Global AppSec Amsterdam

We have identified that there's a gap in the threat modeling/risk assessment/control selection/security assurance pipeline. Current best practices and available tools include SAST/DAST, SCA, Container Vulnerability Analysis and Vulnerability Correlation. Gartner has recently recognized an emerging technology category for test orchestration: ASTO (Application Security Testing Orchestration) to integrate those existing tools. However, this is not enough. DevOps and SDx allow automating the building of not only the application but the complete infrastructure, making critical to automatically check hundreds of small configuration controls. And unlike feature testing where a simple test can be safely extrapolated, insecurity we need to test for "all of" or "none of" conditions, making necessary to pipeline and orchestrate outputs of tools as inputs of other tools, being existing commercial ones or small CLI scripts. Fortunately, and also unlike feature testing, security tests are more universal because the security controls (and system configurations) are similar, just with different instantiation. Also, the overwhelming number of tests a single organization should develop makes it difficult to start a project that will require a high maintenance cost. However, we have some success cases of community-based approaches like IDS, WAF or Yara rules. We have checked with some OWASP members the interest in such kind of tool and community and are starting a seed open source project, initially with 3 big European financial companies involved. We want to present the initiative to the OWASP community and the current state at the time of the Conference to obtain feedback in order to start it as a new OWASP project and a call to collaboration