Room: Seacliff CD
Thursday, September 26
 

10:30am PDT

5 Steps to VEX Success: Managing the End-to-End Workflow
Thursday September 26, 2024 10:30am - 11:15am PDT
If you work in vulnerability management, you’re probably familiar with the painful condition known as CVE overload. Each year, tens of thousands of new vulnerabilities are reported, and these potential risks overwhelm security teams tasked with confirming risks and remediating them. 


A proposed solution is VEX (Vulnerability Exploitability eXchange): a set of formats that communicates vulnerability impact status, whether a vulnerability is exploitable in its deployed context, and mitigation steps. In theory, VEX (when used alongside other prioritization inputs) makes it possible for downstream security teams to remediate more efficiently. But as with most security frameworks, efficacy depends on proper implementation.  


This talk will cover five steps to leveraging VEX throughout the vulnerability remediation lifecycle, from the time a vulnerability is disclosed to the time you publish and distribute a VEX statement. We’ll cover the tools and workflows security practitioners need to know to effectively use VEX in their organizations. 

Speakers

Cortez Frazier Jr

Principal Product Manager, FOSSA
Cortez Frazier Jr. is a Principal Product Manager at FOSSA. He leads development for the company’s SBOM (software bill of materials) and vulnerability management solutions. Before joining FOSSA, Cortez served as product lead for all of Puppet’s SaaS-based products, primarily within...
Room: Seacliff CD

11:30am PDT

AI Code Generation - Benefits, Risks and Mitigation Controls
Thursday September 26, 2024 11:30am - 12:15pm PDT
The potential benefits are substantial as organizations increasingly adopt AI-driven code-generation tools to enhance productivity and streamline development workflows. Code generation offers transformative advantages, from accelerating development cycles to minimizing manual errors.

However, this technological advancement introduces a range of risks that, if not adequately understood and managed, could pose significant challenges. Key risks include security vulnerabilities, code quality issues, potential copyright infringement, data breaches, and the possibility of reverse engineering models. Additional concerns involve bias introduction, poisoning attacks, inefficient code generation, hallucinated dependencies, and an over-reliance on AI tools, potentially leading to increased technical debt over time. A comprehensive understanding and effective mitigation of these risks are essential to fully realizing the potential of code generation technologies.

A robust risk mitigation strategy is critical. Organizations must prioritize comprehensive code reviews, continuous monitoring of tools, and the implementation of rigorous testing frameworks. Establishing clear guidelines, adopting stringent security measures, and managing controlled rollouts are vital to minimizing vulnerabilities. Additionally, safeguards around data management, intellectual property protection, and sustainable code practices will ensure code generation tools’ long-term efficacy and security.

This talk will detail these risks, offering actionable insights and strategies for leveraging AI-driven code generation while mitigating associated risks. This will allow organizations to harness this technology’s full potential safely and effectively.
Speakers

Aruneesh Salhotra

Aruneesh Salhotra is a seasoned technologist and servant leader, renowned for his extensive expertise across cybersecurity, DevSecOps, AI, business continuity, audit, and sales. His impactful presence as an industry thought leader is underscored by his contributions as a speaker and panelist...
Room: Seacliff CD

1:15pm PDT

The Container Escape Room: An Exploration of Container Escapes
Thursday September 26, 2024 1:15pm - 2:00pm PDT
Through a metaphorical journey into the 'Container Escape Room,' we will navigate through real-world scenarios and dissect the mechanisms behind container escapes. From privilege escalation exploits to vulnerabilities within container runtimes, we'll explore the diverse array of techniques employed by attackers to break out of containerized environments. Drawing insights from notable incidents and vulnerabilities, we will examine the implications of container escapes on system integrity, data confidentiality, and overall security posture. Moreover, we'll discuss mitigation strategies and best practices for hardening Kubernetes infrastructures against potential exploits. Whether you're a seasoned security professional or a DevOps enthusiast, this talk promises to be an insightful exploration into the evolving landscape of cybersecurity within containerized environments. Join us as we uncover the mysteries of container escapes.
Speakers

Amit Schendel

Sr. Security Researcher, ARMO
Passionate about security research and low-level programming with a focus on kernel drivers (Windows & Linux). Proficient in C++, Python, and Go. Excited about tackling complex challenges at the intersection of cybersecurity, system-level development and cloud technologies.
Room: Seacliff CD

2:15pm PDT

Self-Discovering API Key Permissions and Resources
Thursday September 26, 2024 2:15pm - 3:00pm PDT
You're a security analyst triaging a list of exposed credentials - how do you prioritize which key to rotate first? How do you even know what resources the key can access? Most SaaS providers make it difficult to enumerate the access granted to a particular credential without logging into their UI.


