Відео

Fantastic presentation

hi. how(where) could i learn all these topics ? :O

ahla erez & paulo.

We love Bonnie's people-centric approach! Here are our notes from watching her session: ### ONE-SENTENCE TAKEAWAY: Scaling a security champions program requires consistent engagement, data-driven value demonstration, and empowering champions as influencers to drive company-wide security adoption. ### RECOMMENDATIONS: • Implement consistent bi-weekly community meetups to maintain champion engagement and knowledge sharing. • Develop an automated onboarding process to efficiently scale your champions program. • Align champions with specific product areas to create more focused security impact. • Use data analysis to demonstrate the financial value of your champions program. • Apply behavioral science techniques like nudging and boosting to increase tool adoption. • Create quarterly JIRA tickets to help champions track and request time for security tasks. • Offer conference attendance as rewards for impactful contributions to motivate champions. • Invite leadership to champion presentations to increase visibility and support for the program. • Conduct yearly surveys to gather feedback and improve the champions program continuously. • Map tool findings to CWEs to analyze vulnerability trends and focus remediation efforts. • Compare bug bounty payouts to vulnerabilities found by champions to show financial impact. • Record and share community meetup presentations for those who cannot attend live sessions. • Continuously seek passionate volunteers to grow your champions program organically. • Empower champions as influencers rather than expecting them to do all security work. • Develop a clear methodology for measuring the impact and value of your champions program. ### FACTS: • Yahoo branded their security team as "the paranoids" in 1999. • Yahoo merged with AOL in 2017 to form Verizon Media. • Yahoo's security champions program was initially launched in 2006. • The program grew from 51 to 116 champions over 3 months. • 35% of cybersecurity companies have a security champions program. • 65% of those with champions programs say they work extremely well. • Only 20% of champions programs have scaled company-wide. • Yahoo has approximately 14,000 engineers across the company. • The study analyzed data from July 2023 through August 2023. • Yahoo uses Success Factors as their source of truth for training. • 89% of companies use open-source code in their products. • Yahoo's champions program aims for 1 champion per 10 engineers. • Champions are asked to dedicate 20% of their time to security tasks. • Attendance at community meetups grew from 30% to 78% over time. • The top 10 CWEs found by their tool are typical across most companies.

The api server doesn’t start in my test using docker compose. The swagger is available but /api/v1/metrics does not load and gives a 404. How to troubleshoot?

yeah, the slide is not readable. But you can click the link in the description, find the speaker, and download the slides.

Was a great pleasure to speak at OWASP Global AppSec. I had the main auditorium nearly packed. Thank you to everyone to attended my talk! Awesome event with fantastic talks and incredible people 🚀🚀🚀!!

❤

Nice way to learn

xxxx

Great presentation 🎉

Amazing panel, everyone! A take lot of good insights notes here. Thank you so much!

this vedio is gold mine for any bug hunter

I absolutely loved this presentation! It made so many things so much clearer. My friend and I are working on a SPA + REST API project, and we thought it was a good idea to add login with Google to it. I was aware of the OAuth2.0 and OpenID Connect specifications, and thought it was going to be easy, until I found myself in a situation I didn't even know had an official term to it - Backend For Frontend. Every tutorial on the internet shows how to add Google login to either a traditional application, where the backend returns plain HTML to the browser, or purely on a SPA frontend, like the theme of this talk. So I came here thinking the presentation would talk about my problem, whereas in reality, it talks about a purely frontend based application. Just to find out at the end, that what I'm trying to implement is indeed a backend for frontend.

Clouddflare WAF better than OWASP Rules, they use Machine Learning to block threats that are not yet in the WAF rules or CVE database In my opinion, OWASP rules are rubbish and easy to bypass imposible block blind spot new attack aka zero-day attacks

amazing !

Brilliant! I gotta introduce this to my peers to play it at least once!

good idea!

Website app would be great! Looks exciting

It would be great if there is a mobile or website application version of this in the future, very nice

2:12 going over the data kinda makes it more about the data than focusng on the research maybe?

Pass out to all your Indian buddies Arsehole, just so they can Steal Cars in Canada / UK / USA Ect Dipshit!

thank you for all of your hard work jc

I just discovered this video and the content is amazing. I see it’s from a few months ago; do you have any more recent videos or articles you suggest on this topic?

Thank you

Cant see the slides

Okay thanks

The part where talks about spoofing a ship's gps signal really made me think of the Key bridge incident. I'm not saying it was hacked, but the fact that it's possible is mind boggling.

Great talk by 4 great people. I'm fortunate to know Aubrey for years and have met with Cameron and Dan and looking forward to meeting Corey some day. Thanks for putting this content out, well worth my time.

Thanks for sharing! However do you have a tutorial which implements Backend For Frontend (BFF) framework with Authorization code with PKCE in addition to this tutorial? It is unsafe to store access token on browser.

Actually, you've been publishing videos for the past 9 years, and you're still posting them today. You don't have many subscribers, but you're incredibly strong and patient.

That's the reason why WAF and API Gateway are never be enough.....

how to login and owasp mail password

excellent insights in this presentation, thanks for sharing

I don't agree with the conclusion of this talk. The whole point of BFF and http-only auth cookies is to prevent an attacker that has gained acces to execute js code through an xss attack, to steal the auth-token from your storage and thereby execute requests on your behalf. If an attacker has managed to sucessfully gain access, he can execute api calls directly from the clients browser with or without bff.

superb! you guys are awesome! Keep up the good work!

1 question Have anyone know webuy0day website or something (relax I just asking😅😅😅)

one of the worst presentation ever seen!

couldn't read anything on the screen. should present it in full screen mode because that's the important part

Awesome. But It's almost 4.5 years, when can we expect this as Open Source :(

Thanks :)

how did you find that password?

Great conversation.

FIDO2 with keys and credentials generated by the user himself/herself is more private and you don't need to give up your face, phone number or email etc. Great!

In non-cloud, like a dedicated nginx server, can we integrate coraza?

I JUST WANT TO GET INTO MY DAMN CAR WITHOUT PAYING 500 BUCKS FOR A KEY!!!

The more I watch this man’s videos the more I respect him.

Legends without cars are watching ❤❤

but most of all samy is my hero