Dates
Conferences
Tags
Sort by:
Most recent
Conference: Black Hat Asia 2023
Authors: Maxine Holt, Marina Krotofil, Tara Seals, Fyodor Yarochkin, Stefano Zanero
2023-05-11
Artificial Intelligence (AI) has the potential to revolutionize cybersecurity by enhancing detection and response capabilities, automating routine tasks, and identifying threats that are invisible to humans. However, AI also poses significant risks, including the potential for attackers to use AI to develop more sophisticated attacks and evade detection. Panelist will explore how AI can be used to improve cybersecurity, the ethical considerations of using AI in security, and how to manage the risks associated with AI-powered security systems. Additionally, the panel will discuss the future of AI and cybersecurity and the role the InfoSec community and policymakers can have in shaping the development and use of AI in security.
Conference: Global AppSec Dublin 2023
Authors: Spyros Gasteratos
2023-02-15
tldr - powered by Generative AI
The presentation introduces a free and open source Application Security Toolchain Framework that unifies multiple security tools and allows for per-team configuration, conditional tool execution, and automated reporting. The framework is low to no code, platform-agnostic, and community-driven.
- Automated security testing has brought an abundance of signal about codebases and infrastructure without much manual effort, but managing findings and triaging false positives is time-consuming and results in hiring more security experts.
- The Application Security Toolchain Framework unifies multiple security tools and allows for per-team configuration, conditional tool execution, and automated reporting to different sinks based on code ownership.
- The framework is low to no code, platform-agnostic, and community-driven, with integrations for several scanners both under the OWASP umbrella and not.
- The framework allows for scheduling tool execution against both code and infrastructure, aggregating results from different tools, enriching them using several processors, and consuming them with a multitude of visualization platforms.
- The framework is demonstrated through a tool called Dracon, which unifies security tool execution and results management.
- The community-driven aspect of the framework allows for integration with a wide range of security tools and provides an idea of which tools are more popular based on their integrations.
Conference: Global AppSec San Francisco 2022
Authors: Aakash Shah
2022-11-18
Infrastructure-as-code adoption continues to grow as more organizations seek to automate deployments and better manage the complexity of their cloud applications. Increasingly, development teams are taking ownership of IaC for their application as the boundaries between the application and infrastructure layers continue to blur in the Cloud. Terraform (more accurately - Hashicrop Configuration Language (HCL)) is one of the most widely used infrastructure-as-code (IaC) languages at the forefront of this transformation with over 100M open-source downloads.There are a lot of public Terraform projects available to developers to quickly learn and build from. Terraform also offers modules - an abstraction that allows infrastructure developers to write modular and clean code, allowing them to accelerate development and better maintain this code. And there are many community-driven open-source Terraform modules available for developers to reference in their Terraform code to quickly design & deliver changes to infrastructure.As of today, there are over 90k public repositories on GitHub with Terraform (HCL) code and over 15k open-source terraform modules. As an infrastructure developer if you utilize a community Terraform module or build from an existing example, how can you be assured that your infrastructure design will meet your security needs? What steps do you need to take to ensure that your cloud-native deployment is both secure & compliant?We used automation to assess public Terraform repositories and modules across Github to identify the most common security gaps against industry best practices. We selected best practices based on Cloud Service Provider reference architectures, Cloud Security Alliance, CIS benchmarks and OWASP. To limit the scope, we focused on Terraform for AWS and Azure resources. In this talk, we will share results of this assessment and provide lessons learned. Since this is OWASP, we’ll present the top 10 classes of security issues we found. We will then discuss security best practices for using community Terraform modules and building your cloud architectures from public Terraform repositories.
Conference: Global AppSec San Francisco 2022
Authors: Joshua Bregler, Corbin Moyer
2022-11-18
Make no mistake, secure development relies on automation. In a DevSecOps culture, having scalable, reliable tools and processes are the only way to make DevSecOps a reality. Creativity and technical chops are lauded for their ability to bring magic from the machines. However, is anyone in charge of making sure that your organization is automating the right things? How much attention is being paid towards supporting that automation across an Enterprise? The security is baked in, right? It may just be possible to focus so heavily on automation and tools that disparate teams lose sight of the bigger picture.This talk discusses the pitfall that many organizations trip into all too readily. By focusing forcefully or narrowly on automation, an organization can find itself creating technical debt, waste, and classically unsupportable support systems. We utilize two real-world case studies to clearly demonstrate classic automation problems and propose functional solutions. Audiences will come away with data-driven DevSecOps security management techniques as well as how to recognize and accept the trade-offs in a secure DevSecOps culture. This includes how to avoid creating new, unintended, invisible stove-pipe problems, drawing from our 25+ years of experience in the military and commercial spaces. Finally, we explore methods to find these opportunities, track meaningful metrics, and recognize when you’ve fallen over the edge.
Conference: Cloud Native SecurityCon North America 2022
Authors: Kara Yimoyines
2022-10-25
tldr - powered by Generative AI
The presentation discusses the need for an actionable user interface to address the challenges of vulnerability data and CVEs in the security space.
- Vulnerability data alone is not enough to secure software supply chain
- An actionable user interface is needed to automate remediation and understand blast radius of CVEs
- GUI can help prioritize work and alert when things go sideways
- GUI should allow annotation of CVEs and weigh potential harm and risk to the business
- GUI becomes the central location to collaborate and communicate with cross-functional teams
- GUI should be extensible and interoperable with other tools solving adjacent problems
- Building accessible tools that don't require exclusive use of the terminal is important
Conference: SupplyChainSecurityCon 2022
Authors: Hritik Vijay, Philippe Ombredanne
2022-06-22
tldr - powered by Generative AI
The presentation discusses the challenges of package and dependency management in software development and proposes solutions such as using package URLs and a universal versioning system.
- The complexity of package and dependency management in software development makes it difficult to express boundaries between dependencies and automate the process.
- Solutions proposed include providing installation prerequisites, using a single package manager, and using general-purpose package managers such as Spack, Conda, Nix, and Guix.
- Package URLs can be used to name packages and a universal versioning system can be used to deal with version ranges.
- The universal versioning system can accommodate different versioning schemes and express version ranges in a universal way.
Tags:
Conference: OWASP 20th Anniversary Event
Authors: Daniel Krasnokucki
2021-09-24
Abstract:Having Security testing in the pipeline is getting more and more popular, I would say it is becoming a standard! But what we are doing with findings? What are we automating and how are using the automation?The presentation will cover security-as-a-code practices to integrate security testing into the CI and CD pipelines, but in addition - I will discuss the part of the testing that cannot be automated, which is penetration testing. How do you connect it with your automation testing and what is the role of penetration testing in monitoring? I will show how it affects next round of the process and what the process should look like.During the presentation I will discuss real use cases from different pipelines and security tools, showing pros and cons, advantages and challenges. Demo will include GitHub Actions and open-source tools like OWASP ZAP and examples will be provided with pipeline-as-a-code and security-as-a-code. Real life use cases and examples with step-by-step instruction how the development process in mature state of DevSecOps should look like.