OWASP

Watch recordings from OWASP AppSec conferences and expand your knowledge on application security. This channel was created by the OWASP Media Project to gather, consolidate and promote OWASP content in video format on a central appealing hub. The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

Keynote: A DevSecOps Tale of Business, Engineering, and People - James Wickett

Recorded at Global AppSec DC 2019 https://dc.globalappsec.org/ DevOps, and the subsequent move to bring security in under the umbrella of DevSecOps, has created a new ethos for security. This is good. But when things go wrong, and we know they will, are we going to be successful with the DevSecOps model, or will we be left searching yet again? In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us and how, even though the world has radically changed over the last century, we are still facing many of the same root challenges. Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety, with the hope of framing a new playbook for devs, ops, and security to work together. James Wickett, Verica, Sr. Security Engineer and Developer Advocate. James is a dynamic speaker on software engineering topics ranging from security to development practices. He spends a lot of time at the intersection of the DevOps and security communities and, seeing the gap in software testing, founded the open source project Gauntlt to serve as a rugged testing framework. James works as a Sr. Security Engineer and Developer Advocate at Verica and is the author of several courses on DevOps and DevSecOps at LinkedIn Learning. His courses include DevOps Foundations, Infrastructure as Code, DevSecOps: Automated Security Testing, Continuous Delivery (CI/CD), Site Reliability Engineering, and more. James is the creator and founder of the Lonestar Application Security Conference, the largest annual security conference in Austin, TX. He also runs DevOps Days Austin and Serverless Days Austin, and previously served on the global DevOps Days board.
In his spare time, he is trying to learn how to make a perfect BBQ brisket. - Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP_Media_Project

10-07
53:25

Keynote: Applying Security Engineering Principles to Complex Composite Systems - Neal Ziring

Recorded at Global AppSec DC 2019 https://dc.globalappsec.org/ Modern web applications and systems have grown increasingly complex in the 18 years since OWASP was founded. Today's systems are composed from many diverse components, employ a wide variety of frameworks and toolkits, and utilize a vast spectrum of hosting models and external services. Secure design and operation for such composite systems requires thoughtful application of security engineering principles, attention to interactions among composite system elements, and awareness of dependencies across the system lifecycle. This talk will cover a selection of high-level principles and illustrate them with reference to a Smart City transit system example. Neal Ziring, NSA, Technical Director for the National Security Agency’s Capabilities Directorate. Mr. Neal Ziring is the Technical Director for the National Security Agency’s Capabilities Directorate, serving as a technical advisor to the Capabilities Director, Deputy Director, and other senior leadership. Mr. Ziring is responsible for setting the technical direction across many parts of the capabilities mission space, including cyber-security. Mr. Ziring tracks technical activities, promotes the technical health of the staff, and acts as the liaison to various industry, intelligence, academic, and government partners. Prior to the formation of the Capabilities Directorate, Mr. Ziring served 5 years as Technical Director of the Information Assurance Directorate. His personal expertise areas include security automation, IPv6, cloud computing, cross-domain information exchange, data access control, and cyber defense. Prior to coming to NSA in 1988, Neal worked at AT&T Bell Labs. He has BS degrees in Computer Science and Electrical Engineering and an MS degree in Computer Science, all from Washington University in St. Louis.

09-23
59:46

AppSec Global DC 2019 - Opening Remarks

https://dc.globalappsec.org/ Board members Ofer Maor and Richard Greenberg, OWASP Executive Director Mike McCamon, and Conference Co-Chair Ben Pick.

