Conference Venue: RAI Amsterdam, Europaplein 24, 1078 GZ Amsterdam, The Netherlands
Thursday, September 26
 

10:15am CEST

Controlled Mayhem with Cloud Native Security Pipelines
Managing security within a cloud-native development pipeline requires reimagining traditional security rituals. With hybrid and multi-cloud deployments as well as different container runtimes, orchestration platforms, and technology stacks, getting it right requires more than tooling. We must understand how our teams build software and consume telemetry gleaned through operations. This talk will dive into building with isolation in mind and limiting the damage of a compromised service within an environment. It starts with development and extends through deploying software to the runtime environment. This presentation’s goal is to provide strategies on moving security both to the left and to the right in our software development lifecycle. This presentation will explain the distinct differences between shipping traditional software and how the cloud-native development pipeline changes things. We will focus on popular projects from the Continuous Delivery Foundation (CDF) including Jenkins X, Spinnaker, and Tekton and using them with Kubernetes. We'll examine the non-linear pipelines we're building, the additional steps we've introduced, and the consequences of how CI/CD works in cloud-native shops. At the end of this presentation, you'll be ready to tighten up your stack with new tricks to solidify your cloud-native CI/CD pipeline and the additional security dilemmas it presents.

Speakers
Jack Mannino

CEO, nVisium
Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world's largest software teams enhance...
Ben Pick

Senior Security Consultant, nVisium
Ben Pick has worked in the application security industry for over a decade in roles such as Security Analyst, DevSecOps Engineer, and IDS Monitor while bouncing between red and blue teams. He has spoken at local conferences and meetups, and has provided training on improving CI/CD pipelines...


Thursday September 26, 2019 10:15am - 11:00am CEST
D202

11:05am CEST

OWASP-based Threat Modelling: Creating a Feedback Model in an Agile Environment
Threat Modeling is the art of foreseeing the threats associated with an application and getting them fixed at a very early stage. Various Threat Modeling frameworks have been developed over the years, and most companies follow their own version. However, these frameworks lack one of the most crucial steps needed to get the maximum result out of Threat Modeling. The aim of this presentation is to provide you with that last missing piece of the puzzle: completing the full circle of Threat Modeling by creating a feedback model that builds an overall Threat Landscape for any organization. We will talk about how and when you should upgrade your threat modeling process to accommodate newly introduced threat vectors, and about building a security mindset that leads to a successful Threat Model, illustrated with a real-life case study or demo.

Speakers
Chaitanya Bhatt

Security Engineer, eBay Inc.
Chaitanya Bhatt is an information security professional working as Staff Security Engineer at eBay, specializing in Application Security and Vendor Security Assessment. Chaitanya holds a Master's degree in Computer Engineering and has over six years of experience in source code analysis...


Thursday September 26, 2019 11:05am - 11:50am CEST
D201

11:05am CEST

Security Vulnerabilities Decomposition: Another way to look at Vulnerabilities
In most companies security is driven by compliance regulations. The policies are designed to cover the security vulnerabilities each company is required to comply with. These vulnerabilities can be measured only at the end, after the software has been developed, which is far too late. The result of this approach is that a high number of insecure applications is still produced and injection is still king. Is there another way to create more secure software from the start? This presentation looks at security vulnerabilities from a different angle: we decompose the vulnerabilities into the security controls that prevent them and that developers are already familiar with. We flip security from focusing on vulnerabilities (measurable only at the end, after the software has been developed) to focusing on security controls, which can be applied from the beginning of the software development cycle. Recommended to all builders and security professionals interested in building more secure software from the start.

Speakers
Katy Anton

Principal Application Security Consultant, Veracode
Katy Anton is a security professional with a background in software development. An international public speaker, she enjoys speaking about software security and how to secure software applications. In her previous roles, she led software development teams and implemented security...


