In late September Open Web Application Security Project (OWASP) hosted their Global AppSec conference in the RAI convention center in Amsterdam. We took the team out and enjoyed two full days of inspiration by a large variety of experts in the community. In this article we will share our key takeaways.
OWASP is a non-profit organization supported by a huge global community whose core purpose is to “be the thriving global community that drives visibility and evolution in the safety and security of the world’s software”. OWASP has been around for almost 20 years now and the adoption of their flagship projects has really been taking off since world scale digitization has pushed application security or information security in general to society level threats.
The conference schedule was nicely organized around OWASP’s builder, breaker, and defender communities, as well as some other tracks. Our personal and professional interests cover all of these but we found ourselves attending more builder related sessions. As security engineers who work for a digital agency that helps companies with their digital transformation, and that builds their next generation application landscape, we want to keep learning so we can stay ahead of the game and effectively collaborate with our engineering teams.
CI/CD pipelines using tools like Jenkins have been around for a long time and have helped us to integrate and deliver code to target environments fast, frequent and consistent. A vast ecosystem of solutions and tools today offer nearly every capability imaginable but practically implementing security in and of the pipeline still requires a lot of planning and thought. Cloud native paradigms like containerization further abstract and accelerate solution delivery but they also add complexity and new security concerns (see also “container security” below).
In “Controlled mayhem with cloud native security pipelines” Ben Pick and Jack Mannino provided a comprehensive overview of traditional vs. cloud native pipelines and common security considerations and pitfalls to take into consideration when designing your pipeline.
Our takeaways from this session were:
Vulnerabilities are everywhere and their numbers grow exponentially. How is your average developer supposed to think of every possible scenario as they are trying to solve a business problem? Specific vulnerabilities manifest themselves in many different ways but on a more abstract level the top 10 vulnerabilities haven’t changed all that much in the past decades.
In “Security vulnerabilities decomposition: another way to look at vulnerabilities” Katy Anton took us through groups of vulnerabilities and the controls applied to prevent them.
You find a (security) bug and fix it. Or did you? It is not uncommon that bug fixes are incomplete because we don’t analyze beyond the initial bug report. A bug may be fixed for the reported steps to reproduce but a slight change in the steps may reveal the same bug. A bug may be fixed in one part of the code but all other instances of the same bug in other places of the code or in similar applications are left untouched.
In “How to find and prevent entire classes of security vulnerabilities” Sam Lanning showed some great examples of this behaviour and provides guidance on how we can improve the impact of our bug fixing efforts.
Our takeaways from these sessions were:
Threat modelling has been increasing in popularity. Spending quality time with a team focussed on the security of whatever it is they are creating is invaluable. It’s more concrete than a security awareness training, it’s more transparent than reviewing documents, and it is an opportunity to influence design decisions very early on. It can also be a great team building activity and it can be fun for developers to think like an attacker for a change.
In “OWASP based threat modelling: creating a feedback model in an agile environment” Chaitanya Bhatt shared how he approaches threat modelling in a large scale agile environment.
In “Threat modelling stories from the trenches” David Johannson and Andrew Lee-Thorp shared some real world examples which challenge us to look beyond the first obvious threats.
Our takeaways from these sessions were:
We are big fans of the Software Assurance Maturity Model (SAMM) and the 2.0 beta version has been out for some time now. SAMM provides a maturity model for organizations to analyse and improve their software security posture. It breaks down recommended practices by business function and maturity level and gives detailed guidance on these practices. This helps organizations to drive continuous improvement through an iterative approach.
In “OWASP SAMM2 - your dynamic software security journey” Sebastien Deleersnyder provided an overview of both the current model (v1.5) and the new beta (v2.0).
In “Secure agile development according to SAMM” Rob Van Der Veer presented the agile notes which provide additional guidance on how to embed security activities in agile organizations.
Our key takeaways from these sessions:
Containers are everywhere and they are here to stay. The concept of containerization is very powerful but with great power also comes great responsibility. The biggest challenges when securing container based applications is that the number of components to secure has drastically increased and that the responsibility to design and secure these components has shifted from infrastructure specialists to software developers who don’t usually have a lot of experience in network design, system administration, and security.
Dirk Wetter presented a new OWASP project for a Docker Top 10. Dirk sets out in a great amount of detail how the use of containers can be dangerous if not properly designed and maintained and proposes 10 areas of controls which help reduce the attack surface.
Docker Top 10 on Github:
Our takeaways from this session were:
There was so much more! Below are some sessions we attended that we wanted to call out.
In “Unlikely allies: how HR can help build a security-first culture” Alison Eastaway explained how HR can help to make security a priority and to keep it fun. A must see for all security and HR officers.
Serialization and deserialization is used in many places when data is exchanged between (sub)systems or components. A good example is when an object in a browser is sent as json text to a backend API or vise versa but there are also many other forms and applications. In this example when the json text is deserialized back to an object, this is potentially very dangerous transformation and the application should not trust the serialized input as an attacker may have modified its content and cause the unintended creation of objects or properties which in turn can have all sorts of adverse effects. In “[In]secure deserialisation, and how [not] to do it” Alexei Kojenov set out a collection of examples how (not) to do this.
In “Five key trends in application security” Ameya Talwalkar summed up five key trends he sees in the application security landscape. Ameya underpins these trends by showing concrete examples of real-world threats and attacks. We are warned.
We had two great days with our team. We learned a lot and left with a healthy dose of fresh inspiration. The task at hand can be quite intimidating but the collective knowledge of the community helps us plan for impact.
Our key takeaways in a nutshell?
Are you, like us, still hungry for more? Since last week all the videos are available on the OWASP YouTube channel so you can watch sessions you missed.
Thanks for reading and thank you OWASP!
Give us your information below to start the conversation.