In this talk, we're releasing a new method (self-discovery) for enumerating the permissions and resources associated with API keys and other secrets, without requiring access to the provider's UI. We'll walk through the meticulous steps required to accurately assess different SaaS providers' permission and scopes, as well as share the logic behind how to validate key permissions, including string analysis, HTTP request brute forcing and more.


Finally, we'll demo a new open-source tool that automates the enumeration of API key permissions and accessible resources, without requiring access to the provider's UI.

Speakers

Joseph Leon

Security Researcher, Truffle Security
Joe Leon is a security researcher at Truffle Security where he works to identify new sources of leaked secrets and contributes to the open-source security community. Previously, Joe led application security assessments for an offensive security consulting firm. Joe has taught technical...

Dylan Ayrey

CEO, TruffleHog
Dylan is the original author of the open source version of TruffleHog, which he built after recognizing just how commonly credentials and other secrets were exposed in Git. Coming most recently from the Netflix security team, Dylan has spoken at a number of popular information security...
Room: Seacliff CD

3:30pm PDT

The Missing Link - How we collect and leverage SBOMs
Thursday September 26, 2024 3:30pm - 4:15pm PDT
There is some debate as to how SBOMs can enhance vulnerability management practices, and some believe that collecting SBOMs from internal teams or suppliers is too difficult and time-consuming. Learn how our company has collected thousands of its product SBOMs and how we are leveraging them as part of our corporate product CERT to quickly analyze and focus our attention when time is critical. This presentation describes how we modified our policies and processes to collect, generate, and store thousands of SBOMs. You will hear how we have leveraged SBOMs during the Log4j and OpenSSL vulnerability events. Then we will conclude with key learnings, suggestions, and opportunities for improvement.
Speakers

Cassie Crossley

VP, Supply Chain Security, Schneider Electric
Cassie Crossley, Vice President, Supply Chain Security in the global Cybersecurity & Product Security Office at Schneider Electric, is an experienced cybersecurity technology executive in Information Technology and Product Development and author of “Software Supply Chain Security...
Room: Seacliff CD
 
Friday, September 27
 

10:30am PDT

Automatic application hardening by leveraging container runtime behavior analysis during CI processes
Friday September 27, 2024 10:30am - 11:15am PDT
In this presentation, we will explore an innovative approach to improving the security of containerized applications: analyzing their behavior during continuous integration testing and generating native policies based on that behavior. By leveraging behavioral analysis, we can replace tedious manual policy definitions, which take a long time to write and break easily. We will also discuss the importance of native policies, which allow us to enforce security policies directly within container orchestration tools like Kubernetes without relying on third-party tools.


We will focus on policies like seccomp profiles, network policies, AppArmor, and security context. We will cover hands-on practices for implementing this approach, including how to do behavioral analysis using eBPF-based tools, how to integrate this analysis into CI testing, and how to use native policies to enforce security policies.


By the end of this presentation, attendees will have a deeper understanding of how to leverage innovative approaches to security in Kubernetes clusters (and in container orchestration in general), and how to use behavioral analysis and native policies to protect their environments against multiple threats.

Speakers

Amit Schendel

Sr. Security Researcher, ARMO
Passionate about security research and low-level programming with a focus on kernel drivers (Windows & Linux). Proficient in C++, Python, and Go. Excited about tackling complex challenges at the intersection of cybersecurity, system-level development and cloud technologies.
Room: Seacliff CD

11:30am PDT

Practical Software Supply Chain Security Solutions
Friday September 27, 2024 11:30am - 12:15pm PDT
The frequency of software supply chain attacks has been increasing over the last several years. This is, in part, due to the fact that the term “Software Supply Chain Attack” actually refers to a set of attacks that include repo jacking, repo poisoning, typosquatting, and dependency confusion. Threat actors, such as nation states, select high-value targets where an attack can be extremely disruptive. They weaponize the software supply chain against their enemies (real or perceived) to wreak physical infrastructure damage or engage in commercial and governmental espionage. Attackers who are motivated by money have been able to demand huge ransoms, which would have been impractical in the past but have been made easy by cryptocurrencies. Frequently, they seek soft targets. Hospitals, municipalities, and schools can be notoriously lax in their software security efforts. Often, they lack the capital and expertise to mount a successful defense against ransomware gangs.


