Authors: Guillaume Sauvage de Saint Marc

tldr - powered by Generative AI

Open Clarity is an open source suite effort that aims at addressing the entire cloud security and application security stack, and making it practical and usable for developers, cloud architects, and security teams alike.
  • Security is key for modern apps
  • Application security needs to be approached across the entire stack and software supply chain
  • Scanners are essential but need to be deployed and orchestrated at scale
  • Good dashboards and UI are necessary to convey a clear and convincing picture of application security posture
  • Open Clarity is an open source suite effort that aims at addressing the entire cloud security and application security stack
  • VM Clarity is a new project that offers VM agentless scanning at scale
  • More open source tools are needed to address the totality of the application security picture
Authors: Meghan Jacquot

tldr - powered by Generative AI

The speaker discusses the problem of wearing too many hats in cybersecurity and offers solutions through finding patterns and categorization.
  • Wearing too many hats is a common problem in cybersecurity
  • Finding patterns and categorization can help consolidate roles and reduce noise
  • The speaker provides examples of the OWASP Top 10 vulnerabilities
  • The speaker is working on a book about cybersecurity and is gathering stories from people in the field
Authors: Zohar Shchar

Bug bounty is a wonderful thing, and over the last few years it has completely overturned the industry focus, where more and more organizations direct money and resources to operating thriving programs. But there is another side to bug bounty - the side that can side-track your entire appsec strategy. As bug bounty becomes more and more popular, more and more researchers focus on scale and widespread issues that can be discovered by automation, rather than spending their time on deeper technical research of a particular target. Your team might easily get bombarded with low impact (valid) issues such as subdomain takeovers and XSS on random domains, and less and less focused on higher risk issues that require deep technical understanding. While this can sometimes be subverted by carefully aligning your scope and educating your researchers, you might end up spending more time on refining your program than on actually solving issues. As an enthusiastic bug bounty researcher myself, I truly believe in bug bounty. As an appsec manager, I understand bug bounty will never be enough to replace penetration testing. In this talk I’ll cover some of the pitfalls we fell into within our own program, and how you need to calibrate your expectations from bug bounty - and perhaps recalibrate your appsec strategy.
Authors: Felipe Zipitria, Juan Pablo Tosso

tldr - powered by Generative AI

The presentation discusses the importance of web application firewalls (WAFs) in cybersecurity and the benefits of using the open-source WAF, Coraza. The speaker emphasizes the need for companies to embrace API security and the new internet, and highlights the challenges of handling SQL injection and cross-site scripting attacks. The presentation also showcases the Coraza playground, a tool for debugging and testing web applications.
  • WAFs are crucial in protecting against cyber threats such as SQL injection and cross-site scripting attacks
  • Coraza is an open-source WAF that offers active development and easy customization through customer support
  • API security and the new internet must be embraced by companies
  • Handling SQL injection and cross-site scripting attacks is challenging due to the variety of SQL dialects and HTML syntax
  • The Coraza playground is a useful tool for debugging and testing web applications
Authors: Jeff Williams

tldr - powered by Generative AI

The presentation discusses the importance of incorporating threat intelligence and runtime protection into application security programs to prevent attacks and vulnerabilities.
  • Threat intelligence can dynamically change the risk of an attack and allow for prioritization of security measures.
  • Runtime protection can prevent a significant portion of vulnerabilities from being exploited.
  • Instrumentation and telemetry can provide real-time feedback to developers and production teams.
  • Trust boundaries and sandboxes can be implemented to prevent common vulnerabilities such as unsafe serialization and expression language injection.
Authors: Josh Grossman

2022 will be remembered as a milestone in the progression of the OWASP Application Security Verification Standard (ASVS) as well as the Mobile version (MASVS). Not only are two major releases in the pipeline for the end of the year (5.0 and 2.0 respectively) but this is also the year that industry stands up, takes notice and starts expecting more from applications, based on these standards. In this talk, the ASVS project leadership will take you through these key developments including what you should expect from the upcoming version 5.0 of the ASVS and how you can be involved in their final release. This will also be a chance to hear first-hand about a new programme where you will see the SVSs being more widely used and required, and how you can prepare your organizations for the significant impact this will have, whether you are developing applications or you are assessing them.
Authors: Jim Manico, semgrep.dev

tldr - powered by Generative AI

The presentation discusses the history and progress of information security testing and the role of OWASP in promoting application security.
  • The history of security testing dates back to the Polish researchers who built the first security testing tool to crack Enigma during World War II.
  • The first security testing device in modern history is the bombe.
  • The OWASP foundation is a non-profit international foundation dedicated to helping people and organizations make informed decisions about application security risk.
  • OWASP has released several free guides and tools to promote application security, including the OWASP Top 10 and the Application Security Verification Standard.
  • Cross-site scripting is a complicated vulnerability category that requires attention in application security.
Authors: Meghan Jacquot

