Authors: Spyros Gasteratos
2023-02-15

tldr - powered by Generative AI

The presentation introduces a free and open source Application Security Toolchain Framework that unifies multiple security tools and allows for per-team configuration, conditional tool execution, and automated reporting. The framework is low to no code, platform-agnostic, and community-driven.
  • Automated security testing produces an abundance of signal about codebases and infrastructure with little manual effort, but managing the findings and triaging false positives is time-consuming, and the usual answer has been to hire more security experts.
  • The Application Security Toolchain Framework unifies multiple security tools and allows for per-team configuration, conditional tool execution, and automated reporting to different sinks based on code ownership.
  • The framework is low to no code, platform-agnostic, and community-driven, with integrations for several scanners both under the OWASP umbrella and not.
  • The framework allows for scheduling tool execution against both code and infrastructure, aggregating results from different tools, enriching them using several processors, and consuming them with a multitude of visualization platforms.
  • The framework is demonstrated through a tool called Dracon, which unifies security tool execution and results management.
  • Because integrations are community-contributed, the framework can wrap a wide range of security tools, and the set of available integrations is itself a rough indicator of which tools are in widest use.
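The aggregate, enrich and route pipeline described in the summary above, as an added example in Go; this is not Dracon's own code or data model, and the Finding schema, processor set, tool names, rule IDs, paths and team names are all assumptions made up for illustration. Two scanners' raw results (constructed) are normalised into one Finding struct, pushed through a chain of processors (severity normalisation, de-duplication across tools, a per-team severity threshold) and then bucketed per owning team with a CODEOWNERS-style longest-prefix lookup, each bucket standing in for a reporting sink.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is the one schema every scanner's output is normalised into before any
// processor or sink sees it. The field set is an assumption for this example.
type Finding struct {
	Tool, RuleID, Path string
	Line               int
	Severity           string // after NormaliseSeverity: low | medium | high
}

// Processor enriches or filters a batch of findings; processors are chained in order.
type Processor func([]Finding) []Finding

// NormaliseSeverity maps each tool's own severity words onto the common vocabulary.
func NormaliseSeverity(in []Finding) []Finding {
	table := map[string]string{"ERROR": "high", "WARNING": "medium", "INFO": "low", "critical": "high"}
	out := make([]Finding, len(in))
	for i, f := range in {
		if s, ok := table[f.Severity]; ok {
			f.Severity = s
		}
		out[i] = f
	}
	return out
}

// Dedupe drops a finding another tool already reported for the same rule at the same
// location, keeping the first occurrence; this is the usual source of double triage.
func Dedupe(in []Finding) []Finding {
	seen := map[string]bool{}
	var out []Finding
	for _, f := range in {
		key := fmt.Sprintf("%s:%d:%s", f.Path, f.Line, f.RuleID)
		if !seen[key] {
			seen[key] = true
			out = append(out, f)
		}
	}
	return out
}

// MinSeverity returns a processor enforcing a team's threshold. Unknown severities
// rank 0 and are dropped rather than silently promoted.
func MinSeverity(min string) Processor {
	rank := map[string]int{"low": 1, "medium": 2, "high": 3}
	return func(in []Finding) []Finding {
		var out []Finding
		for _, f := range in {
			if rank[f.Severity] >= rank[min] {
				out = append(out, f)
			}
		}
		return out
	}
}

// Owners is a CODEOWNERS-style map of path prefix to team; longest prefix wins.
type Owners map[string]string

func (o Owners) Lookup(path string) string {
	best, team := "", "unowned"
	for prefix, t := range o {
		if strings.HasPrefix(path, prefix) && len(prefix) > len(best) {
			best, team = prefix, t
		}
	}
	return team
}

// Route chains the processors, then buckets surviving findings per owning team;
// each bucket is what one sink (tracker, chat channel, dashboard) would receive.
func Route(findings []Finding, procs []Processor, owners Owners) map[string][]Finding {
	for _, p := range procs {
		findings = p(findings)
	}
	sinks := map[string][]Finding{}
	for _, f := range findings {
		team := owners.Lookup(f.Path)
		sinks[team] = append(sinks[team], f)
	}
	return sinks
}

// SampleFindings is constructed input standing in for two scanners' raw output.
func SampleFindings() []Finding {
	return []Finding{
		{"tool-a", "HARDCODED-CRED", "services/payments/db.go", 42, "ERROR"},
		{"tool-b", "HARDCODED-CRED", "services/payments/db.go", 42, "high"}, // same issue, second tool
		{"tool-a", "WEAK-RANDOM", "services/payments/token.go", 10, "WARNING"},
		{"tool-b", "TLS-OLD-VERSION", "infra/terraform/lb.tf", 7, "critical"},
		{"tool-a", "UNUSED-VAR", "services/web/handler.go", 5, "INFO"},
	}
}

// SampleOwners is a constructed ownership map (teams and paths are invented).
func SampleOwners() Owners {
	return Owners{"services/": "app-team", "services/payments/": "payments-team", "infra/": "platform-team"}
}

func main() {
	procs := []Processor{NormaliseSeverity, Dedupe, MinSeverity("medium")}
	for team, fs := range Route(SampleFindings(), procs, SampleOwners()) {
		for _, f := range fs {
			fmt.Printf("%s <- [%s] %s %s:%d (%s)\n", team, f.Severity, f.RuleID, f.Path, f.Line, f.Tool)
		}
	}
}
```

With the sample input the payments team receives two findings (the hard-coded credential once, from the first tool that reported it, and the weak random), the platform team receives the TLS finding, and the INFO-level finding for the web service never reaches a sink because it falls under the medium threshold. Processor order matters: severity is normalised before the threshold runs, otherwise "ERROR" would rank 0 and be dropped.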
Authors: Jeremy Matos
2022-10-25

tldr - powered by Generative AI

Using Go Fuzzing to improve the test coverage of security helper libraries and gain confidence in their effectiveness
  • Security helper libraries are hard to unit test because the tests must show that 'bad' inputs are rejected, not only that good inputs are accepted
  • Go's native fuzzing can surface the corner cases a hand-written test suite misses and raise test coverage
  • A real-life example of a path traversal vulnerability in Grafana OSS is used to demonstrate the effectiveness of Go fuzzing
  • Writing the predicate (the oracle that decides whether a given output is acceptable) gets harder as the validation logic becomes more complex
  • Once a helper is trusted, its use should be communicated to developers and enforced through static analysis tools so the rest of the codebase actually goes through it
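The approach the talk describes, as an added example in Go that is not the speaker's code and not Grafana's: two versions of a path-joining helper (NaiveJoin and SafeJoin, both hypothetical), an oracle predicate Escapes written independently of either helper, a constructed seed corpus, and a native Go fuzz target that asserts the predicate for every generated input. The base directory "/srv/public" and all corpus entries are made up for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
	"testing"
)

// Base is the trusted directory a file-serving handler may read from (assumed value).
const Base = "/srv/public"

var ErrTraversal = errors.New("path escapes base directory")

// JoinFunc is the shape of the helper under test: it takes a client-controlled
// relative path and must return an absolute path under base, or an error.
type JoinFunc func(base, untrusted string) (string, error)

// NaiveJoin looks right and is not: it rejects only inputs that *start* with
// "../" or "/", so "a/../../etc/passwd" and ".." still resolve outside base.
func NaiveJoin(base, untrusted string) (string, error) {
	if strings.HasPrefix(untrusted, "../") || strings.HasPrefix(untrusted, "/") {
		return "", ErrTraversal
	}
	return filepath.Join(base, untrusted), nil
}

// SafeJoin cleans the untrusted path as if it were rooted, which collapses any
// leading ".." segments before the join; the final check is belt and braces.
// Symlinks inside base are out of scope for this example.
func SafeJoin(base, untrusted string) (string, error) {
	rooted := filepath.Clean("/" + untrusted)
	joined := filepath.Join(base, rooted)
	if Escapes(base, joined) {
		return "", ErrTraversal
	}
	return joined, nil
}

// Escapes is the fuzzing predicate (oracle): does p resolve outside base?
// It is deliberately written without reference to either helper, because its job
// is to judge their output rather than trust their logic.
func Escapes(base, p string) bool {
	rel, err := filepath.Rel(base, p)
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SeedCorpus holds hand-written cases the fuzzer mutates from (constructed).
var SeedCorpus = []string{
	"index.html",
	"css/../js/app.js",
	"../etc/passwd",
	"a/../../etc/passwd",
	"..",
	"./../..",
	"",
}

// Violations runs a helper over a corpus and returns every input it accepted
// even though the result escapes Base. The fuzz target calls it per generated input.
func Violations(join JoinFunc, corpus []string) []string {
	var bad []string
	for _, in := range corpus {
		if got, err := join(Base, in); err == nil && Escapes(Base, got) {
			bad = append(bad, in)
		}
	}
	return bad
}

// FuzzSafeJoin is a native Go fuzz target (Go 1.18+). Move it into a _test.go file
// and run `go test -fuzz=FuzzSafeJoin` to let the engine mutate the seeds.
func FuzzSafeJoin(f *testing.F) {
	for _, s := range SeedCorpus {
		f.Add(s)
	}
	f.Fuzz(func(t *testing.T, untrusted string) {
		if bad := Violations(SafeJoin, []string{untrusted}); len(bad) != 0 {
			t.Fatalf("SafeJoin accepted %q, which escapes %s", untrusted, Base)
		}
	})
}

func main() {
	fmt.Println("NaiveJoin violations:", Violations(NaiveJoin, SeedCorpus))
	fmt.Println("SafeJoin violations: ", Violations(SafeJoin, SeedCorpus))
}
```

Even the seed corpus alone catches NaiveJoin on "a/../../etc/passwd", ".." and "./../.."; pointing the fuzzer at NaiveJoin instead of SafeJoin finds such inputs within seconds from a corpus of benign-looking paths. The part that takes thought is Escapes, not the fuzz loop: if the oracle shares the helper's assumptions (say, also only looking at the start of the string) the fuzzer proves nothing, which is the difficulty the talk points to as validation logic grows.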
Authors: Stefania Chaplin
2021-09-24

tldr - powered by Generative AI

The presentation discusses the importance of embedding security at every stage of the development process and highlights the prevalence of human error in causing data breaches.
  • Developers spend only a small percentage of their time writing code, with the majority spent on debugging and fixing vulnerabilities.
  • The talk cites more than 125 vulnerability categories, the top 21 of which account for some 400 CWEs, including design vulnerabilities, SSRF, CSRF, and authentication failures.
  • Embedding security at every stage is crucial, including threat modeling, policies as code, peer reviews, and penetration testing.
  • Insufficient logging and monitoring is a significant issue, and incident response teams are essential in containing and mitigating the damage of a breach.
  • Human error is a prevalent cause of data breaches, accounting for 25% of all breaches in 2020.
  • Developers are motivated by features and functions, while security is focused on finding problems.
Authors: Erez Yalon
2021-09-24

Abstract: We are living in the future. Actually, we have been living in the future for some time now. Unfortunately, progress is not equally divided between the different facets of technology. An area that has always suffered a delayed reaction is security, and more specifically security testing. When it comes to innovation and digital transformation, we are charging forward at full speed, but failing to adapt testing practices to evolve with the times and technologies. We are quickly, and often blindly, embracing the bleeding edge of technology, but every tech adoption comes with the overhead of a new set of tests (and their respective vendors of course). We are aggressively shifting left to the point where our testing results are not actionable, and sometimes not even clear. In this talk, we will discuss the ‘opportunities’ future-fueled applications present to adversaries, the challenges security teams encounter with modern architectures, and the vision we should consider when testing and securing these applications to take a more proactive defense approach across the industry.
Authors: Kim Carter
2021-09-24

tldr - powered by Generative AI

The presentation discusses the Purple Team approach to cybersecurity and DevOps, which involves collaboration between red and blue teams to improve security testing and remediation.
  • Purple Team approach involves collaboration between red and blue teams
  • Uses automated testing tools and continuous integration to improve security testing and remediation
  • Involves setting up web applications and deploying them using infrastructure as code
  • Provides detailed reports on defects and how to remediate them
  • Offers opportunities for contributors with various skill levels to participate in building the Purple Team framework