Authors: Sebastien Deleersnyder, Bart De Win
2023-02-15

Are you looking for an effective and measurable way to analyze and improve your organization's software security posture? Look no further! During this talk, Seba and Bart, the co-leaders of the OWASP SAMM project, will introduce you to OWASP SAMM v2.1, the premier maturity model for software assurance. They will provide a thorough overview of how to use SAMM in your organization and highlight the new features of the recently released v2.1. In addition, they will share the results of the 2022 SAMM survey and provide an update on the revamped SAMM benchmark initiative. Don't miss this opportunity to learn from the experts and take your organization's software security to the next level!
Authors: David Wheeler, Brian Behlendorf, Trey Herr, Amelie Koran
2022-06-22

tldr - powered by Generative AI

The panel discussion summarizes the OpenSSF summit held in May 2022, which aimed to develop a mobilization plan for securing the open source ecosystem. The discussion focuses on the attitudes and progress of open source software security in the federal government and the input of developers and maintainers to the OpenSSF summit and mobilization plan.
  • The panelists introduce themselves and their backgrounds in technology and policy.
  • The Cyber Statecraft Initiative at the Atlantic Council has been working on software supply chain issues since 2019 and is collaborating with OpenSSF to bring more policy attention to open source security.
  • The OpenSSF mobilization plan includes ten work streams that prioritize different areas of open source security.
  • The panelists discuss the importance of prioritization and government demand signals in the mobilization plan.
  • The panelists also emphasize the need for more community engagement and volunteer contributions to the work streams.
  • The panelists reflect on the historical context of open source security and the usefulness of an SBOM (software bill of materials) in incident response.
Authors: Debasis Mohanty
2021-09-25

tldr - powered by Generative AI

The presentation discusses the reasons why old security bugs continue to persist in the industry and proposes better mitigation strategies.
  • Machine learning can be used to prevent malicious actions by training it to perform behavioral checks
  • DevSecOps is not a silver bullet for software security engineering and should not be hyped as such
  • The way organizations respond to bug reports contributes to the persistence of old security bugs
  • Mitigation strategies that only fix reported bugs or prioritize based on risk rating are inadequate
  • Publicly reported security bugs should be taken seriously and addressed promptly
Authors: Rob van der Veer, Spyros Gasteratos
2021-09-24

Abstract: This presentation marks the official go-live of the Common Requirement Enumeration initiative, as an interactive linking platform across standards and guidelines.

Software is becoming more important for us every day, and at the same time software security is complex and not getting any easier. This is our calling as appsec professionals. To deal with this, we have built great tools and helpful standards and guidelines. But because there is no single silver bullet, we now face the big challenge of combining all these separate solutions into an integrated approach: to make it easier for the experts, but above all to bring application security within reach of a larger group of people. This is essential because the shortage of application security superheroes is not expected to go away. Therefore, the key to a secure future is to make appsec more accessible. More simple.

Unfortunately, making things simple is not easy. Within OWASP, an initiative to drive integration started in 2020 with the Integration Standards project. Its goal is to link and align key standards (OWASP and others) by providing a unified framework to attain more consistency, completeness, overview and clarity. One of the results has been the AppSec Wayfinder: an interactive map of the key OWASP projects. Another, more substantial effort is the Common Requirement Enumeration (CRE): a semantic web that links standards at the level of topics, within OWASP and beyond (NIST, PCI DSS, ISO/IEC, MITRE, CIS, etc.). The CRE ties all standards and guidelines together and allows people to jump from source to source to learn more on a specific subject. For example, the CRE links an ASVS check to the corresponding Testing Guide section, with the right Cheat Sheet, Proactive Control and Top 10 entry. This meta-mapping is self-maintaining: when standards refer to other standards using the CRE, those links will automatically stay up to date.

The important side effects of this integration are increased consensus, more clarity and a mutual understanding of what application security is for developers, ops, testers, security teams, management, procurement and other stakeholders, across domains. No more silos. The future is simple.

This presentation officially launches the CRE, discusses the extensive research that has been done on the landscape of appsec standards and describes how alignment is created through the unified CRE framework, positioning OWASP as a driver of community-based global consensus.
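As an added illustration of the linking model the abstract describes (this is not the CRE project's own code or data): entries from several standards attach to a shared topic node, navigation from one standard to the others goes through that node, and renumbering an entry in one standard changes a single mapping without breaking the other standards' links to it. The standard names are real OWASP projects, but every entry id and topic id below is a constructed placeholder.

```javascript
// Added example, not code or data from the CRE project: a hub-and-spoke
// cross-reference index. Each standard entry points at one shared topic
// node (the "CRE" in this sketch); cross-standard navigation resolves
// through that node. All ids are constructed placeholders.

const SAMPLE_ENTRIES = [
  // standard, entry id within that standard, shared topic node
  { standard: 'ASVS',       id: 'ASVS#ex-7',  topic: 'session-token-binding' },
  { standard: 'WSTG',       id: 'WSTG#ex-12', topic: 'session-token-binding' },
  { standard: 'CheatSheet', id: 'CS#ex-3',    topic: 'session-token-binding' },
  { standard: 'Top10',      id: 'T10#ex-A',   topic: 'session-token-binding' },
  { standard: 'ASVS',       id: 'ASVS#ex-9',  topic: 'output-encoding' },
  { standard: 'CheatSheet', id: 'CS#ex-5',    topic: 'output-encoding' },
];

// Two lookups: topic -> entries attached to it, and "standard|id" -> topic.
function buildIndex(entries) {
  const byTopic = new Map();
  const byEntry = new Map();
  for (const e of entries) {
    if (!byTopic.has(e.topic)) byTopic.set(e.topic, []);
    byTopic.get(e.topic).push(e);
    byEntry.set(`${e.standard}|${e.id}`, e.topic);
  }
  return { byTopic, byEntry };
}

// From one standard's entry, find the matching entries in every other
// standard by going through the shared topic node.
function related(index, standard, id) {
  const topic = index.byEntry.get(`${standard}|${id}`);
  if (topic === undefined) return [];
  return index.byTopic.get(topic).filter((e) => e.standard !== standard);
}

// A standard renumbers one of its entries: exactly one mapping changes.
// Other standards never referenced the old id, only the topic, so their
// links still resolve after the rename.
function renumber(entries, standard, oldId, newId) {
  return entries.map((e) =>
    e.standard === standard && e.id === oldId ? { ...e, id: newId } : e);
}

// Maintenance cost: pairwise mappings need one link per pair of entries
// sharing a topic; the hub needs one link per entry.
function linkCounts(entries) {
  const index = buildIndex(entries);
  let pairwise = 0;
  for (const group of index.byTopic.values()) {
    pairwise += (group.length * (group.length - 1)) / 2;
  }
  return { hub: entries.length, pairwise };
}
```

With only two topics and four standards the pairwise count (7) barely exceeds the hub count (6); the gap grows with every additional standard that covers the same topics, because each new standard adds one link per entry to the hub but one link per already-mapped entry to a pairwise scheme.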
Authors: Philippe De Ryck
2021-09-24

tldr - powered by Generative AI

The presentation discusses the challenges of building secure applications and proposes solutions to improve the situation. The speaker uses examples of security issues with JSON Web Tokens and unsafe HTML components to illustrate the problem.
  • Developers want to build secure applications but still fail despite their best efforts
  • JSON Web Tokens have security issues that need to be addressed
  • Unsafe HTML components can lead to security vulnerabilities
  • Encapsulating security behavior in code can make it easier to apply security best practices at scale
  • Usable security for developers is necessary to improve the situation
Authors: Rami Elron
2021-09-24

tldr - powered by Generative AI

The presentation discusses the importance of better software security through auto remediation and the challenges associated with it. It emphasizes the need for trustworthiness, accuracy, and insightfulness in auto remediation.
  • Auto remediation is about facilitating the process of remediation and reducing the number of unattended issues.
  • A standardized fix approach helps with triage and prioritization.
  • Auto remediation can combat the security knowledge gap and better allocate resources.
  • Trust is important in auto remediation and it must be designed to accommodate the developer's concerns.
  • Auto remediation should be proactive, accurate, and reduce noise and ambiguity.
  • Insightfulness is important in auto remediation to provide suggestions that garner more trust from the end user.
  • Auto remediation must drive results and be developer-centric.
  • The challenges associated with auto remediation include the proper placement and annotation of sanitization and the potential for inadvertent changes to the logic of the application.
  • Traditional remediation approaches can be confounding and irrelevant to developers.
  • Auto remediation should embrace a developer's standpoint and provide confirmation that the solution will work.