Governments and the private sector are investing in defensive measures. Europe has responded with the Cyber Resilience Act. The US has mandated SBOMs as a countermeasure against supply chain attacks. If you know what is in your code then such an attack is unlikely. Right? Not exactly. In the commercial sector, a huge software security industry has arisen. In 2023 it was estimated to be valued at approximately 172 billion USD and it is a growing market. Yet this has not resulted in a diminishing threat.


In this presentation, I am going to describe practical strategies for improving your organization’s ability to defend against software supply chain attacks.

Speakers

Robert Marion

Software Product Security Architect, Baxter Healthcare
Robert Marion is the Product Security Architect at Baxter Healthcare. He has a background in software engineering and has worked on robots, and machine communication. Robert designs and builds processes for making software products more secure. He is a member of the OmniBOR open source...
Room: Seacliff CD

1:15pm PDT

AI Under the Hood: Unmasking Hidden Threats
Friday September 27, 2024 1:15pm - 2:00pm PDT
Much like cars, AI technologies must undergo rigorous testing to ensure their safety and reliability. However, just as a 16-wheel truck’s brakes are different from those of a standard hatchback, AI models too may need distinct analyses based on their risk, size, application domain, and other factors. Prior research has attempted to do this by identifying areas of concern for AI/ML applications and the tools needed to simulate the effect of adversarial actors. However, a variety of frameworks currently exist, and their inconsistent terminology, focus, complexity, and interoperability issues hinder effective threat discovery. In this talk, we discuss initial findings from our meta-analysis of 14 AI threat modeling frameworks, providing a streamlined set of questions for AI/ML threat analysis. We will also discuss how we refined this library through expert review to simplify the questions and allow seamless integration into the manual analysis of AI/ML applications.
Speakers

Dr. Nitish M. Uplavikar

Cybersecurity Researcher, Comcast
Dr. Nitish Milind Uplavikar is a cybersecurity researcher at Comcast’s Security Privacy Innovation Development Engineering and Research (SPIDER) team. As part of his daily duties, Nitish conducts research to address security and privacy-based real-world problems within threat modeling...
Room: Seacliff CD

2:15pm PDT

Learning from Past Security Breaches: Strengthening AppSec Efforts and Focus
Friday September 27, 2024 2:15pm - 3:00pm PDT
In today’s rapidly evolving digital landscape, security breaches have become an inevitable reality for many organizations. This talk will provide valuable insights into the world of AppSec by examining both pre- and post-breach scenarios. We will delve into real-world examples of security incidents to identify what we wish we had done differently in terms of AppSec efforts prior to a breach.


This discussion will offer practical steps for achieving full remediation following a security incident. By understanding the importance of proactive measures and effective response strategies, attendees can learn how to bolster their AppSec practices to minimize potential damages and improve overall resilience against future attacks.

Speakers

Jon McCoy

Security Architect, DigitalBodyGuard
Room: Seacliff CD

3:30pm PDT

Threat Modeling Large Scale K8s Based Platform
Friday September 27, 2024 3:30pm - 4:15pm PDT
Developers and security practitioners face challenges in securing their K8s applications. As more and larger-scale applications move to cloud-native technologies, new threat vectors are introduced that change the application's attack surface. As a result, threat modeling becomes a critical step in the software development process. A comprehensive threat model helps teams identify, manage, and communicate the potential risks of their cloud applications, regardless of exploitability. Creating a comprehensive threat model for a large-scale K8s cluster is difficult if you also want it to be useful for developers and security practitioners.


The talk will cover the fundamentals of threat modeling, a framework for threat modeling large-scale clusters, and the challenges of efficient threat modeling on a large-scale Kubernetes platform.

Speakers

Anurag Dwivedy

Senior Manager, Product Security, AppDynamics - Cisco
Anurag leads the Product Security Team at AppD. With more than ten years of experience in secure software development, he is interested in web application and mobile application security. Anurag holds a Master of Science in Information Security from Northeastern University, Bosto...

Brian "Mello" Kirouac

Lead Security Architect for Cisco AppDynamics, AppDynamics - Cisco
Room: Seacliff CD