Presentation Material
Presentation
Video
Abstract
We are all heading towards the modernization of applications. However, we still see companies being hit by the most common website vulnerabilities, such as SQL injection, sensitive data exposure, and security misconfiguration. OWASP has many projects that can be tied seamlessly into the application development pipeline. However, first, we often don't know that these projects exist; second, even when we know about them, we do not know exactly how they work. In this talk, I will explain how to run an AppSec program with open source projects (OWASP projects).
AI Generated Summary
The talk presented a framework for establishing an application security (AppSec) program using open source tools, primarily from OWASP, to address common security gaps in modern development. It emphasized integrating security early into the development lifecycle (shifting left) for applications including web, mobile, APIs, and microservices.
The framework outlined sequential stages: requirements gathering using tools like the OWASP Security Knowledge Framework and ASVS to define and prioritize security needs; threat modeling with Threat Dragon and PyTM to visualize and assess risks; secure code development and review supported by the Code Review Checklist, language-specific guides like Go Secure Coding, and the Cheat Sheet Series; software composition analysis (SCA) using OWASP Dependency-Check to identify vulnerable third-party components; vulnerability testing leveraging guides like the Web Security Testing Guide (WSTG), API Security Top 10, and Mobile Security Testing Guide (MSTG), with OWASP ZAP as an automated scanner; and vulnerability management and reporting via DefectDojo to track, prioritize, and document findings.
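The SCA stage above produces a machine-readable report that the pipeline has to act on: decide whether the build fails and hand the findings to a tracker such as DefectDojo. The following Python script is an added example written for this page, not code from the talk or from any OWASP project. It parses a constructed sample of an OWASP Dependency-Check JSON report (the field names `dependencies`, `fileName`, `vulnerabilities`, `name`, `severity`, `cvssv3.baseScore` and `cvssv2.score` are assumed to match the tool's JSON output; the CVE identifiers in the sample are placeholders), ranks the findings by CVSS score, applies a build-gating threshold, and produces a per-severity summary of the kind a vulnerability-management stage would ingest.

```python
import json

# Constructed sample of a Dependency-Check JSON report. Field names are an
# assumption about the tool's output format; the CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "projectInfo": {"name": "demo-app"},
    "dependencies": [
        {
            "fileName": "example-lib-1.0.jar",
            "vulnerabilities": [
                {"name": "CVE-0000-00001", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}},
                {"name": "CVE-0000-00002", "severity": "LOW",
                 "cvssv3": {"baseScore": 3.1}},
            ],
        },
        # A dependency with no known vulnerabilities has no "vulnerabilities" key
        {"fileName": "clean-lib-2.3.jar"},
        {
            "fileName": "legacy-lib-0.9.jar",
            "vulnerabilities": [
                # Older entries may only carry a CVSS v2 score
                {"name": "CVE-0000-00003", "severity": "MEDIUM",
                 "cvssv2": {"score": 5.0}},
            ],
        },
    ],
})


def _score(vuln):
    """Return the CVSS base score, preferring v3, falling back to v2, else 0.0."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    return float(v3.get("baseScore", v2.get("score", 0.0)))


def extract_findings(report_text):
    """Flatten the report into one record per (component, vulnerability),
    sorted with the highest CVSS score first."""
    report = json.loads(report_text)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            findings.append({
                "component": dep.get("fileName"),
                "id": vuln.get("name"),
                "severity": (vuln.get("severity") or "UNKNOWN").upper(),
                "score": _score(vuln),
            })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


def should_fail_build(findings, threshold=7.0):
    """Gate the pipeline: fail if any finding meets the CVSS threshold.
    7.0 is the usual HIGH boundary; tune it to the program's risk appetite."""
    return any(f["score"] >= threshold for f in findings)


def summarize(findings):
    """Count findings per severity, the shape a tracker dashboard wants."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = extract_findings(SAMPLE_REPORT)
    for f in findings:
        print(f"{f['score']:>4}  {f['severity']:<8} {f['id']}  {f['component']}")
    print("summary:", summarize(findings))
    # Non-zero exit makes a CI job fail on the gating threshold
    raise SystemExit(1 if should_fail_build(findings) else 0)
```

In a real pipeline the report text would come from the `--format JSON` output of the Dependency-Check CLI, and the flattened findings would be posted to DefectDojo instead of printed; the gating and summary logic stays the same.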
Key findings indicated that breaches often stem from known issues like SQL injection and dependency vulnerabilities. The open source tools provide a cost-effective, integrated pipeline for continuous security assessment. Practical takeaways include the necessity of a structured program, the value of community-driven tools for both organizations and individuals seeking to enter AppSec, and the importance of contributing back to these projects. The approach aims to minimize risk by making security practices accessible and automated throughout the development process.