What We Learned Remediating XSS in GitHub Open Source Projects

Presented at AppSec USA 2017, Sept. 22, 2017, 9 a.m. (45 minutes)

Our goal was to fix as many high-risk vulnerabilities throughout the GitHub open source project portfolio as we could with a minimum of effort. The intent was to simulate portfolio-wide remediation in a large and diverse organization within a context that allows sharing concrete statistics and experiences.

Fixing XSS throughout a portfolio of applications is more challenging than fixing a single application. In addition to the remediation work required for a single application, fixing a portfolio requires getting developer buy-in, complying with various coding style guides, integrating with each project's existing processes, testing, metrics, and more.

This presentation will discuss how we did it, lessons learned, and some alternatives. Three things made our scaling approach unusual:

1) Focusing on risk broadly across application portfolios instead of a single application.
2) Focusing on adding missing security controls instead of the exploitability of vulnerabilities.
3) Automating JSP source code modification.

We will compare the approach that we used on this project to more traditional manual and automated techniques that focus on vulnerability detection, as well as to scaling through training and scaling through building offshore capabilities.
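To make points 2) and 3) concrete, here is an added example of what an automated "add the missing control" rewrite of JSP source can look like. It is illustrative code written for this page, not the presenters' tool, and it assumes the control being added is JSTL's fn:escapeXml() around Expression Language outputs (the talk does not say which encoder or rewriting approach was used). The sample JSP page is constructed for the example.

```python
"""
Added example (not the presenters' tool): a minimal source rewriter that
adds HTML output encoding to JSP Expression Language (EL) outputs and
reports remediation metrics per file.

Assumptions (not from the talk):
  - fn:escapeXml() from the JSTL functions taglib is the control to add.
  - Only EL in template text / plain HTML attributes is rewritten.
  - EL inside <script> blocks needs a JavaScript-context encoder, so it is
    flagged for manual review rather than rewritten.
"""
import re

FN_TAGLIB_URI = "http://java.sun.com/jsp/jstl/functions"
FN_TAGLIB = f'<%@ taglib prefix="fn" uri="{FN_TAGLIB_URI}" %>'

# ${...} with no nested braces; expression text captured as "expr".
EL_RE = re.compile(r"\$\{(?P<expr>[^{}]*)\}")
# Directives, JSP comments, scriptlets and declarations: <%@ %>, <%-- --%>, <% %>, <%= %>.
JSP_BLOCK_RE = re.compile(r"<%.*?%>", re.DOTALL)
# Inline script blocks: HTML encoding is the wrong control here.
SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)
# Opening tags of prefixed (taglib) tags such as <c:if test="${...}"> or
# <c:out value="${...}"/>. Their EL is logic or already-encoded output, not
# raw template output. (A literal '>' inside an attribute value is not handled.)
TAGLIB_TAG_RE = re.compile(r"<\w+:\w+\b[^>]*>")

# Constructed sample input for the example.
SAMPLE_JSP = """<%@ page contentType="text/html" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- debug: ${rawThing} --%>
<c:if test="${not empty user}">
  <h1>Hello ${user.name}</h1>
  <p>${fn:escapeXml(user.bio)}</p>
  <c:out value="${user.email}"/>
</c:if>
<script>var id = "${user.id}";</script>
"""


def _spans(regex, src):
    return [m.span() for m in regex.finditer(src)]


def _inside(pos, spans):
    return any(start <= pos < end for start, end in spans)


def rewrite_jsp(src):
    """Return (rewritten source, stats).

    stats counts how many EL outputs were encoded, were already encoded,
    were skipped as non-output (directives, comments, taglib attributes),
    or were flagged for manual review (inside <script>).
    """
    jsp_blocks = _spans(JSP_BLOCK_RE, src)
    scripts = _spans(SCRIPT_RE, src)
    tag_attrs = _spans(TAGLIB_TAG_RE, src)
    stats = {"encoded": 0, "already_encoded": 0, "skipped": 0, "needs_review": 0}

    def encode(match):
        expr = match.group("expr").strip()
        pos = match.start()
        if _inside(pos, jsp_blocks) or _inside(pos, tag_attrs):
            stats["skipped"] += 1
            return match.group(0)
        if _inside(pos, scripts):
            stats["needs_review"] += 1
            return match.group(0)
        if expr.startswith("fn:escapeXml("):
            stats["already_encoded"] += 1      # keeps the rewrite idempotent
            return match.group(0)
        stats["encoded"] += 1
        return "${fn:escapeXml(" + expr + ")}"

    out = EL_RE.sub(encode, src)
    # Only add the taglib directive when the file actually gained a call to fn:escapeXml.
    if stats["encoded"] and FN_TAGLIB_URI not in out:
        out = FN_TAGLIB + "\n" + out
    return out, stats


if __name__ == "__main__":
    rewritten, stats = rewrite_jsp(SAMPLE_JSP)
    print(rewritten)
    print(stats)
```

The per-file stats dictionary is the kind of metric a portfolio-wide effort needs: how many outputs gained the control, how many were already covered, and how many landed in a context (here, inline JavaScript) where HTML encoding is the wrong control and a person has to choose the encoder. Running the rewrite a second time changes nothing, which is what makes it safe to re-run in a project's build or pre-commit step.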

Presenters:

  • Mike Fauzy - Founder, CTO - FauzyLogic
    Mike Fauzy has been writing and assessing web applications since 1997. He helped write components of OWASP ESAPI and made minor contributions to Scrubbr, JavaSnoop, and other web app security projects. He also builds, trains, and expands automated web application security teams in the US and abroad. He has presented a workshop on XSS Remediation at DEF CON as well as at Java User Groups and OWASP chapters around the US. His hacking contest experience includes taking second at the AppSecEU CTF and winning Hack Fortress at DEF CON and ShmooCon. His current focus is performing web application security remediation using artificial intelligence.
  • Demetria Robertson - COO - FauzyLogic
    Demetria Robertson's background straddles data science, applied analytics, and software product management. She has held leadership roles in building analytics programs ranging from Fortune 500 to startup companies. Her credentials include data science certificates from Johns Hopkins, Certified Scrum Master (CSM) and Certified Scrum Product Owner (CSPO) certifications, and both an MBA and B.S. Molecular Biology and Biotechnology from UNLV.
