Highlights of OWASP Global AppSec Conference
- Threat modeling gained the spotlight. Threat modeling is a structured approach to identifying and prioritizing potential threats to a system and determining the value that potential mitigations would have in reducing or neutralizing those threats. OWASP's Threat Modeling Cheat Sheet provides guidance on how to create threat models for existing systems or applications as well as for new systems.
- Tanya Janca, keynote speaker, talked about the need to shift security everywhere. The “shift security left” approach alone is not enough. Comprehensive security is required, from the start of development through keeping applications secure after they are deployed to production. We should keep developers engaged and be present. In addition, measuring and monitoring security activities is important in order to show the value of the security program.
- Kim Wuyts’s keynote on privacy: keep only the data you need, or things get messy. More data brings more responsibility. Apply threat modeling to privacy with the LINDDUN threat modeling methodology.
- Jakub Kaluzny talked about the concept of an “AppSec data lake”. Developers should own security. All data, from threat modeling to SAST tool output, should be stored in a database. Then actions can be traced back, connecting fixes to findings, to SAST and DAST results, and even to threat modeling. This way you can identify patterns and monitor the effectiveness of your actions.
- Magda Lilia Chelly, keynote speaker, talked about AI-assisted coding, its benefits and risks. AI will not replace developers, as it does not produce code that follows security guidelines. However, it can be used to improve developers’ productivity.
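To make the “AppSec data lake” idea concrete, here is an added example (not code from the talk or from any OWASP project) that keeps threat-model entries, SAST/DAST findings and fixes in one SQLite database and runs the kind of queries the bullet describes: tracing fixes back to findings and threats, measuring fix effectiveness per category, and spotting modeled threats that no tool finding covers. The component names, categories, severities and commit references are constructed sample data.

```python
"""Minimal 'AppSec data lake': threat-model entries, SAST/DAST findings and fixes
in one SQLite database, with queries that trace fixes back to findings and threats."""
import sqlite3

SCHEMA = """
CREATE TABLE findings (
    id        INTEGER PRIMARY KEY,
    source    TEXT    NOT NULL,   -- 'threat_model', 'sast' or 'dast'
    component TEXT    NOT NULL,
    category  TEXT    NOT NULL,   -- e.g. 'sqli', 'xss', 'spoofing'
    severity  INTEGER NOT NULL,   -- 1 (low) .. 4 (critical)
    threat_id INTEGER REFERENCES findings(id)  -- tool finding linked to a modeled threat
);
CREATE TABLE fixes (
    id         INTEGER PRIMARY KEY,
    finding_id INTEGER NOT NULL REFERENCES findings(id),
    commit_ref TEXT    NOT NULL,
    verified   INTEGER NOT NULL DEFAULT 0  -- 1 once a rescan no longer reports the finding
);
"""

# Constructed sample data: hypothetical components and commit refs, not from any real project.
SAMPLE_FINDINGS = [
    (1, "threat_model", "login-api",     "sqli",           4, None),
    (2, "threat_model", "profile-page",  "xss",            3, None),
    (3, "threat_model", "payment-svc",   "spoofing",       4, None),
    (4, "sast",         "login-api",     "sqli",           4, 1),
    (5, "dast",         "profile-page",  "xss",            3, 2),
    (6, "sast",         "profile-page",  "xss",            2, 2),
    (7, "sast",         "report-export", "path-traversal", 3, None),
]
SAMPLE_FIXES = [
    (1, 4, "commit-abc123", 1),
    (2, 5, "commit-def456", 0),
    (3, 7, "commit-aaa111", 1),
]


def build_lake():
    """Create an in-memory lake and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO findings VALUES (?,?,?,?,?,?)", SAMPLE_FINDINGS)
    conn.executemany("INSERT INTO fixes VALUES (?,?,?,?)", SAMPLE_FIXES)
    conn.commit()
    return conn


def fix_rate_by_category(conn):
    """Share of tool (SAST/DAST) findings per category that have a verified fix."""
    rows = conn.execute("""
        SELECT f.category,
               COUNT(DISTINCT f.id) AS findings,
               COUNT(DISTINCT CASE WHEN x.verified = 1 THEN f.id END) AS verified_fixed
        FROM findings f
        LEFT JOIN fixes x ON x.finding_id = f.id
        WHERE f.source != 'threat_model'
        GROUP BY f.category
    """).fetchall()
    return {cat: {"findings": n, "verified_fixed": v, "rate": round(v / n, 2)}
            for cat, n, v in rows}


def uncovered_threats(conn):
    """Modeled threats that no SAST/DAST finding has been linked to: a gap in tool coverage."""
    return conn.execute("""
        SELECT t.id, t.component, t.category
        FROM findings t
        WHERE t.source = 'threat_model'
          AND NOT EXISTS (SELECT 1 FROM findings f WHERE f.threat_id = t.id)
        ORDER BY t.id
    """).fetchall()


def open_findings(conn):
    """Tool findings without a verified fix, most severe first (the backlog to act on)."""
    return conn.execute("""
        SELECT f.id, f.source, f.component, f.category, f.severity
        FROM findings f
        WHERE f.source != 'threat_model'
          AND NOT EXISTS (SELECT 1 FROM fixes x
                          WHERE x.finding_id = f.id AND x.verified = 1)
        ORDER BY f.severity DESC, f.id
    """).fetchall()


if __name__ == "__main__":
    lake = build_lake()
    print("fix rate by category:", fix_rate_by_category(lake))
    print("threats with no tool coverage:", uncovered_threats(lake))
    print("open findings:", open_findings(lake))
```

The `threat_id` column is what makes backtracking possible: a SAST or DAST result that is linked to a modeled threat lets you ask both “which threats have we actually confirmed with tooling?” and “which fixes closed which threat?”. Treating a fix as effective only when `verified` is set (a rescan no longer reports the finding) keeps the metric honest rather than counting commits.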
- AI applications are on the rise, and so are the concerns regarding AI security and privacy. This is why OWASP is now offering the AI Security & Privacy Guide here. See also the slides from Rob van der Veer’s talk, during which this guide was launched.
Let’s close with an interesting fact that shows how #softwaresecurity is evolving: OWASP decided at this event to change its name from Open Web Application Security Project (OWASP) to Open Worldwide Application Security Project. This reflects the broadening of the scope in which security should be applied, given the transition from web to mobile applications and the introduction of AI into systems.