ZapCon 21
ZapCon ’21 was scheduled for 9th March 2021.
What was interesting
Robot Framework
Democratizing ZAP with test automation and DSLs by Abhay Bhargav
- BDD (Behaviour Driven Development) in IT security
- apparently, there is this Robot Framework which makes writing test cases quite simple, and you can run pentests against your UI application with it
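As an added example (not code from the talk, the Robot Framework or the ZAP project): a minimal Robot Framework keyword library, written in Python, that turns ZAP's alert list into a pass/fail gate for a pipeline. It assumes the JSON shape of ZAP's `/JSON/core/view/alerts/` API response; the library name `ZapAlertGate`, the keyword names and the sample alerts are made up for this example.

```python
"""
Robot Framework keyword library that turns ZAP scan results into a pass/fail
gate. Added example, not code from ZapCon, Robot Framework or the ZAP project.

Assumptions: alert JSON shaped like ZAP's /JSON/core/view/alerts/ response
(each alert has "alert", "risk", "confidence", "url", "cweid"); the library
name ZapAlertGate and the keyword names are made up for this example.
"""
import json

# Risk and confidence levels as ZAP labels them, lowest first.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CONFIDENCE_ORDER = {"False Positive": 0, "Low": 1, "Medium": 2,
                    "High": 3, "User Confirmed": 4}

# Constructed sample, shaped like a ZAP alerts response (not real scan output).
SAMPLE_ALERTS_JSON = json.dumps({"alerts": [
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "http://target.example/", "cweid": "693"},
    {"alert": "SQL Injection", "risk": "High",
     "confidence": "Medium", "url": "http://target.example/search?q=1", "cweid": "89"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "confidence": "Low", "url": "http://target.example/echo?m=1", "cweid": "79"},
]})


class ZapAlertGate:
    """Every public method becomes a Robot keyword ("Parse Zap Alerts", ...)."""

    ROBOT_LIBRARY_SCOPE = "GLOBAL"

    def parse_zap_alerts(self, alerts_json):
        """Parse the JSON text ZAP returns and normalise it to a list of dicts."""
        data = json.loads(alerts_json)
        alerts = data["alerts"] if isinstance(data, dict) else data
        for a in alerts:
            if a.get("risk") not in RISK_ORDER:
                raise ValueError(f"unknown risk label in alert: {a}")
        return alerts

    def alerts_at_or_above(self, alerts, risk, min_confidence="Low"):
        """Alerts with risk >= `risk` and confidence >= `min_confidence`.
        The confidence floor is how the gate trades noise for signal."""
        return [
            a for a in alerts
            if RISK_ORDER[a["risk"]] >= RISK_ORDER[risk]
            and CONFIDENCE_ORDER.get(a.get("confidence", "Low"), 1)
            >= CONFIDENCE_ORDER[min_confidence]
        ]

    def fail_on_alerts_at_or_above(self, alerts, risk, min_confidence="Low"):
        """Fail the Robot test (AssertionError) when gating alerts exist."""
        hits = self.alerts_at_or_above(alerts, risk, min_confidence)
        if hits:
            summary = "; ".join(f'{a["risk"]} {a["alert"]} at {a["url"]}' for a in hits)
            raise AssertionError(f"{len(hits)} alert(s) at risk >= {risk}: {summary}")
        return True


# Matching .robot suite (Robot strips the BDD prefixes Given/When/Then when
# matching keywords), assuming the alerts were exported to results/alerts.json:
#
# *** Settings ***
# Library    ZapAlertGate.py
# Library    OperatingSystem
#
# *** Test Cases ***
# Scan Must Not Report High Risk Alerts
#     Given ZAP alerts are loaded from    results/alerts.json
#     Then there are no alerts at or above    High    Medium
#
# *** Keywords ***
# ZAP alerts are loaded from
#     [Arguments]    ${path}
#     ${json}=    Get File    ${path}
#     ${alerts}=    Parse Zap Alerts    ${json}
#     Set Test Variable    ${ALERTS}    ${alerts}
#
# there are no alerts at or above
#     [Arguments]    ${risk}    ${min_confidence}=Low
#     Fail On Alerts At Or Above    ${ALERTS}    ${risk}    ${min_confidence}
```

The suite runs with `robot` in any CI job, no browser needed; the confidence floor is the knob that keeps low-confidence findings from breaking the build while still failing on anything ZAP is reasonably sure about.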
Why use a DAST scanner?
DAST (Dynamic Application Security Testing) keeps your app secure. A DAST scanner will:
- test your running app
- find bugs before they are deployed to prod
- mimic how attackers view your system
- test how the whole system works, not just its components
- give you a low signal-to-noise ratio
- reveal real risks, not just theoretical ones
ZAP automation framework
by Simon Bennetts – ZAP Project Lead
- DEMO available
- it will support core features like:
- passive scanning
- configuration
- waiting to complete
- traditional spider
- active scanner
- passive scanning
- additional addons supported
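Added example, not the ZAP project's own code: a plan for the automation framework built from Python in the job order listed above (passive scan configuration, spider, waiting for passive scanning to complete, active scan, report), with a few hygiene checks and a YAML dump. The job types and parameter names are assumed from the automation framework documentation, as is running the plan with `zap.sh -cmd -autorun plan.yaml`; the ordering rules in `validate_plan` are this example's own checks, not rules ZAP enforces.

```python
"""
Build and sanity-check a ZAP Automation Framework plan. Added example, not
ZapCon or ZAP project code. Assumes the documented job types and parameters
(env.contexts, addOns, passiveScan-config, spider, passiveScan-wait,
activeScan, report) and `zap.sh -cmd -autorun plan.yaml` to run it. The
ordering rules in validate_plan are this example's own hygiene checks.
"""

TRAFFIC_JOBS = {"spider", "spiderAjax", "activeScan"}   # jobs that generate traffic


def build_plan(target_url, context="Default Context",
               report_dir="/tmp/zap-reports", active=True, addons=()):
    """Return the plan as nested dicts, jobs in the order they should run."""
    jobs = []
    if addons:
        jobs.append({"type": "addOns", "install": list(addons)})
    # Configure passive scanning before any traffic is generated.
    jobs.append({"type": "passiveScan-config",
                 "parameters": {"maxAlertsPerRule": 10, "scanOnlyInScope": True}})
    jobs.append({"type": "spider",
                 "parameters": {"context": context, "url": target_url, "maxDuration": 5}})
    # Let the passive scanner drain its queue before going further.
    jobs.append({"type": "passiveScan-wait", "parameters": {"maxDuration": 5}})
    if active:
        jobs.append({"type": "activeScan",
                     "parameters": {"context": context, "maxRuleDurationInMins": 2}})
        jobs.append({"type": "passiveScan-wait", "parameters": {"maxDuration": 5}})
    jobs.append({"type": "report",
                 "parameters": {"template": "traditional-json",
                                "reportDir": report_dir, "reportFile": "zap-report"}})
    return {"env": {"contexts": [{"name": context, "urls": [target_url]}],
                    "parameters": {"failOnError": True, "progressToStdout": True}},
            "jobs": jobs}


def validate_plan(plan):
    """Return a list of problems; an empty list means the plan passes."""
    problems = []
    contexts = plan.get("env", {}).get("contexts", [])
    names = {c.get("name") for c in contexts}
    if not any(c.get("urls") for c in contexts):
        problems.append("env.contexts defines no target URL")
    types = [j.get("type") for j in plan.get("jobs", [])]
    traffic = [i for i, t in enumerate(types) if t in TRAFFIC_JOBS]
    waits = [i for i, t in enumerate(types) if t == "passiveScan-wait"]
    if traffic and "passiveScan-config" in types and types.index("passiveScan-config") > traffic[0]:
        problems.append("passiveScan-config must run before the first traffic-generating job")
    if traffic and not any(w > traffic[-1] for w in waits):
        problems.append("no passiveScan-wait after the last traffic-generating job")
    if "report" in types and types.index("report") != len(types) - 1:
        problems.append("report job must be the last job")
    for j in plan.get("jobs", []):
        ctx = j.get("parameters", {}).get("context")
        if ctx and ctx not in names:
            problems.append(f'job {j.get("type")} references undefined context "{ctx}"')
    return problems


def _scalar(value):
    """YAML scalar; strings are always quoted so URLs and names never surprise the parser."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_yaml(obj, indent=0):
    """Tiny emitter for the dict/list/scalar shapes used here (no PyYAML needed)."""
    pad, lines = "  " * indent, []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, (dict, list)) and value:
                lines.append(f"{pad}{key}:")
                lines.extend(to_yaml(value, indent + 1))
            elif isinstance(value, (dict, list)):
                lines.append(f"{pad}{key}: " + ("{}" if isinstance(value, dict) else "[]"))
            else:
                lines.append(f"{pad}{key}: {_scalar(value)}")
    elif isinstance(obj, list):
        for item in obj:
            if isinstance(item, dict):
                sub = to_yaml(item, indent + 1)
                lines.append(f"{pad}- {sub[0].lstrip()}")   # first key shares the "- " line
                lines.extend(sub[1:])
            else:
                lines.append(f"{pad}- {_scalar(item)}")
    return lines


def plan_yaml(plan):
    """Validate, then render; refuse to emit a plan that fails the checks."""
    problems = validate_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join(to_yaml(plan)) + "\n"


if __name__ == "__main__":   # write plan.yaml, then: zap.sh -cmd -autorun plan.yaml
    print(plan_yaml(build_plan("https://target.example")))
```

Generating the plan from code rather than hand-editing YAML is what makes the "configuration" and "waiting to complete" jobs hard to forget: the validator refuses a plan whose report job runs before the passive scanner has drained its queue.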
Mobile app security with OWASP ZAP
by Ankush Mohanty & Milan Sen
- DEMO available
- in mobile AppSec, traffic analysis has a major role in finding various server-side vulns
- some common vulns uncovered by traffic analysis include (but are not limited to):
- secure communication validation (SSL/TLS or plain HTTP)
- server-side open ports
- PII data or server information leaks
- server-side brute force / lockout validation
- validation of resource utilization vulnerabilities
- server-side authorization vulns
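To make that list concrete, here is an added example (not the speakers' tooling) of what traffic analysis looks like as code: four checks over a constructed proxy capture, one each for cleartext transport, server version disclosure, PII in responses, and a login endpoint that never locks out or rate-limits. The record format (method/url/status/response_headers/body) is an assumption standing in for whatever your proxy exports, such as ZAP's history or a HAR file.

```python
"""
Traffic-analysis checks for the vulnerability classes the talk lists, run over
a constructed proxy capture. Added example, not the speakers' tooling; the
record format (method/url/status/response_headers/body) is an assumption that
stands in for whatever your proxy exports (ZAP history, HAR, mitmproxy flows).
"""
import re
from collections import Counter
from urllib.parse import urlparse

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
VERSION_RE = re.compile(r"/\d+(\.\d+)+")          # "nginx/1.18.0" -> version disclosed

# Constructed capture of a mobile app talking to its backend (not real traffic).
CAPTURE = [
    {"method": "GET", "url": "http://api.app.example/config", "status": 200,
     "response_headers": {"Server": "nginx/1.18.0"}, "body": '{"feature": true}'},
    {"method": "GET", "url": "https://api.app.example/profile", "status": 200,
     "response_headers": {"Server": "nginx"}, "body": '{"email": "alice@example.com"}'},
]
# Six failed logins in a row with no lockout or rate-limit response in between.
CAPTURE += [
    {"method": "POST", "url": "https://api.app.example/login", "status": 401,
     "response_headers": {"Server": "nginx"}, "body": '{"error": "bad password"}'}
    for _ in range(6)
]


def _endpoint(record):
    """Method plus URL without query string, the unit for per-endpoint counting."""
    u = urlparse(record["url"])
    return f'{record["method"]} {u.scheme}://{u.netloc}{u.path}'


def _header(record, name):
    headers = {k.lower(): v for k, v in record.get("response_headers", {}).items()}
    return headers.get(name.lower())


def check_cleartext(capture):
    """Secure communication: requests that went over plain HTTP."""
    return list(dict.fromkeys(r["url"] for r in capture
                              if urlparse(r["url"]).scheme == "http"))


def check_server_info_leak(capture):
    """Server information leak: Server header that discloses a version."""
    return list(dict.fromkeys(r["url"] for r in capture
                              if VERSION_RE.search(_header(r, "Server") or "")))


def check_pii_in_responses(capture):
    """PII leak: response bodies containing e-mail addresses."""
    return list(dict.fromkeys(r["url"] for r in capture
                              if EMAIL_RE.search(r.get("body", ""))))


def check_missing_lockout(capture, threshold=5):
    """Brute force / lockout: endpoints answering >= threshold 401s and never a 423/429."""
    failures = Counter(_endpoint(r) for r in capture if r["status"] == 401)
    throttled = {_endpoint(r) for r in capture if r["status"] in (423, 429)}
    return sorted(ep for ep, n in failures.items() if n >= threshold and ep not in throttled)


def analyse(capture, lockout_threshold=5):
    """Run every check and return the findings grouped by category."""
    return {
        "cleartext": check_cleartext(capture),
        "server_info_leak": check_server_info_leak(capture),
        "pii_in_responses": check_pii_in_responses(capture),
        "missing_lockout": check_missing_lockout(capture, lockout_threshold),
    }
```

The lockout check is the one worth adapting: the right threshold and the status codes that count as "the server pushed back" depend on the backend, and a 200 with an error body (common in mobile APIs) needs a body-based failure predicate instead of the status code.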
Enhance ZAP with feedback-based fuzzing
by Khaled Yakdan
- Coverage-guided, in-process fuzzing for the JVM -> github.com/CodeIntelligenceTesting/jazzer
- DEMO CVE-2021-23899
- feedback-based fuzzing is great for finding bugs that cannot be uncovered by blackbox testing
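An added example of that principle (this is not Jazzer, which does the same for JVM bytecode with libFuzzer's engine, and not material from the talk): a toy coverage-guided fuzzer in Python against a made-up parser with a byte-by-byte header check and a trusted length byte. With branch feedback each header byte is solved on its own; the blackbox loop beside it has to guess all four at once and finds nothing in the same budget.

```python
"""
Toy coverage-guided fuzzer showing why feedback finds bugs that blackbox
input generation does not. Added example; not Jazzer and not ZapCon material.
The target parse_record and its bug are made up for the demonstration.
"""
import random

MAGIC = b"ZAP!"   # hypothetical 4-byte record header


def parse_record(data, trace):
    """Hypothetical parser. `trace` collects ids of the branches reached, which
    is what coverage instrumentation reports back to a fuzzer."""
    trace.add("entry")
    if len(data) < 5:
        return None
    for i, byte in enumerate(MAGIC):          # header compared byte by byte
        if data[i] != byte:
            return None
        trace.add(f"magic{i}")
    trace.add("body")
    length = data[4]                           # bug: the length byte is trusted
    return data[5 + length]                    # IndexError when it points past the end


def mutate(rng, data):
    """One small mutation: overwrite a byte or flip a single bit."""
    out = bytearray(data)
    pos = rng.randrange(len(out))
    if rng.random() < 0.5:
        out[pos] = rng.randrange(256)
    else:
        out[pos] ^= 1 << rng.randrange(8)
    return bytes(out)


def fuzz_with_feedback(target, seed_input, rng_seed=7, max_iters=100_000):
    """Keep any input that reaches a branch not seen before and mutate from
    the newest one, so each header byte gets solved independently."""
    rng = random.Random(rng_seed)
    seen = set()
    target(seed_input, seen)                   # baseline coverage of the seed
    corpus = [seed_input]
    for i in range(1, max_iters + 1):
        candidate = mutate(rng, corpus[-1])
        trace = set()
        try:
            target(candidate, trace)
        except IndexError:
            return {"crash": candidate, "iterations": i, "corpus_size": len(corpus)}
        if not trace <= seen:                  # new coverage: worth keeping
            seen |= trace
            corpus.append(candidate)
    return None


def fuzz_blackbox(target, size, rng_seed=7, max_iters=100_000):
    """No feedback: a fresh random input every time, so the 4-byte header must
    be guessed in one go (about 1 chance in 4 billion per try)."""
    rng = random.Random(rng_seed)
    for i in range(1, max_iters + 1):
        candidate = rng.getrandbits(8 * size).to_bytes(size, "big")
        try:
            target(candidate, set())
        except IndexError:
            return {"crash": candidate, "iterations": i}
    return None


if __name__ == "__main__":
    print(fuzz_with_feedback(parse_record, b"\x00" * 8))   # finds the crash
    print(fuzz_blackbox(parse_record, 8))                   # None within the budget
```

The corpus ends up with exactly one entry per header byte solved, which is the whole trick: feedback turns a 2^32 search into four 2^8 searches plus one more for the length byte. A DAST scanner sending requests from the outside only ever sees the blackbox side of this, which is why the talk pairs ZAP with an in-process fuzzer.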
Wrap up
Overall, the conference was pretty cool and much knowledge was gained. The most interesting part for me was BDD with the Robot Framework; that is actually something worth implementing in your security pipelines, and you can run it in headless mode (no UI, no browser required).