09-17
10:24

Keynote: Diversity And Inclusion - Not Just A Gender Gap - Vandana Verma

Recorded at Global AppSec DC 2019 https://dc.globalappsec.org/ Making a Change, One at a Time - Diversity: More than Just Gender. There have been many conversations around diversity and inclusion in the recent past. This is a step in a positive direction. The benefits of diversity in cybersecurity are clear. As an industry, we can do better; we need to do better. We need not only to keep the conversation going but to really put some action behind it. While homogeneous teams feel easier to operate in, they can lead to stagnation, or to specialisation in some aspects at the expense of others. In this talk, I will present some of my thoughts on the importance and benefits of diversity and inclusion in our industry. I will share some of my experiences working over the last few years on diversity initiatives, some real change observed, the challenges associated with it, and small steps anyone can take to improve diversity. Vandana Verma, IBM India Software Labs, Security Architect. Vandana is a seasoned security professional with over a decade's worth of experience ranging from application security to infrastructure and now cloud security. She works with various communities (InfosecGirls, OWASP, WoSec, and null) and is passionate about increasing female participation in the InfoSec space. She is currently working as a Security Architect with IBM India Software Labs. She has spoken and trained at various conferences, including Black Hat USA 2019, BSides LV 2019, Diana Initiative, DEF CON (AppSec Village), AppSec Europe, AppSec USA, Nullcon, Security Guild 2019, BSides Delhi, c0c0n (Kerala Police Conference), Global AppSec Tel Aviv and many more. She is part of the crew for the OWASP SeaSides and BSides Delhi conferences. She also does CFP reviews for AppSec Europe, Global AppSec Tel Aviv, Global AppSec DC, BSides Ahmedabad and Grace Hopper US 2019 (Security/Privacy Review Track). Recently she won the Cybersecurity Woman of the Year award in the "Secure Coder" category from Women Cyberjutsu.

09-17
50:38

OWASP Serverless Top 10 - TAL MELAMED

OWASP Global AppSec Tel Aviv https://telaviv.appsecglobal.org/ In moving to serverless, we shift some security responsibilities to the infrastructure provider by eliminating the need to manage servers. Unfortunately, that doesn’t mean we’re entirely absolved of all security duties. Serverless functions still execute code and can still be vulnerable to application-level attacks. As a new type of architecture, serverless presents new security challenges. Some are the same as in traditional application development, but some take a new form. Attackers are thinking differently, and developers must do so as well to gain the upper hand. In this talk, I will dive into the Top 10 risks of the OWASP Serverless Top 10 project. I will discuss why these risks are different from traditional attacks and how we should protect our applications against them. I will also introduce OWASP DVSA, a deliberately vulnerable tool aiming to help both security professionals and developers better understand the implications and processes of serverless security. Tal Melamed, Head of Security Research, Protego Labs. In the past year, Tal Melamed has been experimenting in offensive and defensive security for serverless technology as part of his role as Head of Security Research at Protego Labs. Specializing in AppSec, he has more than 15 years of experience in security research and vulnerability.

07-05
28:56

Dissecting Mobile Application Privacy and Analytics - KEVIN CODY

OWASP Global AppSec Tel Aviv https://telaviv.appsecglobal.org/ Have you ever wondered how much data your favorite business application is capturing during your mobile app visits? Are you a developer or security engineer tasked with keeping your client data secure? Are you curious about what kind of data that mobile game you love can gather, even if you don’t give it special permissions? The apps we trust with our data hopefully use caution and comply with regulations, but what about the safeguards and authentication around these analytics portals? This session will home in on precisely those questions. We will tear apart some favorite apps and their analytics products/tracking engines to expose exactly the content and frequency that commonly used mobile applications are reporting. Attendees will walk away with insider knowledge to make informed decisions regarding the scope of this exposure, in an effort to guard our personal and client data. Kevin Cody, Principal Application Security Consultant, nVisium. Kevin Cody is a Principal Application Security Consultant with experience working at several Fortune 500 enterprises. Although his particular expertise is geared toward hacking web and mobile applications, he is also experienced in the entire gamut from mainframes to embedded systems.

07-05
29:17

Struts 2 Must Die: The Life and Inevitable Death of Java’s Spaghettiest™ Framework - EUGENE ROJAVSKI

OWASP Global AppSec Tel Aviv https://telaviv.appsecglobal.org/ The Struts2 Java framework started out as a cool, modern framework and ended up as a bomb periodically exploding in security teams’ faces. Now it is impossible to get rid of in production, and architectural decisions made a long time ago can lead to massive damage, as in the Equifax breach. Take the plunge into the OGNL swamp, play the cat-and-mouse game alongside Struts2 developers and security researchers, and finally find out the prerequisites for blowing up the framework with a new exploit. Eugene Rojavski, Application Security Researcher, Checkmarx. A passionate appsec specialist who loves to poke things until they explode. 8 years in infosec and appsec, constantly pursuing the goal of unraveling the mystery of security. I enjoy coaching others on how to create "securer things".

