Conference:  Global AppSec San Francisco 2022

Authors: Simon Bennetts, semgrep.dev

2022-11-18

Is OWASP Still Relevant?Do people want to go to conferences and chapter meetings in the aftermath of COVID?Do we need 260+ projects?Does anyone get past the titles of the Top 10?In this talk Simon will explain why he thinks OWASP is still very relevant and a much needed force for good.But this will be interactive and you will get a chance to have your say!

Conference:  Global AppSec San Francisco 2022

Authors: Niclas Kjellin

2022-11-18

A little trust goes a long way, or so they say. The fundamentals of any resilient network, be it human or digital, starts with trust, where entities can authenticate themselves and others and communicate securely.Traditionally, a digital network uses the X.509 certificate standard and application-specific solutions to build trust and secure communication. Dime (Data Integrity Message Envelope) is an alternative open data format used to build trust and share data securely within networks of any size and shape. Dime envelopes contain encoded information, including verifiable claims by the sending party and application-specific data. In addition, using digital signatures and end-to-end encryption ensures that data cannot be altered or read by unauthorized parties. Some of the covered topics:- Trust-based networks – public key-based authentication to provide trust between entities- Message wrapping – end-to-end encryption to securely deliver data- Cryptographic linking – link items cryptographically for proof-building- Signature tags – to prove reception, processing, or verification of an itemAlthough there is no need to have deep secure engineering knowledge to get going with Dime, this talk aims to go through the underlying concepts, which will help to avoid common pitfalls and enable you to build more secure applications. The presentation uses real code examples to support and explain each concept further. Human readability and ease of use are at the heart of Dime, drawing on ideas from other formats such as JWT, PASETO, and Branco.As many use cases exist, including IoT, instant messaging, and banking apps, Dime may be crucial to your plans to take over the world (with your subsequent app success). At the very least, it will work through and strengthen your (digital) trust issues.

Conference:  Global AppSec San Francisco 2022

Authors: Yaniv Balmas

2022-11-18

Conference:  Global AppSec San Francisco 2022

Authors: Josh Grossman

2022-11-18

2022 will be remembered as a milestone in the progression of the OWASP Application Security Verification Standard (ASVS) as well as the Mobile version (MASVS). Not only are two major releases in the pipeline for the end of the year (5.0 and 2.0 respectively) but this is also the year that industry stands up, takes notice and starts expecting more from applications, based on these standards.In this talk, the ASVS project leadership will take you through these key developments including what you should expect from the upcoming version 5.0 of the ASVS and how you can be involved in their final release. This will also be a chance to hear first-hand about a new programme where you will see the SVSs being more widely used and required and how you can prepare your organizations for this significant impact this will have, whether you are developing applications or you are assessing them.

Conference:  Global AppSec San Francisco 2022

Authors: Chen Gour-Arie

2022-11-18

"and this mess is so big and so deep and so tall - we can not pick it up, there is no way at all" – Dr. SeussThe evolution of application security coincides, for the most part, with the innovations in the realm of applications themselves. When characterizing each of these chapters, we see that while the techniques and tools of application security may have changed, the challenge has remained the same – AppSec is always playing catch-up. Is there anything we can do as AppSec professionals to change this vicious cycle? In order to better secure our future, we must first look at the past.This presentation will define, for the first time, the four major transformation periods of application security:1. Primordial Terminal Applications2. Thick Application Clients3. The Web Application Era4. Mobile, SPA & Cloud Native Applications.We will review the mistakes we have made as AppSec practitioners and the impact we’ve had on each transformation stage. But most of all, we will ask the critical question– why do we have more problems today in AppSec yet so many more security solutions and innovations? The answer lies in the fact that although we’ve tried, AppSec still evolves at a slower pace than engineers in application development.We will always need application security– just as a door needs a lock and a yard needs a fence. It’s the classic game of offense and defense: innovation will spur incredible progress in application development, which in turn will surface new vulnerabilities, attack vectors and challenges. As AppSec professionals, now is the moment to tie the game and stop playing catch-up.So although demoralized, we are not defeated!The final part of my presentation will discuss the ways in which AppSec can become as agile as development and transform!But in order to pave the road for this future, we must learn important lessons from our past. Welcome to AppSec story time!

Conference:  Global AppSec San Francisco 2022

Authors: Jim Manico, semgrep.dev

2022-11-18

The presentation discusses the history and progress of information security testing and the role of OWASP in promoting application security.

• The history of security testing dates back to the Polish researchers who built the first security testing tool to crack Enigma during World War II.
• The first security testing device in modern history is the bomb.
• The OWASP foundation is a non-profit international foundation dedicated to helping people and organizations make informed decisions about application security risk.
• OWASP has released several free guides and tools to promote application security, including the OWASP Top 10 and the Application Security Verification Standard.
• Cross-site scripting is a complicated vulnerability category that requires attention in application security.

