Colorado Ballroom A-D [Mgmt/DevOps]
Thursday, September 18

9:30am MDT

Building Your Application Security Data Hub: The Imperative for Structured Vulnerability Information
One of the reasons application security is so challenging to address is that it spans multiple teams within an organization. Development teams build software, security testing teams find vulnerabilities, security operations staff manage applications in production and IT audit organizations make sure that the resulting software meets compliance and governance requirements. In addition, each team has a different toolbox they use to meet their goals, ranging from scanning tools, defect trackers, Integrated Development Environments (IDEs), WAFs and GRC systems. Unfortunately, in most organizations the interactions between these teams are often strained and the flow of data between these disparate tools and systems is non-existent or tediously implemented manually.

In today’s presentation, we will demonstrate how leading organizations are breaking down these barriers between teams and better integrating their disparate tools to enable the flow of application security data between silos to accelerate and simplify their remediation efforts. At the same time, we will show how to collect the proper data to measure the performance and illustrate the improvement of the software security program. The challenges that need to be overcome to enable teams and tools to work seamlessly with one another will be enumerated individually. Team and tool interaction patterns will also be outlined that reduce the friction that will arise while addressing application security risks. Using open source products such as OWASP ZAP, ThreadFix, Bugzilla and Eclipse, a significant amount of time will also be spent demonstrating the kinds of interactions that need to be enabled between tools. This will provide attendees with practical examples on how to replicate a powerful, integrated Application Security program within their own organizations. In addition, how to gather program-wide metrics and regularly calculate measurements such as mean-time-to-fix will also be demonstrated to enable attendees to monitor and ensure the continuing health and performance of their Application Security program.

Speakers

Dan Cornell

Vice President, Product Strategy, COALFIRE
A globally recognized software security expert, Dan Cornell has over 20 years of experience architecting, developing and securing software systems. As Vice President of Product Strategy at Coalfire, Dan works with customers and industry partners to help drive the direction of their...



Thursday September 18, 2014 9:30am - 10:15am MDT
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center

10:30am MDT

AppSec Survey 2.0: Fine-Tuning an AppSec Training Program Based on Data
Measuring the effectiveness of any security activity is widely discussed – security leaders debate the topic with a religious fervor rivaling that of any other hot button issue. Virtually every organization has some sort of application security training effort, but data on training effectiveness remains scarce. Last year our research team delivered the first-ever survey that captured developer awareness of secure coding concepts and the impact of formal application security training on a developer’s ability to write secure code. We learned that most software developers were aware of certain application security concepts, yet when asked how to write more secure code, they fared poorly.

This year’s 600-developer survey provides more quantitative data on what software developers understand about application security, both concepts and practices. It dives most deeply into awareness of defensive coding practices, which most developers largely did not grasp in the 2013 survey. It also separates respondents by roles, so we can better understand how architects, developers, and QA staff grasp key application security concepts and put them to work. It better captures how software developers learn in general, so one can tailor any security training effort to how software developers, in practice, actually learn. This information will provide data to application security managers responsible for corporate security training that should allow them to make more fact-based decisions about security training.

Speakers

John Dickson

VP, Coalfire
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group...


Thursday September 18, 2014 10:30am - 11:15am MDT
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center

1:00pm MDT

11,000 Voices: Experts Shed Light on 4-Year Open Source & AppSec Survey
In 2013, OWASP updated its top 10 list to include “(A9) Avoiding the use of open source components with known vulnerabilities.” The guideline was added as OWASP leaders came to understand that 90% of a typical application is composed of open source components.

In this session, a senior panel of application security experts will share and discuss the results of a four-year, industry-wide study on application security practices, drivers, and trends within the open source development community. To date, over 11,000 professionals have participated in the study.

Among the surprising survey responses, panelists will share their perspectives on:

 75% of organizations are not enforcing their open source policies
 Only 16% of participants must prove they are not using components with known vulnerabilities
 64% don't track changes in open source vulnerability data

This annual study in 2014 was run during the month of April, right in the wake of the notorious open source Heartbleed bug announcement. Over 3,000 participated in the 2014 study, with results directly reflecting the state of organizations' preparedness to react to Heartbleed and any future vulnerabilities.

Moderators

Derek Weeks

Vice President, Sonatype
Derek E. Weeks is the world's foremost researcher on the topic of DevSecOps and securing software supply chains. For the past five years, he has championed the research of the annual State of the Software Supply Chain Report and the DevSecOps Community Survey. Derek is a huge advocate...


Thursday September 18, 2014 1:00pm - 1:45pm MDT
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center

2:00pm MDT

Lean Security for Small or Medium Sized Business
For a small or medium sized business (SMB) the fallout from a security or privacy incident can be at best a PR nightmare. At their worst it can cause irrecoverable damage and end your business by impacting sales or ad revenue. Your user base may take a hit. You may need to draft a blog post or email your customers describing the incident and asking them to change passwords. A key culprit is budget constraints – as a SMB you are allocating resources to innovating, creating, and improving your product. Security, while important, isn't always the primary objective.

