With security "shifting left" into DevSecOps, it's more difficult than ever to keep up with a rapidly evolving landscape of web technologies and the threats that come with them. While familiar vulnerability classes continue to plague our apps with the likes of XSS and SQL injection attacks, many frameworks are adopting automatic defences that protect against common abuse cases. At the same time, as the work of developers is abstracted away from these security decisions, remaining points of failure can more easily go overlooked.
To keep our applications secure in a world where developers own deployments and commit production code many times a day, we need every software engineer to be well versed and up to date in secure coding techniques relevant to their particular language and framework. Education in application security is hard, and the days of passive compliance-based training through outdated videos and slideshows can't keep up. Meanwhile, traditional cybersecurity has little to do with modern appsec, and security teams are often seen by developers as a punitive function and (un)necessary evil.
Beyond relying on slow-to-update measures like the OWASP Top 10 to guide us, we must find better ways to share appsec knowledge, both within teams and across the industry. To this end, Duo and Hunter2 have partnered to bring a set of free training resources that can be shared among development teams, including interactive training labs that allow engineers to practice exploiting and patching up modern web applications in their stack of choice. We are also opening this platform up to the community, so that attendees can publish their own labs demonstrating specific vulnerability and remediation examples as well.