Monday, 8 May 2017

FAQ on attendees count, working session format and how to contribute (as a vendor)

(email sent to all Owasp Summit participants)

-----
Hi Summit Participants, please see below an email sent today in response to a couple of questions we received from one of the companies in the Security Crowdsourcing space. See if you can guess which one :)

I'm sure some of you have similar questions, especially around the participation by vendors of security products/services in the Summit's Working Sessions.

Btw, if you have questions that you think we have not provided good answers for, please reach out, and we will do our best to answer them.
-----

The Woodstock of AppSec and more Owasp Summit Working Sessions

(email sent to all onsite and remote Owasp Summit Participants)

Hi Summit Participants, I hope you had a great weekend. Here in London I met with Ante Gulam for a BBQ and we had a very productive Sunday (as you can see below).

Before I go into the details, I have a question for you: What do you think of this tag line for the Summit: "The Woodstock of AppSec"?

Seba came up with it when we met for lunch on Friday, when we were talking about the Summit's gravitational pull (as in 'the place to be', 'the place where the most interesting AppSec conversations will occur', 'the place where the best minds in XYZ topic will be together', 'the place where participants are trying to solve hard problems that I have today').

Sunday, 7 May 2017

Help with OWASP Summit 2017 Outreach

(email I just sent to the owasp-leaders list)

Hi Owasp Leaders, I would like to ask you for some help in promoting the Owasp Summit 2017.

We are now at the phase of the Summit's journey where we have reached critical mass, and really need your energy, collaboration and involvement.

About the Summit:

Owasp Summits are not a normal conference where attendees go to watch presentations. This is a highly collaborative environment made of Working Sessions, which are created by the participants around areas they are passionate about or have real-world problems they need solutions for.

How the Summit's Working Sessions will work and Summit's Schedule

(email sent to all Summit registered participants)

Hi Summit Participants (BCCed). I have been receiving a number of questions about how the Working Sessions will be organised at the Summit, so here is an explanation of how they will be set up.

At the moment it might look a bit weird that we have more Working Sessions (106) than participants (81). This is actually quite normal (at this stage), since we still have a large number of participants that will be registering in the next month, and a significant number of Working Sessions that will not have enough energy, content, focus or registrations to justify their inclusion in the final schedule.

Saturday, 6 May 2017

19 new Owasp Summit 2017 Working Sessions

(email I just sent to all onsite and remote Owasp Summit 2017 participants)

Hi Summit Participant (BCCed)

I hope you are having a good weekend and have some energy for some Summit related GitHub Pull Request activities :)

Thursday, 4 May 2017

39 Working Sessions with no organizers, two new Gold Sponsors (CapitalOne and PhotoBox)

Thanks to the Owasp Summit Participants that added themselves as an organiser to 6 Working Sessions.

It's a great start, but we need more :)

In fact we now have 39 Working Sessions that need organisers (two more than yesterday), because we added the following 8 new Working Sessions (most with no organiser and very little content):

Wednesday, 3 May 2017

Summit Working Sessions with NO organizer (please help)

(Here is the email I just sent to all registered Owasp Summit 2017 participants, which also applies to you, reader of my blog :) . Please take a good look at those 37 'Working Sessions with no organizer' and pick one to help.)

Hi Owasp Summit Participants (onsite and remote),

As you can see from the latest list of 76 Working Sessions, we have quite a good number of very interesting/important topics to collaborate/work on at the Summit (with more sessions being added daily).

We have grouped them into the following tracks and technologies:

Wednesday, 26 April 2017

Owasp top 10 2017 Working Session at next OWASP Summit

Given the recent debates about the changes made on this new version of the OWASP Top 10 (which you can download from here), the next OWASP Summit 2017 will host a Working Session to allow for further collaboration and debate.

Please take a look at http://owaspsummit.org/Working-Sessions/Project-Summit/Owasp-Top-10-2017.html and add/change it accordingly (btw, you can now register as a participant, and if you want to help organising it, please do: we need an organiser for this Working Session).

Here is a first pass at the topics to cover:

Monday, 10 April 2017

RfP for Owasp SAMM assessment (£10k budget)

Here is a project brief I have been asked to share by a company that operates across Europe, USA and Australia.

Seems to me like a great opportunity for an active member of the OWASP/SAMM community :)

Ping me if your company (or you) want to respond, and I'll put you in touch with them.

--------

Project brief:

Our e-commerce security maturity is of critical importance to us and our valued customers.

Through this RfP process, we are approaching the App/InfoSec community to invite responses from Europe-based AppSec consultants and businesses who are interested in engaging with our Group Security team to deliver an acute assessment of our individual team's security maturity.

We welcome responses from those well versed in the OWASP SAMM methodology who have full-stack technical experience of auditing complex e-commerce environments and practices. Experience in producing board-level written reports and visualisations of data collected is highly desired. The data is to be collected using the Owasp Maturity Model tool.

Presentation: Building AppSec Teams

Here is the presentation I delivered recently at an online SC Conference on Web Application Security.

This is the consolidation of my recent research (and practical experience) of creating AppSec teams.

I think this structure and focus would make a massive difference (if implemented) at a large number of companies (especially the AppSec Squad concept).

The video is available on demand here.

Presentation: OWASP Summit 2017 (Jan and Feb updates)

Here are two presentations I delivered recently (at the OWASP London Chapter) about the forthcoming OWASP Summit 2017.

Presentation: Security champions

Here is a presentation I delivered recently to a newly created Security Champions team.

The objective was to present to them what Security Champions are, and to motivate them into wanting to become one.

Let me know what you think of it, and if there is anything missing from this initial 'motivational' slide deck.

Presentation: Legacy-SecDevOps (AppSec Management Debrief)

Here is a presentation I created last year as a debrief to C-Level execs.

It is quite strong, but they took it quite well and agreed with most of it :)

Let me know what you think of it (I'm sure you've seen many similar projects and organisations).

Friday, 7 April 2017

Thursday, 15 December 2016

The Authentication micro-service cache incident

A good example of why we need tests across the board, not just normal unit tests but integration tests, and tests that are spread as widely as possible, is the story of an authentication module that was developed as a refactoring into a separate micro-service.

When the module was developed, it had a high degree of code coverage; in fact it had 100% unit test coverage. The problems arose when it went live, and several issues occurred. One of the original issues occurred because the new system was designed to improve the way the database or the passwords were stored. This meant that once it was fully deployed, some of the existing dependent services stopped working.

Risk Dashboards and emails

It is critical that you create a suite of management dashboards that map the existing security metrics and the status of RISK tickets:

Jira Dashboard

Why GitHub and JIRA

My current experience is that only GitHub and JIRA have the workflows and the speed that allow these risk workflows to be used properly in the real world.

I know there are other tools available that try to map this and create some UIs for risk workflows, but I believe that you need something very close to the way developers work. GitHub and JIRA meet this essential requirement, as they are both connected to the source code.

Wednesday, 14 December 2016

Linking source code to Risks

If you add links to risks as source code comments, you deploy a powerful and very useful technique with many benefits.

When you add links to the root cause location, and all the places where the risk exists, you make the risk visible. This reinforces the concept of cost (i.e. pollution) when insecure, or poor quality, code is written. Linking the source code to risk becomes a positive model when fixes delete the comments. When the comments are removed, the AppSec team is alerted to the need for a security review. Finally, tools can be built that will scan for these comments and provide a 'risk pollution' indicator.
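The scanner the paragraph describes, as an added example that is not code from the book or from any project: it finds risk links in comments, reports a 'risk pollution' indicator, and lists tickets whose comments disappeared between two scans (each of which should trigger a security review). The RISK-<n> key convention and the sample files are assumptions constructed for the example.

```python
import re

# Assumed convention (not from the book): a risk link is a comment that contains a
# JIRA-style key RISK-<n>, e.g. "# RISK-12 https://jira.example/browse/RISK-12".
RISK_KEY = re.compile(r"\bRISK-(\d+)\b")
COMMENT = re.compile(r"(#|//|/\*).*")   # heuristic: first comment marker to end of line

def risk_refs(path, lines):
    """Return [(path, lineno, 'RISK-n')] for each distinct risk key in a comment."""
    refs = []
    for lineno, line in enumerate(lines, 1):
        comment = COMMENT.search(line)
        if comment:
            # set() so a key repeated inside the URL is counted once per line
            for key in sorted(set(RISK_KEY.findall(comment.group(0)))):
                refs.append((path, lineno, f"RISK-{key}"))
    return refs

def pollution_report(files):
    """Risk-pollution indicator (risk refs per 100 lines) plus each ticket's locations."""
    refs, total = [], 0
    for path, lines in files.items():
        total += len(lines)
        refs.extend(risk_refs(path, lines))
    by_ticket = {}
    for path, lineno, key in refs:
        by_ticket.setdefault(key, []).append(f"{path}:{lineno}")
    indicator = round(100.0 * len(refs) / total, 2) if total else 0.0
    return {"lines": total, "refs": len(refs), "indicator": indicator, "tickets": by_ticket}

def removed_links(before, after):
    """Tickets whose comments were deleted between two scans: alert AppSec for review."""
    return sorted(set(before["tickets"]) - set(after["tickets"]))

# Constructed sample: two snapshots of a small code base (before and after a fix).
BEFORE = {
    "auth/login.py": [
        "def check(user, pwd):",
        "    # RISK-101 https://jira.example/browse/RISK-101 root cause: non-constant-time compare",
        "    return user.pwd == pwd",
    ],
    "api/upload.js": [
        "function save(name, body) {",
        "  // RISK-102 https://jira.example/browse/RISK-102 path built from user input",
        "  return fs.writeFileSync('/data/' + name, body); // RISK-101 reached from here too",
        "}",
    ],
}
# The fix for RISK-101 removed its comment lines; RISK-102 is still open.
AFTER = {path: [l for l in lines if "RISK-101" not in l] for path, lines in BEFORE.items()}

if __name__ == "__main__":
    print(pollution_report(BEFORE))
    print("needs security review:", removed_links(pollution_report(BEFORE), pollution_report(AFTER)))
```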

(from the SecDevOps Risk Workflow book; please provide feedback as a GitHub issue)

Employ Graduates to Manage JIRA

One of the challenges of the JIRA RISK workflow is managing the open issues. This can be a considerable amount of work, especially when there are 200 or more issues to deal with.

In large organizations, the number of risks opened and managed should be above 500, which is not a large quantity. In fact, visibility into existing risks starts to increase, and improve, when there are more than 500 open issues.

The solution to the challenge of managing issues isn't to have fewer issues.

Can't do Security Analysis when doing Code Review

One lesson I have learned is that the mindset and the focus that you have when you do security reviews are very different from when you work on normal feature and code analysis.

This is very important because as you accelerate in the DevOps world, it means that you start to ship code much faster, which in turn means that code hits production much faster. Logically, this means that vulnerabilities also hit production much faster.

Threat Model Confirms Pentest

A key objective of pentest should be to validate the threat model. Pentests should confirm whether the expectations and the logic defined in the threat model are true. Any variation identified is itself an important finding because it means there is a gap in the company's understanding of how the application behaves.

There are three important steps to follow:

  1. Take the threat models per feature, per layer and confirm that there are no blind spots or variations from the expectation
  2. Check the code path to improve the understanding of what is actually happening, compared to what the threat model says
  3. Confirm that there are no extra behaviours

(from the SecDevOps Risk Workflow book; please provide feedback as a GitHub issue)

Tuesday, 13 December 2016

Threat Model per Feature

Creating and following a threat model for a feature is a great way to understand a threat model journey.

First, take a very specific path, a very specific new feature that you are adding, or take a property, such as a new field, or a new functionality.

Using Git as a Backup Strategy

When you code, you inevitably go on different tangents. Git allows you to keep track of all those tangents, and it allows you to record and save your progress.

In the past, we used to code for long periods of time and commit everything at the end. The problem with this approach is that sometimes you follow a path to which you might want to return, or you might follow a path that turns out to be inefficient. If you commit both early and often, you can keep track of all such changes. This is a more efficient way of programming.

Feedback Loops

The key to DevOps is feedback loops. The most effective and powerful DevOps environments are environments where feedback loops, monitoring, and visualizations are not second-class citizens. The faster you release, the more you need to understand what is happening.

DevOps is not a silver bullet, and in fact anyone saying so is not to be trusted. DevOps is a profound transformation of how you build and develop software.

DevOps is all about small interactions, small development cycles, and making sure that you never make big changes at any given moment. The feedback loop is crucial to this because it enhances your understanding and allows you to react to situations very quickly.