Thursday September 26, 2019 11:05am - 11:50am CEST
D202

11:55am CEST

Knative Security Pipelines
Modern security practices require extensive testing using a multitude of tools, and orchestrating and executing them in a traditional CI/CD environment doesn't scale easily. Additionally, adopting the shift-left approach and enabling developers to run pipelines on demand creates a bottleneck in a traditional CI/CD solution. While modern CI/CD servers usually provide some ability to orchestrate a Kubernetes cluster, which could absorb this load, the orchestration is usually a transparent frontend for loading K8s manifests. This talk introduces Dracon, an open source tool providing a pluggable and flexible way of running producer/consumer pipelines natively on Kubernetes. We will provide use cases, architecture details and demos, along with links to documentation on how to integrate new tools.

Speakers
Spyros Gasteratos

Security Engineer, OWASP
Spyros is an OWASP volunteer and professionally is currently helping Fintechs with AppSec. He maintains several Open Source projects including Dracon, opencre.org and others. Also, he usually doesn't speak about himself in the third person...


Thursday September 26, 2019 11:55am - 12:40pm CEST
D201

1:45pm CEST

OWASP SAMM2 - your dynamic software security journey
OWASP SAMM (https://owaspsamm.org) is the prime maturity model for software assurance, providing an effective and measurable way for all types of organizations to analyse and improve their software security posture. Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance will have a significant impact on the organisation. Yet, trying to achieve this without a good framework most likely leads to only marginal and unsustainable improvements. The OWASP Software Assurance Maturity Model (SAMM) gives you a structured and measurable framework to do just that. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organisation. In this talk, we give an overview of the new release of the SAMM model. Ten years after its first conception, it was important to align it with today's development practices. We will cover a number of topics in the talk: (i) the core structure of the model, which was redesigned and extended to align with modern development practices, (ii) the measurement model, which was set up to cover both coverage and quality, and (iii) the new security practice streams, in which the SAMM activities are grouped into maturity levels. We will demonstrate the new SAMM2 toolbox to measure the maturity of an example DevOps team and show how you can create a roadmap of activities.

Speakers
Sebastien Deleersnyder

CTO and Co-Founder, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering...


Thursday September 26, 2019 1:45pm - 2:30pm CEST
D201

1:45pm CEST

Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Last year at AppSec EU I gave a presentation about Ethereum smart contracts and did a technical showcase of some of their potential vulnerabilities and security flaws. I also presented my proposal on how to handle the responsible disclosure process in the smart contracts world.
This year I want to focus on the whole process of security testing and present it through analogies to web applications, which are quite well known. Smart contracts are described as Web3 decentralized apps, and I believe that my talk will not only shed new light on this subject but will also help to understand and organize the way of testing. I am going to cover the whole SDLC and show the similarities and differences between smart contracts and web applications at each step.
The presented overview is especially important nowadays, when the biggest companies are building their own blockchain platforms and cryptocurrencies, e.g. Libra introduced by Facebook (which, by the way, also supports smart contracts).
I am also going to show the differences in the arsenal of vulnerabilities, security tools and standards by analogy to the web apps arsenal. I think that, even though there exist a lot of great security projects for smart contracts, we do not have a single, widely accepted security standard (such as ASVS in the web apps world). I would like to discuss potential work that needs to be done in that area and show my preliminary work on that matter.
After this presentation the audience will know the similarities and differences between smart contracts and web apps in the SDLC and in the arsenal of tools and standards, and will also have a fresh overview of possible options and current trends.

Speakers
Damian Rusinek

Sr. Security Specialist, SecuRing
Senior IT Security Specialist at SecuRing since 2016. Professionally responsible for blockchain, web and mobile application audits and source code analysis. Software developer and analyst with over a decade of experience. Engaged in many projects, such as projects from the energy industry...


