OWASP Global AppSec SF 2024: Empowering Developer Security As A Community
Dwayne McDaniel
Posted on November 4, 2024
Only one section of the Mississippi River runs East to West. That stretch of the Big Muddy is home to Davenport, Iowa. While not the largest city in the Hawkeye State, it is part of the "Quad Cities," a healthy-sized metropolitan area spanning the river into Illinois, and is successful because they are working together as one large community. That same spirit of getting together collaboration, regardless of what separates us, was present in 2024 at CornCon X, the 10th-anniversary edition.
Around 400 practitioners, thought leaders, and students gathered at The RiverCenter for a packed agenda that spanned three full days. Day one was the CISO Summit, an invitation-only event where CISOs and executives could speak freely while catching up on the current market trends. The final two days of activities featured 47 sessions, multiple workshops and CTFs, a K-12 Kids' Hacker Camp, and a day-long High School Cybersecurity Event. On top of all that, there were multiple villages and a whole lot of hallway conversations where folks from all backgrounds and focus areas could swap stories and talk about the latest developments in cybersecurity.
Here are just a few highlights from CornCon X
We must debunk the myths of cybersecurity to find a better path ahead
In a real highlight for participants, CornConX featured Dr. Gene Spafford, Author and Professor at Purdue University, presenting "Myths and Misconceptions in Cybersecurity," based on his book of a similar title. This thought-provoking session explored some core issues holding us back as an industry, including the fact that we use language wholly unique to us in security but expect the larger world to know what we mean. For example, the word 'virus' means something very different to a blue teamer than it does to someone working in microbiology or public health. The term "ransomware" is unique to our space and not understood by the average user.
The first myth he debunked is that we even have a clear definition of cybersecurity. We have a rough agreement that it means "protecting our assets against all forms of threats." However, it falls very short when you take a larger view of that definition. We cannot, eventually, protect against all threats. Even NIST has three current different definitions of security. In reality, we are always balancing risks, opportunities, and costs in our journey to secure our world. Dr. Spafford believes we need to come to an agreement on what measurements matter for security. He asked, "We measure everything else, so why is it so elusive to measure security?"
Another myth he discussed was, "More tech is better," pointing out we really don't value simplicity in our systems. Simpler is easier to defend, after all. He quoted Bob Courtney, who said, "There are no tech solutions to management problems. There are management problems to technical solutions."
He left us with some inspiration on how we can make changes for the better. He encouraged us all to rethink current conventional methods, asking ourselves why we are doing things this way. He asked us to seek simplicity in our work, as simpler systems are easier to defend. We must think about the whole of our systems, including the people who use and implement our solutions. Finally, we must seek to promote good values in our work.
Dr. Gene Spafford presenting Myths and Misconceptions in Cybersecurity
SaaS might be your attacker's best friend
In his session "The Saas and the Furious - A deep dive in SaaS compromises," Ryan Wisniewski, Incident Response Lead, Obsidian Security, started by asking us why attackers would even care about SaaS. To paraphrase bank robber Willie Sutton, the answer is, "That's where the data is." Attackers don't need to be skilled with tools or fancy exfiltration techniques. If they can access your SaaS applications, they can use the same click-box interfaces you do and likely just download any data they want. They can even email it to themselves in some situations.
Ryan has been working to update the MITRE ATT&CK framework to better account for SaaS. His research shows that identity compromises are the main way into our orgs for attackers. This makes sense when you realize that most teams rely on shared service accounts with long-lived, seldom-rotated credentials to manage these services. Worse yet, a lot of these accounts, up to 90% in his research, were not even in use in the last 30 days, making service accounts a large and juicy target for adversaries.
He walked us through the major steps common in all SaaS attacks: Initial Access, Persistence, Defense Evasion, Discovery, and finally, Impact. While most of his work was focused on Business Email Compromises, one of the most financially damaging attacks possible, according to the FBI, Ryan also talked us through some major breaches that involved password reset and even multifactor authentication resets, as we saw with MGM in 2023. Ryan directed us to his blog post for those who are interested in learning more about SaaS identity compromise.
The Saas and the Furious: A deep dive in SaaS compromises from Ryan Wisniewski
Understanding access management means having conversations with humans
In his session, "Hacking other teams using social skills to strengthen your IAM program," Sean Juroviesky, Senior Security Engineer at SoundCloud, shared his hard-learned lessons about dealing with very different teams, all thinking about access management in wildly different ways. He said that no magic formula or approach will suddenly solve IAM for everyone. Still, with time, patience, and actually talking to human beings, there is a path forward.
We first need to understand what kind of access we are dealing with, be it employee-initiated, as is common with SaaS, or externally-initiated, as some providers like ServiceNow provide. There are also the proper channels that internal security teams set up, but if those paths are seen as slowing things down, they are often worked around. In the long term, we must work to understand what is happening and establish a baseline for how access is actually being managed before we can work to improve it.
