Links

Presentations

Our presentations and tools
Davide Cioccia @ DevDays / DevPro Europe 2023 (Lithuania) online
Davide Cioccia @ SECCON NL 2023 (Netherlands)
Davide Cioccia @ TestCon Europe 2023 (Lithuania)
After spending the last 1 or 2 years getting your DevOps process right, here comes the new security guy: "We need to move to DevSecOps". This talk wants to share my personal experience, challenges, and successes as a DevSecOps Architect in implementing DevSecOps in different DevOps processes. The talk starts with the main question: "Where do we start?" and then moves on to topics like IaC security, policy as code, SAST, SCA, SBOM, Security Champions, CI/CD security, supply chain security, logging and monitoring, and DevSecOps maturity. Don't look at it as a list but as a mix of connected resources that will increase automation and reduce manual bottlenecks. At the end of the talk, attendees should already be able to picture their DevSecOps journey ahead.
Davide Cioccia @ OWASP MAS
We provided a set of solutions to exploit the OWASP MAS Android Crackme challenges using Ghidra and Frida. Read our writeups here.
Davide Cioccia & Stefan Petrushevski @ DevSecCon Boston 2019
"Attacking and Defending GraphQL Applications: A Hands-On Approach" is a workshop that provides practical knowledge on securing GraphQL applications. Participants engage in hands-on activities to identify, exploit, and mitigate vulnerabilities in GraphQL APIs. The workshop covers attack vectors specific to GraphQL and teaches defensive techniques such as authentication, input validation, and rate limiting.
Davide Cioccia & Stefan Petrushevski @ BlackHat Asia 2019
We presented a new tool to automate cybersquatting attacks and identify available websites to use in phishing campaigns. The tool also allows you to monitor existing domains for their expiration date and buy them as soon as they become available. And ... it is open source.
Davide Cioccia & Stefan Petrushevski @ BlackHat Arsenal London 2018
We presented a CLI tool to exploit, detect and prevent cybersquatting attacks. The tool is designed to be fast and to give quick feedback to companies and pentesters.
Davide Cioccia @ Open Security Summit London 2018
The session focused on creating BDD tests to automate the OWASP MSTG test cases, in order to integrate those tests into the CI/CD pipeline.
Davide Cioccia @ OWASP AppSec USA 2018
This talk introduces a new process and practical solution that achieves this – automation of mobile security tests. We are using a combination of existing penetration testing frameworks (Drozer and Needle), UI automation, and underlying system commands available in the mobile OS for the execution of tests, and we describe (write) tests in BDD fashion. In this way, you can cover all kinds of security tests, such as testing for unencrypted PII, input validation, cryptography, network security, SQL injection and so on! Basically, the goal is to translate MASVS (and its sister project MSTG) into automated BDD security tests and give pentesters more time to focus on "crazy stuff".
Davide Cioccia @ OWASP AppSec Romania 2017
A novel approach to automating OWASP MASVS and MSTG via unit and integration tests using BDD.