Thursday September 26, 2019 1:45pm - 2:30pm CEST
D202

2:35pm CEST

Secure Agile development according to SAMM
This talk presents the work that has been done to extend SAMM with agile guidance. SAMM is OWASP's flagship project on how to set up and grow a secure development process. It wants to be agnostic of the type of development approach, which is why agile was not covered. Nevertheless, there appears to be a strong need in the industry for guidance on how to make secure software development work in an agile environment. Together with the SAMM working group, industry colleagues and clients, I have been working on extending SAMM with such guidance. How do you squeeze all the necessary activities into a sprint, e.g. requirement selection, threat modeling, verification? What do you do with stories, with abuse stories and with the definition of done? How do you get security teams and developers to co-operate instead of just setting up quality gates? Based on studying many organizations on what works and what doesn't work, by doing interviews and by looking into the many publications on this topic, a straightforward set of 'Agile' notes were written and validated. The results will be published with an upcoming SAMM update.

Speakers
Rob van der Veer

Senior director, Software Improvement Group
Since 1992, Rob van der Veer has pioneered AI businesses, as AI engineer, researcher and CEO. At the Software Improvement Group, Rob established the security & privacy and AI practices. He is author and co-author of various security and AI standards including the new ISO/IEC 5338...


Thursday September 26, 2019 2:35pm - 3:20pm CEST
D201

2:35pm CEST

Threat Modelling Stories from the Trenches
Threat modelling is a software analysis technique capable of finding design defects. But what sort of issues are uncovered in practice using threat modelling? This talk bridges the gap between theory and practice by describing case studies – design flaws uncovered for actual (but anonymised) systems across many domains, for example online gaming, two-factor authentication, business-to-business, embedded, and cloud. In this talk we are less concerned with theory. Instead, in this interactive session the attendee will gain insight into the mindset of threat modelling by considering mistakes in the real-world. Along the way we will (re)learn secure design principles and attack patterns and see how the theory is expressed in reality.

Speakers
David Johansson

Principal Consultant, Synopsys
David Johansson has worked as a security consultant for over 10 years. Among other things, he has worked with software development and architecture, threat modeling, web security testing, and training developers and testers in security. David lives in London where he works as a Principal...
Andrew Lee-Thorp

Mr Lee-Thorp is a software security consultant who started life as an ocean-atmosphere scientist, then as a developer and now works as a Principal Consultant at Synopsys where he performs code reviews, threat modelling, Android testing and trains developers to write secure code.


Thursday September 26, 2019 2:35pm - 3:20pm CEST
D202

4:05pm CEST

Modern and Secure IAM for Modern Applications
Modern applications include mobile applications, JavaScript single-page applications, APIs, microservices and so on, and we need modern, secure Identity and Access Management (IAM) solutions to protect them. Unfortunately, authentication- and authorization-related CWEs (Common Weakness Enumeration entries) still account for many vulnerabilities in both traditional and modern applications, and these eventually result in data breaches. Studies of data breaches (such as the Verizon Data Breach Investigations Report) clearly show attackers' interest in these vulnerabilities and how they abuse them. This presentation focuses on a proactive solution: since attackers exploit weaknesses in IAM implementations, reduce the number of weak, home-grown IAM implementations and rely on a centrally managed, more secure IAM solution through federation, following the security principle of minimizing the attack surface. The presentation covers basic IAM terminology, different ways to implement IAM solutions, the benefits of federation, a comparison between OIDC and SAML, and an explanation of the OIDC flows suited to modern applications (the Authorization Code flow and the Authorization Code flow with PKCE).

Speakers
Vinod Anandan

SVP of Application Security
Vinod is an SVP of Application Security. He leads a team of DevSecOps engineers and architects who develop tools and services that improve security and the developer experience. Vinod spends most of his time helping open source projects and standards.


