Name: AppSec Explained: OWASP Edition
Start: 2023-07-31T17:25:00Z
End: 2023-07-31T17:25:55.000Z
Location: BrightTALK
Rating: 4

Security Journey offers robust application security education tools to help developers and the entire SDLC team recognize and understand vulnerabilities and threats and proactively mitigate these risks. The knowledge learners acquire in our programs goes beyond helping learners code more securely – it turns everyone in the SDLC into security champions. 

Why do the same threats appear on OWASP Top 10 after almost ten years?

Director of Application Security Mike Burch explores how the application security industry has been failing and how adopting a few core concepts can help shape a new way forward.

This webinar includes the following topics:
- OWASP Top 10 Threats
- The AppSec Dilemma
- Security Champions Programs
- How Education Fits in the Software Development Lifecycle
- Optimal Engineering Team Structure

AppSec Redefined: A New Way Forward

In 2023, the White House, CISA, the SEC, and the PCI Security Standards Council increased their regulation and governance of software security.
 
This study, conducted independently by the Ponemon Institute and sponsored and published by Security Journey, aimed to understand the state of secure coding training and provide insights into how organizations are attempting to improve software security in the face of increasing regulatory pressure.
 
The research reveals that organizations are still prioritizing speed to market over security, going to production with vulnerabilities and doing secure coding training only to check the regulatory box instead of focusing on educating teams on handling a broader landscape of threats.
 
A few highlights from the report:
- Only 20% of respondents were confident in their ability to detect a vulnerability before an application is released
- Over 60% struggle to remediate vulnerabilities effectively
- 50% fail to test the security of their applications after they have been released. 
- 47% of organizations are blaming these challenges of remediating vulnerabilities in production on a lack of qualified personnel

2024 Study on How Secure Coding Training Impacts Regulatory Compliance

The OWASP Top 10 is a well-known list of the top 10 risks in web application security, but did you know there are at least eight other "top ten" lists in the OWASP universe? As security professionals, it's important to comprehensively understand new technologies and the associated application security issues with each type of tech. 

Mike Burch, Director of Application Security at Security Journey, and his team took the time to evaluate these lists and compile what we believe is a list to rule them all – the top 10 biggest threats to our products across the different technologies. 

By creating this master top ten list, we hope to continue to embrace the commonalities and work to secure your products and apps, regardless of where they fall on the technology spectrum. You can teach mitigation strategies with Security Journey’s enterprise-class application security training content; learn more today at securityjourney.com.

Top 10 Biggest Security Threats to Your Products

Organizations are seeing more attacks on their applications, leading to concerns. Penetration testing and code scanning are helpful, but not enough. 

A lot of companies do not have sufficient security measures in place during their SDLC which leads to more vulnerabilities. To address this, it is important to invest in secure coding training and consistent education for developers and support teams. This will enable teams to identify and prevent issues before they even get to scanning tools or production.

In a video, Amy Baker discusses the importance of security education in solving this application security issue.

The Value of Security Education for Developers

We are currently in an application security dilemma that stems from growing security concerns, pressure on development teams, and a lack of structured security training. This dilemma is affecting organizations and is why application security has not improved over the last decade. 

Let's take a look at some stats: 
- Recent studies show 210% new vulnerabilities per year in the National Vulnerability Database 
- 92% of developers feel pressure to release code to market faster 
- Top 50 US university coding programs currently don't require their students to take secure coding courses  

In this video, Amy Baker from Security Journey will review the business impact of an application security risk, the cost of secure coding training, and show how you can calculate the ROI of secure coding training.

Measuring the ROI of Secure Coding Training

Today, 0 of the top 50 undergraduate computer science programs require a course in application security.  In many organizations, developers have little training beyond basic security awareness around the OWASP Top 10. 

In this webinar, we will discuss why code security is important and how to implement security into your software development life cycle. We will also provide tools, techniques, and best practices to help developers build secure code.

How Are You Solving The Developer Security Knowledge Gap?

Teams across industries struggle to find the right balance between thorough testing and rapid release.

Waiting too long to test in the SDLC may require lengthy and expensive code refactoring. Only testing at the beginning or not enough likely means you're missing critical vulnerabilities. 

Effective and efficient testing strategies require balance throughout the entire SDLC. We've defined a software security testing framework that accomplishes this. 

During this webinar, Michael Burch, Director of Application Security, will: 
1. Discuss the benefits of a balanced testing framework
2. Define Software Security Testing Lifecycle (SWSTL)
3. Outline how SWSTL works with DevSecOps

Keeping The Balance Between Security Testing and Rapid Release

Server-Side Request Forgery (SSRF) attacks make news. We've heard the stories of victim organizations who report data loss and a lot of negative chatter in the news among technical communities. Malicious actors executing this attack can do so because we create trust relationships between software and systems based on security assumptions.

Mitigation advice is everywhere - input validation, zero-trust architecture, safe listing - just to name a few. We've built lessons around strategies to combat SSRF. But why are we choosing those?

In this session, you'll learn how attackers abuse trust relationships, identify different types of SSRF attacks and apply appropriate mitigations to secure your environment.

A Deep Dive into SSRF

It is evident that threat modeling significantly minimizes the need to rewrite code due to security vulnerabilities. In Part Two of the threat modeling webinar series, Chris Romeo, AppSec Expert and co-author of the Threat Modeling Manifesto, continues his threat modeling session, focusing on the appropriate approach to address the next steps. You can enhance your threat modeling skills by learning and practicing exercises.

Threat Modeling Unleashed: Part 2

To prevent the need to fix security bugs, it's important to create an effective threat modeling strategy. You can improve your development lifecycle by learning the scoping and drawing steps of threat modeling. Chris Romeo, AppSec Expert and co-author of the Threat Modeling Manifesto, recently hosted a discussion on the best approach to start threat modeling. Through this conversation, you can learn and practice exercises to enhance your threat modeling abilities.

Threat Modeling Unleashed: Part 1

Implementing threat modeling is essential to avoid security bugs and enhance the development process. Chris Romeo, the AppSec Expert and co-author of the Threat Modeling Manifesto, recently hosted a discussion on the benefits of threat modeling, including a live demo of the process. This conversation provides insight into the patterns that support effective threat modeling and highlights its principles and values.

Threat Modeling in Action

If you are a development leader who loathes every call or interaction with the security team, this webinar will help you.

We have industry research to share to improve your secure development strategy, extend an olive branch to the security team, and prove to your developers how valuable they are to you.

This discussion embraces the needs of both the development and security teams to help everyone reach the combined goal of quality, secure software while still hitting your speed-to-market goals with new features.

Don't worry, this solution pays for itself, and we'll show you how.

Development vs. Security: Make It Stop

This is a shell webinarOWASP released its' peer-approved, final list of the OWASP Top 10 2021 in September. Since it had been many years since they released their list, Chris Romeo and AppSec Engineer,  Michael Burch, discussed and broke down the OWASP Top 10 2021 list for Cyber Security Awareness Month (October 2021). The big question is, what can we really do to turn these top vulnerabilities around? They provided a comprehensive knowledge behind each vulnerability and their opinions on what should be done to make changes.

AppSec Explained: OWASP Edition

AppSec

Application Security

OWASP

OWASP Top 10

Secure Coding Training

Developers

Secure Code

Security Culture

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

AppSec Explained: OWASP Edition

Presented by

About this talk

More from this channel