Joe Leon

The Dig

September 19, 2024

8 Must-See Talks at OWASP 2024 Global AppSec


As OWASP 2024 Global approaches next week in San Francisco, several of us at Truffle Security are gearing up to attend and will be meeting the community at Booth 112. In anticipation, we wanted to share the top 8 talks we're most excited to check out.

Recommended Talks for Thursday, 9/26

Under the Radar: How we found 0-days in the Build Pipeline of OSS Packages

Securing CI/CD pipelines is really tough. It seems like every week a new vulnerability gets released. In his talk, François Proulx will share how his team found 0-days in the build pipelines of major open-source projects like Kubernetes Operators, RedHat OS Build, etc. That alone will be cool to learn about. But what makes this talk stand out is that he’s releasing 3 open-source projects. In particular, as a fan of the LOLBAS project, I’m super excited to hear more about his Living Off the Pipeline project.

Catch François’ presentation on Thursday at 11:30 AM PDT.

O My Data: OData Injection attack and other injections in Microsoft Power Platform and UiPath

Low Code / No Code (LCNC) tools, like Salesforce Lightning, Microsoft Power Platform, and Appian, have become quite popular over the last several years as non-developers seek to automate their work and tap into the vast ecosystem of APIs. Apparently we need to start worrying about LCNC security. Nokod Security CTO Amichai Shulman will share demos of vulnerabilities plaguing LCNC tools, such as information disclosure, bypassed access control, SQL injection and command injection. Maybe there are secrets to be found too?

See Amichai speak on Thursday at 1:15 PM PDT. As a bonus, his company is organizing a CTF about LCNC hacking later that afternoon.

AI Goat: A Damn Vulnerable AI Infrastructure

Yes. Another AI in cybersecurity presentation. I know. But this one is different. Security researchers Ofir Yakobi and Shir Sadon will be introducing AI Goat. Similar to OWASP’s purposefully vulnerable projects like DVWA and WebGoat, AI Goat provides a safe environment for security professionals to identify (and exploit) AI vulnerabilities. I’ve been looking for a resource like this for some time; I spent 4 years pen testing / red teaming, but I’ve been unsure how to get started with learning about security risks in AI infrastructure. This is the starting point.

Check out Ofir and Shir’s presentation on Thursday at 2:15 PM PDT.

Self-Discovering API Key Permissions and Resources

(Caveat: This is a Truffle Security presentation.)

We’ll be sharing a new methodology (self-discovery) for enumerating the permissions and resources that an API key has. Importantly, our methodology does not require access to the API key’s GUI.

So, why is this important? If you’re triaging a list of exposed credentials, how do you prioritize which key to rotate first? How do you even know whose key you’re looking at? For example, if it’s a GitHub personal access token, how do you know if it can even access your corporate repositories? Maybe it’s just an employee’s personal token.

Until now, all of these questions were impossible to answer easily unless you could log into the account and look at the API key permissions (which an API key alone doesn’t provide). We’ll discuss our methodology as well as demo our new open-source tool TruffleHog Analyze.

This talk will be at the exact same time as the AI Goat presentation: Thursday at 2:15 PM PDT. If you can’t make our presentation and want a briefing for your organization, please let us know.

Web Security Experts: Are you overlooking WebRTC vulnerabilities?

I’ll be honest, my knowledge of WebRTC vulnerabilities is rather limited. But Google “WebRTC vulnerabilities” and you’ll see some major bug reports. As a security researcher, I’m constantly looking for ways to keep my skill set up-to-date. This talk checks that box. Sandro Gauci’s talk will provide an overview of the technology, vulnerabilities and (most importantly to me) practical testing methodologies for WebRTC.

Learn about WebRTC vulnerabilities from Sandro on Thursday at 3:30 PM PDT.

The Missing Link - How we collect and leverage SBOMs

The term SBOM is tossed around quite a bit. Conceptually it makes a ton of sense, but going from idea to execution at scale inside a large enterprise is daunting. Cassie Crossley is VP of Supply Chain Security at Schneider Electric, an old-school Fortune 500 organization. She’ll be sharing how Schneider Electric is collecting, generating and storing SBOMs at scale, as well as documenting how they were utilized during vulnerability events like Log4j. This is exactly the bridge between every other blog post about SBOMs and seeing how they can be used inside an enterprise. Also, it’s really awesome to see an old-school org like Schneider Electric support a talk like this. We need more of that.

Listen to Cassie’s talk on Thursday at 3:30 PM PDT.

Recommended Talks for Friday, 9/27

Millions Of Public Certificates Are Reusing Old Private Keys

(Caveat: This is a Truffle Security presentation.)

Turns out millions of TLS certificates, the things that provide the underlying security for all of our web traffic, are re-using private keys. Not only that, we found many examples of organizations revoking a certificate and then re-using that same key, over and over again, for a decade. The worst is when a key is revoked due to key compromise (i.e., a threat actor now has it), and then that key is re-used. Like, why? Just generate a new one.

We also took a look at SSH key re-use on GitHub. That’s an issue too. We found >100k SSH keys re-used between multiple GitHub accounts.

During our talk, we’ll share our research and open-source a new tool to identify certs that re-use private keys.
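The check behind the finding above is straightforward: two certificates share a key pair exactly when their SubjectPublicKeyInfo (SPKI) is byte-identical, so hashing each certificate's SPKI and grouping by the hash surfaces key re-use across an inventory. The script below is an added example, not the tool mentioned in the talk; it builds a small constructed inventory of self-signed certificates (two of which deliberately share one key) and reports any key that appears in more than one certificate. It assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not the talk's tool): flag certificates that share a private key
# by comparing the SHA-256 of each certificate's DER-encoded SubjectPublicKeyInfo.
# Identical SPKI means identical public key, which means the same private key.
set -eu

# Hex SHA-256 of the SPKI carried in a PEM certificate.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# Scan every *.pem certificate in a directory and print one line per key that
# appears in more than one certificate:  <fingerprint> <cert> <cert> ...
find_reused_keys() {
    for cert in "$1"/*.pem; do
        printf '%s %s\n' "$(spki_fingerprint "$cert")" "$cert"
    done | sort | awk '
        { files[$1] = files[$1] " " $2; count[$1]++ }
        END { for (fp in count) if (count[fp] > 1) print fp files[fp] }'
}

# --- constructed sample inventory (throwaway keys, not real certificates) ---
WORK=$(mktemp -d)
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/key-a.key" 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/key-b.key" 2>/dev/null
# cert1 and cert2 are issued a decade apart in spirit but reuse key-a (the bad pattern);
# cert3 has its own key and should not be reported.
openssl req -x509 -new -key "$WORK/key-a.key" -subj "/CN=example-2014" -days 1 -out "$WORK/cert1.pem" 2>/dev/null
openssl req -x509 -new -key "$WORK/key-a.key" -subj "/CN=example-2024" -days 1 -out "$WORK/cert2.pem" 2>/dev/null
openssl req -x509 -new -key "$WORK/key-b.key" -subj "/CN=other" -days 1 -out "$WORK/cert3.pem" 2>/dev/null

# Expected: a single line listing cert1.pem and cert2.pem under one fingerprint.
find_reused_keys "$WORK"
```

Pointing `find_reused_keys` at a directory of your own issued or renewed certificates gives a quick inventory check; any fingerprint that also matches a certificate you revoked for key compromise is the case the talk singles out, and the fix is the same either way: generate a fresh key before re-issuing.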

Check out our presentation on Friday at 11:30 AM PDT.

I Know What You Did Last Summer: Lessons Learned from Privacy Breaches and Scandals

This is a talk about privacy engineering. Dr. Kim Wuyts will step us through some of the most important privacy breaches in recent years, including many that most of us probably don’t know about because these breaches don’t always grab headlines. But just because the media isn’t as excited about privacy breaches as Fancy Bear using a well-publicized CVE, doesn’t mean it’s not as important. In many ways, privacy breaches (and privacy engineering) will only become more important in the coming years as legal frameworks continue to mature.

Close out an exciting two days at OWASP with Kim’s talk on Friday at 3:30 PM PDT.