Establishing that baseline means talking to the individuals who are managing these accounts and understanding what they are using and why they manage it the way they do. This can not just be a manager-level discussion, as each team member is going to be using slightly different tools. We also need to understand these SaaS offerings and pricing tiers, as for many, single sign-on (SSO) is only an option once you hit a certain price point.
If we work with our teams to understand them as human beings, when the time comes to help enable better access controls, they might not fight you as hard since they will know you are really on their side.
Hacking other teams using social skills, to strengthen your IAM program! From Sean Juroviesky
Threat Intelligence requires interpreting context
In her thought-provoking session, "What the heck is Hermeneutics, and how can it be used to level up your threat intel game?" Cherie Burgett, Director of Cyber Intelligence Operations at The Mining and Metals Information Sharing and Analysis Center (MM-ISAC), introduced a lot of the audience to the concept of Hermeneutics. This is the study of interpretation, particularly of biblical, philosophical, and wisdom literature. This field of study dates back to the 15th century. While originally used to studying ancient texts, looking at contextual clues writers left behind in their work, there is a lot we can use from this field of study when performing threat intelligence in modern cybersecurity.
She explained the Hermeneutics circle, which is to examine the context the written artifact comes from, the text of the writing itself, re-examination of the wider context the writing introduces, and interpreting the work there, which leads back to having more context to consider, beginning the cycle over again. While similar to the threat intelligence process of examining text, looking at context clues, performing an analysis, and making an action plan, the traditional modeling approach does not loop back through after feedback to re-think about the context and loop iteratively. Basically, the approach asks, "Why the why?" inviting us to go deeper and look at the context of any useful information we discover.
Cherie also warned us to be aware of the fallacies of built-in presuppositions. If we are told by an attacker, "If you don't pay us, we will sell your data and keep attacking you," then we naturally want to suppose that the opposite must hold true, "If you do pay us, we won't sell your data and will stop attacking you." While that would be a nice thing to believe, it is rarely true when dealing with ransomware criminals, and we must keep that in mind as we respond to the incident.
What the heck is Hermeneutics, and how can it be used to level up your threat intel game? By Cherie Burgett
Finding our way through the 'maize' of security threats together as humans
There were a lot more sessions across the three speaking tracks covering a wide variety of security topics. Across every session I attended, and in almost all of the conversations I had in the hallway track and at the after-event networking socials, there was a common theme: Security requires humans to empathize with other humans. Your author even got to talk about this in my session "Hidden Dangers Of AI In Developer Workflows: Navigating Security Risks with Human Insight." We must design our processes and technology with empathy; the users of our tools and processes are other human beings, and ultimately, it is humans we are trying to keep safe.
Fortunately, there is a great way for us all to connect with other humans in person, and CornCon is just one good example. You don't need to wait until CornCon XI in 2025 to connect with the security community. You can likely find a meetup or local event near you. You may even see GitGuardian there, too.On the eastern shores of San Francisco, you will find The Embarcadero. Embarcadero, *which means "pier" or "wharf" in Spanish, is derived from the verb *embarcar, which means "to embark." For many travelers to SF, this home to the iconic Ferry Building and Cable Car Museum is the starting point for exploring the city and the Bay. Most of those tourists are not aware that the Embarcaders is built above a ship graveyard, filled with vessels abandoned by sailors who left to mine for gold. This embarkation point was also the home to a gathering of security professionals on a journey to engineer the next generation of application security tools and best practices, which is built atop the reality that too many organizations overlook security in their rush to deliver sellable products; OWASP Global AppSec San Francisco 2024.
Over 1,200 project leads, practitioners, vendors, developers, and students were able to come together for five days of workshops, talks, and conversations all around application security. The sessions were spread across six tracks: Breaker, Builder, Defender, Manager/Culture, and the very important Project Track. That last one was a showcase of various Open Web Application Security Project (OWASP) projects from the project maintainers and contributors themselves, including JuiceShop, DevSecOps Maturity Model (DSOMM), Web Application Firewall, Software Assurance Maturity Model (SAMM), and DefectDojo.
There was a lot of amazing content, and we can't recap it all here. Fortunately, most sessions have been recorded and will be available online for free. Here are just a few reflections from OWASP Global AppSec San Francisco 2024.
Security is built on humans trusting humans
In her keynote, "Breaking the Mold: Navigating the Intersection of Technology, Security, and Trust," Reeny Sondhi, Chief Digital Officer (CDO) at Twilio, reiterated a common theme several other presenters, including your author, addressed in their presentations: We must understand one another if we are to effectively help one another. Walking us through her background and journey to her current role. Reeny credited her time in a product management role as helping her be able to 'step into the shoes of the customer.' It is almost impossible to make things better for them without empathy for what they are going through.
