Authors: Debasis Mohanty
2021-09-25

tldr - powered by Generative AI

The presentation discusses the reasons why old security bugs continue to persist in the industry and proposes better mitigation strategies.
  • Machine learning can be used to prevent malicious actions by training it to do behavioral checks
  • DevSecOps is not a silver bullet for software security engineering and should not be hyped as such
  • The way organizations respond to bug reports contributes to the persistence of old security bugs
  • Mitigation strategies that only fix reported bugs or prioritize based on risk rating are inadequate
  • Publicly reported security bugs should be taken seriously and addressed promptly
Authors: Marcin Szydłowski
2021-09-24

Abstract: Traditionally, Change Management is a very well-defined process. You can find hundreds of articles on the Internet explaining how each change should be properly requested, developed, tested and approved before being moved to the production environment. Obviously, each of these steps requires documentation and formal approval (sign-off) from the appropriate person. This process gave security engineers several chances to ensure that changes do not introduce any new vulnerabilities and that the infrastructure to which the application is deployed is hardened and patched.

Security around the Change Management process gets a little bit more complicated for agile software development and DevOps methodologies, where tens of small changes are introduced every day. Each of these small changes is automatically tested from various perspectives and, if everything goes as expected, it gets deployed to the environment of your choice without human intervention. Without any manual review in place, change management and security controls rely heavily on the fact that:
  • humans cannot access sensitive environments in an uncontrolled manner
  • the application's and infrastructure's code is independently reviewed to avoid unauthorized changes and detect flaws
  • pre-approved and verified artifacts are used while building applications to decrease the risk of insecure dependencies or malicious artifacts
  • automated tests are performed by the pipeline to detect defects or security issues

It goes without saying that the ability to circumvent any of the above-mentioned controls may introduce unauthorized changes and security issues to the application. This presentation will describe an often-ignored area of application security: the security of the development environment. The presenter will share some common misconfigurations of build/deployment environments which can have a significant negative impact on source code integrity and, as an ultimate result, on the security of the application itself.
Authors: Christian Schneider
2021-09-24

tldr - powered by Generative AI

Threagile is an open-source agile threat modeling toolkit that generates rule-based risk analysis and outputs reports to mitigate risks in data assets and technical assets.
  • It uses a YAML file to create a threat model and generates various outputs such as reports, JSON, and REST API
  • It has over 40 risk rules that analyze the model graph precisely, leading to fewer false positives
  • It has a plug-in interface that allows users to add custom risk rules to extend the tool's functionality
  • It has a model macro concept that automates certain changes to the model in a wizard-style question and answer format
  • It is released as open-source software under the MIT license and runs offline as a command-line interface or as a web server with a REST API