THE MUST ATTEND EVENT FOR CYBERSECURITY PROFESSIONALS
Room: Seacliff CD
Thursday, September 26
10:30am PDT

5 Steps to VEX Success: Managing the End-to-End Workflow
Thursday September 26, 2024 10:30am - 11:15am PDT
If you work in vulnerability management, you’re probably familiar with the painful condition known as CVE overload. Each year, tens of thousands of new vulnerabilities are reported, and these potential risks overwhelm security teams tasked with confirming risks and remediating them. 


A proposed solution is VEX (Vulnerability Exploitability eXchange): a set of formats that communicates vulnerability impact status, whether a vulnerability is exploitable in its deployed context, and mitigation steps. In theory, VEX (when used alongside other prioritization inputs) makes it possible for downstream security teams to remediate more efficiently. But as with most security frameworks, efficacy depends on proper implementation.  


This talk will cover five steps to leveraging VEX throughout the vulnerability remediation lifecycle, from the time a vulnerability is disclosed to the time you publish and distribute a VEX statement. We’ll cover the tools and workflows security practitioners need to know to effectively use VEX in their organizations. 

Speakers

Cortez Frazier Jr

Principal Product Manager, FOSSA
Cortez Frazier Jr. is a Principal Product Manager at FOSSA. He leads development for the company’s SBOM (software bill of materials) and vulnerability management solutions. Before joining FOSSA, Cortez served as product lead for all of Puppet’s SaaS-based products, primarily within...

11:30am PDT

AI Code Generation - Benefits, Risks and Mitigation Controls
Thursday September 26, 2024 11:30am - 12:15pm PDT
The potential benefits are substantial as organizations increasingly adopt AI-driven code-generation tools to enhance productivity and streamline development workflows. Code generation offers transformative advantages, from accelerating development cycles to minimizing manual errors.

However, this technological advancement introduces a range of risks that, if not adequately understood and managed, could pose significant challenges. Key risks include security vulnerabilities, code quality issues, potential copyright infringement, data breaches, and the possibility of reverse engineering models. Additional concerns involve bias introduction, poisoning attacks, inefficient code generation, hallucinated dependencies, and an over-reliance on AI tools, potentially leading to increased technical debt over time. A comprehensive understanding and effective mitigation of these risks are essential to fully realizing the potential of code generation technologies.

A robust risk mitigation strategy is critical. Organizations must prioritize comprehensive code reviews, continuous monitoring of tools, and the implementation of rigorous testing frameworks. Establishing clear guidelines, adopting stringent security measures, and managing controlled rollouts are vital to minimizing vulnerabilities. Additionally, safeguards around data management, intellectual property protection, and sustainable code practices will ensure code generation tools’ long-term efficacy and security.

This talk will detail these risks, offering actionable insights and strategies for leveraging AI-driven code generation while mitigating associated risks. This will allow organizations to harness this technology’s full potential safely and effectively.
Speakers

Aruneesh Salhotra

Aruneesh Salhotra is a seasoned technologist and servant leader, renowned for his extensive expertise across cybersecurity, DevSecOps, AI, Business Continuity, Audit, and Sales. His impactful presence as an industry thought leader is underscored by his contributions as a speaker and panelist...

1:15pm PDT

The Container Escape Room: An Exploration of Container Escapes
Thursday September 26, 2024 1:15pm - 2:00pm PDT
Through a metaphorical journey into the 'Container Escape Room,' we will navigate through real-world scenarios and dissect the mechanisms behind container escapes. From privilege escalation exploits to vulnerabilities within container runtimes, we'll explore the diverse array of techniques employed by attackers to break out of containerized environments. Drawing insights from notable incidents and vulnerabilities, we will examine the implications of container escapes on system integrity, data confidentiality, and overall security posture. Moreover, we'll discuss mitigation strategies and best practices for hardening Kubernetes infrastructures against potential exploits. Whether you're a seasoned security professional or a DevOps enthusiast, this talk promises to be an insightful exploration into the evolving landscape of cybersecurity within containerized environments. Join us as we uncover the mysteries of container escapes.
Speakers

Amit Schendel

Sr. Security Researcher, ARMO
Passionate about security research and low-level programming with a focus on kernel drivers (Windows & Linux). Proficient in C++, Python, and Go. Excited about tackling complex challenges at the intersection of cybersecurity, system-level development and cloud technologies.

2:15pm PDT

Self-Discovering API Key Permissions and Resources
Thursday September 26, 2024 2:15pm - 3:00pm PDT
You're a security analyst triaging a list of exposed credentials - how do you prioritize which key to rotate first? How do you even know what resources the key can access? Most SaaS providers make it difficult to enumerate the access granted to a particular credential without logging into their UI.


In this talk, we're releasing a new method (self-discovery) for enumerating the permissions and resources associated with API keys and other secrets, without requiring access to the provider's UI. We'll walk through the meticulous steps required to accurately assess different SaaS providers' permissions and scopes, and share the logic behind how to validate key permissions, including string analysis, HTTP request brute forcing, and more.


Finally, we'll demo a new open-source tool that automates the enumeration of API key permissions and accessible resources, without requiring access to the provider's UI.

Speakers

Joseph Leon

Security Researcher, Truffle Security
Joe Leon is a security researcher at Truffle Security where he works to identify new sources of leaked secrets and contributes to the open-source security community. Previously, Joe led application security assessments for an offensive security consulting firm. Joe has taught technical...

Dylan Ayrey

CEO, TruffleHog
Dylan is the original author of the open source version of TruffleHog, which he built after recognizing just how commonly credentials and other secrets were exposed in Git. Coming most recently from the Netflix security team, Dylan has spoken at a number of popular information security...

3:30pm PDT

The Missing Link - How we collect and leverage SBOMs
Thursday September 26, 2024 3:30pm - 4:15pm PDT
There is some debate as to how SBOMs can enhance vulnerability management practices, and some believe that collecting SBOMs from internal teams or suppliers is too difficult and time-consuming. Learn how one company has collected thousands of product SBOMs and how we are leveraging them as part of our corporate product CERT to quickly analyze and focus our attention when time is of the essence. This presentation describes how we modified our policies and processes to collect, generate, and store thousands of SBOMs. You will hear how we have leveraged SBOMs during the Log4j and OpenSSL vulnerability events. We will conclude with key learnings, suggestions, and opportunities for improvement.
Speakers

Cassie Crossley

VP, Supply Chain Security, Schneider Electric
Cassie Crossley, Vice President, Supply Chain Security in the global Cybersecurity & Product Security Office at Schneider Electric, is an experienced cybersecurity technology executive in Information Technology and Product Development and author of “Software Supply Chain Security...