Our talk will introduce a simple framework for SMBs to focus their security efforts. We will then discuss a common scenario applicable to most SMBs that employs our framework and leverages it to introduce cheap and effective security mechanisms that provide prevention, limitation, detection, and response capabilities. The key takeaway will be the thought process and sample techniques that can enable an SMB to take their rag-tag security outfit and turn it into a business enabler.

Speakers

Jonathan Chittenden

iSEC Partners
Prior to his employment with iSEC, Jonathan worked for the Air Force as a civilian. His roles consisted of reverse engineering malware for both signature and exploitation development. This experience enabled Jonathan to be comfortable working at a low-level with unknown protocols...

Anson Gomes

Senior Security Consultant, iSEC Partners
Anson Gomes is a security researcher and consultant at iSEC Partners. He specializes in web applications and web services security, network security, mobile application security, and architecture reviews. He has led numerous assessments for applications written in languages such as...



Thursday September 18, 2014 2:00pm - 2:45pm MDT
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center

3:00pm MDT

Not Go Quietly: Adaptive Strategies and Unlikely Teammates
Don’t be a hero; assemble your team of avengers from unlikely allies. Nearly every aspect of our job as defenders has gotten more difficult and more complex—escalating threat, massive IT change, burdensome compliance reporting, all with stagnant security budgets and headcount. Rather than surrender, it’s time to fight back. This session will provide new approaches to finding financial and operational support for information security across the organization. Together we will highlight actual success stories and soft skills that make all the difference.

Speakers

Josh Corman

Joshua Corman is a Founder of I am The Cavalry (dot org) and CSO for PTC. Corman previously served as Director of the Cyber Statecraft Initiative for the Atlantic Council, CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research & strategy roles for The...



Thursday September 18, 2014 3:00pm - 3:45pm MDT
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center
Friday, September 19

9:30am MDT

The DevOps of Things
The DevOps movement is going to celebrate its fifth anniversary this October. I was fortunate enough to attend the inaugural event in Ghent in October 2009. Over the past five years I have been deeply involved with this movement as a practitioner, evangelist and all out junkie. Although the movement started out as a problem statement to solve developer and operations collaboration, it quickly moved into other disciplines such as security, networking and storage. In this presentation we will take a look at the DevOps effect on things like Converged Infrastructure, Software Defined Networking, Software Defined Data Center and of course IPSec. We will start out with a quick overview covering the past, present and future of DevOps. Then we will end up with a comprehensive roadmap of how DevOps is kind of becoming the core of everything happening in IT.

Speakers

John Willis

Distinguished Researcher, Kosli
John Willis is a Distinguished Researcher at Kosli. Previously, he was Senior Director of the Global Transformation Office at Red Hat. Before Red Hat, he was the Director of Ecosystem Development for Docker, which he joined after the company he co-founded (SocketPlane, which focused...


Friday September 19, 2014 9:30am - 10:15am MDT
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center

10:30am MDT

DevOps and Security: The Facts, The Myths, The Legend
DevOps (despite its increasing popularity amongst both startups and now enterprises as well) still has a bad image with large chunks of the security community. While there are some challenges it brings, this negative reputation is largely undeserved and due to several critical myths around how DevOps breaks security or leaves security out of the equation. DevOps, when done right (and that is a key distinction), actually improves the security of your applications. This is due to some very interesting, though initially counter-intuitive, features of DevOps. We'll dismantle these myths, replace them with facts and perhaps generate a few legends of our own.

Speakers

Mort

SVP, Cloud Security Architect, Bank of America
On a Pale Horse.



Friday September 19, 2014 10:30am - 11:15am MDT
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center

1:00pm MDT

Where the Security Rubber Meets the DevOps Road
DevOps is a natural evolution of Agile, Lean, Continuous Integration and other patterns common amongst high performers and continuous process improvement. As someone who has helped dozens of organizations get started with DevOps patterns and tool chains, we will explain where people get started – and therefore where security can inject and support sound practices for the bulk of the adoption curve. This will also serve as a great hand-off to the next talk about the bleeding edge trends and trajectories.

Speakers

Damon Edwards

Co-Founder and Vice President of Solution Advocacy, SimplifyOps
Damon Edwards is a Co-Founder and Vice President of Solution Advocacy for SimplifyOps, a provider of support and services for Rundeck users. Damon Edwards is also a co-founder of DTO Solutions, a consultancy where his focus is business and technology alignment and applying Lean and...


Friday September 19, 2014 1:00pm - 1:45pm MDT
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center

2:00pm MDT

Implications & Opportunities at the Bleeding Edge of DevOps
Ever Onward… as DevOps keeps evolving, this session will show you how the newest DevOps patterns and technologies (e.g. Docker) continue to change and morph the opportunities and risks for security. It’s more exciting than scary… once you get over the shock.


Friday September 19, 2014 2:00pm - 2:45pm MDT
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center

3:00pm MDT

Ground Truths of a Rugged DevOps Practitioner
DevOps isn't just a buzzword. It isn't a miracle cure. It isn't the security apocalypse. From the perspective of a practitioner who has been on a DevOps journey, we can explore the lessons learned - including surprises. This session will be a mixture of case study, lessons learned, future plans, and interactive discussion.

Speakers

Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was...


Friday September 19, 2014 3:00pm - 3:45pm MDT
Colorado Ballroom A-D [Mgmt/DevOps] Denver Marriott City Center