Exploitation, automation, mitigation

Speakers: Riccardo ten Cate & Glenn ten Cate

Abstract

We can see the trends in integrating security tooling into CI/CD pipelines. However, security tooling alone will not cover your entire attack surface. This is because the tooling can never understand the full context of the applications functions and logic. On the other hand, resources in the form of manual verification can often be scarce and expensive.

Where do we find the right balance between security test automation and manual verification?

Even more importantly, how do we train the developers to understand the metrics and make security part of their process and culture?

OWASP security knowledge framework introduced a new interactive learning platform to teach you everything you need to know about secure software development! SKF helps you deploy sandboxed learning environments on the fly where you find all the tools you need to get yourself going.

Use the OWASP SKF to train yourself or your entire team to exploit and mitigate web application vulnerabilities.

In our session:

• We will show you how the SKF is set-up, so you can get started.
• We will show the labs and demo live exploitation of the labs.
• How do we fix the vulnerabilities? We will use SKF to generate security requirement that guide how to mitigate the vulnerabilities demonstrated in the labs
• We will implement mitigations (requirements) and use the Owasp ZAP (Automation framework) and ZEST to validate the mitigations.

Biography Riccardo

As a coder, hacker, speaker, trainer and security chapter leader employed at ING Belgium Glenn has over 15 years experience in the field of security. One of the founders of defensive development security trainings dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world.

Not only does Glenn train developers, he and his brother Riccardo also donated an entire knowledge framework solely dedicated to help developers make their code secure by design.

See: SKF (Security knowledge framework) https://www.securityknowledgeframework.org

Biography Glenn

As a penetration tester from the Netherlands Riccardo ten Cate specialises in application security and has extensive knowledge in securing applications in multiple coding languages. Riccardo has many years of experience in training and guiding development teams becoming more mature and making their applications secure by design.