How Security, Development & Testing can work together to stop the same recurring vulnerabilities appearing in the OWASP Top 10

The presentation discusses the importance of embedding security at every stage of the development process and highlights the prevalence of human error in causing data breaches.

• Developers spend only a small percentage of their time writing code, with the majority spent on debugging and fixing vulnerabilities.
• There are over 125 vulnerabilities, with the top 21 accounting for 400 CWEs, including design vulnerabilities, SSRF, CSRF, and authentication.
• Embedding security at every stage is crucial, including threat modeling, policies as code, peer reviews, and penetration testing.
• Insufficient logging and monitoring is a significant issue, and incident response teams are essential in containing and mitigating the damage of a breach.
• Human error is a prevalent cause of data breaches, accounting for 25% of all breaches in 2020.
• Developers are motivated by features and functions, while security is focused on finding problems.

The speaker shares a story of a famous organization that lost one-third of its market cap, equivalent to $5 billion, due to a bad version of Struts in 2017. The incident highlights the importance of brand and the potential financial impact of a data breach.

Abstract:Although the OWASP top 10 has been updated several times, the same vulnerabilities keep appearing over and over again! Security is a shared responsibility, how can we work together to stop the same recurring vulnerabilities?The majority of vulnerabilities are introduced during coding and identified during testing. How can development, security and testing work together to prevent these vulnerabilities reappearing? Changing culture is key! How can we motivate developers? How do we put a positive spin on security? How can we break down the silos between different teams and unite behind the shared goal of secure software?Security can no longer be the ‘bad guy’ at the end of the software development process. Security practises must be embedded within the developer workflow and software development lifecycle. This requires a mix of hard and soft skills which will be discussed during this session.