07-05
19:49

Defending Cloud Infrastructures with Cloud Security Suite JAYESH CHAUHAN

OWASP Global AppSec Tel Aviv https://telaviv.appsecglobal.org/ Nowadays, cloud infrastructure is pretty much the de facto service used by large and small companies alike. Most major organizations have moved entirely to the cloud. With more and more companies moving to the cloud, the security of the cloud becomes a major concern. While AWS, GCP and Azure provide protection with traditional security methodologies and have a neat structure for authorization and configuration, their security is only as robust as the person in charge of creating and assigning those configurations and policies. Also, the massive scale at which cloud services are adopted in enterprises, combined with the inevitability of human error, often leads to catastrophic business damage. While managing massive infrastructures, a system audit of server instances is a challenging task. CS Suite is a one-stop tool for auditing the security posture of AWS/GCP/Azure infrastructures, along with a server audit feature. CS-Suite leverages the capabilities of current open source tools and adds a plethora of custom checks: one tool to rule them all. Jayesh Chauhan, Lead Security Engineer, Sprinklr. Jayesh Singh Chauhan is a security professional with 7+ years of experience in the security space. In the past, he has been part of the security teams of PayPal and PwC, and he currently works as the Lead Security Engineer at Sprinklr.

07-05
30:10

DevSecOps with OWASP DevSlop NANCY GARICHÉ & TANYA JANCA

OWASP Global AppSec Tel Aviv https://telaviv.appsecglobal.org/ The OWASP DevSlop team is dedicated to learning and teaching DevSecOps via examples, and “Patty the Pipeline” is no exception: we ensure all third-party components are known-secure, retrieve secrets from a secret store, and require the code to pass negative unit tests, dynamic application security testing (DAST), static application security testing (SAST), and encryption and infrastructure VA verification. This entire system/project is open-sourced as part of the OWASP DevSlop project on GitHub and as live-streamed and recorded videos, so that developers can watch each of the lessons and add it to their own pipelines, giving them a head start on DevSecOps. The talk will consist mostly of a start-to-finish demo of each part of the pipeline. Tools showcased include SSL Labs, WhiteSource Bolt, Azure DevOps Security Toolkit and OWASP ZAP. Supporting videos available here: https://aka.ms/DevSlopSho Nancy Gariché, Co-Founder, Secure That Cert! In the early 2000s, this speaker joined the Canadian federal government as a computer science co-op student and never left. In 2009, he/she moved to Ottawa from Montreal, his/her beloved hometown, to land his/her first IT security job as a security analyst. Tanya Janca, Senior Cloud Advocate, Microsoft. Tanya Janca is a senior cloud advocate for Microsoft, specializing in application and cloud security; evangelizing software security and advocating for developers and operations folks alike through public speaking, her open source project OWASP DevSlop, and various forms of teaching.

07-05
35:55

Can We Automate Security? SASHA ROSENBAUM

OWASP Global AppSec Tel Aviv https://telaviv.appsecglobal.org/ This talk will focus on the tools that Microsoft built into our CI/CD pipelines to secure the products and services we are deploying, and the lessons we've learned along the way. Sasha Rosenbaum, Azure DevOps Program Manager, Microsoft. Sasha is a Program Manager on the Azure DevOps engineering team, focused on making the technology better aligned with open source software projects. Sasha has a Computer Science degree from the Technion. She is a co-organizer of the DevOps Days Chicago conference.

07-05
30:45

Breaking out of the container without Zero Day – Can that happen to me? ASHER GENACHOWSKI & CHEN COHEN

OWASP Global AppSec Tel Aviv https://telaviv.appsecglobal.org/ Organizations are in the process of changing, becoming more agile and adopting DevOps as a way of thinking. Many of them use Docker and containers in order to implement those concepts in an effective, accurate and secure way. The shift from the traditional relationships between “System”, “Dev” and “Security” to a new relationship in which Dev actually does the whole process, including “System” and “Security”, dramatically affects not only the internal IT infrastructure but also the balance between attackers and defenders. That change exposes the organization to a whole new set of security and cyber risks that seemed to have been solved years ago and have been revived by the new structure of the IT department. Asher Genachowski, Security Senior Principal, Cyber Readiness & Audit Lead, Accenture. The speaker is a senior manager at a global management consulting and professional services firm that provides strategy, consulting, digital, technology and operations services, and leads the Cyber Readiness and Purple Team services for that firm. Chen Cohen, Linux Cyber Security Consultant, Accenture. Chen Cohen is a Linux cyber security consultant in Accenture's cyber security readiness team. As part of his job, Chen works with major global companies to create and improve secure Linux and Unix environments, including virtualization, cloud and more.