When there is too much data our brains strain to find patterns, organization, and categorization. Context, frequency mapping, and using data to tell a larger story via trend analysis help us parse the signal-to-noise ratio into something meaningful and into something actionable. This talk seeks to share a combination of open source data and bug bounty data about vulnerabilities from 2021 and 2022, how to categorize those vulnerabilities, and then once categorized, how to connect meaningful context for defenders and builders. All of the vulnerabilities that will be covered in this talk are related to application security and each will be mapped to the most recent OWASP Top Ten list (2021). The vulnerabilities will be grouped into 3 case studies. The first case study will focus on vulnerabilities found in the Google Project Zero report and other Open Source Intelligence (OSINT) sources that relate to Application Security. The second case study will focus on impactful vulnerabilities from 2022, such as those listed on open sources like MITRE’s CWE Top 25 list. The final case study will focus on disaggregated and anonymous data that the presenter has access to related to a bug bounty program. All the vulnerabilities shared from this data will connect with Application Security and they will all be mapped to the OWASP Top Ten. Then a cumulative trend and frequency analysis will be discussed. To provide additional context, when data is available and known, it will be shared whether the vulnerability was also being actively exploited in the wild, whether there is a published proof-of-concept (PoC), and whether there is a mitigation plan. Be prepared for visualization of data and story-based data telling.
At the end of the talk, the speaker will share resources for research and further development of skills around OSINT, threat intelligence, and vulnerability management. The content of this talk could be used by devops to further understand the context behind vulnerabilities that affect the platforms they are building, as well as by vulnerability management teams, threat modelers, cyber threat intelligence teams, and incident responders.
Authors: Tsvi Korren

From medications to aircraft, car parts to computer parts -- humans have figured out how to secure the process of sourcing and building some of our most complicated products. With software supply chain security only now getting started, what can we learn from parallel industries that can give us a leg up on securing the supply chains of our digital world? If most of us can agree that industry involves taking in materials and processing them to make something new, why is there still this view of software developers as artisans who write everything from scratch? The fact is that most organizations today write only a small part of their software. Most software is sourced, either as finished products or as components for internal software development. This is especially true for Cloud Native applications, which are based on open source components, run in open source or Cloud-provided orchestration, and are spread across multiple types of workloads. The result is that organizations end up assuming security responsibility for an application where much of the code was written elsewhere and assembled in a build pipeline with varying degrees of governance and oversight. Over the years, manufacturing has developed a set of tools and processes to ensure quality and security in the supply chain and assembly lines. Similarly, Application Security needs to account for how software is sourced and used in the modern application pipeline. This presentation will show the similarities between manufacturing supply chains and the software supply chain. We will use the pharmaceutical industry as a model to outline the required controls, where to place them, and how to use the gathered information to make better decisions and produce more secure software.
Authors: Warren Kopp

Building an application security program is hard. Application Security teams struggle to grow, be effective, or get budget. Why? They’re missing the collaboration. You face resistance from developers: they don’t want to change their practices. You face resistance from testers: this isn’t in their test plans. You face resistance from leadership: SAST costs how much?! Overcoming this adversity depends on growing your communication and collaboration skills. It’s key to learn how to identify stakeholders for AppSec output. Who needs to know about your metrics? Why do they need to know that? Is it Marketing, to help sell your software, your posture, your commitment? Is it Compliance, to know about all the hard work that gets done building secure defaults? Is it Operations, so they know how to report new vulnerabilities? These are only a few examples of where in your company you might find new allies. At every level in an organization there are people who need to know about Application Security who aren’t currently even aware of the concept. And they need your help to get there. Attendees will learn about sharing their hard work with the right people across their organization. They will learn how to find the right people for their message, and how to build the right message for the audience. They will learn how to solicit feedback and build actionable plans and goals to address it. It is on the shoulders of Application Security Teams to reach out and build a community around their goals. This takes a lot of meetings, a lot of compromise, and quite often a lot of doing “non-security” work. But it builds a stronger team that breaks down existing silos. It builds a more effective organization that can adapt to changes in customers, markets, and technologies. Building a community around application security amplifies effort, but more importantly, strengthens the output.
After building your community you will learn about vulnerabilities sooner, address questions quicker, and support your customers better, all while delivering more secure software.