ASVS but also clear ideas on how you can take this and implement it as part of your own organization's requirements process.

Building a sustainable security requirements process with the ASVS

Culture

Design

The vulnerability hit the IT world like a Lousianna Slugger, and similar will hit again. But the problem is not just the frameworks, but also how we design our applications. Even if a framework becomes vulnerable, the applications need not to be possible to exploit.

So, what do we do? We walk through a few designs and design principles and see what this incident can teach us about how systems should be designed.

What the log4j incident taught us about Secure by Design

Throughout this talk you'll learn that motivated teenager can easily workaround the restrictions on the device through the combination of security weaknesses in in Google app and usage of unfortunate APIs in 3rd party applications like Microsoft Skype.

We'll begin with Google Family Link overview and the reasons behind why it may be the best worst thing we could have. We'll touch on parenting, social impact of mobile devices addiction and science behind it.

Next we'll step through number of bugs found by a curious teenage boy before discussing problematic APIs exposed in Android.

Lastly we'll cover mitigations that ensure that Google Family Link policies are preserved in applications to ensure digital wellbeeing.

Google Family Link field test

Therefore, we need to automate as much as possible and provide actionable incidents to them, and, in some cases, automate the incident response as well. This requires automation of various tasks that would normally be tedious manual labor. How does one do this in a way to avoid false positives? To fight the biggest enemy of automation, false positives, we need to have a clear set of strategies to correlate various detections and offer response actions that are based on context of the user, device and attacker.
In this session you will learn the various methods to do this correlation and take automated response actions. We will both review important statistical methods, as well as incident response and threat hunting operations. We will then put this together into a concrete use case. You will also see a demo of this use case, and all material will be available to you after the session to continue your learning and, hopefully, automation journey.

Cyber Security vs. Statistics: Fighting False Positives to Automate your Security Operations

Adopting SaC tightly couples application development with security and vulnerability management, while simultaneously enabling developers to focus on core features and functionality. More importantly, it improves the collaboration between Development and Security teams and helps nurture a culture of security across the organization.

In this session, we will review lessons learned from DevOps to implement a successful DevSecOps culture, in particular how we can make developers contribute security checks with the SaC approach. We will introduce CodeQL, a language that allows us to implement security checks with code, and will demo how we can code queries for vulnerabilities and misconfigurations so they can be identified as soon as they hit your CI/CD pipeline.

Security as Code: A DevSecOps Approach

Usually, a backend component will only need to look up DNS records in a short list of zones, but because of the recursive nature of DNS, it's not possible to allowlist DNS in the IP layer. In this talk, I will both demonstrate how hackers use DNS to exfiltrate data, and how you can mitigate this threat by equipping your application with a dnsmasq sidecar.

Block DNS exfiltration with dnsmasq proxy

Many organizations are using Terraform with automated pipelines like GitHub Actions. How do we automatically scan our Terraform modules for misconfiguration or secrets? How can we configure Terraform to store state securely in the cloud for each environment?

During this session we will examine how to leverage open source tools to:

Scan for security and configuration issues using tools like tfsec, terrascan, and checkov

Securely configure Terraform backends like AzureRM

Securely pass variables and input into Terraform

Securely deploy Terraform to clouds like Azure

After this session you will have the tools and examples to securely deploy terraform to the cloud.

Securely deploying Infrastructure as Code

TBA - Stangvik

I'm going to talk about our infrastructure and how we use the most awesome data structure that you're probably not using, a Bloom Filter, to help us handle unimaginable amounts of data with amazing speed and space efficiency.

NDC { Security }

Agenda

10:20 - 11:20 (UTC+01)

OPA everywhere! Exploring new opportunities in policy evaluation

Anders Eknert

RBAC to the Future: Untangling Authorization in Kubernetes

Jimmy Mesta

Can VPNs tell the whole story?

Lorena Carthy-Wilmot

11:40 - 12:40 (UTC+01)

Turbo Eureka

Mike Long

Øyvind Fanebust

Defendable Products: How we try to improve security in our products

Ståle Pettersen

Running system tests with active authn/z

Lars Skjorestad

13:40 - 14:40 (UTC+01)

OAuth and the long way to Proof of Possession

Dominick Baier

Steinar Noem

GitHub Actions: Vulnerabilities, Attacks, and Counter-measures

Magno Logan

TBA - Victoria

Victoria Almazova

Lost and Found in Translation: An intro to ML assisted decompilation and deobfuscation

Camilla Montonen

15:00 - 16:00 (UTC+01)

Return Oriented Programming, an introduction

Patricia Aas

Is this okay!? How to review code for security issues.

Rouan Wilsenach

How hacking works

Espen Sande-Larsen

16:20 - 17:20 (UTC+01)

Introducing the OWASP Top 10 for Kubernetes

Steve Wade

What is Linux kernel keystore and why you should use it in your next application

Ignat Korchagin

Hacking the Juice Shop

Cecilia Wirén

17:40 - 18:40 (UTC+01)

NOPASSWD: Building a Passwordless Cloud Infrastructure

Kyle Kotowick

What happens if I change this URI… oooooh

Halvor Sakshaug

In Defence of PHP

Stephen Rees-Carter