1. A Good First Impression Can Work Wonders: Creating AppSec Training That Developers Love

    Good vulnerability response practices are critical to software security. But good vulnerability response practices work even better on software built with security in mind. …


  2. Working with Developers for Fun and Progress

    Forging a strong relationship with developers is essential part of creating an impactful AppSec program. Without it, your team will have little idea what’s going on and will have trouble getting bugs fixed and features shipped. Segment has built strong ties to developers using our competition-based training featuring Burp Suite and OWASP Juice Shop, partnership during implementation of tooling, and contributions to the existing codebase. This presentation is chock full of practical examples and references that attendees can bring back to their organization. …


  3. Absolute AppSec Episode #42

    Members of Segment’s security and engineering teams appeared on the Absolute AppSec podcast to discuss product security features, SSRF mitigations, developer training, and our approach to building a security program. …


  4. Year[0]: AppSec at a Startup

    Have you wanted to be on the application security team at a startup, but were worried about having an employer that can’t figure out how to monetize its user base, being compensated in potentially worthless stock options, or discovering your company’s business model is based on selling a $400 juicer and expensive juice packets that could actually be squeezed by hand? If so, then this talk is for you! From the safety of the audience you’ll hear about the first year of an appsec program at a tech startup. We’ll cover how to win over the hearts and minds of your developers, useful tooling/automation, and other topics to rapidly improve the security of a growing SaaS startup. …


  5. Enumall - The Ultimate Subdomain Tool

    Enumall leverages the Kali Linux distribution and the wildly popular recon-ng framework to find hidden gems in application assessments, asset discovery work, and OSINT engagements. These gems are acquisitions and subdomains. This isn’t just your standard DNS tool. Enumall pulls possible subdomains and acquisitions from Google, Yahoo, Bing, Baidu, Netcraft, Shodan, techcrunch and more! It gives a standard output that inter-operates with several tools (one of which we will be demo’ing is Eyewitness for further detailed discovery!). In addition, Enumall also has the largest and most curated DNS bruteforce list on the internet. Come by and let us show you how you can use Enumall to supercharge your bug hunting and find ripe subdomains and acquisitions! …


  6. Introducing the OWASP API Security Project

    An ever-increasing number of applications have released public and private APIs, enabling awesome programmatic features to be released internally and to the world. Unfortunately, the ubiquity of APIs is a double-edged sword – and security risks are often ignored. This talk introduces the OWASP API Security Project, including the Top Ten API Security Risks, and explains how contributors of many skill levels can get involved. …


  7. State of Bug Bounty

    2015 saw unprecedented participation in crowdsourced bug bounty programs, as big technology vendors like Google, Facebook and even Tesla have embraced the need for bug bounty programs. Across the board, bug bounties saw a sharp rise in both popularity and accessibility. For the first time, companies beyond the enterprise technology space have been able to participate in wide scale public or private bug bounties. …