Authors: Ken Toler
2023-02-16

tldr - powered by Generative AI

The presentation discusses the importance of threat modeling and testing in web3 organizations and the need for understanding code in web3.
  • Threat modeling is important in web3 organizations and should be done iteratively starting with a contract or cloud infrastructure
  • Writing tests is crucial in web3 organizations
  • Learning to code is important for effective communication with developers in web3 organizations
Authors: Chen Gour-Arie
2022-11-18

"and this mess is so big and so deep and so tall - we can not pick it up, there is no way at all" – Dr. Seuss

The evolution of application security coincides, for the most part, with the innovations in the realm of applications themselves. When characterizing each of these chapters, we see that while the techniques and tools of application security may have changed, the challenge has remained the same – AppSec is always playing catch-up. Is there anything we can do as AppSec professionals to change this vicious cycle? In order to better secure our future, we must first look at the past.

This presentation will define, for the first time, the four major transformation periods of application security:

1. Primordial Terminal Applications
2. Thick Application Clients
3. The Web Application Era
4. Mobile, SPA & Cloud Native Applications

We will review the mistakes we have made as AppSec practitioners and the impact we’ve had on each transformation stage. But most of all, we will ask the critical question – why do we have more problems today in AppSec yet so many more security solutions and innovations? The answer lies in the fact that although we’ve tried, AppSec still evolves at a slower pace than engineers in application development.

We will always need application security – just as a door needs a lock and a yard needs a fence. It’s the classic game of offense and defense: innovation will spur incredible progress in application development, which in turn will surface new vulnerabilities, attack vectors and challenges. As AppSec professionals, now is the moment to tie the game and stop playing catch-up.

So although demoralized, we are not defeated!

The final part of my presentation will discuss the ways in which AppSec can become as agile as development and transform!

But in order to pave the road for this future, we must learn important lessons from our past. Welcome to AppSec story time!
Authors: Joshua Bregler, Corbin Moyer
2022-11-18

Make no mistake, secure development relies on automation. In a DevSecOps culture, having scalable, reliable tools and processes is the only way to make DevSecOps a reality. Creativity and technical chops are lauded for their ability to bring magic from the machines. However, is anyone in charge of making sure that your organization is automating the right things? How much attention is being paid towards supporting that automation across an Enterprise? The security is baked in, right? It may just be possible to focus so heavily on automation and tools that disparate teams lose sight of the bigger picture.

This talk discusses the pitfall that many organizations trip into all too readily. By focusing forcefully or narrowly on automation, an organization can find itself creating technical debt, waste, and classically unsupportable support systems. We utilize two real-world case studies to clearly demonstrate classic automation problems and propose functional solutions. Audiences will come away with data-driven DevSecOps security management techniques as well as how to recognize and accept the trade-offs in a secure DevSecOps culture. This includes how to avoid creating new, unintended, invisible stove-pipe problems, drawing from our 25+ years of experience in the military and commercial spaces. Finally, we explore methods to find these opportunities, track meaningful metrics, and recognize when you’ve fallen over the edge.
Authors: Chris Koehnecke
2022-11-17

tldr - powered by Generative AI

The presentation discusses the OWASP DevSecOps Maturity Model and how to practically apply security controls using open source tools for each requirement.
  • The OWASP DevSecOps Maturity Model provides a framework for companies to apply security in a cloud-native and fast-paced engineering world.
  • Whatever isn't automated is much more difficult to practically apply to systems.
  • Open source security tools have evolved and provide good coverage for many of the layers of the DSOMM model.
  • The presentation walks through the different security requirements in the DSOMM framework and does live code demos for each.
  • Prioritization of security issues can be done per each pull request.
  • The speaker shares their experience with implementing security processes in a startup environment.
  • Developers owning security is seen as the future of the security industry.
Authors: Paul McCarty
2022-11-17

tldr - powered by Generative AI

The DevSecOps Playbook is a flexible guide for implementing cybersecurity practices in any organization, regardless of size or expertise.
  • The DevSecOps Playbook is a guide for implementing cybersecurity practices in any organization
  • It is flexible and can be adapted to any size or type of organization
  • The Playbook is broken down into domains of ownership, with prioritization and difficulty levels for each task
  • The Playbook includes an addendum for compliance
  • The Playbook is a work in progress, with ongoing collaboration and updates
Authors: Dov Hershkovitch
2022-10-25

