Shifting Knowledge Left: Keeping up with Modern Application Security

Presented at Black Hat USA 2019, Aug. 8, 2019, 5 p.m. (60 minutes)

With security "shifting left" into DevSecOps, it's more difficult than ever to keep up with a rapidly evolving landscape of web technologies and the threats that come with them. While familiar vulnerability classes continue to plague our apps with the likes of XSS and SQL injection attacks, many frameworks are adopting automatic defences that protect against common abuse cases. At the same time, as the work of developers is abstracted away from these security decisions, remaining points of failure can more easily go overlooked.

To keep our applications secure in a world where developers own deployments and commit production code many times a day, we need every software engineer to be well versed and up to date in secure coding techniques relevant to their particular language and framework. Education in application security is hard, and the days of passive compliance-based training through outdated videos and slideshows can't keep up. Meanwhile, traditional cybersecurity has little to do with modern appsec, and security teams are often seen by developers as a punitive function and (un)necessary evil.

Beyond relying on slow-to-update measures like the OWASP Top 10 to guide us, we must find better ways to share appsec knowledge, both within teams and across the industry. To this end, Duo and Hunter2 have partnered to bring a set of free training resources that can be shared among development teams, including interactive training labs that allow engineers to practice exploiting and patching up modern web applications in their stack of choice. We are also opening this platform up to the community, so that attendees can publish their own labs demonstrating specific vulnerability and remediation examples as well.

Presenters:

  • Fletcher Heisler - CEO, Hunter2
    Fletcher Heisler is the founder and CEO of Hunter2, a company that provides engineering teams with modern appsec training through an online platform of interactive labs, where developers get hands-on practice exploiting and patching up real applications. Fletcher previously ran Real Python, an online community of hundreds of thousands learning modern web development and programming practices.
  • Mark Stanislav - Head of Security Engineering, Duo Security
    Mark Stanislav is the Head of Security Engineering for Duo Security. Stanislav has spoken internationally at over 100 events, including RSA, DEF CON, SOURCE Boston, Codegate, SecTor and THOTCON. His security research and initiatives have been featured by news outlets such as the Wall Street Journal, the Associated Press, CNET, Good Morning America and Forbes. Stanislav is the author of the book Two-Factor Authentication. Stanislav holds a BS in networking and IT administration and an MS in technology studies focused on information assurance, both from Eastern Michigan University. During his time at EMU, Stanislav built the curriculum for two courses focused on Linux administration and taught as an adjunct lecturer for two years. Stanislav is currently pursuing his PhD in cybersecurity at Dakota State University. He holds CISSP, Security+, Linux+, and CCSK certifications.
