Authors: Sven Schleier
2022-11-18

There are numerous ways of developing mobile apps today, but how do you ensure that security is part of the development process? What are the attacks you should be concerned about, and what can you do to avoid being an easy target? If you don't want to miss anything, leveraging a standard is essential. The Mobile Application Security Verification Standard (MASVS) offers exactly that. It works together with the Mobile Security Testing Guide (MSTG), which is written and maintained in an agile way, to help you understand the attack surface of mobile apps, how to exploit them and how to protect them. Both resources are crafted and curated by a team of numerous experts and community contributors. In this talk we will take a deep dive into the upcoming changes of both projects and the transition to version 2.0. We are sharing the current status of the refactoring of the OWASP MASVS and the MSTG and what we were able to automate to get rid of manual processes and have more time to focus on the content! Want to secure your mobile apps? See you there!

Detailed Outline
- Introduction to the OWASP MASVS and MSTG
- Reasoning for the refactoring of the MASVS and the restructuring of the test cases in the MSTG
- Status of the refactoring and restructuring of the MASVS and MSTG
- Explaining OSCAL as a way to create profiles that can be utilised in the MASVS
- Automation initiatives through GitHub Actions; all done in minutes without manual intervention (hands-free)
- Releases of the OWASP MASVS in over a dozen languages and various file formats
- Releases of the OWASP MSTG in various file formats
- Releases of the checklists in all MASVS languages, generated from both the MASVS and the MSTG
- Involvement of the community through GitHub Discussions, encouraging feedback and being transparent about our changes before releasing version 2.0
Authors: Pratik Lotia, Jon Zeolla
2022-10-25

Organizations are in need of a standard, sane way to perform an assessment of their cloud native environments. This talk provides insight into how security professionals as well as auditors can identify whether they are following the controls and practices suggested in CNCF-published white papers and thereby adhering to NIST 800-53v5 controls. We will also provide examples of how we plan to develop open source automation (such as OSCAL-based tooling) to reduce the toil of audits, and cross-mapping to various frameworks and standards to enable builders to focus on making their environments safer.