07-05
26:22

Are we making our engineers blue? TASH NORRIS

OWASP Global AppSec Tel Aviv https://telaviv.appsecglobal.org/ Our engineers are going from software engineers to software + infrastructure + network + database engineers, and they’re delivering faster. In an environment of continuous deployment, how can we ensure that we as security teams are scaling as fast as our applications are? In this talk we’re going to cover how we turn our engineers blue. Not sad; not by telling them to fix every possible threat vector before building any new features, and not by saying no. We’re going to start turning them into our extended blue team, giving them tools, techniques and processes to better secure our estate. We’re going to cover a few different TTPs for our engineers, using real threat models as examples:
- How to use incidents to evolve our threat models
- Using incidents to better evolve our understanding of the threat landscape
- Determining other attack vectors that could contribute to the same outcome as the incident (with threat example)
- How to create incremental threat models / rapid threat models
- Why and how we should write and use security tests to validate our models
- How to use BDD tests (and contribute to the OWASP Cloud Security project)
- Why we should write tests for threat vectors we have proven mitigations for (with threat example)
- How to use tests to educate product owners / project managers on threat vectors
- The power of POC’ing attack vectors from our models to evolve them further. Example: CloudFront subdomain hijacking
- Using POCs to discover new threat vectors and provide security awareness training for engineers
- How we build, evolve, share and ultimately transfer ownership of these models to our engineering teams, teaching them to be our blue team
- How to create security champions (building programs, what programs should include)
- How to integrate rapid threat modeling into the SDLC
Tash Norris, AppSec Lead, Photobox Group. Senior Cloud Security Engineer at Photobox Group. Currently building tools and processes to automate all the things / make the Cloud more secure.

07-05
27:47

Looking Towards the Future of Open Source Vulnerability Management SHIRI IVTSAN

OWASP Global AppSec Tel Aviv https://telaviv.appsecglobal.org/ Open source usage has become mainstream practice: it’s impossible to keep up with today’s pace of software production without it. The rise in open source usage has led to a dramatic rise in open source vulnerabilities, demanding that development teams address the rapidly evolving issue of open source security. The State of Open Source Vulnerability Management Report drills down into the deeper layers of open source management. Surveying over 650 developers and collecting data from the NVD, security advisories, peer-reviewed vulnerability databases, and popular open source issue trackers, this report brings to light the realities of current open source security management. Its mission is to determine where we are as an industry and to create best practices for managing open source vulnerabilities and compliance issues. Shiri Ivtsan, WhiteSource, Product Manager. Experienced Cloud Solutions Architect and Product Manager, focusing on open-source security and compliance tools for developers and DevOps. She holds a BS in Industrial Engineering and Management.

07-05
22:12

How Online Dating Made Me Better At Threat Modeling ISAIAH SARJU

OWASP Global AppSec Tel Aviv https://telaviv.appsecglobal.org/ Isaiah has used online dating sites such as Tinder and OkCupid. At times this seems antithetical to his stance on privacy and security. To better understand the security ramifications of online dating, and to establish safer methods of doing it, he applied threat modeling to online dating. Through this he came up with a set of best practices depending on your threat model. This talk is relevant for anyone who is trying to balance privacy/security and a desire for human connection in this modern world. Due to the real and perceived dangers of online dating, the stigma that surrounds it, and its pervasiveness, it is a great lens through which folks can be introduced to the core principles of threat modeling. It also makes it fun to talk about! Isaiah Sarju, Co-Owner, Revis Solutions. Isaiah Sarju is a Red Teamer. He has contributed to the Microsoft Security Intelligence Report, conducted numerous penetration/red team engagements, and taught students how to become top-tier defenders. He plays tabletop games, swims, and trains Brazilian Jiu-Jitsu.