Conference:  Global AppSec San Francisco 2022

Authors: Aakash Shah

2022-11-18

Infrastructure-as-code adoption continues to grow as more organizations seek to automate deployments and better manage the complexity of their cloud applications. Increasingly, development teams are taking ownership of IaC for their application as the boundaries between the application and infrastructure layers continue to blur in the Cloud. Terraform (more accurately - Hashicrop Configuration Language (HCL)) is one of the most widely used infrastructure-as-code (IaC) languages at the forefront of this transformation with over 100M open-source downloads.There are a lot of public Terraform projects available to developers to quickly learn and build from. Terraform also offers modules - an abstraction that allows infrastructure developers to write modular and clean code, allowing them to accelerate development and better maintain this code. And there are many community-driven open-source Terraform modules available for developers to reference in their Terraform code to quickly design & deliver changes to infrastructure.As of today, there are over 90k public repositories on GitHub with Terraform (HCL) code and over 15k open-source terraform modules. As an infrastructure developer if you utilize a community Terraform module or build from an existing example, how can you be assured that your infrastructure design will meet your security needs? What steps do you need to take to ensure that your cloud-native deployment is both secure & compliant?We used automation to assess public Terraform repositories and modules across Github to identify the most common security gaps against industry best practices. We selected best practices based on Cloud Service Provider reference architectures, Cloud Security Alliance, CIS benchmarks and OWASP. To limit the scope, we focused on Terraform for AWS and Azure resources. In this talk, we will share results of this assessment and provide lessons learned. Since this is OWASP, we’ll present the top 10 classes of security issues we found. We will then discuss security best practices for using community Terraform modules and building your cloud architectures from public Terraform repositories.

Conference:  Global AppSec San Francisco 2022

Authors: Meghan Jacquot

2022-11-18

When there is too much data our brains strain to find patterns, organization, and categorization. Context, frequency mapping, and using data to tell a larger story via trend analysis helps us parse the signal to noise ratio into something meaningful and into something actionable. This talk seeks to share a combination of open source data and bug bounty data about vulnerabilities from 2021 and 2022, how to categorize those vulnerabilities, and then once categorized, how to connect meaningful context for defenders and builders.All of the vulnerabilities that will be covered in this talk are related to application security and each will be mapped to the most recent OWASP Top Ten list (2021). The vulnerabilities will be grouped into 3 case studies. The first case study will focus on vulnerabilities found in the Google Project Zero report and other Open Source Intelligence (OSINT) sources that relate to Application Security. The second case study will focus on impactful vulnerabilities from 2022, such as those listed on open sources like MITRE’s CWE Top 25 list. The final case study will focus on disaggregated and anonymous data that the presenter has access to related to a bug bounty program. All the vulnerabilities shared from this data will connect with Application Security and they will all be mapped to OWASP Top Ten. Then a cumulative trend and frequency analysis will be discussed.To provide additional context, when data is available and known, it will be shared if the vulnerability was also being actively exploited in the wild, if there is a published proof-of-concept (PoC), and if there is a mitigation plan. Be prepared for visualization of data and story based data telling. At the end of the talk, the speaker will share resources for research and further development for skills around OSINT, threat intelligence, and vulnerability management.The content of this talk could be used by devops to further understand the context behind vulnerabilities that affect the platforms they are building, vulnerability management teams, threat modelers, cyber threat intelligence teams, and incident responders.

Conference:  Global AppSec San Francisco 2022

Authors: Tsvi Korren

2022-11-18

From medications to aircraft, car parts to computer parts -- humans have figured out how to secure the process of sourcing and building some of our most complicated products. With software supply chain security only now getting started, what can we learn from parallel industries that can give us a leg up on securing the supply chains of our digital world? If most of us can agree that industry involves taking in materials and processing them to make something new, why is there still this view of software developers as artisans who write everything from scratch? The fact is that most organizations today write only a small part of their software. Most software is sourced, either as finished products or as components for internal software development. This is especially true for Cloud Native applications, which are based on open source components, running in open source or Cloud-provided orchestration, and are spread across multiple types of workloads. The result is that organizations end up assuming security responsibility for an application, where much of the code was written elsewhere, and assembled in a build pipeline with varying degrees of governance and oversight.Over the years, manufacturing has developed a set of tools and processes to ensure quality and security in the supply chain and assembly lines. Similarly, Application Security needs to account for how software is sourced and used in the modern application pipeline.This presentation will show the similarities between manufacturing supply chains and software supply chain. We will use the pharmaceutical industry as a model to outline the required controls, where to place them and how to use gathered information to make better decisions and produce more secure software.

Conference:  Global AppSec San Francisco 2022

Authors: Omar Minawi

2022-11-18

Can’t seem to shake off those XSS bug bounty reports? Interested in exploring a novel XSS attack chain? This session is for you.Tune in to explore a real-life example of a multi-step XSS attack chain that targeted and exploited multiple trust domains. You will get an insight into defense-in-depth and an exciting walkthrough of exploit research and investigation. Lastly, we will tie it all together by evaluating and diving into multiple web security defense-in-depth tactics that could thwart this novel chained attack.