Thursday September 26, 2019 4:05pm - 4:50pm CEST
D202
 
Friday, September 27
 

11:05am CEST

Don't Trust The Locals: Evaluating and Mitigating the Insecurity Caused by Trusting Your Client-Side Storage
The Web has become highly interactive and an important driver for modern life, enabling information retrieval, social exchange, and online shopping. From the security perspective, Cross-Site Scripting (XSS) is one of the most nefarious attacks against Web clients. Most informational resources (OWASP being one of the few positive counterexamples) name three categories of XSS: reflected, persistent, and DOM-based XSS. In this talk, we provide real-world insights that show that the categorization into client/server and reflected/persistent XSS as done by OWASP is much more sensible. To do so, we report on a real-world study which shows that of the Alexa Top 5,000 domains, around 2,000 make use of persisted data on the client. We conduct this study using a combination of taint tracking and a fully automated exploit generation pipeline. Doing so, we find that of these 2,000, over 20% make that use in an insecure way which enables an attacker to execute a persisted payload on every page load, allowing for nefarious long-term attacks such as JavaScript-based keyloggers, credential extraction from password managers, or cryptojacking. In addition, we analyze the end-to-end exploitability of the flaws we discovered based on two attacker models, showing that at least 70% of the sites with an insecure data flow can successfully be infected with a malicious payload. We also analyze the vulnerable code pieces and classify them according to their intended use case. On the one hand, this lets us reason about the prevalent places in which developers put full trust in the integrity of the storages. On the other hand, it allows us to discuss how to achieve the same goal in a secure fashion, hence providing the audience with actionable insights for their own applications.

Speakers
Marius Steffens

CISPA Helmholtz Center for Information Security
Marius Steffens is a first-year Ph.D. student at the Secure Web Applications Group at CISPA Helmholtz Center for Information Security, where Ben Stock supervises him. Marius is currently interested in the area of web security and is looking into the prevalence of vulnerabilities...


Friday September 27, 2019 11:05am - 11:50am CEST
D201

11:05am CEST

How do JavaScript frameworks impact the security of applications?
The best way to enable developers to create secure applications is to “shift left” in security. That means providing developers with the tools and techniques that help build more secure applications from the get-go. Developers may get security controls into their applications in different ways. They may write them from scratch following security training or guidance, they may use open source libraries, or they may use frameworks that have the security features built in already. In this talk we explore JavaScript applications that use different types of security controls implemented at levels ranging from developer code, to libraries and plugins, to different frameworks, and analyze which applications actually turn out to be more secure. This work is based on analysis of over 500 open source JavaScript applications on GitHub that use client-side frameworks and template engines to prevent XSS, as well as server-side frameworks (Express, Koa, Hapi, Sails, Meteor) and CSRF prevention mechanisms. In conclusion, we provide data-driven recommendations for framework maintainers and application developers on how to develop and choose a framework that will actually make applications more secure.

Speakers
Ksenia Peguero

Sr. Research Engineer, Synopsys
Ksenia Peguero is a Sr. Research Engineer within Synopsys Software Integrity Group. She has nine years of experience in application security and five years in software development. Ksenia focuses her research on static analysis and JavaScript security, frameworks, and technologies...


Friday September 27, 2019 11:05am - 11:50am CEST
D202

2:35pm CEST

Making the web secure, by design ++
Over 10 years of experience in web application security bundled into a single application! The OWASP Security Knowledge Framework (SKF) is a vital asset to the coding toolkit of you and your development team. Use SKF to learn and integrate security by design in your web application. A lot has changed in the 5 years since we released the SKF. We took all the challenges and problems that both security and development teams are facing and re-shaped the SKF to fit their needs most effectively. In a nutshell, the OWASP Security Knowledge Framework:
* trains your developers in writing secure code
* facilitates security by design by providing the right security requirements
* integrates seamlessly with your favorite source control systems
* provides containerized labs with detailed write-ups to train developers to do verification on their code
We want to take the stage to introduce the new release of the SKF!

Speakers
Glenn ten Cate

Flagship project leader, OWASP
As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, Glenn has over 15 years of experience in the field of security. One of the founders of defensive development def[dev]eu, a security training and conference series dedicated to helping you build and maintain...
Riccardo ten Cate

As a penetration tester from the Netherlands, Riccardo specializes in application security and has extensive knowledge of securing applications in multiple coding languages. Riccardo has many years of experience in training and guiding development teams to become more mature and to make...


Friday September 27, 2019 2:35pm - 3:20pm CEST
D201
 