OWASP Global AppSec Singapore 2023

Last updated:

Banner of the event

OWASP Global AppSec Singapore

The Open Web Application Security Project, the organisation behind the well-known OWASP Top 10, organised the OWASP Global AppSec Singapore application security conference. I attended two days, October 4 and 5, one for a workshop and the other for talks.

Despite its name and the normal style for Global AppSec conferences, the conference was online-only and adhered to the Singapore timezone. This meant an early start time for me (4 AM, for the Romanian timezone), but it was good to be able to attend How to Web in the afternoons.

Top 3 events

Here are my personal favourites:

Threat Modelling: From None to Done

John DiLeo, a Solution Architecture Lead at IriusRisk and the OWASP leader in New Zealand, led the 7-hour workshop. The presented workflow had a shift-left approach, prioritising security investments as near to the design phase as possible. This contrasts with the prior shift-right model, in which security personnel were focused on incident response on an inadequate infrastructure.

Threat modelling is a type of risk analysis in which the most valuable assets (i.e., anything that should be safeguarded from some attackers) and their threats (i.e., anything that could allow someone or anything to obtain, damage, or destroy an asset) are identified.

Threat model from Synopsys

The following characteristics of a threat model were taken into account:

An additional concept that I thought was important is the order of magnitude for mitigations, which can be combined with defence-in-depth: "If a mitigation with an order of magnitude N (i.e., at the layer N in a layered security architecture) can fail, then another mitigation with the order N + 1 should be put in-place".

The workshop also included a hands-on component. Given a customer-facing, serverless web project, we choose one of its user stories: account details updating. We developed the threat model based on this.

A Retrospective on Application Security Failures

The presentation focused on application security posture management, incorporating subjects such as software composition analysis, SAST, DAST, developer learning platform, infrastructure as code scanning, and secret scanning.

One key lesson offered by the presenter based on his experience was the goal of establishing security design patterns that are included by default in the products to avoid bug classes rather than filing Jira tickets for found concerns. Secret scanning, default encryption, application event logging, and input validation routines are examples of patterns.

Large-Scale Application Attack Surface Management

The significance of asset management was the beginning point for this discussion. Each organisation should have an up-to-date list of assets (software, servers, documents, services, and so on) in order to know what to fight against and where attackers might try to exploit.

With this as a basis, the speaker went on to illustrate how organisations might identify their attack surface, or the set of places in their informational architectures where an attacker could try to access the organisation (e.g., APIs, DNS records, applications). OSINT, code review, code annotation, traffic collection and analysis, runtime instrumentation, and analysis of relevant files (such as API contracts and Android manifests) were all given as approaches.