The date for the release of slides and videos has not been determined.  
Please, visit the event site for further information.
Track 3 - DevOps
Thursday, May 30
 

11:05am IDT

DevSecOps with OWASP DevSlop
The OWASP DevSlop team is dedicated to learning and teaching DevSecOps by example, and “Patty the Pipeline” is no exception: every third-party component is verified as known-secure, secrets are retrieved from a secret store, and the code must pass negative unit tests, dynamic application security testing (DAST), static application security testing (SAST), and encryption and infrastructure vulnerability-assessment (VA) verification. The entire system/project is open-sourced as part of the OWASP DevSlop project on GitHub and published as live-streamed and recorded videos, so that developers can watch each lesson and add it to their own pipelines, giving them a head start on DevSecOps. The talk consists mostly of a start-to-finish demo of each part of the pipeline. Tools showcased include SSL Labs, WhiteSource Bolt, Azure DevOps Security Toolkit and OWASP ZAP. Supporting videos are available here: https://aka.ms/DevSlopSho

Speakers

Nancy Gariché

Volunteer, OWASP
In the early 2000s, this speaker joined the Canadian federal government as a computer science co-op student and never left. In 2009, she moved from Montreal, her beloved hometown, to Ottawa to land her first IT security job as a security analyst. This multi-hatted role gave her...

Tanya Janca

CEO and Founder, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community and weekly podcast that revolves around creating secure software. Tanya has been coding and...


Thursday May 30, 2019 11:05am - 11:35am IDT
Hall C

12:25pm IDT

Defending Cloud Infrastructures with Cloud Security Suite
Cloud infrastructure is now the de facto platform for companies large and small, and most major organizations have moved to the cloud entirely. As more companies make that move, cloud security becomes a major concern. While AWS, GCP and Azure protect you with traditional security methodologies and offer a clean structure for authorization and configuration, that security is only as robust as the person in charge of creating and assigning those configurations and policies. Combined with the massive scale at which enterprises adopt cloud services and the inevitability of human error, this often leads to catastrophic business damage.
When managing massive infrastructures, auditing individual server instances is a challenging task. CS Suite is a one-stop tool for auditing the security posture of AWS, GCP and Azure infrastructures, together with a server audit feature. CS-Suite leverages the capabilities of current open source tools and adds a plethora of custom checks: one tool to rule them all.

Speakers

Jayesh Chauhan

Lead Security Engineer, Sprinklr
Jayesh Singh Chauhan is a security professional with 7+ years of experience in the security space. In the past, he has been part of the security teams of PayPal and PwC, and he currently works as the Lead Security Engineer at Sprinklr. He has authored Cloud Security Suite, OWASP Skanda, RFID_Cloner...


Thursday May 30, 2019 12:25pm - 12:55pm IDT
Hall C

3:10pm IDT

Are we making our engineers blue?
Our engineers are going from software engineers to software + infrastructure + network + database engineers, and they’re delivering faster. In an environment of continuous deployment how can we ensure that as security teams we’re scaling as fast as our applications are?

In this talk we’re going to be covering how we turn our engineers blue. Not sad; not by telling them to fix every possible threat vector before building any new features and not by saying no. We’re going to start turning them into our extended blue team, giving them tools, techniques and processes to better secure our estate.

We’re going to be covering a few different TTPs for our engineers, using real threat models as examples:
How to use incidents to evolve our threat models
  • Using incidents to better evolve our understanding of the threat landscape
  • Determining other attack vectors that could contribute to the same outcome as the incident (with threat example)
  • How to create incremental threat models / rapid threat models
  • Why and how we should write and use security tests to validate our models
  • How to use BDD tests (and contribute to the OWASP Cloud Security project)
  • Why we should write tests for threat vectors we have proven mitigations for (with threat example)
  • How to use tests to educate product owners / project managers on threat vectors
The power of PoC-ing attack vectors from our models to evolve them further
  • Example: CloudFront subdomain hijacking
  • Using PoCs to discover new threat vectors and provide security awareness training for engineers
How we build, evolve, share and ultimately transfer ownership of these models to our engineering teams, teaching them to be our blue team
  • How to create security champions (building programs, what programs should include)
  • How to integrate rapid threat modeling into the SDLC

Speakers

Tash Norris

AppSec Lead, Photobox Group
Senior Cloud Security Engineer at Photobox Group, currently building tools and processes to automate all the things and make the cloud more secure.


Thursday May 30, 2019 3:10pm - 3:40pm IDT
Hall C