OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter Policy. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.
Join us for the 2024 OWASP AppSec Days Singapore at Marina Bay Sands hotel. Designed for private and public sector infosec professionals, the OWASP conference equips developers, defenders, and advocates to build a more secure web. We are offering three educational 1-day training courses on 01-October, which require a separate ticket purchase, followed by the conference and exhibition on 02-October. Join us for leading application security technologies, speakers, prospects, and community, in a unique event that will build on everything you already know to expect from an OWASP Conference. With amazing speakers and networking opportunities, this is an event you will not want to miss.
Our meetings are open to the public, and you do not need to be a member to attend. Please do consider joining OWASP if you find our community, projects, and meetings valuable, or sponsoring this chapter.
Gian-Luca Frei is an experienced Application Security Consultant based in Singapore, currently working at Zühlke. With a passion for security, Gian-Luca has a proven track record of securing systems to the highest security standards, including e-banking portals and health applications. He brings a wealth of knowledge and expertise in the field of application security, having worked in the industry for several years. Gian-Luca is also the founder and co-leader of the OWASP Application Gateway Project, which focuses on developing open-source tools to help secure web applications. In addition to his professional engagements, Gian-Luca is a researcher at heart. He has a keen interest in modern cryptographic protocols and has conducted extensive research in this field. His contributions were recognized with the ISSS Excellence Award in 2019.
Vinoth leads the Cyber Offensive consulting team in Singapore at softScheck APAC. His insatiable curiosity led him into the world of hacking, where he dedicates his time to uncovering vulnerabilities and safeguarding clients across various industries. Vinoth maintains an avid interest in security research, and a particular passion for low-level systems engineering and exploit development.
This presentation delves into the intricate landscape of advanced mobile security attacks that pose significant risks to mobile platforms. We explore the evolving nature of mobile malware, emphasizing the need for proactive measures to fortify applications against advanced attacks.
This talk delves into common API security concerns and the importance of API Discovery. It highlights the key needs for an API security tool to detect API abuses and the importance of having a data lake for threat hunting.
We have a distinguished speaker lined up: James Lee from F5. The topics covered in this meetup will be highly relevant for individuals engaged in both AppSec within App Development and AppSec within Cyber Security.
Join us for an insightful session where we delve into the evolving landscape of API security. In this engaging event, we will uncover the advancements made in the OWASP API Top 10 from 2019 to 2023, highlighting the key changes and emerging threats.
Join us in this session to learn how F5 Distributed Cloud solutions bridge this gap, offering Zero Trust-based API access by leveraging the standard OAuth framework and its App Segmentation integration.
Ashwath (co-author of ATOR Burp Plugin) and Avneesh (employee of Akto) will be doing a hands-on walkthrough of API security and talk about automating testing for complex API scenarios. They will cover the following topics:
Ashwath currently works as a Principal Engineer at Razorpay. He has previously worked at Synopsys and Microsoft Corp. His interests are in Cloud Security, Red Teaming, Application Security (web applications) and Threat Modeling. He has released plugins for Burp to handle complex authentication mechanisms. He has presented at Rootconf, FS-ISAC, Nullcon, Cocon, BrightTALK, 50p (HasGeek) and technical conferences conducted by SAP, IAF, Infosys, NetApp amongst others.
Avneesh started as the first employee at akto.io (an API security company). His interests lie in the area of API security, understanding misconfigurations in API setup and variants of API architectures like GraphQL, JSONP, gRPC. While working on the tool, he has shared his experiences in multiple forums such as the Accel CTO & CISO summit.
In this session, Onn Chee will cover 3 PDPC published decisions - one on ransomware and 2 on API insecurity - and the lessons we can draw from such cases. In addition, Onn Chee will highlight a common mistake that cloud users make in managing credentials and/or access keys on cloud. The OWASP API Top 10 will be touched on too.
Effective security comes in layers. In this session, Shahn will cover the wide range of controls needed to build layers of API defense. We will study the kill chain for an API breach and share design approaches to meet these challenges and cover the OWASP API Security Top 10.