She also discussed the need for security teams to become enablers. You may have heard this referred to this as going from the "department of 'no!'" to the "department of 'how'." We must adopt a mindset that makes application and product security become ubiquitous across all teams. We can do this by supporting each other's goals while working to minimize the pain that current security issues and implementing security requirements cause day to day.
Reeny said we all need to act as security salespeople internally to everyone in our organizations. We can do this by finding and presenting data in digestible ways that show the better path. We must believe that we can solve these problems and show any evidence that supports that. We must take a position that is at same the time cautious and optomstic about tooling we leverage to empower humans to work more securely.
A conversation with Reeny Sondhi
The danger of letting AI act on your behalf
At the beginning of his talk "Living off Microsoft Copilot," Michael Bargury Co-Founder and CTO at Zenity, explained the answer to our current dilemma with AI was written in a 45 year old IBM internal document. That document contained the words:
A computer can never be held responsible. Therefore a computer must never make a management decision.
In our rush to implement LLMs and AI everywhere throughout our organizations, we have overlooked one of the largest threats AI brings. If we pay attention to the marketing and sales materials for AI assisted productivity tools, like Microsoft's Copilot, they spend a lot of time talking about the security of the data and how their tools prevent data leaks. What they don't talk about is what can go wrong when you allow these tools to interact with your other tools as if they were you.
Attackers are trying to deliver control instruction payloads which tell the AI to ignore your prompt and to do what the attacker wants. This kind of attack is called jailbreaking and it can get the AI to write phishing emails or worse. These attacks become extremely potent if you allow AI assistants do things like send emails or make API calls. Michael concluded with a reminder that AI is still new and therefore we are all AI security noobs. However, we must persist and learn this new area of security because AI and these threats are not going away.
Living off Microsoft Copilot by Michael Bargury
Developers need tools that get them to their goals
Matan Rabi, R&D Team Leader at Bright, at the very beginning of his talk "How to get developers to want to adopt AppSec," asked the room, "Why do developers hate application security?" His answer is, for the most part, that they do not believe they get measured on doing things securely, just getting many things done. Security is too often seen as just extra work.
He suggested having the conversation that "a bug, is a bug, is a bug." If we are measuring output and rewarding low bug counts, then we need to frame all security issues they introduce that cause rework as bugs. We must then empower them to reduce that bug count effectively with the right tools. If we measure their output in terms of getting to production the fastest and with the least amount of rework, seeing security as bugs, we can hopefully drive their desire to work with security early and often if security teams can offer a way to do that.
However, It can't just be giving developers new tools, it will take awareness, training, and building trust with each other as human beings. Matan believes we need to start training developers to hack their own applications to understand better why it is important to develop securely. Of course, tools are needed, but they need to integrate into the developer's preferred workflow and toolchain easily if we expect adoption. If we add toil through a new layer of tooling with a steep learning curve, then nothing will change.
How to get developers to want to adopt AppSec by Matan Rabi
Re-enforcing good developer security means rewarding their positive actions
In their joint talk "From Hype to Reality: The Broken State of DevSecOps and Its Maturity Model," co-presenters Eitan Worcel, CEO & Co-Founder at Mobb, and Dustin Lehr, Co-founder and CPTO at Katilyst, invited us to step back and remind ourselves what DevOps was trying to solve and how we have approached securty. The issue is not that developers want to write insecure applications, the reality is that security is confusing and they need help in delivering secure code.
They reminded us of the G.K Chesterton Quote:
It isn't that they can't see the solution. It is that they can't see the problem.
While it would be great to have a single tool or automation that would solve everything for us, they stressed that there is no silver bullet in DevSecOps. It requires people to understand the problem and put the right processes in place so people can leverage the right tooling. All of that is predicated on building relationships between security and DevOps team members. There is a solid business case for building those relationships, as we can solve problems for a lot less money if we fix them earlier in the SDLC.
Of course, transformation is hard. It takes innovators who can see and explain the change we need to see. It requires buy-in, which we can only get by inviting people in and listening to them. If we can identify when developers do the right things and start rewarding them for taking those actions, developers will start finding new actions they can take to get more recognition and reinforced by faster times to production. This positive reinforcement loop will take time. We must be patient as we build this needed foundation for successful DevSecOps programs.
From Hype to Reality from Eitan Worcel and Dustin Lehr
Finding a more secure path together
OWASP exists because a group of like-minded people saw a need to address security got together and produced the tools to do that. It still exists today because more like-minded people have continued the conversation for 20 years now. The real power of OWASP is the community. Global AppSec is one of the best chances to get together with peers to talk through the challenges of today and the map the road ahead towards solving tomorrow's problems in an accessible, scalable, and open way.
But you don't need to wait until the next OWASP event to get together; there is more than likely a local meeting near you. You don't even need to be a member; you just have a curiosity about security. It is something we are proud to sponsor at GitGuardian. Hopefully, we will get a change to discuss secrets security at an event soon.
Posted on November 4, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.