07-05
30:39

Docker Security Insights SUJATHA YAKASIRI

OWASP Global AppSec Tel Aviv https://telaviv.appsecglobal.org/ As innovation in technology increases, security becomes trickier. In order to embrace the latest technologies like Docker and Kubernetes, product IT organizations must consider security a top priority. Container vulnerabilities like “Dirty Cow”, “Escape Vulnerability” and the recent “Jack-In-The-Box” vulnerability when unpacking images have shaken the world. During my talk, I would like to present core issues with Docker-related components like the daemon, images and containers, with practical demos and possible countermeasures, Docker secrets management, Docker Content Trust signature verification, Docker Notary services, best practices to follow in production environments, and also how to deal with open source libraries used in building images. Sujatha Yakasiri, Senior Computer Scientist, EdgeVerve Systems Limited. Working as a Senior Computer Scientist at EdgeVerve Systems Limited (an Infosys company). She is a passionate security researcher, speaker and author with in-depth expertise in pen testing web applications and mobile applications, performing source code reviews and performing threat.

07-05
27:13

What do you mean threat model EVERY story IZAR TARANDACH

OWASP Global AppSec Tel Aviv https://telaviv.appsecglobal.org/ We are all going continuous these days. Continuous delivery, continuous integration, but what about threat modeling? How do we bring this (traditionally) heavy activity into the new "speed" of development, integrate and educate developers, and reflect the correct state of a rapidly evolving system? This talk will share the experiences of the speaker developing a methodology and collaborating with real-life product teams operating in a continuous environment. Izar Tarandach, Lead Product Security Architect, Autodesk. Long-time security practitioner, currently a lead security architect at Autodesk, previously at DellEMC. Contributor to SAFECode and the IEEE Center for Secure Design, he holds a master's degree in Computer Science/Security from Boston University.

07-05
30:52

The Evolving Community of Appsec ASTHA SINGHAL

OWASP Global AppSec Tel Aviv https://telaviv.appsecglobal.org/ Application security as a discipline has continuously evolved over the last couple of decades. This is an expected outcome of the growth and maturity of this engineering discipline. At the same time, technology has continued to become more pervasive, which has led to increased risk associated with appsec failures. On this learning journey, our community has played an important part since the beginning, with OWASP an important contributor to that. In this talk, we will discuss how that community has evolved until now and how it needs to change in the future to enable us to solve future security problems at scale. Astha Singhal, Netflix. Astha Singhal leads the Application Security team at Netflix, which is responsible for securing all the applications in Netflix's cloud infrastructure. Prior to this, she managed product security for the Salesforce AppExchange and other core Salesforce products. She is a security engineer.

07-05
25:24

Software Security War: your reports are dead! MATTEO MEUCCI

OWASP Global AppSec Tel Aviv https://telaviv.appsecglobal.org/ The talk will introduce the new OWASP Software Security 5D Framework, showing assessment data from various international companies. The evolution of software security verification activities: from firm reports on desks to the integration of security bugs in the life cycle. Matteo Meucci, CEO and co-founder, Minded Security. More than 18 years specializing in application security; he has collaborated with OWASP since 2002, founded the OWASP-Italy Chapter in 2005, and has led the OWASP Testing Guide since 2006 and the OWASP Software Security 5D Framework since 2018.

07-05
31:24

Protecting a High Profile Enterprise YORAM GOLANDSKY

OWASP Global AppSec Tel Aviv https://telaviv.appsecglobal.org/ In this talk, I will share my 20+ years’ experience in protecting large and small, multinational and high-profile enterprises. I will present strategies and disciplines, how the CISO and the executive teams choose the right one for the organization, and how application security, in its various roles, fits in. Yoram Golandsky, VP Technologies and InfoSec, NSO Group. Yoram is the VP Technologies and InfoSec at NSO Group; prior to that Yoram was the founder and CEO of CSA, which provided strategic advisory on cyber security, crisis management and blockchain to boards of directors and executive teams.

07-05
26:52

Securing Node.js and JavaScript - VLADIMIR DE TURCKHEIM

OWASP Global AppSec Tel Aviv https://telaviv.appsecglobal.org/ In this talk, we will see what security issues can be found in the Node.js and JavaScript world and how to successfully protect against attackers. Vladimir de Turckheim, Software Engineer, Sqreen. V. works as a software engineer at Sqreen, where he builds a tool to secure web applications. He used to be a professional security auditor and a web developer in agencies.

07-05
28:18
