Advancing Your Threat Modeling Approaches in an Agile / DevOps World - Robert Hurlbut
A04: Insecure Design was added as a new category in the most recent OWASP Top 10 2021, highlighting the risks related to secure design flaws. Threat Modeling is a great tool to help introduce secure software design into software development, but it can be viewed as tedious and not applicable to the fast-paced world of Agile or DevOps environments.
In this session, we will look at some of the latest advances in Threat Modeling integrated with Agile / DevOps processes by using new Threat Modeling approaches that are iterative and meant to keep step with Agile / DevOps Development practices.
The three approaches, user stories, abuser stories, and knowledge bases, will help you learn how to:
Go granular by enumerating threats against relevant user stories / abuser stories
Understand common threats in your domain so you can quickly identify the design flaws in your solutions
See how these processes facilitate the creation of multiple segues into Security Test Cases and Mitigation Plans
Why can't tools automatically fix security vulnerabilities? Or can they? - Eitan Worcel
For years appsec vendors tried (and failed) to develop automatic remediation capabilities to add to their toolset. Not for nothing, their customers often asked for such a capability: "If you can automatically detect issues, why can't you also automatically fix them?"
When I heard such requests years ago, I politely dismissed them, knowing in my engineering heart that it could never be done. "How can any tool automatically fix human code errors without breaking something?" For me, a security vulnerability was no different from any "regular" defect, and no one ever expected to have automatic defect remediation.
Over the past year, as I was involved in creating an automatic remediation solution, I learned I was wrong on oh so many levels, definitely on that "never" part.
I learned that most security vulnerabilities differ from most "regular" defects. Fixing an SQLi or XSS usually doesn't involve changing any business logic or a significant architectural change. The number of different kinds of security vulnerabilities detected is, on a grand scale, smaller than that of defects.
I also learned that building an automatic secure code remediation tool is achievable. It is challenging, of course, but not impossible.
As we dived deep into our project, we better understood the real complexities of automatic remediation and why earlier solutions failed.
We want to use this opportunity to share some of our insights with you here.
To do that, we will take you through some examples that, on the surface, will seem very simple to fix automatically, and together we will see that that is not the case. We will also see how we can overcome some of these complexities.
At the end of this session, you will better understand the challenges involved in creating such a technology, but also be optimistic as it is coming.
Your MASA Mission: Automating MASVS L1 Checks! Impossible or Highly Probable? - Ryan Lloyd
Join us for a valuable learning experience on how you can boost the speed and reliability of your mobile app security testing. Dive into the Mobile App Security Assessment (MASA) requirements, and discover how easily you can execute the required OWASP MASTG L1 tests within your CI/CD pipelines. Automation is key to ensuring consistent, regular evaluations. Learn how, by using frameworks that align with OWASP standards like the App Defense Alliance's MASA, developers can easily integrate security into their mobile app development process.
We'll explore the importance of having a comprehensive mobile security strategy that includes standards-based testing. Attendees will learn about MASA and its many benefits for reducing security risks in your mobile apps. But we won't stop there - we'll also cover how automated testing benefits pentesting down the line.
You'll walk away with a clear understanding of best practices for automating tests according to MASA and OWASP MSTG L1 as part of your DevOps pipeline. Finally, we'll highlight the crucial need for moving security testing further to the forefront of the SDLC.