Shifting Knowledge Left: Keeping up with Modern Application Security

Conference: BlackHat USA 2019



The presentation discusses the importance of engaging developers in cybersecurity and providing them with opportunities to practice writing secure code.
  • Duo has developed intro and advanced appsec courses for Cybersecurity Awareness Month in October, with over 20 labs across the two courses.
  • The courses provide real-time awareness and feedback, engaging developers in the way they work and creating a relationship between the lecture and the lessons.
  • Duo is open-sourcing the custom lessons and hopes to encourage the community to build and release more lessons.
  • Developers need a chance to practice writing secure code, with guidance and feedback along the way.
  • The community needs to be grown by providing resources for security training and by creating a program that is different from the OWASP Top Ten.

Duo has created a lab where developers can practice exploiting and patching a vulnerable Python Flask application. The lab provides step-by-step instructions and feedback throughout the process. Developers are also given guidance on how to write secure code and on the trade-offs involved. The lab is a real application, which lets developers see what is possible and gives them a chance to practice writing secure code.


With security "shifting left" into DevSecOps, it's more difficult than ever to keep up with a rapidly evolving landscape of web technologies and the threats that come with them. While familiar vulnerability classes continue to plague our apps with the likes of XSS and SQL injection attacks, many frameworks are adopting automatic defences that protect against common abuse cases. At the same time, as the work of developers is abstracted away from these security decisions, remaining points of failure can more easily go overlooked. To keep our applications secure in a world where developers own deployments and commit production code many times a day, we need every software engineer to be well versed and up to date in secure coding techniques relevant to their particular language and framework. Education in application security is hard, and the days of passive compliance-based training through outdated videos and slideshows can't keep up. Meanwhile, traditional cybersecurity has little to do with modern appsec, and security teams are often seen by developers as a punitive function and (un)necessary evil. Beyond relying on slow-to-update measures like the OWASP Top 10 to guide us, we must find better ways to share appsec knowledge, both within teams and across the industry. To this end, Duo and Hunter2 have partnered to bring a set of free training resources that can be shared among development teams, including interactive training labs that allow engineers to practice exploiting and patching up modern web applications in their stack of choice. We are also opening this platform up to the community, so that attendees can publish their own labs demonstrating specific vulnerability and remediation examples as well.