DevSecOps extends the DevOps ecosystem with the security aspect. Sensitive information is everywhere, be it passwords, secret tokens or exchanged IDs in order to gain access to tools and platforms. The problem has been addressed by many secret management solutions and frameworks, yet creating another problem: Which to choose from, and how to integrate best into your DevOps processes? Engineers started to work around the security protocols, and often sensitive information is stored in insecure ways. A plaintext token can lead to security leaks and business incidents in a worst-case scenario. JSON Web Token (JWT) aims to build the integration bridge as an open standard for security claims exchange. Join this session to learn how at GitLab we leverage JWT tokens to access different secret management solutions, including major cloud providers. Hear best practices on the challenges of retrieving sensitive data and how to enhance the DevSecOps security processes in your organization.
Authors: Ayse Kaya
2022-10-24

tldr - powered by Generative AI

The talk discusses the evolution of vulnerabilities in popular public container images and the challenges faced by developers and DevSecOps teams in handling them. The speaker shares insights from a report on publicly available containers on Docker Hub and highlights the need for practical steps to prevent the dev process from grinding to a halt.
  • Container scanning and security is becoming more widely adopted, but the long-term security posture of containers is not well-understood.
  • New vulnerabilities arise constantly, and many vulnerabilities fall into a catchall bucket of 'won't fix'.
  • The attack surface of popular public container images like Python and NodeJS has changed over the past year, and different vulnerability scanners show different results.
  • Developers and DevSecOps teams face challenges in ensuring containerized applications are free from vulnerabilities due to the complexity of containers and manual processes.
  • Practical steps can be taken to stay on top of vulnerabilities and prevent the dev process from grinding to a halt.
Authors: Debasis Mohanty
2021-09-25

tldr - powered by Generative AI

The presentation discusses the reasons why old security bugs continue to persist in the industry and proposes better mitigation strategies.
  • Machine learning can be used to prevent malicious actions by training it to do behavioral checks
  • DevSecOps is not a silver bullet for software security engineering and should not be hyped as such
  • The way organizations respond to bug reports contributes to the persistence of old security bugs
  • Mitigation strategies that only fix reported bugs or prioritize based on risk rating are inadequate
  • Publicly reported security bugs should be taken seriously and addressed promptly
Authors: Daniel Krasnokucki
2021-09-24

Abstract: Having security testing in the pipeline is getting more and more popular; I would say it is becoming a standard! But what are we doing with the findings? What are we automating, and how are we using the automation?

The presentation will cover security-as-code practices to integrate security testing into the CI and CD pipelines, but in addition I will discuss the part of the testing that cannot be automated, which is penetration testing. How do you connect it with your automation testing, and what is the role of penetration testing in monitoring? I will show how it affects the next round of the process and what the process should look like.

During the presentation I will discuss real use cases from different pipelines and security tools, showing pros and cons, advantages and challenges. The demo will include GitHub Actions and open-source tools like OWASP ZAP, and examples will be provided with pipeline-as-code and security-as-code. Real-life use cases and examples with step-by-step instructions on how the development process should look in a mature state of DevSecOps.
Authors: Scott Gerlach
2021-09-24

tldr - powered by Generative AI

Challenges in implementing application security programs and tools for engineering teams
  • Starting a small application security program with a small engineering team and choosing a technology like SCA and DAST
  • Helping engineering teams understand and take measured risks in developing and testing code
  • Enabling process and tooling that can easily get people started quickly in testing application security
  • AppSec tools are built for security teams and can be complicated and difficult to understand for engineering teams
  • Using technical jargon and wall of text to describe application security issues can be confusing for engineering teams