Conference Venue: RAI Amsterdam, Europaplein 24, 1078 GZ Amsterdam, The Netherlands

Friday, September 27 • 10:15am - 11:00am
SUSTO: Systematic Universal Security Testing Orchestration

We have identified a gap in the threat modeling / risk assessment / control selection / security assurance pipeline. Current best practices and available tools include SAST/DAST, SCA, Container Vulnerability Analysis and Vulnerability Correlation. Gartner has recently recognized an emerging technology category for test orchestration, ASTO (Application Security Testing Orchestration), to integrate those existing tools. However, this is not enough. DevOps and SDx allow automating the building of not only the application but the complete infrastructure, making it critical to automatically check hundreds of small configuration controls. And unlike feature testing, where a simple test can be safely extrapolated, in security we need to test for "all of" or "none of" conditions, making it necessary to pipeline and orchestrate the outputs of tools as the inputs of other tools, whether they are existing commercial ones or small CLI scripts.

Fortunately, and also unlike feature testing, security tests are more universal, because the security controls (and system configurations) are similar, just with different instantiations. Also, the overwhelming number of tests a single organization should develop makes it difficult to start a project that will require a high maintenance cost. However, we have some success cases of community-based approaches like IDS, WAF or Yara rules.

We have checked with some OWASP members the interest in such a tool and community and are starting a seed open source project, initially with 3 big European financial companies involved. We want to present the initiative to the OWASP community, together with its current state at the time of the Conference, in order to obtain feedback, start it as a new OWASP project and issue a call for collaboration.


Luis Saiz

Head of Innovation in Security, BBVA
25 years of experience in multiple fields of security and fraud management. For the last 19 years he has worked at BBVA Bank, involved in Privacy Compliance, Security Assessments and Engineering in the SDLC. Designer of BBVA Group Security Strategic Plans. Builder and Head of the Global Security Center (detection...

Friday September 27, 2019 10:15am - 11:00am CEST