Details

For this ON-SITE chapter meeting, we have scheduled Isabelle Mauny and Abhay Bhargav.

Both speakers are faculty of the Secure Application Development (SecAppDev 2022) course held in Leuven from 2022-06-13 to 2022-06-17.

Agenda:

  • 18h15 - 19h00: Welcome & sandwiches
  • 19h00 - 19h10: OWASP Update
  • 19h10 - 20h00: Top 5 of recent API Breaches - What can we learn from them? by Isabelle Mauny (Field CTO, 42Crunch)
  • 20h00 - 20h10: Break
  • 20h10 - 21h00: The Call is coming from inside: Post-Exploitation Scenarios with Kubernetes Webhooks by Abhay Bhargav (CEO, AppSecEngineer)

Top 5 of recent API Breaches - What can we learn from them?
We will outline the root causes of some recent API vulnerabilities that made the news:
• A detailed look at the underlying OWASP API Security Top 10 flaws.
• An explanation of how each vulnerability occurred and what could have been done to prevent it.

Isabelle Mauny (Field CTO, 42Crunch)
I have been spending the last 15 years helping people integrate their applications internally and externally. I introduced IBM DataPower in Europe in 2005 and worked with numerous enterprise customers deploying what were the first API Gateways. I have stayed in that field since then, with a stronger focus on security in the past 5 years with 42Crunch.

The Call is coming from inside: Post-Exploitation Scenarios with Kubernetes Webhooks
Admission Controllers are an integral part of Kubernetes security, specifically access control. These take the form of mutating and validating webhooks. Kubernetes clusters use these webhooks to enforce or mutate security policy checks. Everything from security context to memory limits can be enforced through the use of these webhooks. However, attackers can leverage custom-built webhooks as a way of maintaining persistence in an exploited Kubernetes cluster. In this talk, I will detail the admission controller implementation in Kubernetes. I will build and deploy both mutating and validating malicious webhooks to a cluster to demonstrate a bevy of post-exploit persistence approaches that one can leverage, entirely using Kubernetes webhooks.
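Because a webhook configuration is just another cluster object, the defensive counterpart to the persistence scenario above is to inventory the cluster's MutatingWebhookConfiguration and ValidatingWebhookConfiguration objects and compare them against a known-good baseline. The following script is an added example written for this page, not code from the speaker or from any project; the allow-list, the trusted namespaces and the sample JSON (shaped like `kubectl get mutatingwebhookconfigurations,validatingwebhookconfigurations -o json` output) are constructed for illustration. It flags webhooks missing from the baseline, webhooks whose backend is an external URL rather than an in-cluster service, backends in untrusted namespaces, and rules that match wildcard API groups or resources.

```python
"""Audit Kubernetes admission webhook configurations against a baseline."""
import json
from typing import List, Tuple

# Constructed allow-list of webhook names the cluster is expected to run.
# A real baseline would be exported from a known-good cluster and kept in version control.
EXPECTED_WEBHOOKS = {
    "MutatingWebhookConfiguration": {"policy-injector.example.internal"},
    "ValidatingWebhookConfiguration": {"policy-validator.example.internal"},
}

# Namespaces in which webhook backend services are allowed to live (constructed).
TRUSTED_NAMESPACES = {"kube-system", "policy-system"}

# Constructed sample mimicking the output of
#   kubectl get mutatingwebhookconfigurations,validatingwebhookconfigurations -o json
SAMPLE_KUBECTL_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "admissionregistration.k8s.io/v1",
            "kind": "ValidatingWebhookConfiguration",
            "metadata": {"name": "policy-validator"},
            "webhooks": [{
                "name": "policy-validator.example.internal",
                "clientConfig": {"service": {"namespace": "policy-system",
                                             "name": "validator", "path": "/validate"}},
                "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
                           "resources": ["pods"], "operations": ["CREATE", "UPDATE"]}],
                "failurePolicy": "Fail",
                "sideEffects": "None",
                "admissionReviewVersions": ["v1"],
            }],
        },
        {
            "apiVersion": "admissionregistration.k8s.io/v1",
            "kind": "MutatingWebhookConfiguration",
            "metadata": {"name": "cache-sync"},
            "webhooks": [{
                "name": "cache-sync.example.internal",
                # External backend; 203.0.113.10 is a documentation (TEST-NET-3) address.
                "clientConfig": {"url": "https://203.0.113.10/mutate"},
                "rules": [{"apiGroups": ["*"], "apiVersions": ["*"],
                           "resources": ["*"], "operations": ["CREATE"]}],
                "failurePolicy": "Ignore",
                "sideEffects": "None",
                "admissionReviewVersions": ["v1"],
            }],
        },
    ],
})


def audit_webhooks(list_json: str) -> List[Tuple[str, str]]:
    """Return (webhook identifier, reason) pairs for every deviation from the baseline."""
    findings: List[Tuple[str, str]] = []
    for cfg in json.loads(list_json).get("items", []):
        kind = cfg.get("kind", "")
        cfg_name = cfg.get("metadata", {}).get("name", "<unnamed>")
        for wh in cfg.get("webhooks", []):
            ident = f"{kind}/{cfg_name}:{wh.get('name', '<unnamed>')}"
            # 1. Anything not in the baseline is worth a look.
            if wh.get("name") not in EXPECTED_WEBHOOKS.get(kind, set()):
                findings.append((ident, "webhook not in baseline allow-list"))
            client = wh.get("clientConfig", {})
            # 2. A URL backend sends every matching admission request off-cluster.
            if "url" in client:
                findings.append((ident, f"backend is an external URL: {client['url']}"))
            # 3. In-cluster backends should live in a namespace we control.
            service = client.get("service")
            if service and service.get("namespace") not in TRUSTED_NAMESPACES:
                findings.append((ident, f"backend service in untrusted namespace "
                                        f"{service.get('namespace')}"))
            # 4. Wildcard rules see (and for mutating hooks, can change) everything.
            for rule in wh.get("rules", []):
                if "*" in rule.get("resources", []) or "*" in rule.get("apiGroups", []):
                    findings.append((ident, "rule matches wildcard API groups or resources"))
                    break
    return findings


if __name__ == "__main__":
    for ident, reason in audit_webhooks(SAMPLE_KUBECTL_JSON):
        print(f"[!] {ident}: {reason}")
```

Run it against live output by piping `kubectl get ... -o json` into `audit_webhooks`; in the constructed sample the expected validating webhook produces no findings, while the unknown mutating webhook is reported three times (not in baseline, external URL, wildcard rule). Scheduling the check and alerting on any new finding turns a one-off audit into a persistence detection.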

Abhay Bhargav (CEO, AppSecEngineer)
Abhay Bhargav is the Founder of we45 and AppSecEngineer. He has created pioneering work in the area of DevSecOps and AppSec Automation, including the world's first hands-on training program on DevSecOps. In addition to this, Abhay is active in his research of new technologies and their impact on Application Security. Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA, AppSecEU and AppSecCali. His trainings have been sold-out events at conferences like AppSecUSA, AppSecDay Melbourne, CodeBlue, BlackHat and so on.

Our chapter meetings are open for everyone, and attendance is free of charge. We ask you to register on Meetup in order to provide you with last-minute updates, if needed.

More info can be found on the Belgium OWASP chapter page at https://owasp.org/www-chapter-belgium/.

Related topics

Application Security
Computer Security
Cybersecurity
Software Security
Software Development
