Conference:  Global AppSec San Francisco 2022

Authors: Zohar Shchar, Dmitry Ryskin

2022-11-18

When doing application security for an API–centric enterprise spanning over thousands of micro services, Dynamic Application Security Testing (DAST) is almost a must-have. However, DAST products often fail to execute even the most rudimentary tests on internal endpoints that require a complex user flow. If an API call requires an ID that was obtained in the response BODY 5 HTTP calls ago, the chances a traditional DAST will be able to test your API are slim.In this talk we’ll present our approach for solving this issue, by leveraging existing headless-chrome test suites (built by the engineers as part of the R&D flow) to serve as the attack surface for our custom DAST solution, Krampus. By using Chromium interceptors, we were able to introduce appsec payloads into HTTP requests issued during the execution of normal 'user flow' test scenarios (and pick up the results) and have an effective DAST for internal API's and endpoints.It wasn't smooth sailing, though, with many challenges along the way. Particularly, we realized that replicating each API call & param with a separate test will mean that the number of our test calls grows exponentially, pushing up both cost and overhead. As many of our API’s also include dynamic params as part of the path, we had to build an API asset DB to understand if and when a specific URL was already tested (code for which we plan to release as open source).At the end of the talk the participants will have the tools to leverage similar testing suites in their own orgs to drastically improve the quality & coverage of the automatic testing in their environment.

Conference:  CloudOpen 2022

Authors: Ran Regenstreif

2022-06-22

The talk focuses on utilizing open source security tools to reduce threats and risks in cloud systems, environments, and products. The speaker emphasizes the importance of a programmatic approach to security and shifting left.

• Shift left movement empowers developers with security tools and processes
• Open source security tools are important in minimizing risks
• A broader set of risks should be considered when selecting tools
• Utilizing a toolkit and tool belt can help minimize risks
• Programmatic approach to security is crucial

Conference:  OWASP 20th Anniversary Event

Authors: Ran Klein, Eitan Worcel

2021-09-24

The presentation discusses the benefits of using correlation in cybersecurity and DevOps to reduce the amount of work needed to resolve issues and prioritize them.

• Using correlation can reduce the amount of work needed to resolve issues and prioritize them
• Correlation can consolidate multiple issues into a single one
• Data-driven prioritization and remediation can be achieved through correlation
• Actual numbers show a significant reduction in the amount of issues after consolidation
• The industry now focuses on fixing issues rather than just detecting them