Shahn has over a decade of experience in Information Security, practicing in the Asia Pacific. With a keen interest in modern application security, digital identity, and multi-cloud security, he focuses on building security intelligence into solutions and firmly believes in automated proactive defense. He writes on IT security at f5labs.com and has co-authored a Redbook on access management deployment patterns.
In this talk, we will be introducing AWSGoat, a vulnerable-by-design infrastructure on AWS featuring the latest released OWASP Top 10 web application security risks (2021) and other misconfigurations based on services such as IAM, S3, API Gateway, Lambda, EC2, and ECS. AWSGoat mimics real-world infrastructure but with added vulnerabilities. The idea behind AWSGoat is to provide security enthusiasts and pen-testers with an easy-to-deploy/destroy vulnerable infrastructure where they can learn how to enumerate cloud applications, identify vulnerabilities, and chain various attacks to compromise the AWS account. The deployment scripts will be open-source and made available after the talk.
Jeswin Mathai is the Chief Architect (Lab Platform) at INE. He leads the team responsible for managing the lab infrastructure. Prior to joining INE, he was working as a senior security researcher at Pentester Academy (acquired by INE). He has published his work at DEFCON China, RootCon, Black Hat Arsenal, and Demo Labs (DEFCON). He has also been a co-trainer in classroom trainings conducted at Black Hat Asia, HITB, RootCon, and OWASP NZ Day. He has a Bachelor's degree from IIIT Bhubaneswar. He was the team lead at InfoSec Society IIIT Bhubaneswar in association with CDAC and ISEA, which performed security auditing of government portals and conducted awareness workshops for government institutions. His areas of interest include Cloud Security, Container Security, and Web Application Security.
He joined Palo Alto Networks from Akamai, where he was a key technology leader focused on emerging cybersecurity domains across Asia-Pacific and Japan. Prior to Akamai, Siddharth spent almost a decade at Gartner, where he was a strategic advisor to organizations across the Asia-Pacific and Japan region as well as globally on a variety of emerging and established cybersecurity domains. Siddharth holds a Bachelor's in Electronics Engineering from Mumbai University in India.
Finally, we will learn the importance of having Cloud Infrastructure Entitlements Management (CIEM) to enforce permissions and secure identities across workloads and clouds. A demo will be included in this meetup.
With over 9 years of experience as a software developer and application (security) architect, Nathan Aw is a firm believer-practitioner of zero trust and an advocate of secure coding practices. His passion is in designing, building and rolling out asynchronous, polyglot microservices that are both zero-trust and performant, can securely run anywhere (multi-cloud and/or on-premise), and scale without limits.
With the significantly increased adoption of cloud-native technologies, and against the backdrop of supply chain attacks (the SolarWinds hack), what can all of us do to ensure that what we build and deploy to production is indeed secure? In this session, Nathan Aw will expound on the need for a Secure Software Factory (SSF), share some useful cloud-native security checklists and finally demo some security and compliance tools that can help to secure our cloud-native supply chain.
A hands-on microservices developer turned AppSec architect and practitioner, Nathan Aw's unyielding passion lies in building and deploying secure and scalable software that can run anywhere. Through the actual hands-on setup of a Secure Software Factory (SSF), Nathan understands intimately the importance of setting up a first-class secure software factory that is able to quickly deliver trusted and secure digital services to its customers. More on Nathan can be found at
Martin Knobloch, Global AppSec Strategist at Micro Focus, is a long-time information security leader with more than 15 years of experience in the field. With a background in software development and architecture, his focus is on software security. Martin is actively involved in OWASP where he is a frequent contributor to various projects and initiatives, as well as a member of the Board of Directors. During his career, Martin has been a recognized teacher, guest lecturer at various universities and invited speaker and trainer at local and international software development, testing and security conferences throughout the world.
Securing the multi-cloud, portable, *-tier microservice application that can potentially run anywhere, such as on-premise K8S or on multiple clouds (AKS, EKS, GKE, etc.), can truly be a real challenge to microservices developers (yours truly!) and security folks alike.