May 3, 2023

OWASP Bay Area May Meetup

This live meetup will be on May 3, 5pm at Hacker Dojo, 855 Maude Ave, Mountain View

This meetup is sponsored by Deepfactor. This event is in partnership with Pacific hackers group.

Register here.

Schedule:
5PM :- Doors open, food, drinks and networking
5.45PM :- Introduction and Short talk by Kiran Kamity from Deepfactor
6PM :- Workshop on The Purple Team Cloud Security Ninja Learning Lab
8 PM :- Doors closed.

Talk#1 AppSec 2.0: Reimagine AppSec With Runtime Analysis
SCA tools (container and dependency scans) generate too much noise. Runtime security tools don’t understand SCA findings, and don’t come in until production. What if you could marry SCA with runtime analysis during dev, test, and prod?

In this session, Kiran Kamity, CEO and Founder of Deepfactor, will discuss how the next generation of AppSec needs to go beyond just integrating static SCA into your CI pipeline, to analyzing insecure behaviors inside running apps and correlating that back to SCA to understand which vulnerable components are actually loaded into memory and used by your application. This new approach to AppSec will detect both known vulnerabilities/CVEs with SCA scans and unknown vulnerabilities with runtime analysis. It will then prioritize known vulnerabilities with runtime correlation of SCA findings. End result: you catch most of the key risks in your app, prioritize the key items your devs need to work on without flooding them with alerts, and remove unused components from your containers to burn down your CVE debt rapidly….and achieve the true mission of AppSec…to empower engineering and security teams to create secure applications.

## Session Abstract

The Purple Team Cloud Security Ninja Learning Lab is meant to be a completely hands-on exploration of cloud security attacks and defense against major cloud providers, AWS, Azure and GCP. In this Learning Lab, participants will be given vulnerable cloud environments on cyber-ranges. The participants have to identify and fix the vulnerabilities in the cloud environments.

## Facilitator(s)

  • Abhay Bhargav, Founder and Chief Research Officer, AppSecEngineer

## Technical Requirements

  • Participants will need to bring their own laptops that can connect to the conference WiFi network. They will need to access our lab environment on the cloud to access the labs for the learning lab
  • Participants should preferably not have a highly restrictive network policy, especially to access cloud resources

## Outline

  • 0-20 minutes: Overview of Learning Lab, Shared Responsibility on Cloud, History of Cloud Attacks and Exploits
  • 21-60 mins – AWS Attack and Defense Scenarios
  • AWS EC2 and Attack and Defense Story and Scenario
  • AWS Lambda Attack and Defense Story and Scenario
  • 60-90 mins – Azure Attack and Defense Scenarios:
  • Azure Compute and Storage Attack and Defense Story
  • Azure Functions and Logic Apps Attack and Defense Story and Scenario
  • 90-110 mins – Google Cloud Attack and Defense Scenarios:
  • Google Storage IAM Attack and Defense Story and Scenario
  • 110-120 mins – Conclusions + Review of Scenarios

Subscribe to our monthly eNewsletter and stay up-to-date on everything Deepfactor has to offer!