SecAppDev 2023 - Secure Coding

The OWASP Top 10 is a standard awareness document for web developers and web application security professionals. It represents a broad consensus about the most critical security risks to web applications. As software developers author code that makes up a web application, they need to embrace and practice various secure coding techniques. This training provides defensive instruction in relation to the OWASP Top Ten to aid developers in authoring secure software.

Learning goal: A thorough understanding of the risks listed in the OWASP top 10, along with best practice secure coding guidelines to mitigate these risks in web applications and APIs

The software security industry is shifting left. Traditional security tools have failed to address the challenges of modern engineering teams as they often are too slow, overwhelm users with false positives, and do not provide sufficient remediation help. As a result, they do not ultimately raise a company’s security bar.

In this workshop we will focus on hands-on exercises, supported by research results to teach participants how to use Semgrep by taking a different approach to security, called paved road or secure defaults.

Learning goal: Why the current approach to software security is not working. How to automate code review to free up your time for higher impact work. Best practices in rolling out continuous code scanning, and how to write custom Semgrep rules.

How does an SDLC become a secure SDLC? In this session, we use real-world stories to identify and overcome challenges to integrate security into a development lifecycle. You will learn how to build and implement a high-value AppSec program.

Key takeaway: Learn how to initiate a software security program, manage the program on ongoing basis, keep it sustainable, and build stakeholder engagement and buy-in

Managing third party library dependence is one of the most difficult challenges in software development and requires significant process and technical discipline. This session offers actionable advice on getting this challenge under control.

Key takeaway: To handle third-party dependencies securely, you need to reduce the amount of libraries you use, vet the ones you use, and keep them up to date

Understand how API contracts can be written in with the OpenAPI standard and leveraged across the API lifecycle, including for security.

Key takeaway: Learning about the power and extensibility of OpenAPI and its application across the API lifecycle.

This session covers 42 things about appsec. SIX software security zombies. TEN software security flaws. SEVEN software security myths. SEVEN startup lessons. FOUR CISO tribes. SEVEN things I learned in 21 years. Oh, and ONE BONUS THING.

Key takeaway: A treasure trove of advice based on the experience of a pioneer in the field of software security, or "42 things" in short

In this session, we start by threat modeling an authentication system. We analyze the risks of secret-based authentication and guide you in building usable password policies. We'll dive into the math, and investigate secure password storage.

Key takeaway: Analyze the security of user authentication, make the right trade-offs, and strengthen the security of password-based authentication

We will go over the vision for secure defaults, and then discuss how we can improve processes, training and tools to support this approach. The advice in this session is backed by my research.

Key takeaway: Security is no longer just the responsibility of the expert. Security training and tools should be adapted to fit a developer audience

This talk traces Application Security from its '60s origins marked by poor practices to today's advancements. We aim to inspire security professionals by highlighting the accelerated pace of positive changes over time.

Key takeaway: Exploring Application Security's history reveals an encouraging trend: continuous, accelerating improvement over time.