The Open Source Fortress at the AppSec Village (DEF CON)

This year, I'm joining the AppSec Village and DEF CON folks in challenging the old saying, "What happens in Vegas, stays in Vegas".

On the 9th of August, starting at 3 p.m. for 2.5 hours, I will be hosting the Open Source Fortress workshop in the AppSec Village as part of DEF CON.

The purpose of the workshop will be the same as at the previous conferences where it was presented, namely to empower security engineers with public AppSec information and a handy open source toolkit for vulnerability discovery. The stories may be different: no AppSec tooling at all, limited budgets for the security department, or compute power that can be burned on new CI pipelines with quality gates. What matters is that these tools, put in the open by passionate people, can be used to level up the security posture of codebases or catch bugs that other scanners missed.

The Goat-like vulnerable application that is analysed during the workshop, the Sand Castle, also got an update. There are new XSSes, CSRFs, and SSRFs to be discovered with open source tooling. The wiki was also made more expert-friendly, with the ability to hide hints and beginner pages.

If you are at DEF CON, join the workshop! You'll leave with new AppSec knowledge and hands-on practice, some Swiss chocolate, stickers, and, for the most competitive of you, some prizes. See you in Vegas!